2023白皮書解鎖工業(yè)環(huán)境中的網(wǎng)絡(luò)彈性：五大原則

UnlockingCyberResilienceinIndustrialEnvironments:FivePrinciples

WHITEPAPER

NOVEMBER2023

Images:Midjourney,GettyImages

Contents

Executivesummary

3

Introduction

4

1GuidingprinciplesforcyberresilientOTenvironments

7

2ActionableapproachestoimplementingOTcybersecurity

8

principles

3MonitoringtheimplementationofOTcybersecurityprinciples11

4EnablinginnovationinOT

12

Conclusion

14

Contributors

15

Endnotes

17

Disclaimer

Thisdocumentispublishedbythe

WorldEconomicForumasacontribution

toaproject,insightareaorinteraction.

Thefindings,interpretationsand

conclusionsexpressedhereinarearesult

ofacollaborativeprocessfacilitatedand

endorsedbytheWorldEconomicForum

butwhoseresultsdonotnecessarily

representtheviewsoftheWorldEconomic

Forum,northeentiretyofitsMembers,

Partnersorotherstakeholders.

?2023WorldEconomicForum.Allrights

reserved.Nopartofthispublicationmay

bereproducedortransmittedinanyform

orbyanymeans,includingphotocopying

andrecording,orbyanyinformation

storageandretrievalsystem.

UnlockingCyberResilienceinIndustrialEnvironments:FivePrinciples2

November2023

UnlockingCyberResilience

inIndustrialEnvironments:

FivePrinciples

Executivesummary

Thedigitalizationandconnectednessofindustrialenvironmentsisopeningupbusinessopportunitiesandenhancingoperationalefficiency.Atthesametime,itexposesorganizationstocyberattacksthatcanoffsetthesegains.

Today’sindustrialenvironmentconsistsof

operationaltechnologies(OT)which,accordingtosomesources,arelargelyoutdated.1Theyhaveinteroperabilityandconnectivitylimitations,and

weakornosecuritymanagementcapabilitiesandprocedures.2

TheincreasedconvergenceofOTwiththetraditionalITenvironmentisleadingtoanincreaseininherentvulnerabilities,whicharedoublingeveryyear.3

TheOTenvironmentisfundamentalforensuringthecontinuationofindustrialoperationsthatkeepglobaleconomiesandinfrastructuresrunning.ToimproveOTenvironmentsecurity,theWorldEconomic

Forumincollaborationwithpartnersfromthe

electricity,manufacturing,andoilandgasindustries,hasdevelopedalistofguidingprinciples.Combinedwithasetofbestpractices,theseaimtohelpcyberleadersensureacyberresilientOTenvironmentforuninterruptedandefficientbusinessoperations.

Principle1:Performcomprehensiverisk

managementoftheOTenvironment.

Principle2:EnsureOTengineersandoperatorsofinstallationshaveresponsibilityforOTcybersecurity.

Principle3:Alignwithtoporganizational

leadership,strategicplanningteamsandthirdpartiestomakesecurity-by-designareality.

Principle4:MakecybersecuritystandardsandbestpracticescontractuallyenforceableonpartnersandvendorstobuildacybersecureOTenvironment.

Principle5:Runjointtabletopexercisestoensurepreparednessincaseofanactualincident.

Theseprinciplesandbestpracticescanhelp

organizationssafeguard,maintainandmonitor

theirindustrialOTenvironmentaswellasensure

businesscontinuity.WhilemanyorganizationsmayalreadyhavesomemeasuresinplacetoensureacyberresilientOTenvironment,sharedguidance

canhelpmanagecyberrisksattheecosystemleveltoincreasesystemicresilience.

UnlockingCyberResilienceinIndustrialEnvironments:FivePrinciples3

Since2021,themanufacturing

sectorhasbeen

themosttargeted,experiencing61%ofcyberattacks.Theoiland

gas(11%),

transportation

(10%)andutilities(10%)sectorshavebeennext.

