Just like other parameters and processes in control and automation, cybersecurity can also be measured to determine correct and effective action.
"We implement a lot of controls in our plant, and cybersecurity is very new in comparison, but we still have to consider it," said Khalid Al-Ghamdi, engineering consultant, Process Automation Systems division, Process Control and Systems department, Saudi Arabian Oil Co. (Saudi Aramco). "Management mainly asks, 'Are we safe?' So we buy some cybersecurity software, but we still scratch our head because we're not completely certain."
Al-Ghamdi presented "Measuring effectiveness of operations technology (OT) cybersecurity controls" at the 2019 Emerson Global Users Exchange in Nashville, Tenn.
To develop a successful cybersecurity program and protections, Al-Ghamdi reported that several questions must be answered, namely: Why measure? What to measure? How to measure? And who needs to do what?
"Cybersecurity has to be justified by some increase in revenue, and we're in a world of key performance indicators (KPIs), so we have to measure to manage and evaluate the effectiveness of cybersecurity control implementations," explained Al-Ghamdi. "We also have to measure cybersecurity because it helps transform technical jargon into business-friendly terms, keeps management involved, turns good data into good decisions, justifies investments if needed, and builds a foundation for KPIs about cybersecurity."
Al-Ghamdi added that cybersecurity metrics should be focused on things users want to measure, and deciding where to focus should be based on previous assessments of gaps and regulatory requirements or policies. "If you don't know where to focus, then start simple, capitalize on available expertise, go for some quick wins, and use an iterative model," said Al-Ghamdi. Some of these regulatory requirements and guides include:
Individual applications, facilities and organizations decide what cybersecurity metrics to measure based on technical, procedural and/or environmental controls, such as number of incidents, incident response procedure (IRP), door access controls, etc. "They also decide what to measure based on business impacts," added Al-Ghamdi. "These can include industrial control system/operations technology (ICS/OT) group vs. enterprise metrics, and compliance vs. gaps."
Al-Ghamdi reported there are at least five basic steps needed to develop and implement an effective cybersecurity program. They include:
"Complete cybersecurity can't be the goal because it can't be achieved—potential probes, intrusions and attacks are always evolving," said Al-Ghamdi. "This means cybersecurity must be always evolving, too, and KPIs must be measured month to month."
In addition, Al-Ghamdi recommended using the following eight KPIs and matrices for OT cybersecurity in a given environment:
"Once these and other applicable KPIs are established and their data is gathered, they can be aggregated to come up with one number that's easy to understand, such as a percentage level of cybersecurity that can be compared," added Al-Ghamdi. "For instance, if you're 88% cybersecure one month and 86% cybersecure the next month, you can drill down to find out what needs to be addressed. However, because people tend to relax over time, each facility also needs cybersecurity awareness sessions and drills. Plus, they also need to have enough plant administrators for cybersecurity, so one is always around when needed."
Al-Ghamdi also suggested using a simple formula for network security, which he defined as: Network security = (# of network devices with hardened configurations / total # of network devices) x 70% + (# of certified firewall policies / total # of firewall policies) x 30%
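The network security formula above, worked through in code so the month-to-month comparison and drill-down described earlier can be seen on real inventory data. This is an added example, not code from the presentation or from Saudi Aramco; the 70/30 weighting is the one stated in the text, while the device names, firewall policy names and their hardening/certification status are constructed sample data.

```python
"""Worked example of the network-security KPI: hardened-device ratio x 70%
plus certified-firewall-policy ratio x 30%, tracked month to month.
Added example; inventories below are constructed, not real plant data."""

HARDENING_WEIGHT = 0.70   # weight of the hardened-configuration ratio (from the formula)
POLICY_WEIGHT = 0.30      # weight of the certified-firewall-policy ratio (from the formula)


def inventory(names, failing):
    """Map each asset name to True if it passes its check, False if it is in `failing`."""
    return {name: name not in failing for name in names}


# Constructed asset names (assumed, not from the page).
DEVICE_NAMES = ["sw-core-01", "sw-core-02", "sw-edge-01", "sw-edge-02", "rtr-dmz-01"]
POLICY_NAMES = [f"fw-policy-{i:02d}" for i in range(1, 11)]

# Month 1 snapshot: 4 of 5 devices hardened, 8 of 10 firewall policies certified.
MONTH1_DEVICES = inventory(DEVICE_NAMES, failing={"sw-edge-02"})
MONTH1_POLICIES = inventory(POLICY_NAMES, failing={"fw-policy-03", "fw-policy-08"})

# Month 2 snapshot: rtr-dmz-01 drifted out of its hardened configuration, a new
# unhardened switch was added, and one more policy was certified.
MONTH2_DEVICES = inventory(
    DEVICE_NAMES + ["sw-edge-03"],
    failing={"sw-edge-02", "rtr-dmz-01", "sw-edge-03"},
)
MONTH2_POLICIES = inventory(POLICY_NAMES, failing={"fw-policy-03"})


def compliance_ratio(checks):
    """Fraction of assets passing their check. An empty inventory is a data
    error (nothing was measured), not a 100% score, so refuse it explicitly."""
    if not checks:
        raise ValueError("empty inventory: nothing was measured")
    return sum(1 for ok in checks.values() if ok) / len(checks)


def network_security_score(devices, policies):
    """Apply the formula from the text and return the score as a percentage."""
    score = (compliance_ratio(devices) * HARDENING_WEIGHT
             + compliance_ratio(policies) * POLICY_WEIGHT)
    return round(score * 100, 1)


def drill_down(devices, policies):
    """Name the assets pulling the KPI down, so the gap can be assigned to someone."""
    return {
        "unhardened_devices": sorted(n for n, ok in devices.items() if not ok),
        "uncertified_policies": sorted(n for n, ok in policies.items() if not ok),
    }


def monthly_report(prev, curr):
    """Compare two (devices, policies) snapshots: previous score, current score,
    the change, and the findings behind the current number."""
    prev_score = network_security_score(*prev)
    curr_score = network_security_score(*curr)
    return {
        "previous": prev_score,
        "current": curr_score,
        "delta": round(curr_score - prev_score, 1),
        "findings": drill_down(*curr),
    }


if __name__ == "__main__":
    report = monthly_report((MONTH1_DEVICES, MONTH1_POLICIES),
                            (MONTH2_DEVICES, MONTH2_POLICIES))
    print(f"Network security: {report['previous']}% -> {report['current']}% "
          f"({report['delta']:+}%)")
    for category, names in report["findings"].items():
        print(f"  {category}: {', '.join(names) or 'none'}")
```

With the constructed data the score drops from 80.0% to 62.0%, and the drill-down shows why: two existing devices and one newly added switch lack hardened configurations. A new device arriving unhardened is exactly the kind of regression a monthly KPI is meant to surface before an audit does.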
Once the results of these KPIs and other statistical indicators for cybersecurity are collected, Al-Ghamdi advised assigning tasks for addressing them to several primary job descriptions and departments that can be established, including:
"It's also essential to keep going with cybersecurity," concluded Al-Ghamdi. "Once we populate our KPIs and other tables, we can see where problems are happening and manage them. However, because this is a learning curve, we also have to go back every six months, and see what else we have to do. It helps to remember that it took process safety about 140 years to push into the process industries and become mature, and cybersecurity is still at an early stage."