Winner! Cyber Consultant of the Year at the 2026 Australian Cyber Awards

The Industrial Cyber Security Principle Method™

Methodology
There are six foundational principles for delivering a world-class industrial cyber security program.
The Industrial Cyber Security Principle Method™ is an OT security methodology created by SIS Industrial Cyber Security in direct response to the global need for OT-specific cyber security.

It blends established industry frameworks¹,²,³ with real-world experience, refined to better meet the changing nature of OT security threats.

When combined, these six principles are the vital ingredients in the SIS recipe for delivering world-class industrial cyber security programs.
1. Theodore J. Williams (1994) “The Purdue enterprise reference architecture.” Computers in Industry, Vol. 24 (2), pp. 141-158.

2. John Sherwood, Andrew Clark & David Lynas (2009) Enterprise Security Architecture. Available at: https://sabsa.org/ [accessed August 2024].

3. Michael J. Assante and Robert M. Lee (2015) The Industrial Control System Cyber Kill Chain. Available at: https://sansorg.egnyte.com/dl/HHa9fCekmc [accessed August 2024].

The Business-Driven Principle is about aligning your primary business functions with your industrial cyber security. It’s about ensuring what you do every day – your reason for being here – is properly serviced by your OT security requirements.

Typically, the Business-Driven Principle is the first to be executed in The Industrial Cyber Security Principle Method™, because it relies on a deep process of cross-organisation discovery that informs all the other principles. This involves analysing the business processes that depend on OT systems, drawing on source data and on information gathered in direct interviews with the operational OT asset managers and engineering business managers.

The Risk-Based Principle is about customising your OT security to the specific risks associated with each system or subsystem in your business, rather than applying the same security control coverage across everything.

While organisations may implement point solutions for OT that provide some level of security, this is likely ad hoc. Often, no one in an organisation can confidently say whether the security level is appropriate to the risk, whether the benefit justifies the cost, or whether it meets a broader range of business requirements that aren’t directly related to OT (i.e. informed by The Business-Driven Principle).

The Enterprise-Wide Principle is about taking a whole-of-business perspective, right across every aspect of your organisation, to maximise the investment return and ensure the long-term value of your industrial cyber security.

Decisions made through an enterprise-wide lens ensure the time, effort and attention that goes into properly integrating your industrial cyber security into OT systems pays off in numerous ways. While OT may seem a very specific area of your business, it’s one that can have huge ramifications across all your departments and operations, especially if there’s a breach and/or your OT cyber security has been mismanaged.

The Methodical Principle is about approaching your OT cyber security in a meticulous and systematic manner. This relies on knowing the correct sequence of actions to take so that your OT security is as effective as possible.

Many organisations attempt to comply with multiple methodologies and standards at once, at the risk of everything collapsing into a ‘muddy’ mess. A lack of refinement in implementation can be a major obstacle to achieving world-class security outcomes.

The OT-Centric Principle is about recognising that OT security demands its own strategy, its own expertise, and its own discipline.

Borrowed IT thinking, however well-intentioned, is not enough. OT environments operate on different rules: safety before confidentiality, availability before patching, process continuity before almost everything else.

A 100% OT-focused approach keeps your organisation ahead of the current and developing cyber threat landscape. In most cases, this means engaging specialist external OT security teams to work alongside your internal team, bringing the industrial expertise, certifications and standards knowledge that OT security requires.

The Assurance-Focused Principle is about going beyond compliance to build security that is proven, not presumed. Compliance sets the floor. It means meeting the minimum recognised targets for securing your industrial assets, registering OT assets, reporting cyber incidents, and adhering to mandated risk management programs. Meeting those obligations is essential.

But compliance is not security. You can be fully compliant on Monday and compromised by Tuesday. Assurance is what sits above the floor. It means proving your controls actually work under real operating conditions at every level of your environment, not just where auditors look. Organisations that treat compliance as the finish line remain exposed. Organisations that treat it as the starting line build genuine resilience.

How does your organisation measure up in Industrial Cyber Security?

See how your organisation stacks up against the benchmark

Put your organisation to the test with the SIS Industrial Cyber Security Assessment Scorecard.
Winner – Cyber Consultant of the Year (SME). Finalist for Cyber Professional of the Year in Industries, Logistics & Critical Infrastructure, and a Finalist for GRC Provider of the Year.
