The Cyber Security Check is based on the free Cyber Security Check OT guide, which was developed by the German Federal Office for Information Security (BSI) in cooperation with ISACA Germany Chapter e. V., the professional association of IT auditors, IT security managers and IT governance officers. It offers a comprehensive review of your IT systems and networks in order to identify potential risks and enable them to be addressed early. This review is specifically geared towards the protection needs of OT systems (Operational Technology).
Cybersecurity is particularly important for operational technology, as these systems often control and monitor critical infrastructures such as power supplies, transport systems and factories. An attack on these systems can have serious consequences for society and the economy, as they often perform vital functions. It is therefore of great importance that they are protected against cyberattacks. A cyberattack on OT systems can not only impair their functionality, but can also pave the way into other IT systems in the company's network, leading to data loss, data manipulation and data leaks. Such incidents usually mean financial losses and damage to the company's reputation; in the worst case, OT attacks can even endanger human lives. In addition, OT systems are particularly vulnerable, as they often run on older technologies and systems that are not equipped with current security features. The integration of IT systems into OT environments, such as industrial control systems (ICS), also increases the risk of cyberattacks, because it creates additional attack paths.
To minimize these risks, it is essential that OT systems are regularly checked for cybersecurity. A Cyber Security Check based on the free Cyber Security Check OT guide can ensure such a check and provide you with recommendations for improving cybersecurity.
No ISMS required
Every ISMS (Information Security Management System) requires a comprehensive understanding and management of information security in the company. Extensive processes must be implemented and continuously monitored in order to ensure the desired level of information security. The advantage of the Cyber Security Check (OT) is that it can be carried out independently of an ISMS. An ISMS is not required to check and improve cybersecurity in the area of operational technology (OT). The check can be carried out at any point in an organization's security process: no documentation of the OT security organization or of the organization itself is required, nor does a specific level of progress in the implementation of OT security measures have to have been reached. It can therefore be a time- and cost-efficient solution for companies that want to improve their cybersecurity in the OT area promptly.
Subject of the check
The Cyber Security Check (OT) focuses on the entire operational area, in particular on process control systems and their networks, including field buses and input/output groups. This includes both the OT systems themselves and machine-oriented systems such as MES, as well as their connections to office IT, direct connections to external networks and the internet. All systems and services with physical, logical or functional interfaces are analysed with regard to their importance for the safe operation of the plant. This also includes auxiliary and secondary systems, even if they only indirectly influence the safe operation of the plant. A selection of relevant systems includes:
- Heating/air conditioning/ventilation
- Station automation and electrical protection technology (electrical power supply)
- Autonomous control of secondary systems (e.g. tank farms, supply and disposal)
- Building automation
- Online monitoring and diagnostic systems, process data management and archiving
- Engineering and plant documentation
- Connected systems (fire alarm system, video surveillance, etc.)
- Safety systems
- External services such as cloud
The procedure
When conducting a Cyber Security Check (OT), it is important to determine the scope and complexity of the object under assessment in order to be able to estimate the effort required. To do this, representatives from various departments, such as management, operations management, plant management, production management, control technology, IT management and IT service providers, must be brought together to determine which OT systems and networks should be examined. It is important to create a common understanding of which systems are to be examined. The scope should be documented and approved by the management level, such as the management and plant management, taking into account the opinions of all participants. The scoping can already be part of the contract and define a time frame. In complex and extensive environments, it may be useful to carry out additional scoping in advance. The check is carried out strictly in accordance with the guidelines of the free Cyber Security Check OT and therefore consists of the following steps:
- Placement of order
- Risk assessment
- Information review
- Preparation of on-site assessment
- On-site assessment
- Post-processing/report generation