Your company has had a cyber incident that impacts OT and Operations. You may need to communicate with your customers, investors, media, regulators, government agencies and others. While the details of the cyber incident will affect what is said, your company should have a cyber narrative that is the backbone of this communication.
There is one clear data point from cyber incidents in companies that have OT. Crisis communications at almost all these companies were inadequately prepared.
This task is not to make you an expert in crisis communications, or to imply that you should be responsible for media, investor, or customer communications. Crisis communications is a specialized field. You are no more qualified for crisis communications than a crisis communications expert would be in determining how to restore OT cyber assets.
What you know best is the impact of a cyber attack on the ability to deliver a product or service to customers, to damage high value equipment, to jeopardize human safety or the environment. You learned and documented this in Weeks 14 – 18.
You task this week is to make sure that your company’s crisis communications understand this at the level they need to for their job. Some common examples of information crisis communications should know are:
- Safety and protection systems that prevent a hazard to the community, such as contaminated water or manufactured product.
- Safety and protection systems that prevent an attacker from destroying critical physical equipment that could cause a long term outage.
- The proven ability to deliver product and service in the case of a cyber incident.
- The time it will take for the system to recover (your RTO).
The cyber narrative should include a statement such as: “While we have a proactive cybersecurity program to prevent cyber incidents, we know it’s not possible to stop all attacks. We have a tested plan in place to continue to meet our commitments to our customers and the community in the event of a cyber incident.”
If your company has a cyber narrative, review the narrative and make sure it incorporates OT’s ability to continue and recover operations in the face of a successful cyber attack. Having a meeting or lunch with crisis communications will benefit both you and them.
If your company doesn’t have a cyber narrative, write up a one to two page document that addresses the four bullet points above. Avoid technical details and jargon. Your writing should focus on the benefits of what you have in place and how this minimizes the impact of the cyber incident.
_________
Key points related to OT and Operations in our cyber narrative: