Management: ICS Security Management: Who should manage ICS security and where should they be placed?

Options:

Decision:

IF Risks are Low, THEN No ICS security manager should be in place.
OTHERWISE

IF Enterprise-wide security architecture is in place AND ICS is a significant component of the enterprise,
THEN An enterprise-wide ICS security manager should be used.
ALSO

IF Enterprise information protection is structured so that business units have security managers,
THEN Each major business unit with substantial ICS operations should have an ICS security manager.
ALSO

IF A facility contains ICS systems with Medium or High risk levels,
THEN That facility should have an ICS security manager.
ALSO

IF ICS systems have High or Medium risk,
THEN That ICS system should have a security manager.
ALSO IF An enterprise-wide ICS security manager is used,
THEN The top-level ICS security manager should be one level below the top-level enterprise security executive.
ALSO

IF The enterprise is small OR ICS is a major component of enterprise operations and managed at the enterprise level,
THEN The top-level ICS security manager should be at the enterprise executive level.
ALSO

IF An operations manager is in charge of a Medium or High risk ICS operation,
THEN An ICS security manager should work one level below the top-level operations manager for the relevant ICS systems.
ALSO

IF An ICS security manager is in place at any level,
THEN An ICS security manager should be a member of the overall ICS design and operations team.

Basis:

An enterprise-wide ICS security manager should be used:
An enterprise-wide ICS security manager has executive-level control over all ICS security decisions. This includes all facets of information protection as they apply to ICS systems. This is rarely the case in large enterprises, and when it is, the ICS security manager typically works for another high-level executive at the enterprise level and has responsibility across business units which typically have their own ICS security expertise that is coordinated by the enterprise-wide executive. This should not normally be the Information Protection Lead (IP Lead), since ICS is highly specialized and requires special knowledge and attention that is usually not available to the IP Lead, who has many other broad responsibilities.

Each major business unit with substantial ICS operations should have an ICS security manager:
This is compatible with an enterprise-wide ICS security manager, and typically used because each business unit typically has different sorts of ICS systems and requirements and operates in a different management decision-making structure, in different locations, and under different requirements.

Each facility should have an ICS security manager:
As a rule of thumb, when a facility contains ICS systems with Medium or High risk levels, it is prudent to have an individual in the ICS security manager role. However, this may be a role that also involves other duties, depending on the workload of this activity at the facility.

Each ICS system should have a security manager:
In cases where ICS systems have High or Medium risk, a security manager should be identified with each ICS, even if that individual plays other roles and may have that role for a multitude of such systems. This is required if only to have a responsible party with adequate knowledge of the specific ICS for making decisions regarding the implications of changes.

No ICS security manager should be in place:
In Low risk situations or in situations where ICS mechanisms are highly standardized, there may be no need for an ICS security manager.

The top-level ICS security manager should be at the enterprise executive level:
For large enterprises, there may be a single point of coordination of ICS security, and in smaller enterprises, there is often an individual tasked with this responsibility. To the extent that the ICS and enterprise information systems interact, the ICS security manager should be responsible for integration and protection across the boundaries. This has to be done at some level, and since enterprise architecture usually exists at this level, it is important that integration of these architectures is done at this level.

The top-level ICS security manager should be one level below the top-level enterprise security executive:
Some enterprises structure protection so that an IP Lead exists at the enterprise level. In those cases, when there is enterprise-wide unified ICS security management, the ICS manager might appropriately be placed in that position.

An ICS security manager should work one level below the top-level operations manager for the relevant ICS systems:
This is a reasonable management structure for an ICS security manager. The operations manager has responsibility that requires the expertise of the ICS security manager, and the ICS security manager tends to make decisions that directly effect and are affected by operational issues.

An ICS security manager should be a member of the overall ICS design and operations team:
In most cases when an ICS security manager is in place, it is appropriate for them to participate in the design and operations team activities. To the extent that ICS security architecture is in place, that architecture is usually the responsibility of the ICS security manager to assure, and thus their presence on the design team will be instrumental to proper architectural operations.