Believing that a stack of technology products alone can bring you perfect security is akin to believing that a set of expensive equipment, such as the latest fad running shoes, an ultralight aerodynamic bike, and a sleek wetsuit will get you across the finish line of a long-course triathlon. It’s wishful thinking, at best; harmful, at worst.
While equipment and technology can certainly help, true cyber success will come through a shift in mindset and acceptance of the fact that process, coupled with product and reinforced with hard work, will get you where you need to be.
Let’s start with some level setting on what security is, and what it is not.
Security is not something you buy, like a product or silver bullet—it’s not something you set and forget. It also doesn’t assure 100% protection. And finally, security is not compliance. Those are two separate things.
So what is security?
Security is more like a living, breathing, and dynamic organism. It’s a process that requires time, effort, technology, and people—all of which need to come together to achieve a successful security strategy. Only with this understanding can you begin to develop a robust defense-in-depth strategy to protect critical assets from cyber threats.
Planning: Create a Roadmap from Start to Finish
To begin this process, you need a plan; you need support for that plan; and you need the time, patience, and know-how to execute the plan.
A long-course triathlon consists of 2.4 miles of swimming, 112 miles of biking, and 26.2 miles of running. That’s no Sunday walk in the park. But even if you’re an amateur athlete, the potential is there to become a long-course competitor. It’s all about taking one step at a time, and beginning with a good plan. Your program will go through several evolutionary changes and initiatives across a multitude of disciplines, organizational structures, policies, processes, etc., and should also include a period of reflection to establish what is working and what is not.
Similarly, when developing your security strategy, begin by finding out where you are as an organization: where you have policy, process, or technology gaps in relation to industry standards and best practices. Based on these findings, decide what your goals are, what the risks are, and where you want to be in a year—or two. Often, the end state is determined up front by evaluating your organization against an industry standard such as those published by NIST (National Institute of Standards and Technology) or IEC (International Electrotechnical Commission).
Initially, you might consider planning steps that include:
- Developing situational awareness and determining your current security posture
- Evaluating desired end state for both short- and long-term initiatives
- Prioritizing findings from the security posture assessment
- Determining stakeholders who need to be involved in improvement efforts
- Establishing a preliminary roadmap and action plan
Engaging: Involve the Right Stakeholders Early
While competing in a triathlon is a solitary act, getting to the race takes a support team (often, your friends and family). Likewise, engaging the right parties in the organization is of utmost importance in gauging the ability of your organization to realize meaningful change in cyber security, in any discipline. It is critical to determine your key stakeholders—they should include leaders, engineers, vendors, and maintenance personnel, among others. Get them involved early in the planning, especially upper management (in each segment), who need to understand that security is a process that takes time. Also include your OT team, who will be the organizational unit responsible for implementing change and putting new security practices, policies, and training into action.
All stakeholders must have a singularity of purpose so that they row together and in the same direction. So think like them by tying security efforts to each stakeholder’s bottom line. For OT personnel, this includes safety, reliability, and ease of recovery. For plant managers and those in similar roles, this includes asset availability and reduction of unplanned downtime due to cyber attacks. And for senior leadership, this includes protection of brand reputation and shareholder value.
At this stage, you will update and modify your plan, which should include this initial engagement as the first step. Operational personnel or other stakeholders may bring up issues or concepts that were not initially identified or suggest other stakeholders who should be involved. These engagement activities will help refine the action plan and determine a level of ownership attributable to the additional stakeholders.
At this point, be ready for some selling of the strategy and change management techniques. Many times, an organization’s functional units are not interested in either changing the way they work or absorbing the potential financial burden of new technology or processes. Likewise, they might simply not understand the need for or ROI on cyber security. However, this should not be unexpected when attempting to make changes in an organization.
The support and engagement of upper management are often highlighted as a keystone concept in many security implementation documents and program recommendations. In realizing the changes that you will need to make, it is key to have their support in both program initiation and maintenance.
Executing: Stay the Course
To be ready for race day, you have to reach and maintain peak condition. To do that, it’s important to have a plan and stick to it. Remember, progress rarely happens in a straight line. So accept that there will be ups and downs along the way. That said, beware of too many changes in course and direction. Minor lessons learned along the way and pivoting are okay, but watch for detractors that can cause you to take too many steps back or waste work.
Results likely will not come in a week or a month—so be careful with setting expectations for large gains to be realized quickly—but, with effort, they will come. And in the long run, you will end up saving more time and effort while increasing the quality of your desired output. What’s paramount is sticking to the plan and reaching the finish line with the proper levels of support and direction, even if the result is not perfect (i.e., you don’t win the race).
In the case of OT security, any number of factors—leadership shake-ups, fluctuating priorities, and changes without ensuring proper resources—could cause project fatigue or the potential to cave to internal pressures to execute more quickly. However, at the end of the day, the end goal—to improve your overall cyber security posture along with the resiliency and safety of your OT systems—should remain paramount and unchanged.