Many articles focused on cybersecurity stress how important it is to secure an Industrial Control System (ICS) and share ways on how to implement this security.
In this article, the assumption is this advice has already been taken, a plan has been created to secure the ICS, and the plan has been implemented.
Now what? How do we determine how well a security plan has been implemented? What is the difference between a system that meets a security rule in a minimalist fashion and one that performs in a more mature manner?
To help answer these questions, the J. M. Huber Corporation began the process of building a formal corporate ICS security program in 2016. They invited MAVERICK Technologies, a Rockwell Automation Company, to join the project in 2017.
MAVERICK and Huber have been working together for the last six years to develop the Industrial Control System Maturity Assessment Program (ICSMAP). The ICSMAP program is a custom program derived from principles contained in the ISA/IEC 62443 series of standards. Elements of this article are based on previous publications by Drew Franklin (J. M. Huber) and the author. ICSMAP will be discussed here as one way to evaluate the effectiveness and maturity of an ICS security program.
