Cybersecurity Readiness: An Empirical Study of Effective Cybersecurity Practices for Industrial Control Systems

Industrial Control Systems (ICS) were primarily designed to operate air-gapped; however, the pressure for cost reduction and integration with business systems demanded the adoption of open systems architecture and ended up exposing ICS to threats which until then had been restricted only to the Information Technology (IT) systems. Although Cybersecurity Standards for Industrial Control Systems have been in place since the 1990s, providing the foundational knowledge required to Secure Industrial Control Systems; implementation failures and media disclosures revealed that organizations are not yet prepared to deploy Cybersecurity Controls effectively. This research has employed Design Science and interaction with experts on a qualitative manner exploring new insights and allowing to identify the main barriers for deploying and assessing industrial control systems. The results of this research include a list of Practices for effective deployment of Cybersecurity controls; list of Critical Success Factors for assessing ICS; and a list of most effective ways to report Cybersecurity risks to the board. This research counted with the participation of 200 practitioners and experts from Europe, Asia, Americas and Oceania.

Keywords: Index Terms Industrial Control Systems; Cybersecurity; Design Science Research; Group Support System research