The union of the IT and OT worlds is unstoppable, which means that the cybersecurity strategy, traditionally focused on the IT field, must now include aspects related to the industrial world. Having a good cybersecurity strategy is essential for IC systems to survive in this new era.
A specialized blog with informative content aimed at a technically minded audience, intended to improve knowledge and build a culture of Internet security.
Post related to: Policies
Manufacturers have an essential role in improving the cybersecurity of their devices. These improvements will not only affect the devices themselves; they will also improve the cybersecurity of the industrial infrastructure where the new security provisions and functions of the manufacturers' automation and control solutions (e.g. SCADA, PLC, etc.) are introduced.
The problems arising from applying patches in industrial settings have led operators to reject them. For years patches were practically abandoned, but thanks to the support from security companies and IT departments they are now receiving their due credit.
Having analysed the "why" behind the cybersecurity capacities evaluation model in the first entry dedicated to the C4V model, and having explained how to manage risks in the value chain appropriately in the second edition, this third edition is dedicated to explaining how to carry out a self-evaluation.
As explained in the first post of this series dedicated to the C4V model, the cyber security level of outsourced services is key to assessing the cyber security capabilities of any organisation. It is no use increasing the cyber security levels of an organisation if its suppliers' levels are not as high because, it goes without saying, "security is as strong as its weakest link".
The outsourcing of processes is not something we can consider new. In fact, the contrary is true. And in particular, in terms of how it applies to ICT (Information and Communication Technology), it is common for at least part of our systems to be accessed by third parties or managed directly by third parties.
These days, many companies provide services which are vital and strategic for those who run a country, so any disruption or destruction of these services would have a serious impact on the essential services delivered to the inhabitants. The Spanish PIC law (Protection of Critical Infrastructure) 8/2011 of April 28th classifies as critical the sectors of Administration, Chemical Industry, Information Technology and Communications (ITC), Energy, Financial and tax systems, Food supplies, Health, Investigative systems, Nuclear Industry, Space, Transport and Water. Thus, the companies that manage infrastructures relating to these sectors play a vital role, since they have the responsibility for protecting them.
The well-known motto "there is strength in numbers" perfectly describes the benefits of collaboration and knowledge sharing on cyber threats. The concept of Information Sharing brings us the idea of establishing methods to share and take full benefit of the knowledge gathered among all actors. Among these partners, CERTs and security companies play a key role in defining consensus documentation and the pathway for sharing knowledge effectively.