Getting started with ICS and OT security metrics can be hard. What do you measure? How do you represent it? Do you even have the data? In this podcast, we talk with Erin Torruella, who shares her experience building and managing metrics across multiple sectors. She provides great advice on where to start and how to get the effort going in the right direction.
ChatGPT response was…
Operational Technology (OT) and Industrial Control Systems (ICS) are crucial components of critical infrastructure, and their security is essential for ensuring the safety, reliability, and availability of essential services. To measure the success or failure of an OT/ICS security program, several metrics can be considered, such as:
1. Vulnerability Management Metrics: This metric measures the number of vulnerabilities identified, the number of vulnerabilities remediated, and the time it takes to remediate the vulnerabilities.
2. Incident Response Metrics: This metric measures the effectiveness of the incident response process. It includes the time it takes to detect, contain, and resolve an incident, as well as the number and severity of incidents.
3. Compliance Metrics: This metric measures compliance with relevant security standards, regulations, and policies. It includes the number of audits conducted, the number of non-compliances identified, and the time it takes to remediate non-compliances.
4. Risk Management Metrics: This metric measures the effectiveness of the risk management program. It includes the number and severity of risks identified, the number of risks mitigated, and the time it takes to mitigate the risks.
5. Awareness Metrics: This metric measures the effectiveness of the security awareness program. It includes the number of training sessions conducted, the number of employees trained, and the level of understanding demonstrated by employees.
6. Asset Management Metrics: This metric measures the effectiveness of the asset management program. It includes the number and types of assets identified, the level of asset classification, and the accuracy of the asset inventory.
7. Performance Metrics: This metric measures the performance of the OT/ICS infrastructure. It includes uptime, availability, and response time.
Thanks for listening!
Show links:
Erin Torruella...
LinkedIn - https://www.linkedin.com/in/erin-torruella/
Twitter - https://twitter.com/LadySqrrl
Mastodon - https://infosec.exchange/@ladysqrrl
JD Christopher SANS talk on ICS Security Metrics - https://www.youtube.com/watch?v=gIsLP_Dtv7M
JD Christopher SANS blog post on ICS Security Metrics - https://www.sans.org/blog/mature-ics-security-with-metrics/
S.M.A.R.T. Methodology - https://en.wikipedia.org/wiki/SMART_criteria
DHS CISA Cross-Sector Cyber Performance Goals - https://www.cisa.gov/cross-sector-cybersecurity-performance-goals