Towards Assessing The Maturity of OT Security Control Standards and Guidelines

Abstract—The convergence of IT and OT has presented OT environments with several challenges, such as increasing the attack surface of its real time systems to include more commonplace enterprise vulnerabilities. As OT is used across heavily regulated sectors, including water and nuclear, many standards and guidelines are available to these sectors, providing them with assistance towards continued improvements from a cyber security perspective. However, these standards and guidelines are not always as mature as their IT counterparts. This paper proposes a model to benchmark the maturity of OT-focused standards and guidelines, which we then use to analyse seven commonly adopted resources. Based on this analysis, we find that these OT standards and guidelines do not always provide in-depth implementation guidance, and often refer instead to IT standards and guidelines for more information. Improvements are urgently needed in security and risk mitigation for interconnected OT and IT systems, as security controls in OT are typically re-appropriated IT controls. To help achieve this goal, OT standards must mature further.

Index Terms—Standards & Guidelines, Operational Technology, Industrial Control Systems, Security Controls

This work is funded, in part, through the NG-CDI Prosperity Partnership funded by UK’s EPSRC and British Telecom plc (EP/R004935/1).

I. INTRODUCTION

Over the past decade, the integration of Information Technology (IT) within Operational Technology (OT) environments has led to a noticeable increase in process optimisation and efficiency within industrial environments, including sectors that form part of a country’s Critical National Infrastructure (CNI) [1]. While, historically, IT and OT were segregated as described by the Purdue Model [2], an increasing volume of standardised technology (including IT software and hardware) is being integrated into OT systems that operate within the Manufacturing and Cell/Area Zones. Despite the benefits that this technological integration provides, it has also led to an increased attack surface for threat actors to target [3], [4], resulting in several notable cyber attacks specifically aimed at industrial environments, including CNI facilities [5], [6].

In response, standards bodies and government organisations have provided support in the form of standards and guidelines, designed for use by asset owners to assess and improve the cyber security of their environments [7], [8]. Of particular note is guidance provided for the implementation of relevant security controls. These are defined by the National Institute of Standards and Technology (NIST) as “safeguards or countermeasures prescribed for an organization designed to meet a set of defined security requirements” [9]. The implementation of these controls within OT environments has recently seen a shift [10], with 37.7% of organisations in 2022 stating that OT asset owners or operators and engineering managers are responsible for this task; this is a significant increase from the previous year, when this responsibility was more likely to be assigned to IT managers. This survey also highlights the misconception that IT security practices, including security controls, can be directly applied to OT environments, which may not always be the case. However, the 2021 SANS survey [11] also claimed that despite significant progress in recent years, industrial organisations are yet to fully adapt to the changes brought by the integration of IT and OT, especially concerning the implementation of security controls informed by standards and guidelines.

Mature standards provide comprehensive security controls, clear guidance, consistency, continuous improvement, enhanced credibility, and regulatory compliance, ultimately offering a robust framework for effectively safeguarding systems and data against various threats. While IT-based standards such as ISO/IEC 27001 are widely adopted in practice due to their maturity, the plethora of standards and guidelines that have recently been published for OT, including sector-specific guidance, makes it difficult for OT asset owners to know which route to take when it comes to the selection and implementation of security controls. Therefore, this paper proposes a model towards the maturity evaluation of OT-focused security control-related standards and guidelines. In turn, OT asset owners can use this model’s process to aid them in the selection of standards and guidelines most suited to their needs.

The core contributions of this paper are:
• The proposal of a model based on existing IT standards, towards the maturity evaluation of security control-related guidance provided by OT-specific standards and guidelines.
• An example usage of the proposed methodology on seven commonly adopted OT standards.

The remainder of this paper is structured as follows. Section II describes related work. Section III describes a method for developing the proposed maturity evaluation model. Section IV presents example usage of the proposed model through its application to seven OT standards and guidelines. Section V concludes the paper and explores areas for future work.

II. RELATED WORK

Several recent works have discussed the maturity of OT standards and guidelines. For example, Francia et al. [12] provide a survey on security best practices and risk assessment for OT, and develop a new framework (CORAS). Using the CORAS framework, the authors propose a model-based risk assessment methodology enabled by these standards and guidelines. However, it is noted that although some OT-specific standards are closely aligned to IT-specific standards, there are discrepancies between them. For example, while the security controls detailed in NIST SP 800-53 [13] closely align with those in NERC CIP [14], the “business risk reduction” needs to be met differently due to NIST SP 800-53 solely focusing on information security controls.

Gentile et al. [15] provide a survey of standards and best practices for patch management within particle accelerators. In this work, the authors conclude that while the reviewed standards share some principles, certain concepts present challenges when merging these into a single reference standard, highlighting differences in maturity between these. As a result, a workflow for patch management is proposed.

Kulik et al. [16] propose an approach for formally verifying compliance with OT security standards. In this work, the authors note that standards are commonly validated only through model checking, and they demonstrate that formal verification can be used to implement security controls from these standards.

Wagner et al. [17] discuss the applicability of OT standards within Small and Medium-sized Enterprises (SMEs) compared to large enterprises. Results from this conclude that SMEs have a higher barrier to entry when adopting OT standards. In particular, IEC 62443 [18] is considered too complex for SMEs to implement effectively. However, while VDI/VDE 2182 [19] is better suited for smaller enterprises, it only addresses risk management.

Knowles et al. [20] provide a survey on cyber security management for industrial control systems. In this work, the authors note that despite being extensively used in OT environments, IT standards and guidelines present several limitations as they are tailored towards information security, and consequently cannot be applied comprehensively within OT environments. Additionally, many existing OT standards provide guidance at a high level, and therefore further technical guidance is also required. These publications are also highly inconsistent in the quality of the guidance provided, including a typical lack of quantifiable metrics.

Previous work also highlighted the inconsistencies of OT-focused standards and guidelines when assessing and improving cyber incident response and recovery [21]. While some standards were found to have sufficient maturity regarding their use in practice, the inconsistencies that were identified could result in a less than complete picture when selecting specific standards over others.

While existing work discusses the limitations concerning OT standards and guidelines, the primary focus is on specific controls or topics within these standards, such as patch management, risk management, or response and recovery. An emphasis is also made on comparing OT standards with each other rather than assessing their maturity. The following section, therefore, proposes a methodology for assessing the maturity of security control focused standards and guidelines.

III. MODEL PROPOSAL

A. Method

Security controls are discussed here across a variety of literature, including industry-led standards and guidelines, training materials, and academic works. Controls are implemented to provide safeguards or countermeasures against the realisation of security risks to assets, where assets are defined as any organisational resource (data, systems, humans, etc.) [22].

To help us develop the proposed model for benchmarking security controls within OT standards and guidelines, ISO/IEC 27001 [23], ISO/IEC 27002 [24], and NIST SP 800-53 [13] have been selected for review due to their prevalence within the IT space, providing a view of what “good” looks like. ISO/IEC 27001, which also references its sister standards 27000 and 27002, has been selected due to its common use across a range of organisations, both in terms of size and service offering; the latter may include additional legal and regulatory factors. ISO/IEC 27001 is said to be designed in such a way as to allow flexibility, and therefore it is adopted globally and has been considered the “common language” for information security for over a decade [25], [26]. NIST 800-53 has also been selected because it targets United States Federal information systems and organisations. Kurii et al. explain how the use of NIST SP 800-53 within the US Federal government has made it one of the most commonly adopted standards to this day [27].

In order to provide clear contextualisation for the discussion around security controls, an understanding of how an organisation selects and implements security controls is required. The following section discusses an organisation’s information security policy, including definitions and examples from the selected industry standards, and a brief discussion on how organisations outline key security policy requirements, i.e., the factors via which they are derived. In doing so, precise requirements can be defined for the development of a benchmark model.

B. Model Requirements

1) Security Policy: An organisation’s security requirements are typically shaped around broad strategy/objectives, regulatory requirements, threat information, legislation, etc. Embodied within the information security policy, they are designed to provide a baseline set of requirements on which further, more detailed decisions can be made around the practical selection and implementation of security controls. Taking ISO/IEC 27002 as an initial reference point [24], this standard discusses the requirements for an organisation’s information security policy. The objective of an information security policy is “To provide management direction and support for information security following business requirements and relevant laws and regulations”. This initial objective is expanded to include a more comprehensive set of requirements, such as organisational strategy, regulations, legislation, etc. ISO/IEC 27001 [23] provides complementary guidance to that of ISO/IEC 27002, covering the “requirements for information security objectives and planning to achieve them”.

Overall, the core organisational strategy/objectives and other important factors, such as regulatory requirements and legislation, should be considered in creating an organisation’s information security policy. From this security policy, specific information security objectives can be defined. Once a set of objectives has been defined, the process of security control selection and implementation can begin. To better understand what the term “security control” means, the following section includes definitions and examples from the aforementioned sources.

2) Security Control Definition: To create a baseline definition of security controls, the selected documents will provide a comprehensive view of how security controls are defined and discussed. This will lead to a more detailed discussion on categorisation and guidance and, ultimately, the development of a benchmarking model.

ISO/IEC 27001 [23] references its sister document ISO/IEC 27000 for a baseline definition of a control as a “Measure that is modifying risk. Controls include any process, policy, device, practice, or other activities which modify risk. Controls may not always exert the intended or assumed modifying effect” [28]. From this baseline definition, ISO/IEC 27001 includes details on security controls to cover a number of organisational assets, from media handling to access control. The controls are broken down into overarching categories, subcategories, one or more sub-subcategories, and a security control presented as a descriptive requirement. From the security requirement, reference is then made to ISO/IEC 27002, where a more detailed control implementation guide is available [24].

An initial definition of a security control is provided by NIST SP 800-53 as “A safeguard or countermeasure prescribed for an information system or an organisation designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.” This initial definition takes a similar approach to that of ISO/IEC 27001 [23]. A broad outline of overarching categories is defined, with one or more sub-subcategories presented as tables. Additional information around priority baselines (i.e., is the control prioritised as Low, Moderate, or High) is also provided.

3) Security Control Objectives: The selection and implementation of security controls must be based on clearly defined goals; this allows for a review of their success post-implementation. When considering a security control’s selection and implementation parameters, the term “control objectives” may be applied to outline the required outcome of the applied control(s).

ISO/IEC 27001 [23] references its sister document ISO/IEC 27000 [28] for its baseline definition of an objective as a “statement describing what is to be achieved as a result of implementing controls”. ISO/IEC 27001 then provides control objectives for each of its subcategories of controls. NIST SP 800-53 [13] does not explicitly apply the term “control objectives”, and therefore the term is not defined within the standard. However, reviewing the supplementary information that is provided, a similar approach to ISO/IEC 27001 [23] is applied.

Although the examples discussed here do not necessarily apply the term “control objective”, each describes what the control category or subcategory expects to achieve through implementation. These descriptions fall in line with how one could interpret “control objective” and, therefore, how it could be defined as such. When reviewing the applied categorisations, ISO/IEC 27001 [23] and NIST 800-53 [13] are similar in their approach.

4) Security Control Requirements: When turning to industry standards and guidelines, one must identify appropriate controls to meet set objectives derived from the organisation’s information security policy. As discussed in Section III-B3, this has been achieved in slightly different ways. However, once a relevant control category has been selected, how is the control requirement defined, and is this sufficient for further development towards practical selection and implementation?

For example, in ISO/IEC 27001 [23], control “I.D A.9.4.3” is defined as “Password management systems shall be interactive and shall ensure a quality password”. While this requirement is clearly defined, the term “quality password” is open to broad interpretation. For further clarification on the practical implementation of this control and to reduce some level of ambiguity and individual interpretation, one must turn to ISO/IEC 27002 [28] and its parallel implementation guidance. This parallel guidance presents nine key requirements of A.9.4.3 and an additional paragraph on other information.

To provide another example, NIST SP 800-53’s [13] control “IA-2(1)” is defined as “The information system implements multi-factor authentication for network access to privileged accounts”. As with ISO/IEC 27001 [23], the described requirement is open to interpretation. However, unlike ISO/IEC 27001, no implementation guidance is directly available for this control. Instead, a high level of detail is provided around the parent category (IA-2) and an additional related control category (AC-6). Upon inspection of the related control category, a detailed description of the category is provided, with several sub-categories providing more granular levels of detail.

Through these examples, it is clear that the level of detail provided within the control requirements is ample for further exploration into practical control implementation. However, adding implementation guidance and related controls helps reduce any ambiguity and focuses attention towards more suitable practical implementation. Where lower-level categorisation is absent, more detailed requirements are essential due to the broader scoping nature of the control category.

5) Security Control Classification: Security controls and their associated objects (discussed in Section III-B6) broadly fall into one of two categories: Social or Technical. Technical control relates to the use of technology to control system or human actions. An example could be to control data flows through a network using access control lists or network segregation. In comparison, Social control relates to any control impacting human interaction. An example could be restricting access to data outside of an individual’s role through user access policies.

6) Security Objects: A term not often used to describe elements of cyber security is “Security Object”. NIST [29], for example, describes a computer security object as “Information objects that convey information used to maintain the security of resources in a computerised environment”. This definition is close to that of the one adopted within the proposed model, in that security objects convey information used to maintain the security of resources. However, for further clarity and additional scope, the applied definition is described as “Any device, document, or agreement harbouring a set of security controls used to maintain the security of an organisational asset, be it computerised or otherwise”.

While the selected standards do not provide explicit examples of security objects, an example can be taken from ISO/IEC 27001 [23]. The implementation description concerning control “A.12.3.1” states: “Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy”. From this description, it is possible to hypothetically specify two security objects: the software applied to backup copies of information, software, and system images, and the documentation outlining the backup policy. Essentially, the security controls residing within these two objects are the backup software and supporting document’s content. These have been embodied within the two security objects (backup software and documentation).

C. The Model

Using the method discussed in Section III-A and the requirements defined in Section III-B, the proposed model, depicted in Figure 1, displays the flow of information from broad organisation strategy down to local level security control implementation. Seven processes constitute the proposed model, using existing approaches derived from the selected standards and guidelines. This provides a benchmark by which evaluation of discussion on security controls can be performed. The processes within the model are as follows:
• Broad organisation strategy, including legislation, regulatory requirements, etc. is considered in the development of an organisation’s security policies.
• Security objectives are derived from the security policy.
• Relevant control categories are selected based on pre-outlined security objectives.
• Control sub-categories are selected from control categories based on clearly defined sub-category objectives.
• Individual controls are selected, with their requirements clearly defined. Furthermore, where applicable, recommendations towards related control categories are provided for additional guidance.
• Control-specific implementation guidance is provided, to aid in the identification of key feature requirements, applied during practical implementation of the control.
• Practical implementation of the selected control is applied within a security object.

Fig. 1. Security Control Benchmark Model

Using this model, criteria (Table I) can be defined to evaluate the maturity of other standards, specifically those tailored towards OT environments.

TABLE I
SECURITY CONTROL BENCHMARK CRITERIA SET
ID  Criteria
A   Is an information security policy discussed?
B   Are a range of information policy requirements defined? (e.g., contractual, legislative, regulatory...)
C   Are security objectives discussed?
D   Are controls split into categories?
E   Are controls split into sub-categories?
F   Are individual control categories provided?
G   Are individual control category requirements outlined?
H   Are individual social controls provided?
I   Are individual technical controls provided?
J   Is implementation guidance provided for each individual control?
K   Are resources that are external to the series provided?
L   Are resources that are internal to the series provided?

IV. ANALYSIS

To provide an example implementation of the benchmark model proposed in Section III, seven OT standards and guidelines were selected for analysis. These are: the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST CSF) [8]; IEC 62443 [18]; and NIST SP 800-82 [30], reported as the most commonly adopted OT-specific standards by SANS in 2021 [11]. Additionally, ISO/IEC 27019 [31], ONR SyAPs [32], and NERC CIP [14] were selected to assess sector-specific standards and guidelines. Finally, the NCSC CAF [7] was selected to assess government-provided guidelines for security controls.

In Table II and across the following subsections, we have provided an evaluation of the selected standards and guidelines using the criteria set derived from the benchmark model. We define external resources as other standards or guidance that are not part of the same family or series. For example, ISO/IEC 27019 and ISO/IEC 27002 are in the same family and are, therefore, considered internal to each other. However, while the NIST CSF references NIST SP 800-53, it is not part of the same series and is therefore considered external.

TABLE II
ANALYSIS RESULTS
                A B C D E F G H I J K L
NIST CSF        ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
IEC 62443       ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ (✓)
NIST SP 800-82  ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ (✓) ✓
ISO/IEC 27019   ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ (✓) (✓) ✓
NCSC CAF        ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ (✓) ✓
ONR SyAPs       ✓ ✓ ✓ ✓ ✓ ✓ ✓ (✓)
NERC CIP        ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ (✓)
(Marks are reproduced row by row as they survive in the extracted text; their alignment to the A–L columns, and hence which criteria each blank corresponds to, was lost in extraction.)

1) NIST CSF: The NIST CSF provides a comprehensive overview of requirements, categories, and controls required to effectively implement security measures for critical infrastructure. It covers many aspects, including technical and social controls and links back to organisational security policies. However, although comprehensive in its overview, it does not provide guidance for implementing controls but refers to external resources for this advice.

2) IEC 62443: IEC 62443 is an exhaustive series of standards that provide a range of both requirements and controls. Specific implementation guidance is provided for each control. A particular aspect is how it provides requirement enhancements for the controls discussed, which can be beneficial during implementation. Additionally, it covers four different security levels for the life cycle of the controls. However, although it refers to external resources, it does not refer to these at an individual control level.

3) NIST SP 800-82: NIST SP 800-82 provides an overview of multiple control categories, sub-categories, and individual controls, which link back to various policy requirements. It also provides multiple control requirements for assessing levels of implementation (low, medium, high) for individual controls, which allows for greater depth. However, guidance is only provided where OT-specific guidance is required; otherwise, it refers back to NIST SP 800-53. No references to external resources are made within the guidelines.

4) ISO/IEC 27019: ISO/IEC 27019 consists of a thorough set of objectives and controls for OT, which are mapped to security policies within other documents of the same family. It presents OT-specific supplementary guidance for controls provided in ISO/IEC 27002, on which it heavily relies, but does not provide controls where it deems that no OT-specific commentary is needed. There are no references to external resources for each control; however, the document does refer to external resources within the bibliography.

5) NCSC CAF: The NCSC CAF uses an outcome-based approach consisting of four high-level objectives, each containing control categories and sub-categories. It does not explicitly refer to information security policies; instead, it does this implicitly. However, it does cover a range of requirements, such as regulatory requirements. Within the document, there is high-level guidance for implementing controls, but the examples provided can also be used as guidance. The framework heavily references and relies on external resources for further implementation and guidance, including IEC 62443 and ISO/IEC 27001.

6) ONR SyAPs: The ONR Security Assessment Principles focus on the nuclear sector and guidance towards its regulation. We identified no direct security objectives in the documents, but these can be derived from the provided control categories. No in-depth control implementation is provided, but the requirements are extensive and can be used as high-level guidance. Throughout the SyAPs, there are no references to external resources.

7) NERC CIP: The NERC Critical Infrastructure Protection standards comprise a comprehensive set of documents covering many controls. There are multiple documents that contain different control categories which have multiple sub-categories. Although no in-depth implementation guidance is provided, example evidence can be used as high-level guidance. Additional use of Violation Severity Levels is incorporated to determine the level of non-compliance to the standard. There are no references to external resources.
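The following is an added example, not code from the paper or its authors, showing how the Table I criteria set can be applied mechanically to a document under review. The criterion IDs and questions are the paper's (Table I); everything else is an assumption made for this illustration: the mapping of each criterion onto a stage of the Section III-C model flow, the half weight given to a bracketed tick, the presence-only derivation of criteria K and L from a citation list using the internal/external definition at the start of Section IV, and the two assessed documents, which are constructed and are not rows of Table II.

```python
"""Added example: scoring a standard against the Table I benchmark criteria."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Table I criteria (paper's wording). The stage names are an added assumption tying
# each criterion to the model flow of Section III-C: policy -> objectives ->
# categories -> sub-categories -> controls -> guidance. K and L concern references.
CRITERIA: Dict[str, Tuple[str, str]] = {
    "A": ("Is an information security policy discussed?", "policy"),
    "B": ("Are a range of information policy requirements defined?", "policy"),
    "C": ("Are security objectives discussed?", "objectives"),
    "D": ("Are controls split into categories?", "categories"),
    "E": ("Are controls split into sub-categories?", "sub-categories"),
    "F": ("Are individual control categories provided?", "controls"),
    "G": ("Are individual control category requirements outlined?", "controls"),
    "H": ("Are individual social controls provided?", "controls"),
    "I": ("Are individual technical controls provided?", "controls"),
    "J": ("Is implementation guidance provided for each individual control?", "guidance"),
    "K": ("Are resources that are external to the series provided?", "references"),
    "L": ("Are resources that are internal to the series provided?", "references"),
}
FLOW = ["policy", "objectives", "categories", "sub-categories", "controls", "guidance"]
# Assumed weights for the three marks seen in Table II: tick, bracketed tick, blank.
WEIGHT = {"full": 1.0, "partial": 0.5, "none": 0.0}


@dataclass
class Assessment:
    """One document's marks against the criteria, plus the documents it cites."""
    name: str
    series: str                       # family/series the document belongs to
    marks: Dict[str, str]             # criterion id -> "full" | "partial" | "none"
    references: List[Tuple[str, str]] = field(default_factory=list)  # (document, series)

    def mark(self, cid: str) -> str:
        return self.marks.get(cid, "none")


def score(a: Assessment) -> Tuple[float, float]:
    """Weighted total against the 12 criteria, e.g. (10.0, 12.0)."""
    return sum(WEIGHT[a.mark(c)] for c in CRITERIA), float(len(CRITERIA))


def gaps(a: Assessment) -> List[Tuple[str, str, str]]:
    """Criteria not fully met, with the question the reviewer must answer elsewhere."""
    return [(c, CRITERIA[c][0], a.mark(c)) for c in CRITERIA if a.mark(c) != "full"]


def depth(a: Assessment) -> Optional[str]:
    """Deepest stage of the model flow reached with every criterion of it and of all
    earlier stages fully met; None if the document does not even discuss a policy."""
    reached = None
    for stage in FLOW:
        ids = [c for c, (_, s) in CRITERIA.items() if s == stage]
        if not all(a.mark(c) == "full" for c in ids):
            break
        reached = stage
    return reached


def classify_references(a: Assessment) -> Tuple[List[str], List[str]]:
    """Split cited documents using the Section IV definition: a document in the same
    family or series is internal, anything else is external."""
    internal = [doc for doc, series in a.references if series == a.series]
    external = [doc for doc, series in a.references if series != a.series]
    return internal, external


def reference_presence(a: Assessment) -> Dict[str, str]:
    """Presence-only marks for K and L from the citation list. Whether references sit
    at the individual-control level (the paper's bracketed-tick cases) still needs a
    reviewer's judgement, so this only distinguishes 'full' from 'none'."""
    internal, external = classify_references(a)
    return {"K": "full" if external else "none", "L": "full" if internal else "none"}


def report(a: Assessment) -> str:
    total, maximum = score(a)
    lines = [f"{a.name}: {total:.1f}/{maximum:.0f}, model flow reached: {depth(a)}"]
    for cid, question, mark in gaps(a):
        lines.append(f"  {cid} [{mark}] {question}")
    internal, external = classify_references(a)
    lines.append(f"  internal refs: {internal}; external refs: {external}")
    return "\n".join(lines)


# Constructed sample inputs (not the paper's Table II rows): a hypothetical guideline
# that stops at control requirements and points to an outside standard, and a
# hypothetical multi-part series with partial per-control guidance.
GUIDELINE = Assessment(
    name="Example Sector Guideline (constructed)",
    series="Example Guideline",
    marks={**dict.fromkeys("ABCDEFGHI", "full"), "J": "none", "K": "full", "L": "none"},
    references=[("NIST SP 800-53", "NIST SP 800 series")],
)
SERIES = Assessment(
    name="Example Multi-part Series (constructed)",
    series="Example Series",
    marks={**dict.fromkeys("ABCDEFGHI", "full"), "J": "partial", "K": "partial", "L": "full"},
    references=[("Example Series Part 2", "Example Series"), ("ISO/IEC 27001", "ISO/IEC 27000 family")],
)

if __name__ == "__main__":
    print(report(GUIDELINE))
    print(report(SERIES))
```

Run stand-alone, it prints each constructed document's score, the deepest stage of the model flow it fully supports, and the criteria left open. Swapping in a real document's marks reproduces the kind of row Table II reports; the separation of criterion J from the earlier stages is what makes the paper's central finding visible, since a document can tick every criterion up to "controls" and still leave a practitioner without per-control implementation guidance.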
8) Discussion: Our analysis of the seven selected OT standards and guidelines, based on the defined criteria set, has led to several key findings. Overall, the majority of the standards examined meet most of the established criteria. The broad conclusion is that the security controls present within these OT standards and guidelines are generally mature and comparable to their IT counterparts. However, there are a few notable areas where improvements can be made, which are discussed here.

Significantly, many of the OT standards and guidelines do not provide explicit implementation guidance. Instead, they often refer back to primarily IT-focused parent standards, or provide only implicit guidance through example evidence or requirements for correctly implementing each control. This can make it challenging for organisations to effectively adapt and apply these controls to their OT environments, as the guidance may not be tailored specifically to OT systems.

During our analysis, several inconsistencies across the standards in terms of content were also identified. For instance, while the NCSC CAF does discuss controls for improving Response and Recovery capabilities, the NIST CSF provides more detailed guidance in these areas. This discrepancy may result in varying levels of implementation quality and effectiveness, as organisations following different standards might focus on different aspects of security controls depending on the guidance provided.

V. CONCLUSION

This paper proposes a model to benchmark OT standards and guidelines and evaluate their maturity. The review of seven OT standards and guidelines shows that they do well against the defined criteria; however, deficiencies were found concerning the practical implementation of the provided security controls. The structure and high-level overview of controls were found to be adequate; however, areas concerning practical implementation require further development. The parent documents of the reviewed standards are mostly IT-focused or do not cover the applicability or implementation of novel security approaches, such as honeypots [33], for OT environments.

Given the convergence of the IT and OT environments, a greater level of maturity is required from these standards. Considering the challenges of IT/OT convergence, more attention must be paid to interconnected IT and OT systems. Such additional attention should also be reflected in the OT standards and guidelines, which are often less up-to-date than those of their IT counterparts. For example, NIST SP 800-53 was last updated in 2020, whereas NIST SP 800-82 was last updated in 2015. This can lead to a lack of consistency in the quality of implementation guidance for OT systems. Inconsistencies also exist between some of these documents when defining specific terms, which could lead to confusion where multiple standards and guidelines are adopted simultaneously.

Using the proposed model, future work needs to assess a more complete set of OT standards and guidelines. This will provide a more complete overview of their maturity, thus allowing a comprehensive set of recommendations for their improvement to be identified.

REFERENCES

[1] K. Schwab, The Fourth Industrial Revolution. Currency, 2017.
[2] P. Didier, F. Macias, J. Harstad, R. Antholine, S. A. Johnston, S. Piyevsky, D. Zaniewski, S. Zuponcic, M. Schillace, and G. Wilcox, “Converged plantwide ethernet (CPwE) design and implementation guide,” Rockwell Automation, vol. 9, p. 564, 2011.
[3] B. Green, R. Derbyshire, M. Krotofil, W. Knowles, D. Prince, and N. Suri, “PCaaD: Towards automated determination and exploitation of industrial systems,” Computers & Security, vol. 110, p. 102424, 2021.
[4] S. Maesschalck, A. Staves, R. Derbyshire, B. Green, and D. Hutchison, “Walking under the ladder logic: PLC-VBS: a PLC control logic vulnerability scanning tool,” Computers & Security, vol. 127, 2023.
[5] R. Derbyshire, B. Green, D. Prince, A. Mauthe, and D. Hutchison, “An analysis of cyber security attack taxonomies,” in IEEE European Symposium on Security and Privacy Workshops. IEEE, 2018.
[6] T. Miller, A. Staves, S. Maesschalck, M. Sturdee, and B. Green, “Looking back to look forward: Lessons learnt from cyber-attacks on industrial control systems,” Int. J. Crit. Infrastruct. Prot., vol. 35, p. 100464, 2021.
[7] NCSC, “NCSC CAF guidance,” http://bit.ly/3FDvAOO, 2022.
[8] NIST, “Framework for improving critical infrastructure cybersecurity,” bit.ly/3Y8G92M, 2018.
[9] NIST, “Security control - definition,” https://bit.ly/3ZgijmW, 2023, last accessed: 13/02/2023.
[10] D. Parsons, “The state of ICS/OT cybersecurity in 2022 and beyond,” 2022.
[11] M. Bristow, “A SANS 2021 survey: OT/ICS cybersecurity,” 2021.
[12] G. A. Francia, D. Thornton, and J. Dawson, “Security best practices and risk assessment of SCADA and industrial control systems,” 2012.
[13] NIST, “NIST Special Publication 800-53, Revision 5,” https://bit.ly/3ZfiVJs, 2020.
[14] North American Electric Reliability Corporation, “NERC CIP standards,” http://bit.ly/3JxBbHl, 2006.
[15] U. Gentile and L. Serio, “Survey on international standards and best practices for patch management of complex industrial control systems: the critical infrastructure of particle accelerators case study,” Int. J. Crit. Comput. Based Syst., vol. 9, pp. 115–132, 2019.
[16] T. Kulik and P. Larsen, “Towards formal verification of cyber security standards,” vol. 30, Oct. 2018, pp. 79–94.
[17] P. Wagner, G. Hansch, C. Konrad, K.-H. John, J. Bauer, and J. Franke, “Applicability of security standards for operational technology by SMEs and large enterprises,” in 25th IEEE ETFA, vol. 1, 2020, pp. 1544–1551.
[18] IEC, “IEC 62443,” 2019.
[19] The Association of German Engineers, “VDI/VDE 2182,” 2020.
[20] W. Knowles, D. Prince, D. Hutchison, J. F. P. Disso, and K. Jones, “A survey of cyber security management in industrial control systems,” Int. J. Crit. Infrastruct. Prot., vol. 9, pp. 52–80, 2015.
[21] A. Staves, T. Anderson, H. Balderstone, B. Green, A. Gouglidis, and D. Hutchison, “A cyber incident response and recovery framework to support operators of industrial control systems,” International Journal of Critical Infrastructure Protection, vol. 37, no. 100505, pp. 1–24, 2022.
[22] M. Whitman and H. Mattord, Principles of Information Security. Cengage Learning, 2011.
[23] ISO/IEC, “BS EN ISO/IEC 27001:2022,” 2022.
[24] ISO/IEC, “BS EN ISO/IEC 27002:2022,” 2022.
[25] E. Humphreys, “Information security management standards: Compliance, governance and risk management,” Information Security Technical Report, vol. 13, no. 4, pp. 247–255, 2008.
[26] P. Roy, “A high-level comparison between the NIST cyber security framework and the ISO 27001 information security standard,” in 2020 National Conference on Emerging Trends on Sustainable Technology and Engineering Applications (NCETSTEA), 2020, pp. 1–3.
[27] Y. Kurii and I. Opirskyy, “Analysis and comparison of the NIST SP 800-53 and ISO/IEC 27001:2013,” CEUR Workshop Proceedings, 2022.
[28] ISO/IEC, “BS EN ISO/IEC 27000:2018,” 2018.
[29] NIST, “Computer security objects register,” http://bit.ly/3JTXYP8, 2022.
[30] K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams, and A. Hahn, “NIST Special Publication 800-82: Guide to Industrial Control Systems (ICS) Security, Revision 2,” https://bit.ly/3lqq6Qu, 2015.
[31] ISO/IEC, “BS EN ISO/IEC 27019:2017,” 2017.
[32] Office for Nuclear Regulation, “Security Assessment Principles for the Civil Nuclear Industry,” bit.ly/3YWvMiN, 2017.
[33] S. Maesschalck, V. Giotsas, B. Green, and N. Race, “Don’t get stung, cover your ICS in honey: How do honeypots fit within industrial control system security,” Computers & Security, vol. 114, 2022.