Check Yourself Before You Assess Yourself
7 Questions to Achieve Awareness of the Security Posture of Your Environment
After working as a consultant for several years, I sometimes think back to my days as a SCADA security analyst for an oil and gas company. If I knew then what I know now, how would I have done things differently? If I were responsible for keeping an oil and gas company’s assets, processes, and people safe from cyber threats, how would I go about doing that? Where would I even start? And, if I were to hire someone to perform an assessment, what type of assessment would best serve me right now?
Typically, one would call in a third party to help set a baseline and deliver a report detailing the current gaps in your defenses. That strategy is effective, but it is far less effective, and less efficient, if you do not already know your own environment.
So how do you start the baselining process, so that when a third party comes in to perform an assessment, you already know where you are strong and where your defenses need improvement? What are the top questions you should ask to gain a solid understanding of the environment you are responsible for protecting? And what documentation supports the answers to those questions?
Pulling from best practices and my experience successfully implementing this for clients, here are seven critical questions, with examples of the documentation that supports each, to help you build an educated baseline assessment:
Going through a continuous internal process of asking questions and updating documentation to understand your environment might not be fun, but it is essential to being a good security professional at any business, small or large. Things change regularly, especially within the operations of the oil and gas industry. One year a company can be focused on transporting natural gas by pipeline, and the next year it may have sold most of those assets and be focused on refining. The strategies for securing and monitoring a geographically dispersed pipeline will likely not be optimal for securing a self-contained refining facility.
Constantly asking questions to understand changes in your environment, both large and small, lets you confirm that your near- and long-term cyber security investments are still effective and relevant. From an assessment standpoint, it lets you focus assessment effort on known weaknesses rather than on cyber security in general (although periodic reviews of your overall cyber security posture are good practice as well). It also makes third-party experts more efficient, potentially saving you time and money: they can concentrate on formulating actionable strategies for your biggest risks instead of investigating the basics of your cyber security posture.
About the Author
Andrew Tillotson is a cyber security professional within Revolutionary Security's Industrial Control Systems (ICS) practice. He has over seven years' experience working with and securing SCADA, DCS, PCN, and other Operational Technology (OT) environments, both as a front-line user/practitioner and as a consultant.