As the year starts to wind down we’ve been pleasantly surprised at how much progress many owner/operators have made in their security posture. The plants and SCADA systems that have made the most progress have devoted manpower to security. They have people implementing security patching programs, monitoring security logs, implementing recovery testing and incident response, focusing on making written procedures a reality and more. Not really a big surprise, but still a majority of asset owners are trying to have existing staff work harder and longer to improve security.
Starting from no security, the first dollar or euro should be spent on perimeter security. But after that technology purchase, the next money should be spent on people who can implement and manage the security program. We’ve seen success with hiring dedicated security people and by making multiple people have part of their job be security – – if they are relieved of some of their pre-security tasks. Recently we saw a great example where the firewall log review, emergency remote access review, patch monitoring, anti-virus monitoring and other daily tasks rotated between a designated engineer of the day. It was highly effective and great for security awareness and learning.
Unfortunately headcount is the most difficult money. Often security is another task that is assigned on already fully allocated people. They can work longer in spurts or neglect other work for a while, but it is not sustainable. These organizations tend to have great security documents and plans that are not actually implemented.
NERC CIP is the most vivid example where a number of organizations are deluding themselves on implementing security controls and onerous documentation requirements without the additional manpower. Huge efforts were put forth to meet deadlines, but it is a continuous process and the work they left to do NERC can’t be ignored without consequences. My guess is some of musical chairs being played with CIP jobs is people knowing it is going to end badly soon at their current organization and they would be the fall guy/gal.
If you want to make security progress next year, put on your salesman’s hat and start working on that security headcount.