Your OT Cybersecurity Implementation Plan Begins Now
– Planning Your Way Towards a More Secure OT Environment –
By Luc A. Papillon, Chief Technology Officer, Mangan Incorporated and Mangan Cybersecurity
According to a study performed in 2019, as much as 88% of the workforce procrastinates on a daily basis.[1] Digital access to emails, social media, online news, and the myriad of ‘interesting’ articles have certainly contributed to this trend. The effect that procrastination can have in the Operational Technology (OT) world is vastly different from its impact in the Information Technology (IT) world.
In the traditional business world, while not great or acceptable, procrastination creates primarily a financial or productivity burden. How much is tolerated depends on an organization’s culture or philosophy.
Where manufacturing or processing facilities are involved, however, procrastination and unscheduled delay tactics can create damaging or extremely dangerous circumstances. Plant engineers, operators and managers have developed various methods to keep their teams engaged even at times when looking for that perfect vacation spot is foremost in their staffs’ minds. Leaders have succeeded to some degree in mitigating this effect, although work still needs to be done to improve the situation. Cybersecurity as it relates to Operational Technology (OT cybersecurity) can be looked at through the same lens as the controls necessary to safely operate the facility. We cannot afford to wait until an attack is upon us to react.
Emphasizing OT Cybersecurity
While it may seem there’s never enough time to address all the needs of your facility, delaying the implementation of OT Cybersecurity protections can create the same burden experienced by ignoring operational issues when needed most. While we sleep or take our eye off the ball, bad actors are looking for new, innovative ways to target unsuspecting or vulnerable organizations. Not all bad activity can be halted, nor do we have a machine to step back in time and stop what has already occurred, especially if you have been the unlucky recipient of a cyberattack. We can, however, be prepared before the next event is experienced.
If your OT Cybersecurity journey has already begun, maintaining the pressure and momentum gained so far is necessary. If you are like over half of the facilities living on the edge hoping that a breach will not happen to you, the time to act is now.
Planning for the OT Cybersecurity Implementation Journey
1. Decide to participate
Doing nothing when it comes to OT Cybersecurity implementation is not an option. Your greatest defense against cyberattacks lies in your decision to act preemptively, with resolve, and without compromise. You must accept the fact that cyber attackers are here to stay; they will adapt, target different business sectors, and strike when least expected.
Of course, a decision must also be followed up with actionable results if it is to be effective. Your acceptance must therefore be accompanied by an action plan that addresses the OT concerns within your business sector; more on this later.
2. Accept the reality that OT and IT Cyber are not the same
It may be tempting to leverage your IT cybersecurity policies and procedures to meet OT Cybersecurity objectives. I would caution you, however, to clearly understand the different concerns that exist between IT and OT environments. They are not the same, nor should they be treated as such (see “From Cybersecurity Origins to the Zero Trust Model” for a detailed view of the differences).
Figure 2-1 As indicated in “From Cybersecurity Origins to the Zero Trust Model”, IT and OT Cybersecurity concerns are varied enough that they require a different approach and philosophy be followed.
3. Answer the question, “Why do this in the first place?”
Ask seasoned business professionals or project managers what their primary role is. Their response will likely include risk mitigation and reduction. Cybersecurity experts would probably respond in a similar fashion, with risk mitigation ahead of all else. This is because there can be no compromise when a cyberattack is upon us. Risks, vulnerabilities, and potential threats may simply be too great to choose to look the other way when control systems and processes are involved.
As operations and engineering professionals, you must make certain that control and availability of your critical processes are maintained even in the worst circumstances including a security breach. Anything less may result in injury or death, equipment damage, or environmental impacts, not to mention the business, financial and reputation hits your organization may experience.
4. Gain Senior Leadership Buy-In on OT Cybersecurity Implementation
The greatest chance for success of any large initiative begins at the top. You must be prepared to justify your OT cybersecurity needs and approach to your senior leadership and perhaps your board of directors. While technical aspects of the initiative may well drive the approach, this is not the time to bring in the details. Stay away from technical jargon that, while necessary for ultimate success, adds nothing to the business goals and tolerance for risk. Rather, understanding that your audience is there to keep the business viable, place focus on business continuity discussions. Highlight the impact of doing nothing, especially in the OT world, and the intended resiliency of your planned program.
