Creating a secure environment for your enterprise.
Whether the operational technology/industrial control system(s) (OT/ICS) environment is operational or in the development stage, RTI provides practical, comprehensive, and manageable cybersecurity solutions that align with the organization’s mission objectives and business processes. RTI tailors a cybersecurity program and various solutions to secure the organization’s site-specific OT/ICS environments.
Integrating a cybersecurity program for the OT/ICS environment can be challenging for an organization that does not have in-house expertise. RTI specializes in cybersecurity program integration and guides the organization in adopting the appropriate cybersecurity framework for the environment. The cybersecurity program and framework provide a solid foundation to secure the organization’s assets. In return, the organization reduces the risk of system penetration from outside attacks, man-in-the-middle attacks, insider threats, data corruption, interruption or loss, unauthorized access, and similar events that result in compromised safety, production downtime, reduced product quality, and other negative side effects of a poorly structured cybersecurity program.
RTI supports the idea of security through compliance by laying a solid foundation with a cybersecurity program, identification of business mission requirements, and adoption of a security control framework.
Organizations often start a cybersecurity program by performing a cybersecurity risk assessment of the environment. Cybersecurity risk assessments do not bring significant value to the organization when the organization has not fully implemented the components of a cybersecurity program. Basically, assessing an IT/OT/ICS system without cybersecurity program components in place is a waste of time and money. Organizations pay 5 to 6 figures for an assessment when a program does not exist or only partially exists, resulting in little or no benefit to the organization. The assessment results repeatedly end up as “There is insufficient evidence to determine compliance of the security control.” In other cases, the assessment appears complete, but the results and/or risk ratings from the assessment do not align with the organization’s enterprise risk framework and/or lines of business. Assessing an organization whose cybersecurity program does not map to a Business Impact Analysis (BIA), or lacks the required components of a cybersecurity program, results in a strain on the organization’s valuable resources.
RTI approaches the first steps of a cybersecurity program slightly differently from other companies. RTI’s first steps to building a cybersecurity program begin with a Cybersecurity Program Readiness Review (CPRR) pre-assessment. RTI asks 4 questions in the pre-assessment stage:
- Where is the organization in relation to a robust cybersecurity program?
- What are the differences between the standard recommended components of a cybersecurity program and the organization’s program? In other words, what are the gaps?
- In what order, and how, should the results of the gap analysis be applied to benefit the organization?
- How should the answers to the previous questions be implemented and monitored in a way that best supports the organization?
RTI’s method discovers the organization’s current cybersecurity program maturity level, performs a gap analysis to determine the differences against recommended cybersecurity program components, prioritizes a list of actions for implementing a program, and provides a plan for executing the cybersecurity program. The results of the CPRR guide the organization in focusing available resources on developing a cybersecurity program that increases the security of critical assets and mitigates cybersecurity risks. The report brings awareness to the organization’s executive management and provides a pathway and strategy to build a robust cybersecurity program.
RTI’s approach to building a solid cybersecurity program includes 9 essential components. In the planning stage, the organization establishes governance from the executive level, gathers cybersecurity program requirements, develops cybersecurity program policies, and creates a cybersecurity deployment plan. The implementation stage includes implementing the program policies, performing program assurance testing activities, and responding to risks in accordance with the organization’s mission and business objectives. The analysis stage includes continuously monitoring the program for lessons learned and reporting results to executive-level leadership. The final stage is adjusting the cybersecurity program to improve the program’s efficiency. RTI can assist the organization with the details of each component to build a cybersecurity program that is robust and resilient.
When an organization implements the essential components of a cybersecurity program using a top-down approach, even in existing environments, the organization will have the infrastructure and components necessary to build a healthy program. In addition, the result provides senior management with the information necessary to make informed decisions to protect the business’s critical resources and lines of business. This approach is highly successful.
RTI can assist the organization with successfully establishing the components of a cybersecurity program. RTI solutions draw from industry best practices, standards, and the experience of seasoned cybersecurity program professionals. RTI understands the tasks required to execute the essential components and proposes an approach that will decrease the cybersecurity gaps, increase security, and set the organization on a solid foundation for a SECURE and RESILIENT cybersecurity program and OT/ICS.
Where does an organization start in a maze of options, issues, questions, and potential directions when building a cybersecurity program? These are the typical questions RTI finds when entering into an engagement with a client. RTI commonly encounters the adoption of technical solutions that are unsustainable, or for which there are no plans to maximize their effectiveness and contribution to increasing the return on investment (RoI).
As a company, RTI practices a “systems of systems engineering” philosophy, meaning that one technical, administrative, or physical solution contributes to other present or future solutions. Strategic planning and implementation of a cybersecurity program helps security management personnel develop valuable metrics that benefit the organization’s mission goals and business objectives. A cybersecurity program provides the ability to focus on monitoring the security and compliance of a particular section of an organization, to quickly return business-critical processes to service, and/or to provide fail-over capabilities that prevent system downtime.
In response to the complexities of building an OT/ICS cybersecurity program, RTI developed a modular approach to assist organizations in converging the IT and OT/ICS environments. The process consists of 6 phases, each phase consisting of modules.
- Discovery – consists of tasks to determine the cybersecurity state of the environment.
- Cybersecurity Program – consists of tasks related to building a cybersecurity program (e.g. writing policies, safeguard selection, risk management framework selection).
- Network Design – consists of designing a network that integrates with the current network as much as possible, or designing a new network that provides layered security to protect the environment.
- Implementation and Cutover Plan – consists of items needed to get the system up and running (e.g. bill of materials, pre-deployment tabletop exercises, and an implementation plan).
- Acceptance Testing – includes penetration testing and cybersecurity vulnerability testing.
- Continuous Improvement and Monitoring – includes incident response capabilities, penetration testing, and ongoing support activities to sustain the production and security requirements of the environment.
RTI realizes that building a new architecture or integrating into an existing design is a costly investment that requires a substantial time commitment. That is the reason RTI developed the modular approach: organizations can plan a solution that controls the costs and time to fit the specific needs of the organization.
Organizations often think compliance means security. However, that is far from the case. An organization may meet the compliance requirements driven by government, regulators, laws, standards, or internal policies, but still have weaknesses in its cybersecurity defenses. For example, an organization may be compliant while still having undiscovered and/or unmitigated vulnerabilities, leaving the organization with a false sense of security. In addition, some organizations relax their efforts to increase information security assurance on critical assets because they focus on meeting compliance requirements rather than adopting standards that align with the organization’s mission goals and business objectives.
The organization needs a cybersecurity risk strategy that includes a business impact analysis (BIA), a consideration of risk, and the selection of security safeguards. The BIA helps identify and prioritize the critical information, assets, and services. In addition, the BIA helps determine the risk appetite and return-to-service thresholds for the organization. The risk-based consideration of protecting the confidentiality, integrity, and availability (CIA) of the organization’s information helps determine whether the information is categorized as critical, high, medium, or low. The risk-based CIA determination drives the appropriate selection of safeguards and the tailoring of the security controls. The cybersecurity risk strategy is the first step in developing a bespoke cybersecurity program for the organization.
Whether the organization has cybersecurity compliance requirements driven by government, regulators, laws, standards, and/or internal policies, RTI can assist the organization in meeting compliance requirements and securing the environment. It all starts with a cybersecurity strategy to build a solid cybersecurity program driven from the organization’s executive level. A good program focuses on risk and on safeguards that maintain critical services, instead of deploying unnecessary security controls for the sake of compliance. It is important that the organization understands what it is trying to protect and focuses its resources on protecting the critical mission and business processes.