Whitepaper and executive summary provided by the ISA, a technology and workforce training partner of IMEC.
Effective cybersecurity management is essential for all organizations, regardless of size. There are many standards and guidance documents available to help organizations determine a way forward.
The ISA whitepaper “Industrial Cybersecurity for Small- and Medium-Sized Businesses” is intended to provide a starting point for SMBs, particularly those that manage industrial processes and employ some level of automation. Specific examples include SMBs in the chemical, water, or wastewater treatment sectors.
While it is generally accepted that Operational Technology (OT) system security requires different or additional measures than general-purpose Information Technology (IT) system security, it is also true that smaller companies might have difficulty implementing much of the available guidance.
Standards and practices are often based on the assumption that engineering and operations resources are available to define, implement, and monitor the technology, business processes, and associated controls. Unfortunately, this is often not the case. Smaller operations are typically not staffed to include such roles. It is more common to have broadly defined staff roles, with support and operation of IT systems as only part of an individual’s responsibilities. Smaller companies may not even be fully aware of the risks they face or that they can contract for cybersecurity-related services. This guide is intended to identify the essential controls that need to be established.
SMBs need to understand their cybersecurity risk and to take action to reduce this risk, just as they do with other business risks. The absence of previous incidents, or the belief that the organization is not a likely target, is not sufficient justification for ignoring this issue.
SMBs can be at risk from a wide variety of threats, including amateur and professional hackers, environmental activists, disgruntled employees or contractors and even nation states or terrorists. In addition, many cybersecurity incidents are a result of accidents or unintentional actions. A company does not have to be a specific target to be affected.
The consequences for an SMB can vary tremendously depending on the nature of its operations and its particular vulnerabilities. It is essential that the underlying vulnerabilities be recognized and mitigated to minimize the likelihood of potentially dire events.
The whitepaper provides guidance based on well-established frameworks and standards. Readers should refer to these frameworks and standards directly, focusing on the recommendations highlighted in the document.
Cybersecurity management is not a one-time activity. Like quality and safety management, cybersecurity management is an ongoing activity where continuous improvement must be made in order to manage the risks.
This whitepaper and executive summary were originally published by the International Society of Automation (ISA), an IMEC strategic partner. Learn more at www.isa.org.