Sat Nov 22 06:31:55 PST 2014

Management: ICS Security Management: Who should manage ICS security and where should they be placed?


Options:

Option 1: An enterprise-wide ICS security manager should be used.
Option 2: Each major business unit with substantial ICS operations should have an ICS security manager.
Option 3: Each facility should have an ICS security manager.
Option 4: Each ICS system should have a security manager.
Option 5: No ICS security manager should be in place.
Option A: The top-level ICS security manager should be at the enterprise executive level.
Option B: The top-level ICS security manager should be one level below the top-level enterprise security executive.
Option C: An ICS security manager should work one level below the top-level operations manager for the relevant ICS systems.
Option D: An ICS security manager should be a member of the overall ICS design and operations team.

Decision:

IF Risks are Low, THEN No ICS security manager should be in place.
OTHERWISE


Basis:

An enterprise-wide ICS security manager should be used:
An enterprise-wide ICS security manager has executive-level control over all ICS security decisions. This includes all facets of information protection as they apply to ICS systems. This is rarely the case in large enterprises, and when it is, the ICS security manager typically works for another high-level executive at the enterprise level and has responsibility across business units which typically have their own ICS security expertise that is coordinated by the enterprise-wide executive. This should not normally be the CISO or other equivalent function, since ICS is highly specialized and requires special knowledge and attention that is usually not available to the CISO or equivalent, who has many other broad responsibilities.

Each major business unit with substantial ICS operations should have an ICS security manager:
This is compatible with an enterprise-wide ICS security manager, and is typically used because each business unit has different sorts of ICS systems and requirements and operates under a different management decision-making structure, in different locations, and under different requirements.

Each facility should have an ICS security manager:
As a rule of thumb, when a facility contains ICS systems with Medium or High risk levels, it is prudent to have an individual in the ICS security manager role. However, this may be a role that also involves other duties, depending on the workload of this activity at the facility.

Each ICS system should have a security manager:
In cases where ICS systems have High or Medium risk, a security manager should be identified for each ICS, even if that individual plays other roles and may hold that role for a multitude of such systems. This is required if only to have a responsible party with adequate knowledge of the specific ICS for making decisions regarding the implications of changes.

No ICS security manager should be in place:
In Low risk situations or in situations where ICS mechanisms are highly standardized, there may be no need for an ICS security manager.


The top-level ICS security manager should be at the enterprise executive level:
For large enterprises, there may be a single point of coordination of ICS security, and in smaller enterprises, there is often an individual tasked with this responsibility. To the extent that the ICS and enterprise information systems interact, the ICS security manager should be responsible for integration and protection across the boundaries. This has to be done at some level, and since enterprise architecture usually exists at this level, it is important that integration of these architectures is done at this level.

The top-level ICS security manager should be one level below the top-level enterprise security executive:
Some enterprises structure protection so that a CISO or equivalent function exists at the enterprise level. In those cases, when there is enterprise-wide unified ICS security management, the ICS security manager might appropriately be placed one level below that CISO or equivalent function.

An ICS security manager should work one level below the top-level operations manager for the relevant ICS systems:
This is a reasonable management structure for an ICS security manager. The operations manager has responsibilities that require the expertise of the ICS security manager, and the ICS security manager tends to make decisions that directly affect and are affected by operational issues.

An ICS security manager should be a member of the overall ICS design and operations team:
In most cases when an ICS security manager is in place, it is appropriate for them to participate in the design and operations team activities. To the extent that an ICS security architecture is in place, assuring that architecture is usually the responsibility of the ICS security manager, and thus their presence on the design team will be instrumental to proper architectural operation.

Copyright(c) Fred Cohen, 1988-2012 - All Rights Reserved