Introduction

WhydoesOTcybersecurity

matter?

Theindustrialinfrastructureandoperations

landscapesareundergoingaprofound

transformationduetotechnologicalinnovation.Agrowingconvergenceofinformationtechnology(IT)andoperationaltechnology(OT)isdrivenbythe

rapidadoptionofcutting-edgetechnologieslike

bigdata,digitaltwinsandtheindustrialinternetofthings(IIoT).Thesetwodomainsareexpectedtobecomeincreasinglyintricateandinterconnectedovertime.Thisinexorableshiftisexemplified,in

part,bytheprojectedIIoTmarketgrowth,4whichisexpectedtosurgefromapproximately$85.5billionin2023tonearly$169.6billionby2028.

WhatisthedifferencebetweenITandOT?

Informationtechnologyreferstotechnologies

includingcomputersandnetworksthatstore,

processandtransmitinformation,whileoperationaltechnologyencompassesindustrialcontrolsystems(ICS)thatoperate,controlandmonitorindustrial

equipmentandprocesses.

ThegrowingsynergybetweenITandOT,commonly

referredtoasIT/OTconvergence,presents

numerousopportunitiesforindustrialorganizations.Theseincluderemotecontrol;real-timemonitoring;enhancedvisibilityofmachinery,plantsandassets;simplificationofanomalydetection;improved

operationalefficiencyandproductivity;andfasterdecision-makingprocesses.

However,thisnewfoundconnectivitybetweenOTdevicesandITnetworksalsoexpandsthecyber

risklandscape,introducingbothintentionaland

unintentionalcybersecuritythreats.Traditionally,theOTenvironmentremained“air-gapped,”meaningitwasnotconnectedtotheinternet,andexternalhardwareandremovablemedia(e.g.USBdrives)weretheprimarycybersecurityconcerns.Asthesetwoenvironmentsmerge,cybersecuritybreachescaninfiltratefromITtoOTthroughmeanssuchasinternetmalwareinfectionandunauthorizedaccessviamobiledevices.

Today,OTenvironments,inlargepart,relyonlegacytechnologiesbuilttoperformspecifictasksand

operatingonspecializedsoftwareandproprietary

protocols.Oftendesignedwithoutcybersecurity

inmind,manyoftheselegacysystemshavebeenproducedbynow-defunctmanufacturerswhose

softwareupdatesareinfrequentanddifficultto

implement,ultimatelyleavingthemexposedto

securitythreats.Infact,arecentstudybyMicrosoftfoundthat75%ofindustrialcontroldevicesare

unpatchedandfeaturehigh-severityvulnerabilities.5Otherthreatfactorsincludeimpropernetwork

segmentation–which,accordingtoDragos,

happenstobethecasefor50%oforganizations6–orpoorremote-accesspractices.

Maliciousactorsdonotshyawayfromexploiting

suchvulnerabilities.AreportbyMcKinseyshows

thatOTcybereventshaveincreasedby140%from2020to2021.7Ofthoseevents,35%sustained

physicaldamagewithanestimatedimpactof$140millionperincident.8Thatsaid,itisimportantto

notethatnotallindustriesareequallyimpacted

byOTattacks.Forinstance,since

2021

,9the

manufacturingsectorhasbeenthemosttargeted,experiencing61%ofcyberattacks.Theoiland

gas(11%),transportation(10%)andutilities(10%)sectorshavebeennext.

Organizationsinthemanufacturing,oiland

gas,andelectricityindustriesboredamages

amountingto$2.8milliononaveragein2021.10Inadditiontofinanciallosses(directlyfromthe

damageandfromrelateddowntime),dataand

intellectualpropertytheft,andreputationdamage,cybersecuritybreachesinOTenvironmentscanhaveconsequencessuchas:

–Damagetotheenvironment.

