By Isiah Jones, MPS, CISSP, GICSP, C|CISO, Director, ICS Cyber Security Engineering
What is the ICS Security Manager as a Service?
The easiest way for both the ICS and cybersecurity communities to wrap their heads around what the heck ICS Security Manager as a Service is would be to think of it initially as the ICS-focused version of CISO as a Service, only with additional duties that include hands-on technical engineering and architecture work. Some folks may see it as just another name for staff augmentation. However, staff augmentation implies a permanently contracted individual who essentially belongs to your organization as a contracted employee. Basically, they are just another extension of your pool of contractor employees. In some respects, ICS Security Manager as a Service is like a combination of CISO as a Service business models and traditional staff augmentation.
However, ICS Security Manager as a Service would not be a staff augmentation contractor employee position. Instead, it would be like having a firm of experienced lawyers on constant retainer whenever you needed them. They act on your behalf and look out for your interests; they know your organization and your secrets; and they not only advise you but can also take action, up to and including representing you in court or taking legal action on your behalf. In that spirit, ICS Security Manager as a Service would be a fractional, part-time, half-time or full-time scaled pricing-based retainer service that would provide asset owners with access to seasoned ICS security professionals when they need them to perform various tasks on their behalf.
ICS Security Manager as a Service could be called upon to write security specifications and specific security controls and sub-controls into ICS Master Plans, RFPs, RFIs, contract agreements, design guidelines and roadmaps throughout the lifecycle of your existing and new ICS assets and operations. The service could also include building out your inventory lists, architecture design, testing labs, system security plans for each system, and configuration plans and guides for each system, as well as conducting evaluations of ICS vendor and integrator products and solutions on behalf of the asset owner and operator.
Some of the duties and tasks this service could complete and maintain are as follows (this is not an exhaustive or complete list):
- Build, operate and maintain ICS Security Program (this includes policies, procedures, frameworks, regulations, standards and best practices)
- Act as ICS Security Manager on behalf of asset owner and operator (this includes authority to oversee and direct ICS vendors, integrators, staff and contractors)
- Serve as liaison between ICS business owners and IT staff and corporate leadership (e.g. CIO, CISO, COO)
- Coordinate, evaluate and execute annual ICS-focused assessments
- Coordinate, evaluate and execute annual ICS-focused penetration tests
- Lead, support and execute implementations to mitigate discovered risks and vulnerabilities for ICS assets and operations
- Integrate, create and enforce ICS security requirements, standards, best practices and functionality into all ICS projects, contracts, agreements, operations and assets on behalf of asset owners and operators
- Build, maintain and execute ICS system security plans, ICS configuration management plans, ICS inventory list, ICS incident response plans, ICS system, network and architecture diagrams, etc.
- Test, evaluate, authorize, certify and facilitate products and services used by and for ICS assets and operations on behalf of owners and operators
- Enable and deliver ICS-focused security training and awareness for ICS operators and supporting stakeholders (physical security, HR, finance, procurement, IT, vendors, integrators, EPCs, etc.)
Why do we need it?
Many would say this sounds like an amalgamation of existing varied contracted services that different firms may or may not provide. It also sounds like some of the duties that an MSSP would perform in some cases. In some respects, yes, but holistically, no. Many of these services today are performed by IT firms that have no real ICS security chops, or by ICS integrators and vendors who have no significant security chops, especially no systems security engineering, assessment, validation, secure design, secure integration or security operations and maintenance experience. Additionally, many existing firms would focus on just policies, audits, assessments and penetration tests, then move on and only return to check what mitigations have been implemented. None of these solutions would provide the full-lifecycle, continuous completion of tasks necessary for ICS security on behalf of asset owners and operators.
Asset owners and operators often lack dedicated ICS security expertise and the funding to hire such resources. ICS integrators, ICS vendors and consulting firms that are mostly IT security, compliance and audit based in nature do not have the full-lifecycle systems security engineering experience or dedicated expertise to continuously close this gap for asset owners and operators. As a result, asset owners and operators end up spending the limited budget they have on expensive audits and assessments that leave them with gaps and findings they have no expertise on staff to help them mitigate. Owners and operators also end up depending heavily on integrators, vendors and MSSPs to perform duties and tasks that address only portions of the gaps and mitigations, or that end up creating more gaps and risks than they mitigate. Simply put, the status quo means well and does serve a good purpose, but the gaps that remain are continuously putting asset owners, operators and the infrastructures they monitor and control at risk.
Some of the reasons why asset owners and operators need ICS Security Manager as a Service are as follows (this is not a complete or exhaustive list):
- Asset owners, operators and critical infrastructure need ICS security-focused and dedicated resources
- Organizations lack resources for full-time ICS security staff
- IT does not focus exclusively on ICS security and generally lacks the ICS-focused education, training, certifications, understanding and experience needed
- Collateral duty with IT-biased approaches to ICS creates more risk than solutions
- ICS operators cannot focus exclusively on security of their operations and assets and generally lack significant security experience and awareness
- Some environments, asset types and sector verticals are best served by need-to-know, least privilege and segregation of duties, roles, access and infrastructure, increasing the need for a separate, experienced and dedicated ICS Security Manager as a Service
- Connection to the dedicated ICS security focused community of practitioners is paramount
- Access to ICS security skilled resources with experiences across several organizations and infrastructures will be a force multiplier for all sector verticals and ICS asset types
- ICS Security Manager as a Service creates an authoritative role and voice for ICS asset owners and operators
- Provides an ICS Operations Security Liaison to CISO, CIO, CSO, COO and Board
Part 4 will provide insight into who we think can benefit from ICS Security Manager as a Service, and our concluding thoughts on why it is important and what your next steps should be.