Learning to Walk: Towards Assessing the Maturity of OT Security Control Standards and Guidelines

Staves, Alex and Maesschalck, Sam and Derbyshire, Richard and Green, Benjamin and Hutchison, David (2023) Learning to Walk: Towards Assessing the Maturity of OT Security Control Standards and Guidelines. In: 2023 IFIP Networking Conference (IFIP Networking). IEEE, pp. 1-6. ISBN 9783903176577

OT_Controls_Standards_and_Guidelines_Benchmark_4.pdf - Accepted Version
Available under License Creative Commons Attribution.

Abstract

The convergence of IT and OT has presented OT environments with several challenges, such as increasing the attack surface of their real-time systems to include more commonplace enterprise vulnerabilities. As OT is used across heavily regulated sectors, including water and nuclear, many standards and guidelines are available to these sectors, providing them with assistance towards continued improvements from a cyber security perspective. However, these standards and guidelines are not always as mature as their IT counterparts. This paper proposes a model to benchmark the maturity of OT-focused standards and guidelines, which we then use to analyse seven commonly adopted resources. Based on this analysis, we find that these OT standards and guidelines do not always provide in-depth implementation guidance, and often refer instead to IT standards and guidelines for more information. Improvements are urgently needed in security and risk mitigation for interconnected OT and IT systems, as security controls in OT are typically re-appropriated IT controls. To help achieve this goal, OT standards must mature further.

Item Type: Contribution in Book/Report/Proceedings
ID Code: 192592
Deposited By:
Deposited On: 06 Jun 2023 12:45
Refereed?: Yes
Published?: Published
Last Modified: 20 Feb 2024 01:34