50 Questions to Be Answered by a CISO Before Starting an IT/OT Cybersecurity Strategy
As we continue our journey toward establishing a robust OT enterprise cybersecurity program, the next critical step involves thorough preparation and understanding. For a Chief Information Security Officer (CISO) and their team, asking the right questions at the outset is essential for crafting an effective strategy. This article outlines the key questions that need to be addressed to lay a solid foundation for an IT/OT enterprise cybersecurity program and to define a clear scope of engagement with a consultant.
Before diving into the questions, you may want to revisit the previous articles in this series for foundational insights:
Article 1: Navigating the Complexities of OT Cybersecurity: A Comprehensive Overview
Article 2: Defining Operational Technology (OT) Cybersecurity Across Industries
Organizational Overview
Who are your supporters among your leadership and board of directors?
What are the primary verticals of your organization’s operations?
Do you have a formal IT/OT team?
Do you have an OT cybersecurity leader?
In which industry sectors does the company operate?
How many locations does your organization have, and where are they located?
What are the key OT systems and processes critical to your operations?
Current Cybersecurity Posture
Do you currently have an IT cybersecurity program?
Do you have an OT cybersecurity program in place?
If yes, what are the main components of your existing program?
How do you handle IT and OT convergence?
What is the org chart of the IT/OT organization?
Governance and Compliance
What are the regulatory and compliance requirements applicable to your industry (e.g., NERC CIP, IEC 62443, ENISA, etc.)?
Do you have a governance framework for managing OT cybersecurity?
How do you ensure compliance with relevant standards and regulations?
Risk Management
What is the risk score for each of your company’s operation sites?
Do you conduct regular risk assessments for OT systems?
If yes, what are your OT environment's main cybersecurity risks and threats?
How do you prioritize and mitigate these risks?
Asset Management
Are all your OT assets connected to the network?
Do you maintain an inventory of all OT assets?
Are these assets classified and prioritized based on criticality?
How do you classify these assets?
Network Security
Do you have an IT/OT reference network architecture?
If yes, have you applied it to all of your sites?
How is your OT network segmented from your IT network?
How many of your sites or subsystems are air-gapped?
What security measures do you use for air-gapped network security?
How do you measure your OT network security effectiveness?
What protection mechanisms are you using?
What detection mechanisms are you using?
What network security measures (e.g., firewalls, IDS/IPS) are in place?
Do you employ network traffic analysis tools for OT environments?
How do you handle network anomalies and suspicious activities?
Access Control
What access control mechanisms are implemented for OT systems?
What are the main specifications of the typical OT access control technology?
Do you access critical OT systems using zero trust and multi-factor authentication (MFA)?
Do you conduct regular audits of access control policies?
Incident Response
Do you have an incident response plan specific to OT environments?
If yes, is it integrated with your main corporate plan?
How often do you conduct OT incident response drills and simulations?
How often do you conduct IT/OT incident response drills and simulations?
Continuous Monitoring
What tools and technologies do you use for continuous monitoring of OT environments?
What are the standard specifications you use for OT monitoring tools?
How do you measure the effectiveness of the monitoring tools?
How do you integrate threat intelligence into your monitoring processes?
Do you use advanced analytics for threat detection?
Training and Awareness
Do you have clear job descriptions for each of your employees?
Do you offer an OT cybersecurity training program for all levels within the company?
If yes, how is this program integrated into the company-wide functional training program?
Do you conduct regular cybersecurity training for employees, especially those who work with OT systems?
How do you promote cybersecurity awareness within the organization?
Vendor and Supply Chain Security
How do you assess the cybersecurity practices of your OT vendors and suppliers?
How is this linked to your corporate policies as a whole?
What measures are in place to secure the supply chain and ensure a secure bill of materials?
Budget and Resources
What is your current budget for OT cybersecurity?
Do you have sufficient resources (personnel, tools, technologies) to manage OT cybersecurity effectively?
Addressing these questions can help CISOs and their teams gain a comprehensive understanding of their current state and identify the steps necessary to build an effective OT cybersecurity program, or at least to define a scope of work aimed at closing the gaps the questionnaire reveals. This preparation sets the stage for developing a strategic plan that addresses the unique challenges of securing OT environments.
Stay tuned for our next article, where we will delve into the basic strategy of an enterprise OT cybersecurity program and outline the essential components and sub-components to build a resilient and robust security posture. Feel free to contact me directly if you need support or have any questions.