Page 91 - Cyber Defense eMagazine December 2022 Edition
tools have gotten significantly better, cheaper, and more effective, the biggest challenge has been
managing and executing highly advanced programs with the existing talent pool: a workforce that was
never trained to use or understand IT software, and executives who do not see the return on investment
of these types of initiatives.
Painful as it has been, the NERC CIP standards have been widely successful in their goal to help protect
critical infrastructure. The subject of how safe power plants are may be up for a deeper analysis in the
future, but at least it is safer than before and gets better with every iteration. It has been so successful
that it has become an international reference for others to follow. Canada and Mexico have adopted it,
as well as several parts of Europe and many countries in Central and South America. It's a great starting
point for any nation seeking to improve its resilience and reliability. And given that NERC revises the
standards frequently for improvements, the trend will likely continue in years to come. But how does this
translate into actions for a program manager to avoid the growing pains?
Understanding the usual challenges of a program manager
Let's start with what seems logical. A newly hired program manager gets support from management to
roll out a program using a limited budget. The program manager knows he needs software to make it
work, so he walks into a store stocked with every cybersecurity product on the market and looks for the
easiest possible solution to the problem. Can he buy cutting-edge software and ask his IT team to install
and support it at the power plant? Sure. But that's a big mistake. Who is going to support it? Does IT
know how the control system works? Will the control system vendor support you when things break? As
it turns out, support is the keyword here and is crucial for your program's success because, otherwise,
you are on your own. And soon after, you will have to become an expert in things you should not be an
expert on. This approach rarely works in OT because it is very slow and costly. The program manager
relies too heavily on his own ability to quickly become a subject matter expert and to recruit and retain
top talent to create a customized program that works. The reality is that IT methods don't translate well
into the OT world, vendors won't support your decisions, and your program will suffer greatly each time
an employee leaves for a better job.
We have learned that the least expensive and most effective way to manage a cybersecurity program is
by having a long-term relationship with key vendors and learning to develop three internal competencies
that scale well for power plants. Those competencies follow three career paths in compliance,
engineering, and operations.
Why working with vendors is important
To expand further, you are not looking for the lowest price when working with OT vendors. Instead, you
are looking for a reputable cybersecurity strategy, guaranteed integration with your control system, and
phenomenal customer support for your teams. Having a long-term relationship with vendors will also
help alleviate issues of talent attrition or training needs. Lastly, unlike IT vendors, OT vendors have
experience with power plant personnel and their operational realities.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.