In our last few newsletters we have explored several cybersecurity topics which make the case that in operational technology environments, traditional malware detection-based cybersecurity methods are not enough. Effective cybersecurity is not achieved through detection after the fact – it’s achieved through preventing the threat in the first place. This is done by identifying potential threat sources through threat profiling and protecting the access points with organizational behavior-based methods. Therefore, with offshore vessels, cybersecurity programs that rely solely on detection-based methods should be avoided, and organizational behavior-based cybersecurity programs are preferred.
However, evaluating the capability of an organizational behavior-based cybersecurity program can be difficult and time-consuming. We need to determine if the organization behaves in a way that ensures unknown threats have the lowest possible potential of being introduced to the system, finding a target, and triggering to do damage. In many cases, such as marine underwriting, vessel selection, or condition survey applications, there is not enough time to execute a comprehensive facilitated evaluation of organizational cybersecurity behavior.
What is required is a behavior-based evaluation method that can –
- quickly give you information that you can use to help you determine if a vessel has the capabilities necessary to establish a minimally acceptable level of cybersecurity, and
- be scaled up for more comprehensive evaluations when possible or necessary.
The answer lies with organizational maturity models. Maturity model analysis is a proven method for evaluating organizational capability and behavior. Maturity models provide several important benefits, including –
- They can be tailored to the exact intended use – for example, the US Dept of Energy has provided a maturity model specific to cybersecurity in the oil and gas segment (DoE ONG C2M2).
- They can be configured to match the exact needs of a specific application by modifying the priority of each practice in the model. This allows you to determine which of the organizational behaviors is most important and adjust the model to give you the feedback you need.
- They are scalable, which means you can tailor the scope of the evaluation to the specific situation. For example, you can do a quick high-level self-evaluation of an asset’s short-term capability, or a facilitated comprehensive deep dive into the asset’s long-term capability.
Athens Group Services’ scalable approach to cybersecurity program evaluation uses organizational maturity models. The maturity model we use is unique in that it combines the NIST Framework for cybersecurity, the DoE Cybersecurity Capability Maturity Model (C2M2), and the Athens Group Services software systems quality maturity model into a single comprehensive measure of both the cyber technology system and cybersecurity maturity.
Athens Group Services’ approach is scalable in that it provides both a quick high-level self-evaluation of an asset’s short-term cybersecurity capability, as well as comprehensive facilitated evaluations that allow you to design, evaluate and improve cybersecurity programs.
The Athens Group Services Cyber Maturity Self-Check© is an online analysis that allows you to evaluate 47 of the 312 DoE C2M2 practices which Athens Group Services has identified as the most critical for a minimally acceptable cybersecurity capability. The results provide information that you can use to help determine if a vessel has the capabilities necessary to establish a minimally acceptable level of cybersecurity. Look for more information about Athens Group Services’ Cyber Maturity Self-Check in our next newsletter.
As operational technology systems become increasingly automated and connected to distributed cloud networks, we are uniquely qualified to understand how cyber technology verification and assurance must be improved to protect against evolving cyber threats. Contact us for more information about how we can help your organization protect itself in an increasingly risky environment.
To see the latest Athens Group Services developments, please follow us on LinkedIn and Twitter.