The tasks in April are the most important, and the most rarely done, tasks in OT security and cyber risk management. This should be clearer after March, when you learned about your company and its risk management program.

In a perfect world, systems would work 100% of the time. There would be no unscheduled outages. No integrity, quality, or yield issues. Many Operations groups run their OT impressively near this level of perfection year after year.

What you hopefully learned last month is that the company regularly lives with imperfect operations across all of its areas. If these faults are limited in size and frequency, they are a risk and loss that the company accepts. Patrick Miller has an applicable quote in the OnRamp training:

“It’s not their (executives) job to manage risk. It’s their job to take risk. It’s their job to take as many risks as they can and hopefully nothing bad happens. Because that makes them more profitable.”

What executives shouldn’t and won’t accept are risks that could lead to high and catastrophic consequence events. Well, they won’t accept them if they know about these risks. OT cyber-related risk has remained hidden, or at best poorly stated, in most asset owner companies. You’re going to help change that this month.

You will begin by understanding how Operations uses safety and protection systems to prevent high-consequence events. Next, you will determine whether a cyber attacker on OT could disable the systems that should prevent high-consequence events (hint: the answer is often yes).

Once you identify OT cyber failure scenarios that can lead to high-consequence events, we will step you through finding the solution and presenting it to executive management. It’s a busy and important month.