–Exposureofpeopleandpersonneltodangerousconditions.Gartnerpredictsthatby2025,

maliciousactorswillbeabletoweaponizetheOTenvironmenttocauseharmorlossoflife.11

–Reducedavailabilityandqualityofessential

goodsandservicesincludingenergy,healthcareandtransportation;thiscantriggerbehaviourssuchaspanic-buyingandstockpilingby

consumers.

–Legalandregulatoryviolationsresultinginfines,lawsuitsandregulatoryscrutiny.

–Implicationsfornationalsecurityandpublic

safety,giventhatOTisasignificantcomponentofcriticalinfrastructure,andanylevelof

cybersecurityriskcanbeconsideredcritical.

UnlockingCyberResilienceinIndustrialEnvironments:FivePrinciples4

FIGURE1Cyberincidentsintheoilandgasindustry

Stuxnet

Iran,2010

Firstdocumentedtargeted

cyberattackonindustrial

controlsystems(ICSs)to

exhibitphysicalconsequences

BlackEnergy

Ukraine,2015

Remoteintrusionsatthree

regionalelectricitydistributioncompaniescausedpower

outagesforapproximately225,000people

Industroyer2

Ukraine,2022

Version2ofthe2016

malwarecausedmultipledisruptionsofenergy

distributionand

transmissionoperations

Triton

SaudiArabia,2017

Deploymentofmaliciouscode

disabledsafetysystemsdesignedtopreventcatastrophicindustrialandphysicalaccidentsandcost$1trillion

SuncorEnergyCanada,2023

InJune2023,SuncorEnergy

sufferedacyberattack

impactingpaymentoperationsatPetro-CanadagasstationsacrossCanada.Customers

wereunabletousecreditcardrewardspointstocomplete

theirpurchases

2012

2016

2021

Today

2015

2017

2022

2023

2010

Shamoon

SaudiArabia,2012

WipermalwareaffectedseveralITmachinesthatdisruptedtheindustrialoilandgasoperations,withrecoverytakingmorethantwoweeks

Industroyer

Ukraine,2016

Malwarecreatedlargedisruptionsandpoweroutagesto20%ofKyivpopulation

Colonialpipeline

USA,2021

Ransomwarecrippledfuel

suppliesto50millionAmericansfor11days,costing$4.4millionandbranddamage

Europeanoilhubs

Europe,2022

CyberattackontheAmsterdam-Rotterdam-Antwerp(ARA)oil

hubsconsiderablydisruptedtheloadingandunloadingofre?nedproductcargoesacrossseveralEUcountries

FloridaWaterFacility

USA,2021

Malicioususeruppedthe

levelsofsodiumhydroxide

from100partspermillion

to11,100partspermillion,

impactingsafetyand

humanlives

.

–forinstance,whetherthesedevicesareobsoleteorsupported,theirvulnerabilitiesandwhattheyareconnectingto–bothintheITandOTenvironments.Organizationsshouldbeabletoinvestigatethe

systemsandprocessesineachzoneandproviderecommendedsecuritycontrols.

Supplychainandthird-partyrisk.

Astudyfoundthat40%ofOTcybersecurity

practitionersconsidersupplychain/thirdparty

accesstotheOTenvironmenttobeoneofthetopthreecybersecurityrisks.14Whereassuchconcernsmaybemotivatedbytheweakercybersecurity

practicesofthirdparties,OTcybersecuritycan

alsobecompromisedbydeliberatetamperingof

third-partyhardware,softwareorfirmware.Thiscanhappenduringthemanufacturing,distributionor

maintenanceprocesses.

Toensureastrongcybersecuritypostureacrossorganizationsandindustries,robustcybersecuritymeasuresmustbedevelopedandimplementedtoprotectbothITandOTenvironments.

Whataretheexisting

cybersecurityframeworksfortheOTenvironment?

OrganizationsarenotstartingfromscratchwhenitcomestoOTcybersecurity.Infact,anumberofcybersecurityframeworkshavealreadybeendevelopedfortheOTenvironment.

