- Provide easy-to-digest reading that explains the possible risks and impact of cyberthreats in industrial environments. Two suggestions are Andy Greenberg’s article in Wired on NotPetya’s impact on Maersk and Rob Smith and Rebecca Berry’s article in the Wall Street Journal on the security “back door” into the U.S. power grid. For a longer read, try Kim Zetter’s book Countdown to Zero Day about Stuxnet.
- Introduce manufacturing cybersecurity into current planning exercises. In almost all industrial or critical infrastructure organizations, there is a range of processes that attempt to quantify and prioritize risks, from business continuity planning to HAZOP (hazard and operability) studies. Instead of trying to create an entirely separate effort from the start, get people to agree to include cyber risk as a key component of these exercises. This will not necessarily get you a full assessment, but it can raise awareness enough to begin a deeper dive.
- Bring OT/ICS representatives into the cybersecurity leadership team. In many organizations, chief information security officers (CISOs) and security leadership are aware of the risk, but they receive pushback from process control or operations leadership. A good solution is to bring experienced, well-respected control system leaders onto the cybersecurity leadership team, exposing them to the security risks on the information technology (IT) side so they can help translate those risks into the OT environment.
- Engage in an assessment. Obviously, this requires budget and time. The good news is that even a very small, inexpensive assessment can carry significant weight. It is a fast, inexpensive way to demonstrate with hard data how the ICS/OT risks compare to the overall cybersecurity risks in the organization. If more budget is available, you can pursue a more comprehensive assessment, but you don’t need to be stymied if budgets are slim initially.
- Explain the potential revenue benefits, not just the costs. In many cases, new regulations are placing greater emphasis on cybersecurity. Getting out in front of these requirements can save costs and give organizations an edge over competitors in potential contracts. Perhaps the most obvious area here is the defense industrial base, where the Cybersecurity Maturity Model Certification (CMMC) standards will soon be in effect. Companies with processes in place and in compliance stand to reap significant benefits.
Original content can be found at verveindustrial.com.