KPIs help gauge cybersecurity at Saudi Aramco

Jim Montague

Just like other parameters and processes in control and automation, cybersecurity can also be measured to determine correct and effective action.

"We implement a lot of controls in our plant, and cybersecurity is very new in comparison, but we still have to consider it," said Khalid Al-Ghamdi, engineering consultant, Process Automation Systems division, Process Control and Systems department, Saudi Arabian Oil Co. (Saudi Aramco). "Management mainly asks, 'Are we safe?' So we buy some cybersecurity software, but we still scratch our head because we're not completely certain."

Al-Ghamdi presented "Measuring effectiveness of operations technology (OT) cybersecurity controls" at the 2019 Emerson Global Users Exchange in Nashville, Tenn.

Why and what?

To develop a successful cybersecurity program and protections, Al-Ghamdi reported that several questions must be answered, namely: Why measure? What to measure? How to measure? And who needs to do what?

"Cybersecurity has to be justified by some increase in revenue, and we're in a world of key performance indicators (KPIs), so we have to measure to manage and evaluate the effectiveness of cybersecurity control implementations," explained Al-Ghamdi. "We also have to measure cybersecurity because it helps transform technical jargon into business-friendly terms, keeps management involved, turns good data into good decisions, justifies investments if needed, and builds a foundation for KPIs about cybersecurity."

Al-Ghamdi added that cybersecurity metrics should be focused on things users want to measure, and deciding where to focus should be based on previous gap assessments and on applicable regulatory requirements or policies. "If you don't know where to focus, then start simple, capitalize on available expertise, go for some quick wins, and use an iterative model," said Al-Ghamdi. Standards and guides that can anchor such metrics include:

  • IEC 62443, Industrial Network and System Security;
  • NIST SP 800-53, Security Controls;
  • NIST SP 800-55, Performance Measurement Guide for Information Security; and,
  • NIST SP 800-82, Guide to Industrial Control Systems Security.

Individual applications, facilities and organizations decide what cybersecurity metrics to measure based on technical, procedural and/or environmental controls, such as number of incidents, incident response procedure (IRP), door access controls, etc. "They also decide what to measure based on business impacts," added Al-Ghamdi. "These can include industrial control system/operations technology (ICS/OT) group vs. enterprise metrics, and compliance vs. gaps."

How to measure

Al-Ghamdi reported there are at least five basic steps needed to develop and implement an effective cybersecurity metrics program. They include:

  • Identifying metrics by deciding on business goals; knowing your audience; starting small and building as you evolve; choosing scalable metrics that are understandable to a non-technical audience; and, making sure any given metric answers a question for decision-makers.
  • Identifying required data sources to populate metrics; building a baseline of existing resources, such as number of servers, printers, workstations, network devices, etc.; and, using the baseline for all metrics.
  • Implementing metrics by automating collection of data wherever possible; building an Excel sheet for constituent parameters and formulas, such as number of backups and total supported systems; and, preserving collected information for each metric.
  • Presenting results by consolidating all relevant information into a report; presenting information in a graphical format; making metrics clear to the intended audience; and, ensuring sustainability of the collected data.
  • Adjusting and updating metrics by gauging progress after one year (at most); seeking audience feedback for improvements; adjusting underlying formulas to scale—and recognizing that 100% cybersecurity isn't the primary objective.

"Complete cybersecurity can't be the goal because it can't be achieved—potential probes, intrusions and attacks are always evolving," said Al-Ghamdi. "This means cybersecurity must be always evolving, too, and KPIs must be measured month to month."

In addition, Al-Ghamdi recommended tracking the following eight KPIs and metrics for OT cybersecurity in a given environment:

  • How many cybersecurity incidents occur during one year?
  • What percentage of systems in the environment have backups available?
  • What percentage of the environment is in compliance with patching policy?
  • How well are endpoints protected by antivirus software, an intrusion prevention system (IPS), etc.?
  • What percentage complies with international best practices, such as firewall or network configuration hardening?
  • How many cybersecurity awareness sessions were conducted in one year?
  • How many disaster recovery and cybersecurity drills were conducted during one year?
  • How many active system administrators are there?

"Once these and other applicable KPIs are established and their data is gathered, they can be aggregated to come up with one number that's easy to understand, such as a percentage level of cybersecurity that can be compared," added Al-Ghamdi. "For instance, if you're 88% cybersecure one month and 86% cybersecure the next month, you can drill down to find out what needs to be addressed. However, because people tend to relax over time, each facility also needs cybersecurity awareness sessions and drills. Plus, they also need to have enough plant administrators for cybersecurity, so one is always around when needed."

Al-Ghamdi also suggested using a simple weighted formula for network security, which he defined as:

Network security = (# of network devices with hardened configurations / total # of network devices) x 70% + (# of certified firewall policies / total # of firewall policies) x 30%
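The spreadsheet described in the implementation step (constituent counts such as number of backups over total supported systems), the roll-up into one comparable percentage with month-to-month drill-down, and the 70/30 network security formula above can be tied together in a few dozen lines. The following is an added example written for this page, not code from the article or from Saudi Aramco: the 70/30 network split is the one the article quotes, while the composite weights, the KPI names and the two months of inventory counts are constructed assumptions chosen so the result reproduces the 88% to 86% drop Al-Ghamdi uses as his illustration.

```python
"""Weighted OT cybersecurity KPI roll-up with month-to-month drill-down.

Added example, not code from the article or from Saudi Aramco. The 70/30
network-security weighting is the one quoted in the article; the composite
weights, KPI names and the monthly counts below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ratio:
    """One KPI as numerator/denominator, e.g. systems with backups / total systems."""
    name: str
    numerator: int
    denominator: int

    def value(self) -> float:
        # A zero denominator means the baseline inventory (step 2) is missing.
        if self.denominator <= 0:
            raise ValueError(f"{self.name}: empty baseline, cannot compute ratio")
        if not 0 <= self.numerator <= self.denominator:
            raise ValueError(f"{self.name}: count {self.numerator} outside 0..{self.denominator}")
        return self.numerator / self.denominator


def network_security(hardened, total_devices, certified, total_policies) -> float:
    """The article's formula: 70% hardened network devices + 30% certified firewall policies."""
    hardening = Ratio("hardened network devices", hardened, total_devices).value()
    policies = Ratio("certified firewall policies", certified, total_policies).value()
    return 0.7 * hardening + 0.3 * policies


# Composite weights are an assumption for illustration; they must sum to 1.
WEIGHTS = {"backups": 0.25, "patching": 0.25, "endpoint": 0.20, "network": 0.30}


def month_metrics(counts: dict) -> dict:
    """Turn raw inventory counts for one month into constituent KPIs in 0..1."""
    return {
        "backups": Ratio("systems with backups", counts["backed_up"], counts["systems"]).value(),
        "patching": Ratio("systems meeting patch policy", counts["patched"], counts["systems"]).value(),
        "endpoint": Ratio("endpoints with AV/IPS", counts["protected"], counts["endpoints"]).value(),
        "network": network_security(counts["hardened"], counts["net_devices"],
                                    counts["certified"], counts["policies"]),
    }


def composite_score(metrics: dict, weights: dict = WEIGHTS) -> float:
    """Aggregate constituent KPIs into the single percentage management asks for."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1")
    missing = set(weights) - set(metrics)
    if missing:
        raise ValueError(f"metrics not collected this month: {sorted(missing)}")
    return round(100 * sum(weights[k] * metrics[k] for k in weights), 1)


def drill_down(prev: dict, curr: dict, weights: dict = WEIGHTS) -> list:
    """Attribute the month-to-month change to each KPI, worst contributor first.

    Each entry is (kpi, change in composite points); the entries sum to the
    change in composite_score, so a drop can be traced to its cause.
    """
    contrib = {k: round(100 * weights[k] * (curr[k] - prev[k]), 1) for k in weights}
    return sorted(contrib.items(), key=lambda kv: kv[1])


# Constructed sample inventory for two consecutive months (not real plant data).
MONTH_1 = dict(systems=200, backed_up=190, patched=160, endpoints=150, protected=135,
               net_devices=40, hardened=35, policies=16, certified=14)
MONTH_2 = dict(systems=200, backed_up=170, patched=164, endpoints=150, protected=135,
               net_devices=40, hardened=35, policies=16, certified=14)

if __name__ == "__main__":
    m1, m2 = month_metrics(MONTH_1), month_metrics(MONTH_2)
    print(f"month 1: {composite_score(m1)}%  month 2: {composite_score(m2)}%")
    for kpi, delta in drill_down(m1, m2):
        print(f"  {kpi:<9} {delta:+.1f} points")
```

Two design points matter more than the arithmetic. First, every KPI is a ratio against the baseline inventory, so a missing or zero denominator is rejected rather than silently scoring 0% or 100%; a metric that cannot be populated should show up as a gap, not as a number. Second, the drill-down reports each KPI's contribution in composite points, so the two-point drop from 88% to 86% is immediately attributed to backups (-2.5 points) partly offset by patching (+0.5), which is exactly the "what needs to be addressed" question the single number is meant to prompt.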

Once the results of these KPIs and other statistical indicators for cybersecurity are collected, Al-Ghamdi advised assigning the tasks for addressing them to specific roles and departments, and documenting who owns what. Those he named include:

  • Chief information security officer (CISO) and governance, risk and compliance (GRC) function;
  • Plant administrators;
  • Network management systems (NMS) administrator;
  • Security operations center (SOC)/security information and event management (SIEM); and,
  • A responsible, accountable, consulted, informed (RACI) matrix to record each role's part in every task.

"It's also essential to keep going with cybersecurity," concluded Al-Ghamdi. "Once we populate our KPIs and other tables, we can see where problems are happening and manage them. However, because this is a learning curve, we also have to go back every six months, and see what else we have to do. It helps to remember that it took process safety about 140 years to push into the process industries and become mature, and cybersecurity is still at an early stage."