The cupcakes are ready!

In my example of Grandma Mae and her cupcakes, I made the assertion that OT Cybersecurity still has a gooey center (the nexus of OT and IT).

This past week, we witnessed the release of the NIST SP 800-82r3 Guide to Operational Technology (OT) Security. What has caught my attention about this release is the mapping to OT as a whole (rather than being ICS-focused) and the use of other NIST standards that have traditionally been more IT cyber-centric, such as the Cybersecurity Framework (CSF v1.1), with specific recommendations for applying their principles in IACS/OT environments.

Appendix 7 provides an OT overlay that is a partial adaptation of the controls and control baselines found in NIST SP 800-53, Rev. 5. It also includes supplementary guidance specific to OT. The OT overlay is designed to be applicable to all OT systems in all industrial sectors. Further, tailoring can add specificity to a particular sector (e.g., pipeline, energy). Ultimately, an overlay may be produced for a specific system (e.g., the XYZ company). These mappings and recommendations provide a solid foundation for tailoring and aligning with your enterprise needs.

This marks a significant milestone! This guide serves as the starting point for measuring risk comprehensively across diverse technologies and requirements. The NIST SP 800-82r3 provides OT guidance for implementing the NIST Risk Management Framework (RMF). The guideline provides a table of recommendations for “applying the RMF to OT and includes a brief description of:

  • each step and task
  • the intended outcome of each task
  • task mappings to other standards and guidelines applicable to OT (e.g., the Cybersecurity Framework and IEC 62443), and
  • OT-specific implementation guidance. Some tasks are optional, and not all tasks include OT-specific considerations or guidance.”

This is where we "frost the cupcakes."

(I promise, this will be my last cupcake analogy ;-) Just as we witnessed with the emergence of NIST 800-53 in 2005, there is now an accessible and understandable mapping to what was once an isolated process (sometimes, not so long ago, quite literally). The "frosting" will encompass further refinement of the recommendations and many emerging capabilities as best-of-breed products integrate their functionalities. As happened in IT, we will witness the emergence of new categories of OT cybersecurity capabilities and tools.

Just like in 1994 (when the CISSP certification was released, legitimizing Security as a career path), the opportunity to drive OT cybersecurity forward lies in our hands. We can do better this time. We can recognize and bridge the gap intelligently and purposefully. Coalitions, alliances, and partnerships, such as the JCDC, along with strategic corporate alliances, can help control the ebb and flow from isolated point solutions to consolidated capabilities, objectives, and additional standards.

With increasing OT cybersecurity awareness and the increased targeting of critical infrastructure, technologists, cybersecurity professionals, and process control engineering personnel who thoroughly comprehend the capabilities and constraints across both IT and OT cybersecurity will possess a highly sought-after skill set. There will be a logical division of talent requirements, with the major certifications serving as a guide to roles and responsibilities. Professional services organizations prepared to deliver IT and OT cybersecurity solutions offer an exceptionally low-risk pathway to fine-tune your comprehensive IT and OT cybersecurity program. Looking at OT SOC services, there will be more business use cases for OT-specific SOCs (even if only as a logical SOC function), remote SOCs, and MSSP services.

OT SOC certification paths and high-level roles (Liebig, 2023)

The message that "there is more definition in process and OT Cybersecurity is a serious specialty within the cybersecurity field" needs to be integrated into our STEM programs and presented as a viable career choice or path – the "OT Cyber-defender." I wonder (and, dare say, challenge) if perhaps ISC2, ISACA, or GIAC would consider introducing one more certification that bridges the gap between IT and OT and supports this go-between activity as a cyber-skill/specialty.

