Originally intended as a personal documentation of my knowledge and research on the often-overlooked yet vital area of incident management, this book has grown into a comprehensive resource aimed at elevating awareness and preparedness for cyber threats in industrial control systems (ICS) and critical infrastructure. It simplifies complex ICS challenges, emphasizes the importance of coordinated incident response, and equips professionals with practical tools, techniques, and training exercises for real-world application. Designed to empower both new and seasoned professionals, this book also highlights the collective efforts in the field of ICS cybersecurity, offering a structured approach to safeguarding organizations against evolving threats. Pre-order now to secure your copy and enhance your ICS cybersecurity skills ahead of its July 2025 release.
Understanding the Importance of Risk Registers in OT Cybersecurity
OT cyber-risk encompasses a wide range of threats and vulnerabilities that can disrupt industrial operations, lead to financial losses, and even pose safety hazards. Risk registers are essential tools in managing these OT cyber risks, offering a structured approach to identifying, assessing, and prioritizing the risks that could affect an organization’s OT environment.
In a recent discussion with Industrial Cyber, cybersecurity experts shed light on the crucial role of maintaining risk registers in OT cybersecurity. They also explored how often these registers should be reviewed and updated to stay effective.
Marco (Marc) Ayala, President of InfraGard Houston Members Alliance, emphasized the foundational role of risk registers in ICS/OT cybersecurity. He stated, “A risk register is indispensable for identifying, assessing, and prioritizing risks that could impact operational technology. By maintaining this register, organizations ensure they systematically address potential vulnerabilities and allocate resources where they are most needed.”
Ian Bramson, Vice President for Global Industrial Cybersecurity at Black & Veatch, highlighted the importance of a risk-based approach to cybersecurity. “Companies have limited resources to keep up with a constantly changing threat environment. A risk-based approach to cyber is key to optimizing security posture and effectively investing resources. Developing and managing a strong risk register is essential for adapting to evolving threats.”
Durgesh Kalya, Network Security Expert at Covestro, further elaborated on the critical role of OT in ensuring business continuity, particularly in the process industry. “Operational Technology (OT) is a crucial enabler for automation and is closely linked to the license to operate, as many environmental and monitoring systems fall under OT. It’s vital for organizations to clearly define what constitutes OT within their specific context, as this can vary widely.”
Sinclair Koelemij, an ICS security professional, outlined the multiple benefits of maintaining a risk register in OT cybersecurity. He noted that it provides a comprehensive view of potential risks, enables prioritization and mitigation, ensures accountability, aids in regulatory compliance, supports informed decision-making, assists in incident response and recovery, and fosters continuous improvement in risk management. By maintaining a risk register, organizations can manage risks on a daily basis.
This conversation underscores the significance of risk registers as a foundational element of effective OT cybersecurity, helping organizations navigate the complexities of protecting their critical infrastructure.
In an interview at the Cyber Security for Critical Assets USA Summit, Kalya addressed the importance of robust incident management frameworks, collaboration between organizations and ICS vendors, and the need for understanding and segmenting systems to mitigate ransomware risks. To view the video and the original excerpt of the interview with Tom Field, check out the link: https://www.govinfosecurity.com/robust-incident-management-for-critical-infrastructure-a-25373
Ensuring the security of critical infrastructure necessitates managing both legacy systems and emerging cyberthreats. Durgesh Kalya, an OT network security expert at Covestro LLC, emphasized the necessity of integrating the incident command system—initially developed by the Federal Emergency Management Agency and the Department of Homeland Security—with industrial automation systems. This integration promotes active participation and collaboration among industry stakeholders.
“Essentially, everyone is a cybersecurity engineer because they work on computer systems. It’s not possible to update software on hardware that is decades old; modern hardware and equipment are required,” Kalya explained. Field, T. (2024) Robust incident management for critical infrastructure, Government Information Security. Available at: https://www.govinfosecurity.com/robust-incident-management-for-critical-infrastructure-a-25373 (Accessed: 02 June 2024).
Are you aiming to become a cybersecurity expert but finding your learning progress slower than you’d like? I recently found inspiration in a valuable concept presented by Elizabeth, a medical student, in her informative YouTube video titled “You’re Not Slow: Become a Speed Learner in 20 Minutes” (Source: https://youtu.be/_wzJnWCBWkI?si=hnskSM0k4tWFFtTv). I’ve adapted her idea to help you accelerate your journey toward mastering Cybersecurity.
Here are some key insights, influenced by Elizabeth’s wisdom, to expedite your Cybersecurity learning:
Building a Strong Foundation: Start by establishing a solid knowledge base. Ask yourself: What are the core principles of Cybersecurity? Why are these principles crucial? How do they underpin secure systems? What practical skills can I immediately apply? Where can I further deepen my understanding?
