OT Cybersecurity Implementation Begins Now

Your OT Cybersecurity Implementation Plan Begins Now

– Planning Your Way Towards a More Secure OT Environment –

By Luc A. Papillon, Chief Technology Officer, Mangan Incorporated and Mangan Cybersecurity

According to a study performed in 2019, as much as 88% of the workforce procrastinates on a daily basis.[1] Digital access to emails, social media, online news, and the myriad of ‘interesting’ articles has certainly contributed to this trend. The effect that procrastination can have in the Operational Technology (OT) world is vastly different from its impact in the Information Technology (IT) world.

In the traditional business world, while not great or acceptable, procrastination creates primarily a financial or productivity burden. How much is tolerated depends on an organization’s culture or philosophy.

Where manufacturing or processing facilities are involved, however, procrastination and unscheduled delay tactics can create damaging or extremely dangerous circumstances. Plant engineers, operators and managers have developed various methods to keep their teams engaged even at times when looking for that perfect vacation spot is foremost in their staffs’ minds. Leaders have succeeded to some degree in mitigating this effect, although work still needs to be done to improve the situation. Cybersecurity as it relates to Operational Technology Cybersecurity Implementation (OT cybersecurity) can be looked at through the same lens as the controls necessary to safely operate the facility. We cannot afford to wait until an attack is upon us to react.

Addressing OT Cybersecurity implementation process concerns can be overwhelming and challenging. Mangan Cybersecurity understands well the special provisions and requirements that exist within controls and processing environments. Since 1990, Mangan has supported its clients with knowledgeable and highly qualified engineers specifically trained to meet this high demand in Operational Technology.

Mangan Cybersecurity is ready to assist you with the steps recommended by this article. Once planning is complete, we stand ready to provide management, engineering, assessment, design, and remediation services to meet your business continuity and OT Cybersecurity objectives.


Emphasizing OT Cybersecurity Implementation Services

While it may seem there’s never enough time to address all the needs of your facility, delaying OT Cybersecurity implementation protections can create the same burden experienced by ignoring operational issues when needed most. While we sleep or take our eye off the ball, bad actors are looking for new, innovative ways to target unsuspecting or vulnerable organizations. Not all bad activity can be halted, nor do we have a machine to step back in time and stop what has already occurred, especially if you have been the unlucky recipient of a cyberattack. We can, however, be prepared before the next event is experienced.

If your OT Cybersecurity journey has already begun, maintaining the pressure and momentum gained so far is necessary. If you are like over half of the facilities living on the edge hoping that a breach will not happen to you, the time to act is now.

Planning for the OT Cybersecurity Implementation Journey

Whether you are new to the topic or have been at it for some time, there are steps recommended to make certain your OT Cybersecurity objectives are well understood and agreed to at the onset. Below are planning steps that can help to proactively reduce undue risks or vulnerabilities.
Figure A Planning Steps along the OT Cybersecurity Journey

1. Decide to participate

Doing nothing when it comes to OT Cybersecurity implementation is not an option. Your greatest defense against cyberattacks lies in your decision to act preemptively, with resolve, and without compromise. You must accept the fact that cyber attackers are here to stay; they will adapt, target different business sectors, and strike when least expected.

Of course, a decision made must also be followed up with actionable results if it is to be effective. Your acceptance must therefore be accompanied by an action plan that addresses the OT concerns within your business sector; more on this later.

2. Accept the reality that OT and IT Cyber are not the same

It may be tempting to leverage your IT cybersecurity policies and procedures to meet OT Cybersecurity objectives. I would caution you, however, to clearly understand the different concerns that exist between IT and OT environments. They are not the same, nor should they be treated as such (see “From Cybersecurity Origins to the Zero Trust Model” for a detailed view of the differences).

Comparison of the IT and OT Triad Application

Figure 2-1 As indicated in “From Cybersecurity Origins to the Zero Trust Model”, IT and OT Cybersecurity concerns are varied enough that they require a different approach and philosophy.

3. Answer the question, “Why do this in the first place?”

Ask seasoned business professionals or project managers what their primary role is. Their response will likely include risk mitigation and reduction. Cybersecurity experts would probably respond in a similar fashion, with risk mitigation ahead of all else. This is because there can be no compromise when a cyberattack is upon us. Risks, vulnerabilities, and potential threats may simply be too great to choose to look the other way when control systems and processes are involved.

As operations and engineering professionals, you must make certain that control and availability of your critical processes are maintained even in the worst circumstances including a security breach. Anything less may result in injury or death, equipment damage, or environmental impacts, not to mention the business, financial and reputation hits your organization may experience.

4. Gain Senior Leadership Buy-In on OT Cybersecurity Implementation

The greatest chance for success of any large initiative begins at the top. You must be prepared to justify your OT cybersecurity needs and approach to your senior leadership and perhaps your board of directors. While technical aspects of the initiative may well drive the approach, this is not the time to bring in the details. Stay away from technical jargon that, while necessary for ultimate success, adds nothing to the business goals and tolerance for risk. Rather, understanding that your audience is there to keep the business viable, focus on business continuity discussions. Highlight the impact of doing nothing, especially in the OT world, and the intended resiliency of your planned program.

You must also set your expectations when addressing your senior leaders. Be prepared to respond to non-technical questions that will lead the group to decide how to best address their cybersecurity concerns. It’s okay to not have all the answers when asked, but you must also be ready to seek valid responses and return in a timely fashion to the questioners. Remember that your objective is to achieve the OT Cybersecurity approach buy-in that ultimately will become clearly communicated across the organization.