TheInternationalElectrotechnicalCommission(IEC)6244315isaninternationalseriesofstandardsthattacklecybersecurityforindustrialautomationand

controlsystems.TheNationalInstituteofStandards

Whatarethesourcesofrisks?

CybersecurityrisksintheOTenvironmentare

amplifiedbyseveraloverarchingissuesthatarenot

alwaystechnicalinnaturebutdependonfactors

suchascorporatecultureandgovernance.These

include:

Lackofemphasisoncyberissuesinoperations

andshortageofpersonnelforOTcybersecurity.

Humanerror–researchshowsthat79%ofOT

expertsconsiderhumanerrortobethegreatestrisk

forOTsystems.12Moreover,thecurrentonboarding

andtrainingofOTpersonneldonotsufficiently

ensurethattheyadoptappropriatepoliciesand

measuresforOTcybersecurity.

Uncleardelineationofprocessownershipand

prioritizationofrisks.

TheIT/OTconvergencehasblurredprocess

ownership,allowingfornocleardelineationof

responsibilitiesandobligationsbetweentheITand

OTteams.Inaddition,thetwoviewtheirpriorities

differently.FromtheITperspective,procedures

fordatasecurityandprivacyarecrucial,whereas

theOTteamplacesprimaryfocusonphysical

performanceandsafetyoffacilitiesandequipment.

Poordevice/assetvisibilityandrapid

introductionofnewassets.

Whilethecreationandmaintenanceofanasset

inventoryintheOTenvironmentisregardedasone

ofthetopsecuritycontrols,accordingtoDragos,13

asmanyas80%oforganizationslackedvisibilityof

theOTenvironmentin2022.Organizationsneedto

haveanoverviewofthedevicesintheirnetworks

UnlockingCyberResilienceinIndustrialEnvironments:FivePrinciples5

andTechnology(NIST)hasreleasedSP800-8216

–aguideonhowtoimprovethesecurityofOT

systems;whiletheEuropeanJointResearchCentrehasproposedaframeworkonIndustrialAutomationandControlsSystems(IACS)tosharepracticesonIACSproducts’cybersecuritycertifications.17

Otherexamplesofcybersecurityframeworks

applicabletotheOTenvironmentandbeyond

includetheNISTCybersecurityFramework18

aswellastheCybersecurityCapabilityMaturity

Model(C2M2).19Effortshavealsobeenmade

atthelocalleveltoenhanceOTcybersecurity.

Forinstance,SaudiArabiahasdevelopedthe

OperationalTechnologyCybersecurityControls.

Similarly,oilandgascompaniesontheNorwegiancontinentalshelffollowguidelinessuchasNOG

104,NOG110andNOG123,whileintheUS,theNorthAmericanElectricReliabilityCorporation’s

CriticalInfrastructureProtection(NERCCIP)andtheAmericanPetroleumIndustryPipelineSecuritystandardsareofrelevance.

WhilenumerousOTcybersecurityframeworks

areavailable,manyofthosereferencedhereare

extremelycomplicatedandrequirealotofeffort

toensureeffectiveimplementation,particularlyfor

third-partysuppliersandvendorsthatmaystruggletocomplyduetoresourcelimitations–humanor

financial.Thisobligatesindustrialorganizationsto

ensurethatthirdpartiesarecapableofapplyingandadheringtotheseframeworksandstandards.

NosilverbulletexistsforsuccessfulimplementationofOTcybersecurityframeworksandstandards.

Mostofthetime,industryplayersmustapplya

widerangeofframeworksandstandardstocoverdistinctpartsoftheirinfrastructure,suchaswaterpumpsandutilities.

Alotoftheabove-mentionedframeworksareveryfocusedontechnicalcontrols.Yet,OTgovernance,i.e.whoisresponsibleforcybersecurityinOTandhowitinterlockswithIT,remainsachallengefor

manyorganizations.

