How to improve your OT cyber security maturity
With daily reports of OT security breaches and imminent changes to local legislation, it has never been more important for businesses to review their security settings. This can seem overwhelming, but no matter what your business’s size, it should be guided by three basic questions.
What is your baseline security level?
Every organisation, big and small, should know its OT security posture. Conducting a security health check is fundamental to ascertaining your organisation’s baseline with regard to processes, technology and people.
Establishing a baseline enables you to benchmark your organisation against international best-practice frameworks for ICS security management, such as ISA/IEC 62443 or C2M2.
Standards and requirements will differ according to industry, particularly when the federal government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020 takes effect mid-year, expanding the scope to 11 sectors now deemed “critical”. Knowing where you stand now is important in understanding where you need to be.
What is most at risk?
If a baseline health check provides a helpful macro view, a security risk assessment enables organisations to narrow their gaze to focus more closely on immediate threats.
A thorough risk-based approach allows organisations to categorise and prioritise threats against their baseline, accounting for security deficiencies, likelihood of attack and potential impact.
Just like a hospital emergency department, triaging threat levels enables organisations to plan for and mitigate the most critical threats.
Is everyone on the same page?
The best analysis and planning in the world won’t lead you to your destination if no one has a road map.
Aligning internal stakeholders along the journey to improved OT cyber maturity is critical to success. The interconnectedness of businesses today requires a multidisciplinary response, with the security team, engineers and, where relevant, the IT team working together seamlessly to uplift security levels.
The overarching objective must be clearly understood by all departments, with clear lines of communication and a shared understanding of responsibilities and required resources, both staffing and financial.
While these considerations may seem straightforward on paper, many organisations will lack the maturity and OT expertise to undertake such tasks. Additionally, experience has shown that internal reviews are often not successful in detecting system vulnerabilities, and organisations understandably lack awareness of the many and varied threat actors in the space.
Secolve can assist in reviewing your cyber security needs and hardening your OT defences, guiding you through the next steps to ensure compliance with the government’s new legislation. Get in touch to learn how we can help.