Abstract

As an extension of a previous methodological proposal for managing information security in Industrial Control Systems (ICS), this study aims to adapt IT frameworks to protect industrial and manufacturing enterprises against Information and Communication Technology disruptions and malicious activity. To accomplish this, traditional IT standards and good practices such as COBIT, PMI-PMBOK, ITIL and NIST have been integrated. COBIT has been applied to align management with the enterprise strategy, PMI-PMBOK for project management, and ITIL for the support and maintenance of ICS services. NIST-SP 800-82 has been used as a Guide to ICS Security. Prior to implementation, we evaluated and selected a group of tools from these frameworks. These tools have been used effectively in the operational management of information security in real cases. Among the main benefits obtained, we were able to reduce incidents and achieve holistic management. The achieved results and indicators demonstrate that the management tools comply with the control of information security in the ICS in the contexts of technology, processes, and people, aligned with the strategic objectives.