UnlockingCyberResilienceinIndustrialEnvironments:FivePrinciples6

1

GuidingprinciplesforcyberresilientOTenvironments

Theactiongroup“SecuringtheOTenvironment”conveningcyberleadersfromtheelectricity,

manufacturingandoilandgasindustriesaroundthetopicofOTcybersecurity,hasdeveloped

asetoffiveguidingprinciplestohelpindustrialorganizationsaddresscyberrisksandbuild

resilienceastheIT/OTconvergencecontinues.

Principle1

Principle2

Principle3

Principle4

Principle5

Perform

EnsureOTengineers

Alignwithtop

Makecybersecurity

Runjointtabletop

comprehensiverisk

andoperatorsof

organizational

standardsand

exercisestoensure

managementofthe

installationshave

leadership,strategic

bestpractices

preparednessincase

OTenvironment

responsibilityforOTcybersecurity

planningteamsand

thirdpartiestomake

security-by-designa

reality

contractually

enforceableon

partnersandvendors

tobuildacybersecure

OTenvironment

ofanactualincident

UnlockingCyberResilienceinIndustrialEnvironments:FivePrinciples7

2

Principle1

Principle2

ActionableapproachestoimplementingOT

cybersecurityprinciples

ToensurethesuccessfulimplementationoftheidentifiedOTcybersecurityprinciples,organizationsmustundertakeanumberofactionstotranslatetheoryintotangibleinstitutionalpractice.

PerformcomprehensiveriskmanagementoftheOTenvironment

Toincreaseoverallcybersecuritypreparednessandreducethepotentialandimpactofcyberattacks,

industrialorganizationsmusttakeacomprehensiveapproachtoriskmanagement.Thiscomprisesriskassessment–identificationofvulnerabilitiesand

gapsthatexposeanorganizationtoanattack,andofrisksthatcouldimpederecoveryandresilience–aswellasmitigationandmonitoringstrategies.Forriskmanagementtoberobustandcomplete,itisimportantthatorganizations:

–Identifyandclassifyassetsonthebasisontheircriticality,valueandsensitivitytotheorganization’soperations.

–Createaninventoryofthe“crownjewels”–thehighest-valueassetsintheirOTenvironment

which,ifcompromised,couldhaveamajor

impact.Oncethe“crownjewels”havebeen

identified,organizationsshouldidentifyhowtheyconnecttothenetwork,dataflows,etc.

–DetectsecurityvulnerabilitiesandthreatsacrossthemappedassetsandOTenvironment;

identifytheconsequencesthatcouldresultifthevulnerabilitiesareexploited(e.g.incaseofunauthorizedaccess,datatheft,equipment

damage,injuryandlossoflife,harmto

nationalsecurity,etc.);andprioritizemitigationaccordingly.

–Identifypotentialthreats(includingthreatevents,threatactors,etc.)thatcouldtargettheirOT

environment.

–EstablishanOTcybersecuritystrategyalignedwiththeoverallcybersecuritystrategy,outliningtheprevention,detectionandresponse

capabilities.Itshouldbereviewed,evaluated

andupdatedregularly.Organizationsshould

alsoconsiderdevelopingguidelinestoensure

effectiveadoptionandimplementationoftheOTcybersecuritystrategy.

EnsureOTengineersandinstallationoperatorshaveresponsibilityforOTcybersecurity

Researchshowsthat95%oforganizations20will

placetheresponsibilityforOTcybersecurityundertheChiefInformationSecurityOfficer(CISO)in

thenext12months.However,consideringthat

cybersecurityisasharedresponsibility,theITteamalonecannothavefullcontrolofOTcybersecurity;allstakeholders,atalllevelsoforganizational

management,needtodotheirpart.

