The UK Government Centre for Protection of National Infrastructure (CPNI) published a list of 20 Critical Controls for Cyber Defence in conjunction with SANS. Many in the ICS world don’t follow SANS, so this distribution may reach a broader ICS audience.
The list is simply written, easy to understand and worth a read.
My immediate question while reading the list was the prioritization of these twenty security controls. The document addresses this at the end:
“The twenty controls are a baseline of high-priority ‘technical’ information security measures and controls that can be applied across an organisation to improve its cyber defence.”
CPNI could do better on prioritization. For example, #4 (Continuous Vulnerability Assessment and Remediation) and #20 (Penetration Tests and Red Team Exercises) would be an inefficient use of resources until a significant number of the other security controls were in place.
Conversely, #5 (Malware Defences), #8 (Data Recovery Capability), #13 (Boundary Defence), and #19 (Secure Network Engineering) would rate in the highest priority.
ICS and other networks will vary, so it is hard to come up with a detailed prioritization that even most would agree on. That said, CPNI could add value to the document by at least grouping the controls into priority categories. They could also develop an ICS-specific prioritization and, in that case, factor security program maturity into the ordering.