Manufacturing Engineer: “You want me to patch what? How often? Yeah, right... I can’t take these systems offline for even a minute, those patches are going to have to wait until our next planned shut in the spring...”
Cybersecurity Manager: “Was that system that was breached compliant with our internal cyber specification?”
Process Engineer: “What specification?”
Plant GM: “Did the new remote sensing ecosystem project get approved for my plant?”
VP of Ops: “Yes! Install starts tomorrow.”
CISO: “Who signed off on it from Cybersecurity?”
ALL: Silence...
Just about every one of our clients is going through some form of digital transformation. And for our large industrial clients especially, they are now going through an OT (Operational Technology) cybersecurity (“cyber”) awakening. In most cases, cyber was not considered upfront, if at all, and the above (mildly embellished) scenarios are commonplace.
In the worst case, a breach occurs that brings a facility down, people are harmed, and property, plant and equipment are severely damaged. More commonly, systems have to be taken offline so that “security hardening” activities can take place which cause production disruption.
All of this can be avoided if cyber is thought about up front and wired into your business.
Here are three easy ways to get started:
1. Publish your cyber spec in as many places as possible (online and off), and encourage people to contact the Cyber team with questions.
2. Send a weekly cyber “nugget” (article, blog, tip) to your organization to keep it top of mind.
3. Incorporate a cyber check box into the capital/project approval process for your organization. A simple “Has the Cyber Dept signed off on this project?” Y/N. If NO, route this to “Joe Schnoggs, Cyber Manager” for approval.
It’s not the whole answer by any means, but at least it’s a start.