By Tony Mannion, Sales Development Manager, SolutionsPT
I have been reflecting recently as the number of assessments we carry out for customers has been increasing. You wouldn’t normally set off on a journey without knowing where you hope to end up; if you did, you would waste a lot of fuel and time along the way. So why do people do exactly this on their cyber security journey?
I see so many customers who have invested quite heavily in technology to protect their environments, only to find that it hasn’t delivered the benefits they were expecting. Digging a bit deeper, the cause is often that the solution was deployed to address one area of concern rather than forming part of an overall policy.
This approach can lead to a site with many systems deployed, each creating management overhead, while fundamental gaps that leave the network vulnerable remain. To plug those gaps a new technology is identified, and the merry-go-round starts again.
Give and get
We often get asked to review an architecture to ensure that it is compliant with a standard or regulation. Because most control systems carry a web of dependencies, it is virtually impossible to declare one part of the plant compliant in isolation. And because compliance relies on much more than the physical architecture, we need to understand the company’s cyber culture as much as the specified endpoint protection.
Assessments are just that: a snapshot in time indicating the health and maturity of a deployment. The more detail you give, the more feedback you’ll get.
Security starts at the top. Is there stakeholder buy-in, and if so, do policies and procedures underpin and support that commitment? Good security is about people, process, and technology.
Keep it simple and straightforward
K.I.S.S. was the approach of the late Kelly Johnson, lead engineer at the Lockheed Skunk Works (the organisation responsible for the SR-71 Blackbird spy plane, amongst many other notable achievements), and echoes Albert Einstein, who stated, “make everything as simple as possible but not simpler”. Our methodology for industrial cyber security follows these core principles to apply appropriate protection and controls that are frictionless to end users.
Our approach is not rocket science. It is built on deep domain understanding: making the best use of what you already have, identifying how your approach needs to change, and only then backfilling with suitable and appropriate controls and technology.
Security for Critical National Infrastructure (CNI) is very different to that of a widget factory; however, we apply our skills across all verticals to ensure that you have the best level of protection for your risk profile that fits within your budgetary constraints.
When we undertake assessments, we strive to provide advice and insight based on the evidence we gather. Where copies of your data can be provided, we can contextualise them within our findings and recommendations. An assessment based only on your own understanding of the environment sometimes doesn’t reflect what is really happening on the network. By combining your data with our experience, we can provide not only insight but a spotlight on risks and issues that you never considered or knew existed.
Critical feedback
From the feedback I have had from our customers, one of the biggest benefits following an assessment is that they can easily identify, at a high level, the changes required to increase the resilience of their systems, and how to implement them alongside policy and procedure changes so that they get the right return on their money. It also helps them get ahead of the issues instead of reacting when a situation arises.
Other feedback includes the benefit of having the assessment done by people who have deployed control systems and understand the practicalities as well as the cyber security risks. This helps to define solutions that achieve the goal without compromising operational efficiency. I have often heard companies complain that adding security layers slows down their ability to do their day job effectively. This doesn’t need to be the case.
Another benefit I hear is that it gives a great platform for communicating with the rest of the business. Being able to use a report to justify a proposed change helps to gain stakeholder buy-in. It has allowed companies to define their roadmap, communicate it effectively, and measure the success of the changes they have made.
If you are advancing your OT cyber security and wish to alleviate any concerns, get in touch to book an assessment.