What are the top three pieces of advice you would give a CISO to make the plant OT/ICS environment more secure from cyber-attacks?
As the Chief Industrial Information Security Officer for Total Marketing and Services, Christophe Rey-herme was responsible for increasing his colleagues’ security awareness and improving security for the business. He offers this advice.
1. Make everyone aware of the importance of cybersecurity to themselves and the plant.
Rey-herme and his team pursued a variety of strategies for raising security awareness among their colleagues, including making training videos as well as hacking and cybersecurity demonstrations to show their colleagues how easy it is to gain control over a system when it’s not secure. “When people see the risk and what can happen if they don’t secure the system, they become interested in the subject. Then, they begin to look for solutions for improvement,” he says. “Once I have a partner at the plant who is interested in improving our solutions, that’s a key point enabling me to move forward. I have too many plants to do everything on my own. I absolutely need to have at least one or two people in each plant in charge of cybersecurity who are really aware of the risk. I get that through various awareness campaigns.”
2. Cybersecurity has to be a business enabler.
This includes helping acquire and deploy solutions that plant operators want and consider realistic for their real-world environments. When he first started working at Total Marketing and Services, Rey-herme noticed that the cybersecurity team tended to focus mostly on whether the company’s plants were complying with the rules. “Now, we show the plants not only why and where they are not compliant, but we also provide a technical solution that ensures the business needs while complying with our cybersecurity rules,” he says. To streamline the process going forward, Rey-herme and his team built a catalog of solutions that can assist plants in fulfilling both objectives.
3. Collaborate with enterprise IT security people when determining risk exposure, especially in areas where there are connections between the plant and enterprise networks.
“Part of our risk is coming from the connection of some of our plants to the enterprise network,” he says. This presents a challenge because OT engineers are often unaware of the risk such connections pose to ICS systems, and IT people are often unaware of the connections, or they do not know how to evaluate the risks those connections create, or both. Rey-herme finds it valuable to collaborate closely with his colleagues in the enterprise IT security team so that they can effectively address both sides of the equation.
Ensuring adequate security is challenging in a plant environment, since OT tends to focus first and foremost on safety and operational continuity. As a result, OT engineers need to see a lack of security as a threat to operational continuity in order to take it seriously. This is why Rey-herme considers security awareness a top priority, as it enables the business to come together more effectively in support of a unified strategy. By raising awareness, communicating the importance of compliance, and collaborating with enterprise IT colleagues, he believes security organizations can go a long way toward achieving improved security.
This blog is one of many essays in the eBook Advice for CISOs: How to Approach OT Cybersecurity. Download the full eBook for more strategies from experts who are on the front lines of OT cybersecurity risk mitigation.