There is no question that companies need a cybersecurity program, but developing a comprehensive plan is difficult and executing the plan can be challenging. Fortunately, there is guidance available that provides the necessary clarity and outlines the requirements for offshore cybersecurity.

The ABS CyberSafety team has developed a way for companies to self-identify operational readiness. The team offers qualified and experienced advice that delivers clarity in determining the cybersecurity capability level of a cybersafety program, and offers input for streamlining the tasks required to stand up an operational technology (OT) cybersecurity program.

The foundation of this approach is the OT cybersecurity readiness profile, created using established sets of criteria to determine which of four groups an organization falls into:

1. IT and OT cybersecurity-capable;
2. IT cyber-aware and OT cyber-capable;
3. IT cyber-capable and OT cyber-aware; and
4. IT and OT cybersecurity-aware.

Many clients need some level of upfront cybersecurity engineering support to prepare for a cyber-risk assessment. Companies that fall into groups 1 and 2 need less OT cybersecurity preparatory support. Companies in groups 3 and 4 need more. In some cases, that assistance means helping organize the critical engineering documentation needed to allow for an efficient review of the three fundamental elements of cybersecurity.

The primary elements considered are:

• Control functions supporting asset handling and production activities;
• Cyber connections to and from those functions; and
• Identities of all machines and humans accessing those cyber connections.

Few industries in which control software is a critical element fully architect or capture their cybersystems in a rigorous engineering format. Before initiating a cybersecurity program, it is important to help companies understand, aggregate and organize control functions into design documents. Navigating this step successfully—whether it is being taken for a new program or to enhance an emerging program—is best accomplished through a structured process.

Using this process, information can be assembled for use in documenting an OT cyber policy and procedures that are tailored to a company’s specific needs and that fit with the company culture.

Most companies want help to quickly and clearly identify control functions that present a cyber-risk so the risks can be inventoried and addressed. At this stage, seven pertinent business attributes and seven cybersecurity documentation attributes are defined (which will be explained in detail in an OTC technical presentation on May 3). The goal of the assessment activity is to understand these attributes so a company can map out a cybersecurity program in a way that allows the program to focus on critical needs and make the best use of the security budget.

Successful execution of the inventory is an essential first step in achieving awareness of the current cybersecurity situation or profile, and in determining what needs to be done to earn an ABS CyberSafety notation. Real-world execution in the offshore sector has already proven that this approach can be carried out successfully.

An offshore company was a first adopter and is working with ABS to validate the ease and accuracy of its quick-start cybersystem inventory technique. Using the results of implementation with this “Group 1” company, ABS is refining its inventory technique for thoroughness, effectiveness and ease of use as a self-assessment tool. Companies that classify themselves in groups 3 and 4 will probably require more engineering support in performing the OT systems inventory.

This initial success is good news for the offshore industry because it proves that practical solutions are available.

There is an enormous amount of material in the public domain about cybersecurity, which can be overwhelming for a company that is trying to understand its risk level and determine how risk can be mitigated. The cybersecurity readiness profile assessment allows companies to block out the noise and focus on solutions.