Virtually any discussion about securing operations and automation systems arrives at the question of how to affirm the performance and effectiveness of the cybersecurity program. Independent certification of product or system capability and expertise is a valuable tool for the end user as they determine how to best secure their systems. However, it is not a panacea, or even fully adequate for the task. A complete response to this question must address the three major elements of any such program—generally described as people, process, and technology.
Lack of applicable guidance is generally no longer the issue. On the contrary, many stakeholders are most challenged by the need to choose from several possible sources. In addition, standards are intended to be used as references, supported by associated guidance and practical examples. These examples can take the form of representative case studies or use cases that allow the reader to interpret and extrapolate successful examples to their situation.
Considerable effort has gone into the development of frameworks, standards, and recommended practices. These may be sector-specific, or more general in focus to allow broader application. While essential for setting minimum expectations, they are usually not sufficient to fully address the needs associated with securing operations systems.
How to respond
A solid understanding of the principles, concepts, and terminology is an essential prerequisite, but this is not solely sufficient for the development of an effective cybersecurity program. While there are many possible approaches for accomplishing this, most share several common elements.
As obvious as this may sound, the first element is the identification of clear objectives for the proposed program. Several of these are possible, and each requires a slightly different response.
Perhaps the simplest and most compelling is compliance, typically to a specific regulation or set of external requirements. In regulated industries these may have already been defined by the regulatory body. Examples include the CIP standards defined by NERC, or the CFATS standards for the chemical industry. While compliance is generally forced by an external entity like a government agency or industry group, conformance is voluntary adherence to a standard, rule, specification, requirement, design, process, or practice. It most commonly takes the form of meeting the normative requirements defined in an industry standard.
Regardless of how the objectives are stated, it is very important to understand that neither compliance nor conformance will necessarily make the system secure in any absolute sense. Security is a matter of degree: no matter how much is done, intrusions may still occur, and further improvements may be required.
Even if neither compliance nor conformance is the goal, there may still be a desire to reduce the risk of cybersecurity incidents. Regardless of whether the ultimate objective is compliance or conformance, an effective program almost certainly requires a detailed risk assessment. Risk management is an established discipline, and there are many suitable methodologies that may be used, including the approach detailed in the ISA/IEC 62443-3-2 standard.
Once there is a firm grasp of the risks faced, it is possible to identify the most appropriate specifications to be used as the basis for certification. In situations such as regulated industries, this step may be relatively straightforward, as the regulation can also define the specification that must be used.
Recommendations
The end user must take the steps necessary to fully understand and appreciate the implications associated with available certifications. This applies to both certifications of products as well as experts retained to provide services.
Use certifications of expertise to determine the qualifications of individuals retained to provide security-related services. Before doing so, it is prudent to understand the basis of these credentials, since not all courses and training programs are of the same quality. It is particularly important to confirm that the supporting curricula adequately address the characteristics and constraints that are specific or unique to industrial systems.
Before pursuing any such certification, suppliers must fully understand the potential benefits. In some cases, they may be seen as essential qualifications to enter a market, while in other situations they may provide a competitive differentiator.
Finally, it’s important to understand that there may be other important goals driving a desire to certify products or systems. It is essential that these be identified and quantified as part of the basis for the cost and effort required.