
HUMAN NETWORK: Industrial Cybersecurity for Small- and Medium-Sized Businesses

Oct. 1, 2017
A Practical Guide:

"Industrial Cybersecurity for Small and Medium Sized Businesses" leverages ISA’s in-depth knowledge of industrial automation and control systems (IACS) and subject-matter expertise in industrial cybersecurity.

From the Executive Summary
Effective cybersecurity management is essential for all organizations, regardless of size. There are many standards and guidance documents available to help organizations determine a way forward.

This document is intended to provide a starting point for small- and medium-sized businesses (SMBs), particularly those that manage industrial processes and employ some level of automation. Specific examples include SMBs in the chemical sector and in water and wastewater treatment.

While it is generally accepted that Operational Technology (OT) system security requires different or additional measures than general-purpose Information Technology (IT) system security, it is also true that smaller companies might have difficulty implementing much of the available guidance.

Standards and practices are often based on the assumption that engineering and operations resources are available to define, implement, and monitor the technology, business processes, and associated controls. Unfortunately, this is often not the case.

Smaller operations are typically not staffed to include such roles. It is more common to have broadly defined staff roles, with support and operation of IT systems as only part of an individual’s responsibilities.

Smaller companies may not even be fully aware of the risks they face or that they can contract for cybersecurity-related services. This guide is intended to identify the essential controls that need to be established.

SMBs need to understand their cybersecurity risk and to take action to reduce this risk, just as they do with other business risks. The absence of previous incidents, or the belief that the organization is not a likely target, is not sufficient justification for ignoring this issue.

SMBs can be at risk from a wide variety of threats, including amateur and professional hackers, environmental activists, disgruntled employees or contractors and even nation states or terrorists. In addition, many cybersecurity incidents are a result of accidents or unintentional actions. A company does not have to be a specific target to be affected.

The consequences for an SMB can vary tremendously depending on the nature of its operations and its particular vulnerabilities. It is essential that the underlying vulnerabilities are recognized and mitigated in order to minimize the likelihood of potentially dire events.

This document provides guidance based on well-established frameworks and standards. Readers should consult those frameworks and standards directly, using the recommendations in this document to focus that effort.

Cybersecurity management is not a one-time activity. Like quality and safety management, cybersecurity management is an ongoing activity where continuous improvement must be made in order to manage the risks.

The white paper provides a thorough overview of industrial cybersecurity, covering:
• Risk assessment
• Essential cybersecurity initiatives, including: Identification, Protection, Detection, Response and Recovery
• Awareness and training
• Continuous improvement
• Additional references

This article is an excerpt from the International Society of Automation’s (ISA) white paper Industrial Cybersecurity for Small- and Medium-Sized Businesses. For more information, and to download the complete white paper, please visit https://www.isa.org/uploadedFiles/Content/PDFs/Industrial_Cybersecurity_for_SMB_WP.pdf

Contact the ISA at: International Society of Automation (ISA), 67 T.W. Alexander Drive, P.O. Box 12277, Research Triangle Park, NC 27709. Phone: +1 919-549-8411. Fax: +1 919-549-8288. Email: [email protected]. URL: www.isa.org

About the Author

Human Network Contributor

If you're interested in contributing an article, please email Sharon Vollman, Editorial Director, [email protected], or Lisa Weimer, Managing Editor, ISE Magazine, [email protected].