Thismakesitimperativethatrolesand

responsibilitiesbeclearlydefinedandproperly

communicatedwithIT/OTpersonnel.Thatsaid,OTteamsdonotnecessarilyhavetheawareness

orknowhowtoproperlyinspectandsecureOTnetworks.InordertoshareresponsibilityforOTcybersecurity,OTpersonnelacrossindustrialorganizationsneedtounderstand:

–When,howandwhyasecuritybreachmightoccurintheOTenvironment.CommunicationsonsecurityawarenessshouldbecarriedoutcontinuouslyforallOTpersonnel.

–Whotocontactincaseofasecuritybreachorsuspiciousactivity,thatis,whotogethelpfromandwhotocollaboratewithforsupport.

UnlockingCyberResilienceinIndustrialEnvironments:FivePrinciples8

Principle3

DifferentthreatdetectiontechnologiesusedbyITandOTcoulddetectthreatsinthe

OTenvironment.Therefore,cooperation

andcommunicationbetweentheITandOT

departmentsisessentialtoensurethatallstaffhaveclearlyandpreciselydefinedrolesand

responsibilitiesforworkingtogetheronincidentresponseinOT.

–Thevulnerabilitiesandrisks(includinginheritedrisks)thateachconnecteddeviceintheOT

environmentbrings.

–TheroleoftheSecurityOperationsCentre

(SOC),CISOteam,etc.OTpersonnelshouldalsobuildarelationshipwiththeSOCand

CISOteamstoensuretransferofknowledgeonsecurityarchitectureandpolicies,includingontheprevention,detection,analysisand

responsetocybersecurityincidents.Among

theOTpersonnel,a“CyberChampion”shouldbeappointedineachfacilitywhocanhelpwithcyberissuesduringcrises.

Alignwithtoporganizationalleadership,strategicplanningteamsandthirdpartiestomakesecurity-by-designareality

MostoftheexistingOTwasnotdesignedwith

cybersecurityinmind.Security-by-designisa

processratherthanaone-time“bolt-on”effortandassuchshouldgobeyondintegrationofsecurityduringthedesignanddevelopmentphaseofaproduct/

service.Toenforceasecurity-by-designapproachintheOTenvironment,organizationsshould:

–Raisecybersecurityissuesandrisksto

corporatemanagementtoensurethatcritical

OTsystemsaresafeguardedfrompotentialrisksandvulnerabilitiesfromtheoutsetby:

–OrganizingexecutivebriefingstohighlighttheimpactofOTcyberrisksonbusinessoperations,financesandreputation.

–Developingandpresentingriskassessmentstocommunicatetheinterplaybetween

OTcybersecuritybreaches,operationaldowntimeandcompliancepenalties.

–Sharingcasestudiesillustratingreal-worldexamplesofcybersecurityincidentsintheOTenvironmentandtheconsequences

experiencedbyorganizationsthatwerecaughtoff-guard.

–EncouragingtheintegrationofOT

cybersecurityintotheoverallbusiness

strategytoensurecompetitiveadvantage

bydemonstratingcommitmenttoprotectingcriticalOTinfrastructure.Itcanultimately

helpfosteroverallresilienceacrossindustryecosystems.

UnlockingCyberResilienceinIndustrialEnvironments:FivePrinciples9

Principle4

Principle5

Contractuallybindandenforcesecurity

standardsonpartnersandvendorstobuildasecureOTenvironment

Third-partysuppliersandvendorsdifferinthewaytheyapproachcybersecurity.Nevertheless,they

havetoguaranteethesecurityoftheirproductorserviceandtakeresponsibilityforwhatisdelivered.TobuildasecureOTenvironmentandensure

successfulcollaborationwithandenforcementofsecuritystandardsbypartnersandvendors,industrialorganizationsshould:

–ConductthoroughduediligenceofbothITandOTcybersecurityposturebeforecollaboratingwithanythird-partyvendorsandsuppliers.Theassessmentshouldcoverhowacyberattackagainstathird-partyvendororsuppliercouldimpactoperations.

–Classifyandcategorizethirdpartiesaccordingtotheirlevelandtypeofrisk(compliance,

financial,reputation,etc.)beforetheycanaccessfacilities,networkandconfidentialinformation.

