Scoping IT & OT Together When Assessing an Organization's Resilience
The SEI engages with many organizations of various sizes and industries about their resilience. Those responsible for their organization's cybersecurity often tell us that their information technology (IT) and operational technology (OT) are too different to be assessed together. However, not accounting for both technologies could have serious implications for an organization's resilience. In this post I'll explain why and describe the technology-agnostic tools the SEI uses to scope both IT and OT in resilience assessments.
IT and OT systems are distinct systems with their own cybersecurity priorities. In terms of the CIA Triad, IT generally prioritizes confidentiality and OT prioritizes availability. These priorities can drive how organizations deal with risks. However, when evaluating organizational resilience, what really matters are the interconnectedness of these two technologies and their criticality to the organization, because this drives the impact and likelihood of the risk. The NotPetya and WannaCry attacks exploited these characteristics, traversing IT and OT networks and either bringing down or severely degrading operations of major organizations.
Even if you think IT and OT are apples and oranges, we can agree that many organizations depend on both IT and OT to operate. We can also agree that an organization's ability to weather times of stress is critical to its customers, employees, and shareholders. It makes sense then that organizations should consider both IT and OT systems when determining operational resilience.
Resilience, Assessments, and the Importance of Scoping
To paraphrase the SEI's CERT Resilience Management Model (CERT-RMM), operational resilience is an organization's ability to manage the impact on assets and their related services due to realized risks associated with processes, systems, technology, the actions of people, or external events. In times of stress, a resilient business will be more likely to return to normal operation.
CERT-RMM proposes that organizations can achieve their optimal level of operational resilience through the effective communication and disposition of risks across a business's many verticals. Crucially, CERT-RMM abstracts organizations to their services and all the assets that support them: people, information, facilities, and technology of any type.
The SEI has developed two effective assessment tools based on CERT-RMM that measure an organization's operational resilience through the lens of cybersecurity: the Cyber Resilience Review (CRR), developed for the Department of Homeland Security, and the Cybersecurity Capability Maturity Model (C2M2), developed in partnership with industry representatives for the Department of Energy. Both assessments can be performed as a one-day self-assessment by the organization's own subject matter experts (SMEs) or as part of facilitated workshops. The C2M2 is for the energy sector and more broadly assesses cybersecurity programs. The CRR is sector agnostic and focuses on an organization's resilience management processes. Both assessments give organizations a repeatable tool to help determine their organizational resilience.
The assessments share a common set of CERT-RMM assumptions and methodologies. Both assessments focus on two aspects of the organization: (1) the organization's business objectives and (2) the protection and sustainment of assets that support those objectives. The organization itself determines the appropriate level of resilience and resources needed to achieve its objectives and efficiently meet regulatory requirements. The organization has the flexibility to assess the critical service or function regardless of its assets, and in a way that is consistent with its risk appetite.
Scoping, or determining what parts of the organization should be assessed, is key to the assessment's success. The CRR scopes to a single "critical service," and the C2M2 scopes to what it calls a "function." The critical service or function being assessed should indeed be critical to the business: if this service failed or went away, your business would also fail. For example, a car manufacturer may want to focus on its car manufacturing line. Scoping the critical service or function too broadly will dilute the visibility afforded by the assessments. For more, see my colleague Andrew Hoover's blog post about cyber resilience and the critical service.
Scoping the critical service or function allows the organization and the SMEs engaged in the assessment to clearly define the systems that are being assessed and in turn determine their overall resilience. Scoping also allows the organization to intelligently identify the level of risk associated with those systems. The organization can then prioritize its resources to close any identified gaps, one of the practice areas of cyber hygiene. Repeating the assessment against the same scope allows the organization to measure its performance over time.
IT and OT: Better When Assessed Together
For many organizations, IT and OT assets are both critical to survivability. We should be asking the same questions of both when determining organizational resilience. The answers to those questions might vary depending on whether they address IT or OT, but that should not preclude them being asked.
For example, both the CRR and C2M2 assessments ask about the practice of patching vulnerabilities. Patching IT is generally common and non-disruptive, but patching OT could be extremely rare and disruptive. To simply not ask the question because the IT or OT answers would be different could mask exposures to serious vulnerabilities. Exclusion of IT or OT assets from the assessment not only reduces the organization's visibility into their support of the critical service or function, but it can also create an unwarranted sense of security.
The presence of the term "cyber" in both the Cyber Resilience Review and Cybersecurity Capability Maturity Model does not imply a limitation on the critical service or supporting assets in scope. Though not all assets inherently include a cyber component, they might be connected through a network. Excluding some of the networked assets from the measurement of the organization's resilience casts considerable doubt on the efficacy of the measurement.
Having the right subject matter experts (SMEs) on hand is also important during the assessment. Even though IT and OT systems are subject to the same resilience questions, different SMEs may be needed to answer the questions appropriately.
The Emerging Convergence
As IT and OT become networked together more and more, their vulnerabilities and risks will become shared. Their combined impact on the resilience of the organization will become more complicated and potentially much greater. It has never been more critical to manage the resilience of an organization in the face of these impacts and act on, or at the very least be aware of, any gaps.