Accepted author manuscript, 313 KB, PDF document
Available under license: CC BY: Creative Commons Attribution 4.0 International License
Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
TY - GEN
T1 - Learning to Walk
T2 - Towards Assessing the Maturity of OT Security Control Standards and Guidelines
AU - Staves, Alex
AU - Maesschalck, Sam
AU - Derbyshire, Richard
AU - Green, Benjamin
AU - Hutchison, David
PY - 2023/7/24
Y1 - 2023/7/24
N2 - The convergence of IT and OT has presented OT environments with several challenges, such as increasing the attack surface of its real time systems to include more commonplace enterprise vulnerabilities. As OT is used across heavily regulated sectors, including water and nuclear, many standards and guidelines are available to these sectors, providing them with assistance towards continued improvements from a cyber security perspective. However, these standards and guidelines are not always as mature as their IT counterparts. This paper proposes a model to benchmark the maturity of OT focused standards and guidelines, which we then use to analyse seven commonly adopted resources. Based on this analysis, we find that these OT standards and guidelines do not always provide in-depth implementation guidance, and often refer instead to IT standards and guidelines for more information. Improvements are urgently needed in security and risk mitigation for interconnected OT and IT systems, as security controls in OT are typically re-appropriated IT controls. To help achieve this goal, OT standards must mature further.
AB - The convergence of IT and OT has presented OT environments with several challenges, such as increasing the attack surface of its real time systems to include more commonplace enterprise vulnerabilities. As OT is used across heavily regulated sectors, including water and nuclear, many standards and guidelines are available to these sectors, providing them with assistance towards continued improvements from a cyber security perspective. However, these standards and guidelines are not always as mature as their IT counterparts. This paper proposes a model to benchmark the maturity of OT focused standards and guidelines, which we then use to analyse seven commonly adopted resources. Based on this analysis, we find that these OT standards and guidelines do not always provide in-depth implementation guidance, and often refer instead to IT standards and guidelines for more information. Improvements are urgently needed in security and risk mitigation for interconnected OT and IT systems, as security controls in OT are typically re-appropriated IT controls. To help achieve this goal, OT standards must mature further.
U2 - 10.23919/IFIPNetworking57963.2023.10186424
DO - 10.23919/IFIPNetworking57963.2023.10186424
M3 - Conference contribution/Paper
SP - 1
EP - 6
BT - 2023 IFIP Networking Conference (IFIP Networking)
PB - IEEE
ER -