Verve Industrial, a cybersecurity company specializing in operational technology, has spent the last 25 years partnering with organizations to bridge IT and OT security challenges in industrial environments. Their report, “5 Principles for Designing a Successful Governance Model for OT Cyber Security,” details how organizations can determine the right governance model for their operation.
A governance model dictates who has authority over an organization’s cybersecurity and who is held accountable in the event of a cybersecurity incident. The model also determines who sets the overall OT cybersecurity agenda and what metrics should be achieved.
When designing a governance model, organizations have a number of decisions to make. This includes determining who will decide whether to patch a specific device or create a mitigation plan, what tools an organization uses to address cyber risk, and whether a specific device should be replaced if its firmware is out of date.
“More than talent, tools, or tactics, governance is the most fundamental decision to get right in order to achieve success in defending critical infrastructure,” the Verve report says.
Who is in charge is one of the most important questions an organization must answer when designing their governance model. Whether it’s the chief information security officer, head of operations or chief information officer, this person is responsible for making a number of decisions. This includes security decisions on OT assets within a plant or SCADA environment and budget and resource allocations.
According to the Verve report, there is no “one-size-fits-all” answer to who should be put in charge because an organization’s governance structure should reflect the culture and structure of the rest of the organization. Additionally, there often won’t be a single point of authority and accountability for all decisions because these decisions often require coordination and shared decision-rights across IT, security and risk management, operations, and finance.
“Although it would be nice to have a standard construct where accountability and authority are vested in one person or organizational function, this is nearly impossible given the realities of managing operations, assets and processes,” the Verve report says.
Verve Industrial’s first principle is to secure C-suite alignment. According to the report, this is essential for determining the risks to operations, the risk appetite of senior leadership and the board of directors, a rough cost estimate to achieve different levels of security maturity, and how the senior team will make decisions in each area.
“C-suite alignment ensures budgets, metrics, and resources are based on agreed upon objectives. If you find yourself midway through the OT cyber security journey, the best option is to reset and establish agreement on key objectives to encourage future progress,” the report says.
For its second principle, Verve cites a case study involving a utility holding company. The company’s incumbent governance model used the distributed business unit P&L ownership model, which establishes clear accountabilities around targets and objectives while allowing the management of each business unit full authority to determine the strategies and tactics they use to deliver results. In line with Verve’s “go with the flow” principle, this same model was used for OT cybersecurity governance as well.
“No governance model is perfect,” the report says. “Successful OT cyber security leaders take time to understand the overall governance culture of their organization and build a model that works with the current flow, rather than trying to force-fit a theoretically ‘better’ governance model. At that point, the CISO will address gaps in the approach to ensure limitations do not become hindrances.”
Verve’s third principle involves determining a holistic cybersecurity spending budget. According to the report, it is important for organizations to gain visibility into total cybersecurity spending across various departments in order to align budget authority with security accountability for effective risk management.
In its fourth principle, Verve advises that organizations adopt scorecards and key performance indicator metrics. According to Verve, successful OT organizations run on metrics, targets, detailed procedures, and tactical results that are monitored on an hourly, daily, and weekly basis.
Finally, Verve’s fifth principle recommends that organizations “get tactical.” This means building detailed procedures that identify accountable parties and their levels of authority for specific deliverables.
“In critical operations, where a wrong, or even a correct, but delayed decision leads to lost production, injury, or even death, detailed and assigned decision-rights are crucial,” the report says. “Successful operators take time to thoroughly document the decision rights, as well as details such as who will take necessary actions in maintenance and quality.”