–Incorporatealistofbaselinesecurity

requirementsforthird-partyvendorsand

supplierswithaccesstofacilities,network

andconfidentialinformationwithinthesecurityframeworkmentionedinprinciple1.These

securityrequirementsshouldbemetbeforeformalizationofcollaboration.Examplesofsecurityrequirementsinclude:

–Implementationofsecuritylevels(SL)3and4ofIEC62443.

–ApplicationofadvancedcybersecuritystandardsforOTsoftwaredevelopment.

–Demonstrationofprovenhands-onexpertiseinhandlingcybersecurityevents.

–IncludeOTcybersecurityrequirementsin

contracts.OTcybersecurityrequirements

shouldcoverareassuchassecureremoteaccess,useofremovablemediadevices

totransferfiles,termsandconditionsfor

dataprotectionandprocessingofsensitiveinformationsharedbetweentheorganization

andthethirdparty,accident/incidentnotificationandreporting,etc.

–Continuouslyauditvendorandsuppliersecurityperformancetoensuretheyareadheringto

previouslyagreedsecuritycontrols.

–Incasethesecuritycontrolsarenotobserved,organizationsshoulddevelopanexitstrategythatincludesproperoversightoverthe

terminationofcollaborationwiththevendor,returnofassets,etc.

Runjointtabletopexercisestoensure

preparednessincaseofanactualincident

Atabletopexercisecannotalwaysperfectly

replicateeveryaspectofareal-lifescenarioor

incidentresponsesituation.Toensuremaximumpreparednessandamplifyitsbenefits,thetabletopexerciseshouldincludekeypersonnelandshouldhaveclearlydefinedandachievableobjectives.

Organizationsshouldtherefore:

–Usesecurityscenariosbasedonrealevents,andleverageandadaptexistingcrisis

managementprocedurestothecybercontext.

–EngagethecorrectstakeholdersthatgobeyondITandOTpersonnel.Exercisesshouldincludetheemergencypreparednessgroup,executiveleadershipandmanagement,technical

staff,thirdparties,legalcounselaswellas

psychologistswhocanevaluatetheresponsesandactionstakenbythesecurityincident

responseteam(SIRT).

–ClarifytherepresentationofOTcyber

competenceinincidentresponsetoensure

preparednesswhenathreateventoccursandexplorewhetheroperationscanberunintheOTenvironmentwithouttheIT.

–IncludeOTsitesacrossmultiplegeographiesandconsiderthelegalaspectsthatmayarise.

–Identifyweaknesses/gapsintheincident

responseandincludelessonslearnedinthepost-drillanalysisreports.

–Produceandcontinuouslyupdatethe

executives’playbookwithlessonslearnedfromsuchexercises.

UnlockingCyberResilienceinIndustrialEnvironments:FivePrinciples10

3

Monitoringthe

implementationof

OTcybersecurity

principles

ImplementationofOTcybersecurityprinciples

aloneisnotenough.Trackingtheirprogressandcontinuousassessmentofimpactiskeyinordertoensureeffectivenessoftheprinciplesandthatorganizationsareadaptingtothenewprocesses.TosuccessfullymonitortheimplementationofOTcybersecurityprinciples,organizationsshould:

–PerformregularauditstomonitorcompliancewiththeOTcybersecurityprinciples,includingassessmentsofcriticalthirdpartieswithaccesstotheOTenvironment.

–Conductreal-timemonitoringtodiscover,

identifyandassessdevicesandvulnerabilitieswithintheOTenvironment.The“now,nextandnever”approachcanhelporganizationsassessvulnerabilities.Gatheredinformationshouldbekeptinaregisterandreviewedperiodically.

–Developastrategicroadmapandprocessfor

reportingtothecorporateboardaboutprogressonOTcybersecurity.

–Senddata(e.g.IDSdata)regularlytothe

secur