Page 93 - Cyber Defense eMagazine December 2022 Edition

computers. In the OT world, however, your operations team has to be co-responsible for information
            security, because they are the ones who will eventually need to enable or disable features, install
            new software, and work with vendors to get their work done. In general, experience has shown that
            relying on external engineers for these tasks results in security gaps, long waiting times, and a lack
            of oversight and accountability.


            Here's a thought experiment we can use to frame it in terms of what we already know. Most employees
            have no medical training, and it stands to reason that it would be dangerous for them to make medical
            decisions for themselves or others. However, it is well-established practice to train employees in CPR
            and a series of first-response techniques so they can care for others while medical professionals are
            on their way. Similarly, because resources are limited, we have to train a subset of the power plant
            employees in first-response procedures to keep their systems safe, for the same reason we don't have
            doctors sprinkled around the office. That is not to say that every employee has the same level of
            access. Operators, I&C Technicians, and DCS Engineers may all have different access levels, and some
            features, like access to the firewall configuration, may not be accessible to anyone at the site. You
            give people access based on what they are able to protect.



            What does the Program Manager do?

            Finally, the program manager's role is to understand the big picture: allocate the capital resources
            that keep the program running, find the right talent (a tremendous challenge), and communicate the
            team's vision so that people can go out and do their jobs. Program managers will also negotiate with
            vendors over time to compensate for temporary talent gaps and to customize the software offering to
            reflect changing realities. Awareness of these realities leads to another very tough challenge for the
            program manager: being realistic about what the cybersecurity program can accomplish for the
            organization.

            That last idea is often left unexplored. As advanced as your cybersecurity program may be, a great
            manager understands that there are many moving parts that a sophisticated attacker could exploit in
            ways we can't even imagine. For example, they know that engineers cannot deploy patches in real time;
            there is always a lag. End users can be sloppy from time to time. And no one in the organization may
            have the tools or expertise necessary to block, or even detect, a zero-day exploit. Hence it is vital to
            enable event logging, often to a server outside the control network so that an attacker who
            compromises a device cannot also erase its history, and to have a contingency plan. The logs are your
            black box: they let you write a post-mortem and work with vendors to understand what happened. The
            contingency plan helps you contain a problem as soon as it is detected. Sometimes the contingency plan
            is as simple as a clearly identified uplink cable to the firewall that plant operators disconnect in an
            emergency to isolate the control network.



            Conclusion

            We've come a long way. Many companies are still trying to figure out the roles for their employees, and
            many are still writing exceptions because they can't keep up with patching even once a year. A few still
            believe they can merge OT into IT. And several others are taking advantage of the opportunities
            presented by the Biden administration to improve their cybersecurity programs in new ways. Some




            Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.