October is a month of change. The leaves begin to change color, the weather gets cooler, and the daylight hours shorten as the days progress. As the month comes to an end, I still fight the need to wear a jacket, not wanting to fully give in to the idea of winter.
The other place where I deal with constant change is the cyber security landscape, so it’s fitting that October is Cyber Security Awareness Month. Change meets change.
In my work helping to protect industrial control systems around the world from cyber threats, one of the most common questions I hear from operators in the oil & gas industry is: How do I get support from C-suite leadership for a robust cyber security program? Cyber security is a relatively new concept, and headlines tend to drive leadership to ask for protection without understanding the full set of resources that need to be secured to execute it.
The first step in your approach should be a site vulnerability assessment. This is a simple way to get a view of your operations’ security posture. An assessment will review the behavior of employees, your network architecture, your plant’s physical security and more.
With the prioritized results of the assessment in hand, it’s time to compare your risk vs. investment. Quantify the impact a breach would have against the investment needed to proactively protect against it. Calculate the cost of being down or losing visibility into operations. This could include lowered productivity and additional resources deployed to respond to an incident.
Finally, put it in terms leadership can understand. Most of us have experienced a breach in our personal lives: our home computer has been compromised, our banking data has been exposed, etc. We rely on systems in place both to protect us and to inform us when breaches happen. The same needs to be done for our critical infrastructure. Look for solutions that can be scaled based on your operation’s needs.