The Industrial Cyber Security Principle Method™

Methodology
There are six foundational principles for delivering a world-class industrial cyber security program.
The Industrial Cyber Security Principle Method™ is an OT security methodology created by SIS Industrial Cyber Security in direct response to the global need for OT-specific cyber security.

It blends established industry frameworks¹,²,³ with real-world experience, refined to better meet the changing nature of OT security threats.

When combined, these six principles are the vital ingredients in the SIS recipe for delivering world-class industrial cyber security programs.
1. Theodore J. Williams (1994) “The Purdue enterprise reference architecture.” Computers in Industry, Vol. 24 (2), pp. 141–158.

2. John Sherwood, Andrew Clark & David Lynas (2009) Enterprise Security Architecture. Available at: https://sabsa.org/ [August 2024].

3. Michael J. Assante and Robert M. Lee (2015) The Industrial Control System Cyber Kill Chain. Available at: https://sansorg.egnyte.com/dl/HHa9fCekmc [August 2024].

The Business-Driven Principle is about aligning your primary business functions with your industrial cyber security. It’s about ensuring what you do every day – your reason for being here – is properly serviced by your OT security requirements.

Typically, the Business-Driven Principle is the first to be executed in The Industrial Cyber Security Principle Method™ because it relies on a deep process of cross-organisation discovery that can be used to inform all other principles. This involves analysing business processes for OT systems, drawing from source data and information gathered from direct interviews with operational OT asset and engineering business managers.

The Risk-Based Principle is about customising your OT security to the specific risks associated with each system or subsystem in your business, rather than applying the same security control coverage across everything.

While organisations may implement point solutions for OT that provide some level of security, this is likely ad hoc. Often, no one in an organisation can confidently say whether the security level is appropriate to the risk, whether the benefit justifies the cost, or whether it meets a broader range of business requirements that aren’t directly related to OT (i.e. informed by The Business-Driven Principle).

The Enterprise-Wide Principle is about taking a whole-of-business perspective, right across every aspect of your organisation, to maximise the investment return and ensure the long-term value of your industrial cyber security.

Decisions made through an enterprise-wide lens ensure the time, effort and attention that goes into properly integrating your industrial cyber security into OT systems pays off in numerous ways. While OT may seem a very specific area of your business, it’s one that can have huge ramifications across all your departments and operations, especially if there’s a breach and/or your OT cyber security has been mismanaged.

The Methodical Principle is about approaching your OT cyber security in a meticulous and systematic manner. This relies on knowing the correct sequence of actions to take for optimal effectiveness of your OT.

Many organisations attempt to comply with multiple methodologies and standards at the risk of everything falling into a ‘muddy’ mess. A lack of refinement in implementation can be a major obstacle to achieving world-class security outcomes.

The OT Security-Focused Principle is about recognising and maintaining the importance of your OT. This means using specialist OT security teams that strictly adhere to industry-specific standards and certification.

Introducing a 100% laser-focused industrial cyber security approach will help keep your organisation at the forefront of the current and developing cyber threat landscape. It’s unlikely you can do it internally. Engaging external OT security specialists to unite with your internal team in adopting industry-specific security standards and certifications is ultimately the way to go.

The OT Security-Compliant Principle is about ensuring your organisation achieves and maintains compliance with the necessary regulatory frameworks governing OT – and then goes even further to give you the very best industrial cyber security.

If you’re OT security-compliant, this means you hit the minimal recognised targets for adequately securing your industrial assets. The process usually involves registering OT assets, reporting cyber incidents affecting essential services and adhering to mandated risk management programs. It’s a no-brainer for meeting your obligations.

How does your organisation measure up in Industrial Cyber Security?

See how your organisation stacks up against the benchmark.

Put your organisation to the test with the SIS Industrial Cyber Security Assessment Scorecard.
