(68b) Comprehensive Compliance Management: A Necessary Tool for the Effective Management of Industrial Cybersecurity

When it comes to protecting critical information, technologies, and infrastructure, including Industrial Automation and Control Systems (IACS), there is a worrying gap between technical practices and the current landscape of regulatory and technical requirements. Current requirements framework, applied to the secure management of information, technologies and infrastructure in any critical industry, establishes a common ground to understand (i) the involved assets (information, IT/OT/IoT technology and infrastructure) that it is necessary to analyze, characterize and protect; (ii) the risks faced by both the assets and the organization; and (iii) the minimum expected control solution at a technical, technological, and management level; while maintaining and improving its quality, safety, security, performance, and resilience. In many cases, organizations select a technical reference, generally because they feel more comfortable with it, but this approach leaves aside a much larger panorama of regulations and technical standards that are applicable and that can add value to the organization. The concept of compliance is usually seen separately and has become a problem when attending audits or evaluations by regulators such as CISA or TSA, or when a cyber incident occurs, in which DHS or the FBI intervene.