Fill in the following table detailing alternatives for Specifying (S), Performing (P), and Verifying (V) ICS systems for Low, Medium, and High risk ICS systems following the rules here:
IF Risk is Low,
THEN The ICS security lead can specify, perform, and verify the same ICS element. (SPV)
IF Risk is Medium,
THEN The ICS security lead can specify and verify OR perform the same ICS element, but not both. (SV) OR (P)
IF Risk is High, THEN
| Area | ICS element | Low | Medium | High |
|---|---|---|---|---|
| Operations | Physical technical safeguards | . | . | . |
| Operations | Logical technical safeguards | . | . | . |
The roles of the ICS security lead are limited by requirements for separation of duties. In particular, any one individual who specifies, manages/performs, and verifies any particular activity is essentially able to subvert that activity in its entirety. For that reason, any activity that is important enough to assure should be assured with separation of duties. Indeed, as risk goes up, more separation is reasonably applied. Thus the decision is about how to separate the duties of the ICS security lead.
Specify: The ICS security lead can specify ICS protection
Specifying an activity implies the ability to bound its scope and mandate its implementation. Generally, specifications are not so complete or perfect that they are implementable as is in performance.
Perform: The ICS security lead can perform/manage ICS protection
Performing an activity implies that specific actions are taken. They are supposed to reflect the specification, but do not always precisely do so. Management implies direct control over performance.
Verify: The ICS security lead can verify ICS protection
Verifying an activity implies determining whether, and to what extent, the specification was properly performed, or the performance properly varied from the specification. Hindsight is often touted as 20/20, but then history is often rewritten by the victors.
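The Low and Medium rules above can be encoded as a separation-of-duties check: for each ICS element, the duties held by any one individual must fit entirely inside one allowed grouping (Low: SPV together; Medium: SV or P, never both). This is an added example, not code from the original exercise; the rule for High risk is not stated in the text as given, so it is deliberately left unencoded and the checker rejects that level until a caller supplies it. The sample plan, the person names and the "Network segmentation" element are constructed.

```python
# Separation-of-duties check for the S/P/V rules stated above.
# Each risk level maps to the groupings of duties one individual may hold
# together on a single ICS element; a person's duties must fit inside ONE
# allowed grouping. Low and Medium come from the stated rules. The High
# rule is not given in the text, so it is intentionally absent here.

S, P, V = "specify", "perform", "verify"

ALLOWED_GROUPINGS = {
    "low": [frozenset({S, P, V})],                   # SPV: all three together
    "medium": [frozenset({S, V}), frozenset({P})],   # (SV) OR (P), not both
}

def duties_by_person(assignment):
    """assignment: {duty: person}. Returns {person: set(duties held)}."""
    held = {}
    for duty, person in assignment.items():
        held.setdefault(person, set()).add(duty)
    return held

def sod_violations(element, risk, assignment, groupings=ALLOWED_GROUPINGS):
    """Return (element, person, duties) tuples that break the rule for this
    risk level. Raises KeyError when no rule is defined for the level."""
    if risk not in groupings:
        raise KeyError(f"no separation rule defined for risk level {risk!r}")
    violations = []
    for person, duties in duties_by_person(assignment).items():
        if not any(duties <= grouping for grouping in groupings[risk]):
            violations.append((element, person, frozenset(duties)))
    return violations

def check_plan(plan, groupings=ALLOWED_GROUPINGS):
    """plan: list of (element, risk, {duty: person}). Returns all violations."""
    found = []
    for element, risk, assignment in plan:
        found.extend(sod_violations(element, risk, assignment, groupings))
    return found

# Constructed sample plan (not from the page); "lead" is the ICS security lead.
SAMPLE_PLAN = [
    ("Physical technical safeguards", "low",
     {S: "lead", P: "lead", V: "lead"}),             # SPV by one person: allowed
    ("Logical technical safeguards", "medium",
     {S: "lead", V: "lead", P: "ops-engineer"}),     # (SV) + separate P: allowed
    ("Network segmentation", "medium",
     {S: "lead", P: "lead", V: "auditor"}),          # lead holds S and P: violation
]

if __name__ == "__main__":
    for element, person, duties in check_plan(SAMPLE_PLAN):
        print(f"VIOLATION: {person} holds {sorted(duties)} on {element!r}")
```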