Increase communication between OT and IT staff. Ensure that there is routine, honest, and constructive dialogue between process operations technology (OT) teams and the IT and cybersecurity teams. Process engineers know more about operations than cybersecurity specialists ever will, and vice versa, so it is important that they collaborate.
Evaluate the organization’s industrial processes. At a high level, understand the industrial processes that occur in your organization, the safety and operational concerns that surround them, and the potential consequences of a process or safety device failure.
Understand how OT and IT evaluate risks. Top management should understand that OT personnel typically have different (and valid) health and safety, security, and risk management priorities than IT personnel. An infection or vulnerability might mean little if it cannot result in a serious consequence; conversely, it may be a huge concern if it could cause a life, safety, or production disaster.
Develop an incident response plan that includes both OT and IT. Ensure that the documents critical to cybersecurity, such as an incident response plan, an asset inventory, collection management, and network maps, exist for the operational environment and are tailored to that environment with process engineer input.
Determine the most realistic cybersecurity posture. Understand that industrial control systems often consist of complex technical integrations that may limit modern cybersecurity tactics. For example, downtime can cost a lot of money, and systems may require legacy or unpatched components to function safely and remain under warranty. Security teams should therefore also explore mitigations such as passive monitoring, system isolation, data diodes, and access controls.
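The asset inventory from the previous point and the passive monitoring and access-control mitigations mentioned here fit together in practice: a passive sensor logs who talks to whom on the OT segment, and an allowlist derived from the inventory decides what is expected. The following is an added example, not code from the original article or from any product it mentions. It assumes a constructed asset inventory, a constructed baseline of expected conversations, and a constructed flow-record format (timestamp,src_ip,dst_ip,dst_port,proto,function) such as a passive sensor might emit; the asset names, addresses and function names are all made up for illustration.

```python
"""Passive baseline monitoring for an OT network segment (added example).

Assumptions (all constructed for this example):
  - ASSET_INVENTORY maps IP -> (asset name, role)
  - BASELINE lists the conversations the process engineers expect
  - flow records look like: timestamp,src_ip,dst_ip,dst_port,proto,function
The code only reads records; it never probes the control network.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: IP -> (asset name, role)
ASSET_INVENTORY = {
    "10.10.1.10": ("HMI-1", "hmi"),
    "10.10.1.20": ("ENG-WS", "engineering_workstation"),
    "10.10.2.5": ("PLC-Boiler", "plc"),
    "10.10.2.6": ("PLC-Pump", "plc"),
}

# Constructed baseline: (src_ip, dst_ip, dst_port) -> allowed functions.
# Only the engineering workstation is expected to write to PLCs; the HMI polls.
BASELINE = {
    ("10.10.1.10", "10.10.2.5", 502): {"read_holding_registers"},
    ("10.10.1.10", "10.10.2.6", 502): {"read_holding_registers"},
    ("10.10.1.20", "10.10.2.5", 502): {"read_holding_registers", "write_single_register"},
    ("10.10.1.20", "10.10.2.6", 502): {"read_holding_registers", "write_single_register"},
}


@dataclass
class Alert:
    severity: str
    reason: str
    record: str


def parse_record(line: str):
    """Split one constructed flow record into its six fields."""
    fields = line.strip().split(",")
    if len(fields) != 6:
        raise ValueError(f"malformed record: {line!r}")
    ts, src, dst, port, proto, func = fields
    return ts, src, dst, int(port), proto, func


def evaluate(line: str) -> Optional[Alert]:
    """Compare one record against the inventory and the baseline."""
    _ts, src, dst, port, _proto, func = parse_record(line)
    key = (src, dst, port)
    # An address missing from the inventory is the first thing to chase:
    # every other judgement depends on the inventory being complete.
    if src not in ASSET_INVENTORY:
        return Alert("high", f"unknown source {src} not in asset inventory", line)
    if dst not in ASSET_INVENTORY:
        return Alert("high", f"unknown destination {dst} not in asset inventory", line)
    if key not in BASELINE:
        return Alert("medium", f"{src} -> {dst}:{port} is not a baselined conversation", line)
    if func not in BASELINE[key]:
        # Consequence-driven severity: an unexpected write to a controller
        # matters far more than an unexpected read.
        severity = "high" if func.startswith("write") else "low"
        return Alert(severity, f"{func} from {src} to {dst} not in baseline", line)
    return None


def monitor(lines):
    """Run every non-empty record through evaluate() and collect the alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = evaluate(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample flow records
SAMPLE_FLOWS = """\
2024-05-01T08:00:00Z,10.10.1.10,10.10.2.5,502,tcp,read_holding_registers
2024-05-01T08:00:05Z,10.10.1.20,10.10.2.6,502,tcp,write_single_register
2024-05-01T08:00:09Z,10.10.1.10,10.10.2.6,502,tcp,write_single_register
2024-05-01T08:00:12Z,10.10.9.77,10.10.2.5,502,tcp,read_holding_registers
2024-05-01T08:00:15Z,10.10.1.20,10.10.2.5,44818,tcp,list_identity
"""

if __name__ == "__main__":
    for a in monitor(SAMPLE_FLOWS.splitlines()):
        print(a.severity.upper(), a.reason)
```

On the sample records the first two flows are expected, the HMI's write to PLC-Pump is flagged high, the unknown 10.10.9.77 is flagged high, and the engineering workstation's use of a port that was never baselined is flagged medium. The baseline is built with process engineer input rather than by the security team alone, which is exactly the OT/IT collaboration the points above call for, and because the code only consumes sensor records it adds no traffic to the control network.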