5. Know what’s happening in your industry or business sector

As stated previously, while both IT and OT areas have cybersecurity fears and needs, addressing each with common personnel and the same tools is not appropriate. The same can be said when we consider the role your specific industry plays in selecting your OT cybersecurity strategy. Government regulations or mandates, industry-led regulations, business-specific baselines, and current events all contribute to the differences that exist between industries. Familiarity with each of these will maximize the potential success of your OT Cybersecurity program. Your selected contractor or support staff should therefore be well familiar with which areas are mandated or voluntary, as well as those that represent best practices. Additionally, experts in system integration and controls specifically related to your line of business can increase your ability to respond to cyberattacks when needed most.

Figure 5-1 A qualified vendor that specializes in your business sector, its control requirements and objectives can help you to develop a series of questions pertinent to your needs.

6. Understand how much time you have

We have already established that you cannot afford to wait to begin your OT Cybersecurity Implementation Plan journey. How much time you have to enact your objectives and program is a different question altogether. Unfortunately, the answer is not as simple as you might think.

The most critical component of your OT cybersecurity implementation schedule depends on any perceived or real threats that exist within your industry or your own facility. This would require an immediate focus to contain any potential damage. The facility’s visibility to others, as well as mandates, time-based regulations or other requirements, will also impact how quickly you react or any incremental approach you recommend.

The discussion regarding your facility’s risk tolerance, business continuity targets and available budgets must also be explored. Any vendor you select must be able to align your personal business targets with what must be completed now versus what can wait or be scheduled for a later date. No matter how fast you choose to move, you must ensure that you protect the organization as best as possible within the goals set.

7. Know your risks and corporate tolerance

At this point, you may not have all the details necessary to develop a complete view of your organization’s current cybersecurity profile and tolerance. Even so, certain assumptions or industry knowledge must lead you to a picture, whether perceived or real, of your security concerns. This can become most valuable if you accept that both internal and external forces are at play and that a cyberattack can occur from anywhere. Add to this the company’s culture for risk tolerance to prepare your targeted cybersecurity position. Of course, any decision made must ensure safety remains at the forefront of all your decisions.

8. Develop a high level cybersecurity implementation plan

Armed with knowledge of your industry, alignment with qualified staff and vendors, as well as understanding your organization’s tolerance for risk, you are best aligned for success. The key here is to develop a plan with just enough details to ensure it addresses any concerns or suggestions made when initial buy-in was sought. Again, technical details are left for later and do not belong here. A good rule of thumb to follow is to provide no more technical details than would be typically included in a 5-year strategic plan.

The high level plan should minimally include the following sections:

  • Introduction – Include a brief justification for the OT cybersecurity implementation plan. Add its applicability to your environment and the contents of the document itself. This section may be short or long depending on your organizational expectations but remember that you are not trying to resolve anything here nor are you identifying risks. Rather, you are presenting an approach to enhance or maintain the OT cybersecurity posture of your facility.
  • Boundaries – Plans often fail when scope limits and boundaries are not clearly set. Ensure that you indicate what the plan is intended to address and, just as meaningfully, what it does not contain.

Figure 8-1 A good place to start as you set boundaries may lie within the Purdue Model. An OT Cybersecurity vendor should be responsible for all aspects downstream from the DMZ and influential at the enterprise level.

  • Scope – Include a high level scope for the effort. This scope of work should contain the basic steps to gather the information necessary, assess and report on the results as well as include a path forward for remediation. Any suggestion made must address business continuity, budgets, or risk tolerance strategies. Include a preliminary schedule (Level 1 only) to clearly indicate the plan and buy-in that will be sought.

9. Present the high level cybersecurity plan (more buy-in)

Armed with the information gathered and a greater understanding of the work ahead, a new buy-in session is coordinated. This time, however, your objective is to gain acceptance of the high level plan developed. Remember that you are looked to as the resident expert for OT Cybersecurity. Present your suggested approach from a business perspective. Be prepared to answer questions like, “How much will this cost?” or “What if I do nothing?” The leaders of your organization may well be weighing the return on the investment for what you are proposing as a risk mitigation strategy. Expect some adjustments and pushback to the final product but hopefully nothing that would totally derail your recommended path forward. This step may take only one or multiple meetings to garner the team’s support.

Once the plan is agreed to by all parties, it is crucial that those who approved it are in total alignment with the approach and are willing to defend it in writing and in action if necessary. Total support of your OT Cybersecurity initiative provides its greatest chance for success. Anything less can put its effectiveness at risk.

10. Develop a Detailed OT Cybersecurity Action Plan

With support from the senior leadership, you are ready to prepare the detailed OT Cybersecurity Action Plan. This is an expansion of the scope of work developed for high level planning (see step 8). The resulting document should include all the objectives presented earlier with enough detail to evaluate or execute them to completion. Consider limited resources in labor, budgets, parts, shutdowns, production, etc., while developing the documented plan.

Figure 10-1 Applying details for the Business Continuity and Disaster Recovery Plans.

The need for an effective OT cybersecurity action plan is established for us by external factors, whether politically, personally, or nationally driven. How to begin, where to place our focus, or how much emphasis to place on each concern can be debated for some time. This will differ from site to site. No matter the extent or complexity of your program, however, a thoughtfully planned and developed process can be applied proactively to ensure progress is made to meet your business continuity and risk objectives. Anything less is simply unacceptable.

1. Darius Foroux, “Procrastination Study: 88% Of The Workforce Procrastinates”, https://dariusforoux.com/procrastination-study/
