In recent decades, there has been an unprecedented process of digitalisation of society, both in the workplace and at the personal level. All companies were interested in obtaining the latest equipment to facilitate tasks and increase their productivity. This process had security consequences, since the new communication requirements and needs meant greater exposure of information. It was understood that security had to be taken very seriously and that policies had to be applied that allowed for the safe and responsible use of technology.
What is a cybersecurity policy?
It is a document derived from regulations, standards and good practice guides, in which the plans, procedures and processes that dictate how a company should protect its information and its assets are set out. Given its nature, it is usually considered a living document, which means that it is constantly changing and expanding as technology advances, the company grows, and the lessons learned from responses to recent incidents are added. The main objective of this document is to preserve the confidentiality and integrity of the information, as well as the availability of the systems, now also including the ICSs. It should primarily consider the way in which the company's employees interact with the company's other policies and inform them of their responsibilities, in order to protect the assets and information owned by the company.
The company's cybersecurity policy is usually a fairly generic document based on the rest of the policies, including:
- Access control.
- Classification and management of information.
- Physical and environmental security.
- Proper use of assets.
- Information transfer.
- Mobile devices.
- Restrictions on the use and installation of software.
- Backup copies.
- Protection against malicious software.
- Vulnerability management.
- Relationships with suppliers.
- Management of cybersecurity incidents.
- Business continuity plan.
- Cybersecurity training and awareness-raising.
- Security of operations.
These policies may be applicable to both OT and IT systems, so it is necessary to adapt them to the ICSs and to the type of process of each industry, considering their particular characteristics. For example, the physical security policy should cover situations in which there are remote stations in the process, such as in a wind farm, where they could be accessible to anyone outside the company.
Why should I have a cybersecurity strategy in my industry?
There are many aspects that make it necessary to have a clear cybersecurity strategy in an industry, since several of them make industries increasingly similar to traditional IT organisations. The most notable of these include:
- Industries' dependence on the network infrastructure in their production processes.
- Malicious software as a first-level threat.
- Any business can be attacked in these ways.
- The existence of specific known cases for control systems.
- Cybercrime has become very lucrative and big business, especially following the boom in the cybercrime-as-a-service business model.
- Cybercrime as a service, which facilitates illegal activities on the network by providing ready-made services.
Underlining this need, it is estimated that the cost of cybercrime will increase to 6 billion dollars by 2021. Cybercrime has become a matter of great importance, especially if we consider the added danger of disruption to systems belonging to critical infrastructures.
In addition to protecting a company against cyber threats, having a security policy brings, among others, the following benefits:
- It contributes to the company's purposes. It plays a very important role in a company's decisions and helps it achieve its objectives.
- It helps the company meet the highest quality standards and the good practice guides.
- It allows employees working in ICS environments and critical infrastructure to feel safe in their workspace.
- It helps protect business productivity.
- It inspires trust in customers, since having a good cybersecurity policy is a clear sign that their data and orders will be stored and handled as securely as possible. This point also involves avoiding possible legal claims arising, for example, from the loss of classified information.
Keys to a good cybersecurity strategy
Here are some keys to help develop a correct cybersecurity strategy:
- Develop policies and procedures that are appropriate to the industry: First, the most important elements for the production process should be identified, as well as the way in which employees interact with them. At this point, the company's definition of cybersecurity should be set out, together with its objectives, based on the prior identification of the assets to be protected and their importance to the production process. These policies can be divided mainly into three branches:
- Prevention: for good cybersecurity control. For example, access control, identification and authentication, security of communications, etc.
- Detection: identify deviations that may occur, as well as breaches or attempted breaches of security.
- Recovery: once a cybersecurity incident has been detected, this measure will be applied to restore normal operation. For example, business continuity.
Figure: Process for including a new policy.
- Organisation of security: in all companies, countless tasks are carried out, some related to the main business and others focused on the maintenance of the company itself and its facilities. Therefore, it is important to structure a network of personnel responsible for cybersecurity in their respective fields. They should be appointed by the managers of each department and will be responsible for providing their subordinates with clear guidelines on how to bring cybersecurity to their respective department. They will also be the people who will be answerable to the company's management if their department suffers a cybersecurity incident. In addition, it is very important that those responsible, as well as management, show commitment to the established cybersecurity policies, in order to set an example and encourage their employees to follow them.
- Establish a cybersecurity culture: it is vital for maintaining and complying with the policies. This measure includes, among others, the following actions:
- Applying and improving policies in line with the changes in the company, as well as on the basis of the incidents that may have occurred, because more is learnt from mistakes than from successes.
- Developing an effective training plan for employees, in which they are taught basic concepts about computer security, tools and good practice, such as applying physical security controls (authorised access, accompanying visitors, etc.), adequate protection of personal equipment, the risks and the use of mobile devices, and the methods to recognise social engineering attacks. The training must be in accordance with their functions; that is, the training given to an administrative officer will be different from that given to a technician working with ICSs.
- Executing a continuous awareness plan through informative actions and short informative pieces. The aim is for employees to want to comply with the policies, since it must never be forgotten that the employee is the most important link in the company's security chain.
- Making the manager of each department responsible for the implementation and supervision of the policies, carrying out regular internal audits, monitoring the frequently used resources and systems, and informing their employees about the monitoring methods used by the company.
- Having a business continuity plan: it must be mandatory in companies that operate Industrial Control Systems or that are designated as critical infrastructures, where maintaining system availability is vital. This plan should set out the recovery objectives in case of service disruption, which includes a detailed evaluation of the criticality of each element that makes up the production system, in order to establish an order of recovery for the process. An analysis of the impact and consequences associated with an incident in each system must also be made. As mentioned above, there must be a designated cybersecurity team that ensures business continuity, where priority must be given to the ICSs in order to restore operations.
As we have seen in this article, cybersecurity must be a priority issue for all industries, regardless of the sector in which they operate. The cost of suffering a cyberattack is increasing, as attacks are becoming more sophisticated and destructive. Therefore, it is necessary to take measures in this regard and to have a clear cybersecurity strategy, consistent with the production business and comprehensible enough to be applied to the entire control system.