Modeling Maturity for Cyber Security
October 28, 2021 | Robert Bergman
Organizations interested in cyber security don’t always know where to start. The Federal Government, ARC Advisory Group and McKinsey & Company have each developed maturity models intended to help organizations organize their assets and resources around cyber security.
The Department of Energy Maturity Model: Comprehensive and flexible modeling
The Department of Energy (DOE) maturity model, the Cybersecurity Capability Maturity Model (C2M2), presents a structured method of ranking an organization’s capability and progression in cyber security. It synthesizes similar models from its government peers, including the Department of Homeland Security (DHS), the Federal Energy Regulatory Commission (FERC), the National Institute of Standards and Technology (NIST), the National Cybersecurity Center of Excellence (NCCoE), and the Energy Sector Government Coordinating Council (EGCC). Its objective is a benchmark against which organizations can quantify their current practices, processes and methods and set priorities for improvement. The DOE hopes that each company’s assessment results will be anonymized and shared so that others can benchmark their own performance.
The DOE model evaluates cyber security based on the presence of 334 practices, which it organizes into the following cyber security domains:
- Asset, change, and configuration management
- Threat and vulnerability management
- Risk management
- Identity and access management
- Situational awareness
- Event and incident response, continuity of operations
- Third-party risk management
- Workforce management
- Cyber security architecture
- Cyber security program management
To arrive at an organization’s ranking, the model decomposes each domain into objectives, each backed by targeted practices. The breakout for the asset, change, and configuration management domain, for example, rates the organization on its ability to manage the following:
- IT and OT Asset Inventory
- Information Asset Inventory
- Asset Configuration
- Changes to Assets
- Management of Activities
For each domain, the model assigns a maturity indicator level (MIL) from MIL0 to MIL3. MIL0 means the domain’s practices are not being performed at all; MIL3 means the organization has a documented cyber security policy for the domain that is executed by skilled personnel with clearly assigned roles and responsibilities, adequately resourced, and with its effectiveness tracked and evaluated.
Full details on each domain and its practices are in the DOE’s C2M2 documentation. The DOE model calls out practices for specific asset types. IT and OT assets, for example, include “both hardware and software, such as traditional and emerging enterprise IT assets and any industrial control system (ICS) devices, process control system devices and components, safety instrumented systems, Internet of things (IoT) devices, industrial Internet of things (IIoT) devices, supervisory control and data acquisition (SCADA) system devices and components, network and communications assets, and assets residing in the cloud.”
And while the DOE doesn’t use the term “device hardening” in the guidelines, the model does address the concept in the context of a cyber security architecture, which provides guidance on how security can be “engineered in a way that transcends point solutions for individual assets such as identity management or access control,” and on implementing cryptographic controls and the management infrastructure for key generation, storage, destruction, update, and revocation.
Earning a given MIL in any domain requires demonstrating performance of all practices at that level as well as at every preceding level; a single unperformed practice at a lower level caps the domain at the level below it, no matter what is done above. The DOE has built some flexibility into the model, recognizing that organizations have different objectives and risk levels and that simply striving for the highest level in every domain may not give an accurate picture of an organization’s cyber maturity. Instead, it suggests that organizations set target levels based on risk.
As such, unlike the similar model that the Department of Defense is rolling out to certify defense contractors to do business with the Federal government (the Cybersecurity Maturity Model Certification, CMMC), the DOE guidance is not part of any regulatory framework. It does, however, anticipate that entities subject to compliance requirements might use the model to help meet other agencies’ mandates.
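The cumulative MIL rule and the risk-based target described above are easy to get wrong in a spreadsheet, so here is a small scorer for them. This is an added example written for this post; it is not part of the DOE model or its tooling. The practice identifiers (INV-1 to INV-6), their wording and the sample self-assessment are constructed for illustration and are not quoted from the C2M2, and each practice is treated simply as performed or not performed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Practice:
    """One practice within a domain objective (identifiers and wording are constructed)."""
    id: str
    mil: int   # level at which the practice must be performed: 1, 2 or 3
    text: str


MAX_MIL = 3

# Constructed, abbreviated practice set for an asset-inventory objective.
# The wording is illustrative only and is not taken from the DOE model.
ASSET_INVENTORY_PRACTICES = [
    Practice("INV-1", 1, "important IT and OT assets are inventoried, at least in an ad hoc manner"),
    Practice("INV-2", 1, "inventory attributes such as owner and location are recorded, at least ad hoc"),
    Practice("INV-3", 2, "the inventory is updated on a defined schedule"),
    Practice("INV-4", 2, "inventoried assets are prioritized by importance to the function"),
    Practice("INV-5", 3, "the inventory covers every asset that delivers the function"),
    Practice("INV-6", 3, "inventory updates are driven by the change-management process"),
]

# Constructed self-assessment: every practice is performed except one MIL2 practice.
SAMPLE_RESULTS = {
    "INV-1": True,
    "INV-2": True,
    "INV-3": True,
    "INV-4": False,
    "INV-5": True,
    "INV-6": True,
}


def domain_mil(practices, results):
    """Return the MIL achieved: the highest level L such that every practice at
    levels 1..L is performed. A missing practice at level k caps the result at
    k-1 regardless of what is done at higher levels (the cumulative rule)."""
    achieved = 0
    for level in range(1, MAX_MIL + 1):
        at_level = [p for p in practices if p.mil == level]
        if all(results.get(p.id, False) for p in at_level):
            achieved = level
        else:
            break
    return achieved


def gaps_to(practices, results, target_mil):
    """Practice ids that must still be performed for the domain to reach
    target_mil. The target is chosen per domain based on risk, so it need not
    be MAX_MIL; practices above the target are ignored."""
    return [p.id for p in practices
            if p.mil <= target_mil and not results.get(p.id, False)]


if __name__ == "__main__":
    mil = domain_mil(ASSET_INVENTORY_PRACTICES, SAMPLE_RESULTS)
    print(f"achieved MIL{mil}")
    target = 2  # hypothetical risk-based target for this domain
    for pid in gaps_to(ASSET_INVENTORY_PRACTICES, SAMPLE_RESULTS, target):
        print(f"to reach MIL{target}: perform {pid}")
```

In the constructed sample, both MIL3 practices are performed but one MIL2 practice is not, so the domain scores MIL1, not MIL2 or MIL3; closing the single INV-4 gap is what moves the score, which is the kind of prioritization the cumulative rule is meant to force.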
The ARC Advisory Group Cybersecurity Maturity Model: Balancing cost and protection
ARC Advisory Group has developed a maturity model that maps somewhat to the DOE model but places greater emphasis on aligning people, processes and technology investments. It extends the NIST Cybersecurity Framework with recommendations that serve as an investment roadmap.
The model “structures industrial/OT cybersecurity as a sequence of steps that organizations should take to build a cybersecurity program that meets their risk management goals. The model’s incremental nature enables managers to balance program costs with their company’s respective tolerance for risk,” writes ARC Analyst Sid Snitkin.
The lowest level consists of what ARC calls baseline security practices: physical security, asset inventory, device hardening and patch management. The next level adds network defenses such as firewalls, anti-malware and access control, and the level above that adds practices intended to contain an intrusion, including zones, ICS device firewalls and whitelisting. ARC refers to these first three levels as passive defense measures, which aim to protect systems against conventional attackers.
At the higher levels are practices such as security information and event management (SIEM) and, above that, practices to anticipate attacks, such as anomaly and breach detection and threat intelligence. In this model these deliver the highest level of protection, at the highest cost.
“The additional costs for advanced security may be justifiable for large and critical control systems. But for most small systems, the basic defenses described in the first three steps of ARC’s model are often considered sufficient to reduce local safety and operational risks as well as the risks of an attacker using the system as a launchpad for attacks on more critical systems. Focusing cyber investments on these layers can also minimize or eliminate the need for costly cybersecurity resources,” writes Snitkin.
While attention to the first three levels, device hardening in particular, may indeed be the most cost-efficient approach for smaller companies and lower-risk assets, we would take issue with placing device hardening in the lowest tier of protection. We believe that automation systems that are cyber secure by design offer far better protection than seemingly more “advanced” treatments.
The McKinsey & Company cyber security model: Elevating the importance of security by design
In 2021, McKinsey & Company assessed the cyber security maturity of more than 100 companies across multiple industries. Some industries, such as banking and healthcare, were found to be making “fair” progress, but most companies have much work to do to protect their information assets against threats and attacks that are growing swiftly in number and severity.
Like the DOE and ARC models, the McKinsey model is intended to help companies understand their cyber security maturity by evaluating capabilities, technology and risk management. In its risk-based approach, companies manage and measure security and privacy controls within an enterprise-risk framework, set risk-appetite thresholds and include all stakeholders in the cyber security operating model.
Also, like DOE and ARC, the McKinsey model calls out an advanced level of proactive cyber security that “transforms processes and adopts next-generation technologies.” But, unlike the other models, McKinsey includes “security by design” at this highest level of cyber security protection.
Does maturity modeling matter?
The DOE, ARC and McKinsey models are but three of many approaches to cyber security maturity modeling, and a spate of products to assess and certify maturity is emerging alongside them. In its 2021 Hype Cycle for Cyber and IT Risk Management, Gartner rates cyber security maturity modeling as an “important technology, that could also deliver benefit within the next two years.” But in the same analysis, Gartner predicts that cyber maturity modeling will likely “become obsolete quickly and replaced by something else” before it reaches its plateau of widespread acceptance. What that “something else” is, no one can say right now, but our money is on the proliferation of secure by design.
For a model that will help rank maturity along the secure by design dimensions, see the Bedrock white paper: Chapter Four: Securing ICS.