These questions will assist you in setting realistic goals and reducing frustration due to slow progress. Here are some that are what I consider basics, you should be familiar with these concepts.
Mastering Fundamental Concepts: Never underestimate the importance of foundational concepts. Even experts revisit them regularly. Inquire: What are the essential Cybersecurity concepts? How do these concepts differentiate experts from beginners? How quickly can I grasp these fundamental principles?
A strong grasp of the basics is key to expediting your learning.
Networking: A basic understanding of networking is essential for understanding how cyberattacks work and how to defend against them. This includes understanding concepts such as IP addresses, TCP/IP protocols, and network topologies.
Operating systems: A good understanding of operating systems is also important for cybersecurity professionals. This includes understanding how operating systems work, how to configure them securely, and how to troubleshoot them when problems arise.
Security concepts: There are a number of core security concepts that are essential for cybersecurity professionals to understand, such as confidentiality, integrity, availability, authentication, and authorization. These concepts are the foundation of all cybersecurity measures.
Security tools: There are a number of security tools that cybersecurity professionals use to protect computer systems and networks. These tools include firewalls, intrusion detection systems, and encryption tools.
Risk management: Cybersecurity professionals need to be able to identify, assess, and manage risks to computer systems and networks. This includes understanding the different types of cyber threats, how to assess their likelihood and impact, and how to implement appropriate controls to mitigate them.
Categorizing Your Learning: Organize your Cybersecurity knowledge into distinct categories Categorize: Security Fundamentals: The critical foundation Practical Skills: Immediate and applicable Administrative Details: Necessary but of lower priority Less Relevant Topics: Not your primary focus.
Prioritize your learning based on these categories for maximum efficiency.
Flexible Learning Approach: Break free from rigid learning structures. Keep it Interesting: Focus on topics within the Cybersecurity domain that genuinely intrigue you. Dont be afraid to jump domains, there is no particular order, the only order is what interests you.
This approach will maintain your motivation and prevent getting stuck in less engaging areas.
Let’s embark on this journey to unlock our Cybersecurity potential together! I extend my gratitude to Elizabeth for inspiring this approach to learning. #CybersecuritySkills #SpeedLearning #InfoSec
In today’s interconnected world, robust security measures across IoT domains are more critical than ever, with threats to connected devices and systems constantly emerging. To combat these challenges, international collaboration is essential, and the IoT Security Foundation (IoTSF) is fostering global and local networks of experts through its chapters. The newly launched IoTSF Houston Chapter is led by four visionary founders: Durgesh Kalya (Covestro), Sameer Koranne (IBM), Roya Gordon (Nozomi Networks), and David Lancaster (IBM). Their mission is to advance IoT security practices and promote secure, resilient operations in this era of “Connected Everything.” The chapter’s first event, a webinar titled “Introduction to IoTSF Houston, TX,” will take place on June 1st. IoTSF invites organizations and professionals worldwide to join the mission and consider starting their own chapters, helping build a safer IoT landscape through collaboration.
Last but not the least, join a study group. There are plenty, there is one that I recommend. Certification Station. certificationstation.org And if you are looking for free. Discussions and sessions, join me every Saturday exclusively on Certification Station on Discord. If you came here looking for old notes and videos, go to https://durgeshkalya.com/cissp-study/ Good luck. If you are looking for the write up of my CISSP Experience. Please click here (PDF)
Reflection on the Session: Mentoring and Cybersecurity by Tatia Zuloaga & Durgesh Kalya
In our recent session, Tatia Zuloaga and I explored the vital role of mentorship in cybersecurity. Tatia kicked off the discussion by highlighting her platform, Upnotch, and shared valuable insights on how and where to find a good mentor. She emphasized that a strong mentor can significantly impact one’s career trajectory, offering guidance, support, and networking opportunities.
I followed by discussing my own experiences with mentorship, both as a mentor and mentee. I underscored the importance of mentorship in cybersecurity, where staying ahead of evolving threats requires continuous learning and collaboration. We delved into how mentorship not only fosters professional growth but also strengthens the cybersecurity community as a whole.
The session was a great reminder of the power of mentorship, and how finding the right mentor—or becoming one—can open doors to new opportunities, knowledge, and career advancement in this ever-changing field.
I typically don’t dwell into this topic until unless I was told to speak about it in a conference / group discussion. While I admit, I do not have all the necessary certifications in place to be a subject matter expert, I certainly feel to understand the importance of Cybersecurity Frameworks in OT Security , you will need to understand some basic math and statistics. This post is to introduce you to these fundamental concepts.
Where do I begin?
Math Concepts:
It all starts with understanding that there are many thoughts, ideas and methodologies in cybersecurity practice. One thing is for sure, you will need some basic understanding of math. If I were starting from no where, then I would pick up a book on statistics and probability however, some basic concepts such as uncertainty and risk are important.
