Page 90 - Cyber Defense eMagazine December 2022 Edition
Managing Cybersecurity for Critical National Infrastructure
General guidelines and realities of managing a cybersecurity program for critical national infrastructure
By Juan Vargas, Cybersecurity and Engineering Consultant, Artech, LLC
What's the reality of managing a cybersecurity program for critical national infrastructure? Twenty years
ago, we had no idea. Companies didn't have to get serious about protecting infrastructure until the North
American Electric Reliability Corporation (NERC), in the wake of the attacks on 9/11, forced power
companies into mandatory compliance with its Critical Infrastructure Protection (CIP) standards. Or an
early version of them. But that change effectively created an entire ecosystem of products and services
for the world of Operational Technology (OT) we didn't know we needed.
While the definition of critical infrastructure may change in the future (it's been circulating in the news that
the United States may expand the definition to include water plants), my background is where it all started:
in power generation. Over many years I've witnessed many organizational iterations to keep up with the
ever-changing nature of regulation. And it is only fair for new people to have a proper introduction to what
has worked and what hasn't.
A common misconception about managing an OT cybersecurity program is that it is mostly about
choosing the right software. Or the newest software. Or the most powerful software. While the software
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.