Skip to main content
The Dragos Blog

05.20.22 | 4 min read

How to Build a Roadmap for ICS/OT Cybersecurity: 3 Steps to a Sustainable Program

Dragos, Inc.

Gartner estimates that by 2023, 75% of organizations will restructure risk and security governance to address converged IT, OT, Internet of Things (IoT), and physical security needs – an increase from fewer than 15% in 2021.

This dramatic acceleration demonstrates the growing understanding that operational technology (OT) plays a critical role in organizational cybersecurity. The stats also show, however, that for a majority of companies, this is a significant shift. What does it take to get from point A to point B?

We addressed that exact question in our recent webinar, Starting Your Journey: A Roadmap for ICS/OT Security. Read on for our experts’ “deviously simple roadmap” that can help your business make tangible, measurable progress in a year or less.

Why Now? The Growing Importance of ICS/OT Security

The webinar presentation kicked off by answering an important question: Why now? Why are executives, Boards, and teams on the ground suddenly concerned with the convergence of IT and OT? We identified five key factors:

  1. Increased workforce. Compared to even five years ago, we now have a growing base of skilled ICS security practitioners who are highlighting the risks and importance of OT security.
  2. Greater governance. Executives and Boards are more engaged and increasingly highlight industrial cyber risk as a top concern. “Cybersecurity” no longer applies just to IT, and governance is adjusting accordingly.
  3. More projects. As technology changes and connectivity evolves, organizations must balance the security risks of new projects designed to drive cost savings and efficiencies.
  4. OT vs. IT. Cybersecurity continues to grow in criticality and complexity. IT and OT must understand the specific impacts to security controls, incident response, and risk evaluation within OT environments.
  5. Company culture. Ever heard the phrase “Culture eats strategy for breakfast”? It doesn’t matter how well-planned your roadmap is, you need a culture of safety and reliability to execute it effectively.

The fact that more organizations recognize the importance of ICS/OT security does not mean that pursuing it is without challenges. A recent survey that we conducted with the Ponemon Institute surfaced a number of common issues that continue to stand in organizations’ ways. These roadblocks include:

  • OT security is managed by the engineering department, which does not have security expertise
  • OT security is managed by an IT department without engineering expertise
  • Competition between IT and OT for budget dollars and new security projects

What does it take to overcome these challenges? A roadmap that is directional, transparent, and adaptable.

Step 1: Understand Your Risks and Impacts

A good roadmap should be deceptively simple. It is not a multi-year, fifty-step plan; it can and should be reevaluated every year or so based on changing dynamics. A roadmap should align your business objectives to cyber risks, prioritize projects and programmatic improvements, and provide insights into resourcing needs. It is broadly shared and created in context, with ties to current threat trends and incidents.

What is a roadmap NOT? A roadmap is not an auditable standard. It doesn’t replace other cyber risk governance models, it works in tandem with them. And it’s certainly not written in stone – in an industry that evolves this quickly, roadmaps must be able to adapt.

With those guardrails in mind, what does the roadmap toward a sustainable ICS/OT security program look like? It starts by understanding your risk.

  • Understand your risks and impact. Ask yourself the key question, “What does a really bad day look like?” and then look left and right of that “boom.” Identify what you can do both before and after the “boom” to reduce the risk of it happening and reduce the impact if it does.
  • Use historical and hypothetical scenarios to understand impact. It’s not an either/or. Incorporate data on real events into your impact evaluation as well as hypothetical, yet plausible, events that may reasonably occur. This approach lets you gain more insight into what a potential bad day could look like at your specific organization.
  • Run scenario scale considerations. Think about your prevention and detection strategies for different scales of events. Assessing these possibilities, from one scenario at massive scale to multiple scenarios at small scale over time, helps you better construct a comprehensive ICS/OT security strategy.

Step 2: Determine Maturity and Gaps

Once you have built the foundation of your roadmap by understanding risks and impacts, you can determine your maturity and gaps. We recommend a “Crawl, Walk, Run” approach that enables companies at any level of OT security maturity to make demonstrable, ongoing progress.

Which stage best describes your business?

  • Crawl: Your initial defenses may be resource-constrained (a fancy way of saying, “you’ve got one person and if they leave, you’re screwed.”) You have no documentation and no lessons learned.
  • Walk: Resources are less scarce. You have moved beyond “oral history” to written documentation. Multiple stakeholders are involved and configuration management is in place.
  • Run: People across teams are trained, ready, and exercised. Executives are active participants in ICS security. Capabilities are double-checked and reviewed, perhaps by an internal audit team.

There is no wrong answer. The key is to be honest about the capabilities of your people, processes, and technologies so you can determine where to invest your time, money, and resources.

Step 3: Implement and Measure

Once you understand how mature your organization is across the multiple facets of an ICS/OT security program, you can prioritize where to go next. Implementation helps you close the gaps between point A to point B, while measuring the distance from point A to point B enables you to demonstrate your progress.

There are a number of ways to measure success. Options include:

  • Using a risk register to communicate the cost-benefit analysis of various program components and facilitate high-level risk discussions.
  • “Measure what matters” by stating your goals and benefits, identifying data sources, understanding how that data relates to your goals/benefits, and creating metrics accordingly.
  • Start somewhere, even if it’s as simple as one metric that you know you can measure with confidence and consistency. Measuring the network visibility of your systems, for example, is a great place to start.

Remember that this process is about continuous improvement, not “once and done.” Don’t fall into the trap of admiring the problem more than you’re solving it. We find that 3-4 metrics for each person on your team is the “sweet spot” that demonstrates continual improvement while still focusing on what matters.

Final Words: It’s the Journey, Not the Destination

Every organization starts somewhere different. With a clear understanding of your risks and impacts, maturity and gaps, you can create a roadmap that guides your team to a sustainable ICS/OT security program in one year or less.

Watch the full webinar or view the slides for additional detail, plus a real-world use case, or get in touch to see how Dragos can help advance your ICS/OT security strategy.

CTA Image
< class="mini-cta__header heading--3"> Starting Your ICS/OT Cybersecurity Journey
View our infographic highlighting the 3 key steps to maturing your industrial security program.

Ready to put your insights into action?

Take the next steps and contact our team today.