There is one important and vital concept that you need to have a very good understanding, it is called uncertainty. As in the case of a data breach, we are not certain or we lack data / information to calculate the true outcome of a data breach or when the data breach will actually occur. For example.
“There is a 35% chance that company ABC will have a data breach / data leak incident sometime in the next four years”
The objective is to be able to measure something and predict an outcome. In this particular example, we are very certain when something will happen.
“There is a 30% chance that company ABC will have a cyberattack in the form of data breach or data leak in the next three years”
Here is the same example with certainty that something will result (loss) from the data breach to the organization.
“There is a 20% chance that a data breach or data leak will result in a fine from GDPR regulation in the amount of $5 million dollars for the company ABC”
Risk Terminologies
For cybersecurity and other risk management methodologies, understanding the terms such as Vulnerability (V) , Threat (T), Impact (I) and Likelihood (L) is very essential to be able to measure risk and apply counter measures. Also I want to point that there are two important methods to risk management , a qualitative approach (subjective) and a quantitative approach. Which approach is good? There are studies out there that suggest otherwise. Read What’s Wrong with Risk Matrices? by Tony Cox (Link to original publication)
However, if you are a beginner in Risk Analysis, I certainly recommend you start with qualitative analysis for your understanding and also, choosing between the two is like choosing between a scoop of vanilla ice cream in a cup and spoon of vanilla ice Dippin’ Dots.
In order to understand both qualitative and quantitative approaches of risk analysis, we have some key risk terminologies that one needs to understand.
The case of the Sandwich Theif.
Let us say I have a special sandwich- my asset, which is very valuable, may have some secret sauce or ingredient. The value of this asset is $10, this is how much it cost for me to make it. Now, if I really want to protect this from a sandwich thief, I would like to know how valuable it is, did I not say $10, but it is not the true value. If I were to loose the $10 sandwich, it might cost me $30, why? Well, you see the sandwich when it was made, the ingredients were cheaper, may be I got a discounted price or I might spend $20 for the its shelf life on refrigeration. So understanding this value is very important because, if I were to put a counter measure, such as a lock on a cabinet or something more secure than that, then I want to make sure I am spending more than what is worth. Who makes that decision?
Vulnerability (V):
In cybersecurity, a vulnerability is a flaw, a weakness, a missing defense. This can be accidental or intentionally put in place.
An analogy to real world is “Padlocks are easiest to pick as they have a massive vulnerability in the form of easy access to locking pin and cylinder mechanism which can be aligned to pop open the lock”
Threat (T):
A threat is potential of exploiting a vulnerability which could result in a negative outcome. In cybersecurity, a threat is an exploitation of a vulnerability in a network, software or hardware that will allow a threat actor to gain privileged access to the system.
For example, a sandwich thief (threat actor) is a threat to your sandwich that is stored in a kitchen cabinet with a pad lock. How do we compute risk from threat and vulnerability?
Impact:(I)
Before we are able to define the risk, we need to also know what impact would this incident cost? Impact is the magnitude of harm that can be expected to result from a threat exploiting a vulnerability.
A sandwich stolen from the locked kitchen cabinet will result in a loss of $30 to your net worth.
We are almost ready to calculate risk, however, for the thief to exploit the vulnerability which is to pick the pad lock may seem easy enough but what if I told you, the kitchen is located in a armed location with 24 hours / 7 days a week surveillance and monitoring. Then what is the likely hood of such an event (incident) to even take place? You could say improbable or no chance at all and the impact would be moderate (subjective analysis).
We can express impact subjectively as follows:
Example 1: Negligible-1, Minor-2, Moderate-3, Significant-4, Severe-5
Example 2: Low-1, Moderate-2, High-3
Likelihood (L):
This is the probability that a threat will exploit the vulnerability. It is usually not a specific number but a range.
Example 1: Frequently – 5, Likely-4, Occasionally-3, Very Seldom-2, Not Likely at all-1
Example 2: 1=very unlikely, 2=low likelihood, 3=likely, 4=highly likely, and 5=near certain.
Risk Matrix / Risk Heat Map:
As you can see, we can then draw this Risk Matrix, also called as a Risk Heat Map.
As you can see, the qualitative analysis process involves judgment, intuition, and experience. For example, if I am a CSSP – Certified Sandwich Security Professional, with my intuition and judgement, I can categorize the risk of a sandwich thief stealing the sandwich to be LOW based on my understanding that it is unlikely for the sandwich thief to get into the kitchen and steal the sandwich which could have a protentional loss of $30 dollars, which is moderate. So, would I invest in putting any counter measures? As this is Risk is low, I would not consider it and accept this low risk.
End of this lesson, keep an eye out for more. Next- Quantitative Approach.