You must also set your expectations when addressing your senior leaders. Be prepared to respond to non-technical questions that will lead the group to decide how to best address their cybersecurity concerns. It’s okay to not have all the answers when asked, but you must also be ready to seek valid responses and return in a timely fashion to the questioners. Remember that your objective is to achieve the OT Cybersecurity approach buy-in that ultimately will become clearly communicated across the organization.
5. Know what’s happening in your industry or business sector
Figure 5-1 A qualified vendor that specializes in your business sector, its control requirements and objectives can help you to develop a series of questions pertinent to your needs.
6. Understand how much time you have
We have already established that you cannot afford to wait to begin your OT Cybersecurity Implementation Plan journey. How much time you have to enact your objectives and program is a different question altogether. Unfortunately, the answer is not as simple as you might think.
The most critical component of your cybersecurity implementation schedule depends on any perceived or real threats that exist within your industry or your own facility. This would require an immediate focus to contain any potential damage. The facility’s visibility to others, as well as mandates, time-based regulations or other requirements, will also impact how quickly you react or any incremental approach you recommend.
The discussion regarding your facility’s risk tolerance, business continuity targets and available budgets must also be explored. Any vendor you select must be able to align your personal business targets with what must be completed now versus what can wait or be scheduled for a later date. No matter how fast you choose to move, you must ensure that you protect the organization as best as possible within the goals set.
7. Know your risks and corporate tolerance
8. Develop a high level cybersecurity implementation plan
Armed with knowledge of your industry, alignment with qualified staff and vendors, as well as understanding your organization’s tolerance for risk, you are best aligned for success. The key here is to develop a plan with just enough details to ensure it addresses any concerns or suggestions made when initial buy-in was sought. Again, technical details are left for later and do not belong here. A good rule of thumb to follow is to provide no more technical details than would be typically included in a 5-year strategic plan.
The high level plan should minimally include the following sections:
- Introduction – Include a brief justification for the OT cybersecurity implementation plan. Add its applicability to your environment and the contents of the document itself. This section may be short or long depending on your organizational expectations but remember that you are not trying to resolve anything here nor are you identifying risks. Rather, you are presenting an approach to enhance or maintain the OT cybersecurity posture of your facility.
- Boundaries – Plans often fail when scope limits and boundaries are not clearly set. Ensure that you indicate what the plan is intended to address and just as meaningful, what it does not contain.
Figure 8-1 A good place to start as you set boundaries may lie within the Purdue Model. An OT Cybersecurity vendor should be responsible for all aspects downstream from the DMZ and influential at the enterprise level.
- Scope – Include a high level scope for the effort. This scope of work should contain the basic steps to gather the information necessary, assess and report on the results as well as include a path forward for remediation. Any suggestion made must address business continuity, budgets, or risk tolerance strategies. Include a preliminary schedule (Level 1 only) to clearly indicate the plan and buy-in that will be sought.
9. Present the high level cybersecurity plan (more buy-in)
Armed with the information gathered and a greater understanding of the work ahead, a new buy-in session is coordinated. This time, however, your objective is to gain acceptance of the high level plan developed. Remember that you are looked to as the resident expert for OT Cybersecurity. Present your suggested approach from a business perspective. Be prepared to answer questions like, “How much will this cost?” or “What if I do nothing?” The leaders of your organization may well be weighing the return on the investment for what you are proposing as a risk mitigation strategy. Expect some adjustments and pushback to the final product but hopefully nothing that would totally derail your recommended path forward. This step may take only one or multiple meetings to garner the team’s support.
Once the plan is agreed to by all parties, it is crucial that those who approved it are in total alignment with the approach and are willing to defend it in writing and in action if necessary. Total support of your OT Cybersecurity initiative provides its greatest chance for success. Anything less can put its effectiveness at risk.
10. Develop a Detailed OT Cybersecurity Action Plan
1. Darius Foroux, “Procrastination Study: 88% Of The Workforce Procrastinates”, https://dariusforoux.com/procrastination-study/