
Conducting Security Program Maturity Evaluations of ICS Environments

ICS Security Program Maturity

This article was originally published on Linked In on July 29, 2019.

ICS Security Programs

Implementing and securing Industrial Control Systems (ICS) in business environments is challenging. Most organizations start with legacy environments or build new solutions with process effectiveness as their priority. Once an organization realizes it needs to secure the environment, it quickly comes to the conclusion that its enterprise security program does not easily fit the primary goals and requirements of the ICS environment. Thus, it needs a method to evaluate its current security posture and identify a path forward that is prioritized according to the goals of the process(es).

Most teams start from scratch because they have limited experience conducting this type of assessment. They begin their effort by Googling and asking friends about their experiences. Their research identifies a plethora of methods and models, most of which relate to complex solutions for critical infrastructure. It is at this point that the effort bogs down: the selection process itself is complex and prone to hesitation born of inexperience.

Selecting a Maturity Model

I personally feel that evaluating maturity is similar to threat modeling. By this I mean that there are a lot of approaches, each as confusing as the next. As mentioned, there are several models: the Department of Energy (DOE) Cybersecurity Capability Maturity Model (C2M2) [0][1], the Center for Internet Security (CIS) 20 Controls [2], the Industrial Internet Consortium (IIC) Internet of Things (IoT) Security Maturity Model [3], the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards [4], the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) [5], etc. The best an organization or individual can do is to select a method, modify it to what the team can accomplish, and then get buy-in from direct leadership.

Buy-in is essential because most people are not going to see the need or value in dedicating time to these efforts. Also, the people who are going to provide the most value to these efforts are the implementors, or at least their direct leadership. Most of the questions they are asked about their program require them to honestly rate their team's effectiveness. Honest ratings are not something people find easy, and they are always subjective. Rating their own programs naturally leads to embellishment (on purpose or unintentionally) in the positive direction. I've actually experienced grading fatigue. Evaluating a security program is not something that can be done in one 60-minute meeting. This pulls people away from their normal duties and adds to frustration about the effort. This fatigue and frustration results in quick, positively slanted ratings. Hence the value of a third-party evaluation.

Reviewing an ICS Security Program

I recently conducted a security assessment of an organization. I asked a lot of questions during the threat modeling phase. This, in a sense, turned the threat modeling into an architecture review (no worries, two birds with one stone). The technical teams were extremely honest, and I was able to use their responses to conduct an honest review of their enterprise and control security programs. To guide my information gathering I used the basic concept outlined by the CIS 20 Controls [2]. This helped because the controls are well organized and technical, and they kept me on track.

Because the technical teams were very capable, I knew that I would need to select a maturity model they would understand and could use to guide technical implementation, even though the report was more for the leadership of the company. I felt that detailing everything using the CIS 20 Controls breakdown would be confusing (to write and to review) and would significantly increase the subjectivity. So, I turned to the NIST CSF [5]. The Core Functions and Categories are easy to understand, and it is easy to gain agreement on their importance to the processes. I used the information I gathered to grade the Subcategories. The Subcategories provide a more granular reference point for technical implementors who do not have backgrounds in IT security.

Of course, the Implementation Tier model outlined in the NIST CSF is good for demonstrating the basic maturity of a program. However, from an assessment standpoint, I didn't feel it really explained why a Subcategory's tier rating was selected or what the organization could specifically do to improve. So, for the assessment, I generated an A through D grading system which aligns, as well as I could manage, with the Tiers.

=== A ===

  • Policies are in place, distributed, and implemented.
  • Team members are trained and augment each other’s skill sets.
  • Regular reviews are conducted to improve policies and procedures in line with business and security requirements.

=== B ===

  • Policies are in place, distributed, and implementation has started.
  • Team has had some training relating to their responsibilities.
  • No or inconsistent after-action / lessons-learned efforts to improve policies and procedures.

=== C ===

  • Team has some expertise in security responsibilities.
  • Team understands the concern and attempts to manage on case-by-case basis.
  • No policies in place or are inconsistently implemented.
  • Team has not been trained.

=== D ===

  • Team has experience to keep things running and address issues on catch-as-catch-can basis.
  • No policies. Team has not been trained.
  • Team does not have expertise in security-related responsibilities.

Using this, I was able to take the NIST CSF spreadsheet [6] and grade each Subcategory using the data I had collected. At first, I felt like I was not getting very far. Each grade is subjective, and you always feel that you do not have enough information. But the beauty of this method is that it IS prone to argument. Arguments are conversations about the security program. So, I stopped worrying about my subjective grade assignments and concentrated on getting the grades as honest (in my eyes) as possible.
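One way to make the grading repeatable is to record the observations behind each Subcategory grade rather than the letter alone, so that an argument about a grade is an argument about a specific observation. The script below is an added example, not a tool from the original article or from Cutaway Security. It encodes the A-D rubric above as four observed dimensions (policies, training, reviews, expertise) where the weakest dimension governs the grade, rolls grades up per CSF Function, and lists the worst-graded Subcategories first. The letter-to-Tier correspondence (D as Tier 1 through A as Tier 4) and the sample observations are assumptions made for illustration; the Subcategory IDs are real NIST CSF v1.1 identifiers, but the ratings attached to them are constructed.

```python
"""Grade NIST CSF Subcategories with an A-D rubric and roll the results up.

Added example: the rubric encoding, the Tier correspondence and the sample
observations are assumptions for illustration, not the article's own data.
"""
from collections import defaultdict
from statistics import mean

# Numeric value of each letter grade, and the CSF Implementation Tier each
# letter is ASSUMED to approximate (this example's mapping, not NIST's).
GRADE_VALUE = {"A": 4, "B": 3, "C": 2, "D": 1}
VALUE_GRADE = {v: k for k, v in GRADE_VALUE.items()}
ASSUMED_TIER = {"D": "Tier 1 (Partial)", "C": "Tier 2 (Risk Informed)",
                "B": "Tier 3 (Repeatable)", "A": "Tier 4 (Adaptive)"}

# Each observation maps to the best grade it can support. The Subcategory
# grade is the minimum across dimensions: a team with full policies but no
# security expertise cannot reach A. This is the example's encoding of the
# rubric; adjust the tables if your reading of the rubric differs.
POLICY = {"implemented": 4, "started": 3, "inconsistent": 2, "none": 2}
TRAINING = {"trained": 4, "some": 3, "none": 2}
REVIEWS = {"regular": 4, "inconsistent": 3, "none": 3}   # B tolerates no reviews
EXPERTISE = {"strong": 4, "some": 2, "none": 1}          # separates C from D

FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}


def grade(policy, training, reviews, expertise):
    """Return the A-D grade for one Subcategory from four observations."""
    value = min(POLICY[policy], TRAINING[training],
                REVIEWS[reviews], EXPERTISE[expertise])
    return VALUE_GRADE[value]


def grade_all(observations):
    """Grade every Subcategory in a {subcategory_id: observations} mapping."""
    return {sub: grade(**obs) for sub, obs in observations.items()}


def rollup(grades):
    """Average numeric grade per CSF Function (the prefix of the Subcategory ID)."""
    by_function = defaultdict(list)
    for sub, letter in grades.items():
        by_function[FUNCTIONS[sub.split(".")[0]]].append(GRADE_VALUE[letter])
    return {fn: round(mean(vals), 2) for fn, vals in by_function.items()}


def prioritized_gaps(grades, at_or_below="C"):
    """Subcategories graded at or below the threshold, worst first."""
    gaps = [(sub, letter, ASSUMED_TIER[letter]) for sub, letter in grades.items()
            if GRADE_VALUE[letter] <= GRADE_VALUE[at_or_below]]
    return sorted(gaps, key=lambda item: (GRADE_VALUE[item[1]], item[0]))


# Constructed sample: interview observations keyed by CSF v1.1 Subcategory ID.
SAMPLE = {
    "ID.AM-1": dict(policy="implemented", training="trained", reviews="regular", expertise="strong"),
    "ID.AM-2": dict(policy="started", training="some", reviews="none", expertise="strong"),
    "PR.AC-1": dict(policy="inconsistent", training="none", reviews="none", expertise="some"),
    "PR.AC-4": dict(policy="started", training="some", reviews="inconsistent", expertise="strong"),
    "DE.CM-1": dict(policy="none", training="none", reviews="none", expertise="some"),
    "RS.RP-1": dict(policy="none", training="none", reviews="none", expertise="none"),
    "RC.RP-1": dict(policy="none", training="none", reviews="none", expertise="none"),
}

if __name__ == "__main__":
    grades = grade_all(SAMPLE)
    for fn, score in rollup(grades).items():
        print(f"{fn:9s} {score}")
    for sub, letter, tier in prioritized_gaps(grades):
        print(f"{sub:8s} {letter}  {tier}")
```

With the constructed sample, Identify averages 3.5 and Respond and Recover sit at 1, and the gap list leads with RC.RP-1 and RS.RP-1. Because each grade is derived from recorded observations, a team that disputes a grade can point at the observation rather than the letter, which keeps the argument about the program rather than about the assessor.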

Adding Value to the Organization

My final report helped to provide the organization with my frame of mind for selecting the model and grades. While I hope that I was as accurate as possible, I know that the team will have to conduct a self-assessment to adjust the grades to make them a bit more accurate. They do need to do this so that they have a good starting point to compare the gaps to their business goals and prioritize their efforts.

Thus, if your organization is working to understand the maturity of your ICS security program, my recommendation is that you come up with a hybrid model for gathering information and a grading methodology that fits your organization and your team. Then, get buy-in from your direct leadership. You do not want buy-in from everyone, as that will drag on forever. But with buy-in from your direct leadership you have someone who will go to bat for you and say, "This is our approach, please play along." This leaves you free to gather information rather than selling the approach to other teams.

Wrap-up

I’m open to any improvement on my grades and this approach. Please reach out here or directly.

For ICS team members who need help understanding these concepts, I recommend your organization consider sending team members to the SANS ICS410: ICS/SCADA Security Essentials course [7]. I am an instructor of this course [8], and I feel that ICS team members gain enough knowledge from the course content to effectively participate in an honest evaluation of the security programs within their ICS environments.

Go forth and do good things,

Don C. Weber

Cutaway Security, LLC.

Email: don@cutawaysecurity.com

Website: http://www.cutawaysecurity.com

Twitter: https://twitter.com/cutaway

SANS Instructor: https://www.sans.org/instructors/don-c-weber

References

[0] https://www.energy.gov/ceser/activities/cybersecurity-critical-energy-infrastructure/energy-sector-cybersecurity-0-0

[1] https://www.energy.gov/sites/prod/files/2014/03/f13/C2M2-v1-1_cor.pdf

[2] https://www.cisecurity.org/controls/

[3] https://www.iiconsortium.org/pdf/IoT_SMM_Practitioner_Guide_2019-02-25.pdf

[4] https://www.nerc.com/pa/Stand/Pages/CIPStandards.aspx

[5] https://www.nist.gov/cyberframework

[6] https://www.nist.gov/document/2018-04-16frameworkv11core1xlsx

[7] https://www.sans.org/course/ics-scada-cyber-security-essentials

[8] https://www.sans.org/instructors/don-c-weber