by Tim Gale
A large, multi-site industrial manufacturer faces many challenges when developing and managing an industrial cybersecurity program. What comes first? What are the priorities? How long should it take to implement mitigations? How do you measure progress?
Many such manufacturers perform vulnerability and risk assessments, which can produce hundreds of recommendations across dozens of sites. Some recommendations apply across the entire enterprise, while others are site specific. Recommendations also need to be evaluated against corporate standards; in some cases, those corporate standards still need to be written. Each recommendation needs to be rationalized and put into context. Workstreams need to be established that manage the implementation of technology across existing company workgroups. aeSolutions offers many of these services. Figure 1 shows two workstreams, with examples such as patch management and network optimization.
After a set of baseline vulnerability and risk assessments is complete, a Cybersecurity Program Development project is needed to drive progress on closing the gaps and securing the systems that produce products and keep people safe. A system of benchmarks is needed to confirm that progress is being made, and the security posture must be re-evaluated during execution of the program to verify that the systems are actually being secured, not just that recommendations have been marked complete.
The program management team faces the daunting task of summarizing this data and reporting it to senior management. An example of such a report is illustrated in Figure 2, which shows the current maturity level and a phased approach toward the future target state.
Figure 2: Cybersecurity Maturity Phases
Managing an Industrial Cybersecurity Program is a time-consuming effort. The lessons of others who have done this can be invaluable to keep it moving in the right direction. For more information on our industrial cybersecurity services please visit