Cybersecurity preparedness and business continuity standards for OT
According to the 2021 Cyberthreat Defense Report, an annual survey of 1,200 IT security professionals in 17 countries and 19 industries, 86% of the surveyed organizations reported at least one successful cyberattack. While an attack can be costly and damaging for any organization, it can be catastrophic for manufacturing companies: prolonged downtime, unfulfilled contracts and lost revenue, or even complete production failures.
Rapid and effective recovery from an attack is critical. It’s also possible and practical if there is an emergency preparedness program in place.
In Germany, the Federal Office for Security in Information Technology (Bundesamt für Sicherheit in der Informationstechnik, or BSI) is the counterpart to the US Cybersecurity and Infrastructure Security Agency (CISA). It has published a set of Business Continuity Management System (BCMS) standards (see page 6 in the linked publication for the description in English). The standard is referred to as BSI 200-4 and follows the ISO 22301 security and resilience standard to help companies keep production running in the event of a cyberattack, or to bring it back online quickly.
BSI 200-4
In the case of damaging events, a distinction is made between a disruption, an emergency and a crisis. Disruptions are relatively easy to get under control because they affect individual resources rather than the system as a whole. In comparison, an emergency involves a wider interruption of business and production processes. That can become a crisis if a company does not have a suitable emergency plan in place.
With the BCMS step model, the BSI has defined various standards that are helpful for companies of all types and sizes.
Comparison of the BCMS levels
| Characteristics | Reactive BCMS | Setup BCMS | Standard BCMS |
|---|---|---|---|
| Benefits | Entry-level plan to deal with emergencies. | Progressive, step-by-step BCMS plan development based on available company resources. | Complete coverage and fully standards-compliant BCMS. |
| Disadvantages | Gaps in coverage and areas that are not considered. | Leaves some steps incomplete or in progress. | Requires more resources for full implementation. |
- Reactive BCMS
This is an entry-level BCMS that enables a company without a plan to carry out rudimentary emergency and crisis management. It sets guidelines for what to do in an emergency and describes how to set up an emergency team, the process of detecting attacks, and how alerting and escalating are performed.
- Setup BCMS/Standard BCMS
The Setup BCMS allows for the gradual, step-by-step setup of a plan based on available resources. It focuses on the most time-critical business processes first and increases in scope until all areas are covered within a Standard BCMS that fulfills the ISO 22301 requirements.
The aim of the BCMS standard is to shorten the time between the occurrence of damage and the return to normal operation. Each company must decide for itself how to build its emergency plan.
In approximately 270 pages, the BSI standard provides comprehensive and concrete assistance.
An emergency response and recovery plan is vital, and so is the preparation that comes with it. The baramundi Management Suite (bMS) OT Edition and the resources on this blog can provide essential tools for:
- Increasing employee awareness of cyberattacks by analyzing their own infrastructure, see How do I get an overview of my IT infrastructure in networked production?
- Gaining transparency about the networked production assets, see Inventory in the OT – No device may remain undetected
- Implementing appropriate vulnerability management, see Targeted vulnerability analysis in OT