Warning: This is the most difficult task in this book for most people.

OT cyber incidents and their consequences are lagging indicators. The bad event that caused the impact has already happened. While it is important to capture and present the information you gathered in Week 4, it's not enough. We should also identify and track leading indicators: indicators that are predictive of the likelihood of future OT cyber incidents with a growing or unacceptable impact.

There are three main categories for these leading indicators. Your task this week is to create and track at least one leading indicator in each category.

Security Posture Indicator

If your security posture is strong, especially on security controls that impact OT cyber incidents, then it will be harder for an adversary to compromise OT and impact Operations. Identify and track a security posture indicator, such as the time to apply security patches for vulnerabilities with a CVSS score above 8 on Priority category OT cyber assets.

Network Activity Indicator

If your OT security is under a growing attack, it is more likely to fail. Create and track a network activity indicator. For instance, you could track the number of rejected connection attempts on an OT remote access device or rejected packets on ICS protocol ports at the OT electronic security perimeter (the number of adversaries knocking on the door).
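An added example (not from the original text) of the rejected-packet indicator described above: it counts denied packets on ICS protocol ports per week from firewall log lines and flags weeks that jump against the running average. The log format, the sample lines, and the 1.5x threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Well-known ICS protocol ports watched at the OT electronic security perimeter
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Assumed log format: "<ISO timestamp> <ACTION> src=<ip> dst=<ip> dport=<n>"
LINE_RE = re.compile(r"^(\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")

# Constructed sample log (documentation IP ranges), not real traffic
SAMPLE_LOG = """\
2024-03-04T02:11:09 DENY src=203.0.113.7 dst=10.10.1.5 dport=502
2024-03-05T14:40:51 ALLOW src=10.20.0.8 dst=10.10.1.5 dport=502
2024-03-06T09:02:33 DENY src=198.51.100.23 dst=10.10.1.9 dport=443
2024-03-12T03:15:00 DENY src=203.0.113.7 dst=10.10.1.5 dport=502
2024-03-13T03:15:02 DENY src=203.0.113.7 dst=10.10.1.6 dport=20000
2024-03-14T22:48:17 DENY src=192.0.2.44 dst=10.10.1.5 dport=44818
malformed line that the parser must skip
2024-03-19T01:00:00 DENY src=192.0.2.44 dst=10.10.1.5 dport=102
2024-03-20T01:00:05 DENY src=192.0.2.44 dst=10.10.1.5 dport=502
2024-03-21T01:00:09 DENY src=203.0.113.7 dst=10.10.1.6 dport=20000
2024-03-22T01:00:11 DENY src=198.51.100.23 dst=10.10.1.6 dport=502
"""

def weekly_rejects(log_text):
    """Count DENY events on ICS ports per ISO week, keyed like '2024-W10'."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, action, _src, _dst, dport = m.groups()
        if action != "DENY" or int(dport) not in ICS_PORTS:
            continue  # allowed traffic and non-ICS ports are not part of this indicator
        year, week, _ = datetime.fromisoformat(ts).isocalendar()
        counts[f"{year}-W{week:02d}"] += 1
    return dict(sorted(counts.items()))

def rising_weeks(weekly, factor=1.5):
    """Return weeks whose count is at least `factor` times the mean of all prior weeks."""
    flagged, history = [], []
    for week, n in weekly.items():
        if history and n >= factor * (sum(history) / len(history)):
            flagged.append(week)
        history.append(n)
    return flagged

print(weekly_rejects(SAMPLE_LOG), rising_weeks(weekly_rejects(SAMPLE_LOG)))
```

Weeks with no rejected packets do not appear in the result, so a production version should fill them in as zero before comparing against the baseline.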

Sector, Country, or Threat Indicator

If you are seeing your peers subject to increased attacks, near misses, and compromises, then it is reasonable to assume the threat to your company has increased as well. Identify a trusted third party that gathers and makes this information available. This could be your sector's ISAC, your government, or a threat intel company. Be careful not to select a source that has an interest in promoting the idea that the threat is high.


Security Posture Indicator:

Network Activity Indicator:

Threat Indicator:

When these indicators go up, you should revisit your OT cyber risk management decisions. Review the performance of these leading indicators at least annually and try to improve them.