How to implement industrial security as a CEO

For many executives and board members, cyber security is a new area of risk management. Here are some suggestions on how to communicate effectively with chief executives and other senior management about cyber security.

07/12/2015

Remember the good old days when the control network stood on its own and no one but engineering could touch it? There were no connections to the enterprise network or the Internet.

In those days, cyber attackers were happy focusing on financial institutions, and the operations staff was free to just get on with making products.

Well, those days don't exist anymore.

The stories of reputable organizations falling victim to disastrous cyber attacks are regularly covered in the mainstream press, and industry is not being spared. Attacks on manufacturers and energy providers are happening all too frequently.

There's no escaping the push to secure industrial applications. With the Industrial Internet of Things (IIoT) driving connections to more devices and more external people and systems, protecting control networks is more difficult than ever.

The challenge is how to go about ensuring industrial security. In particular, what are the roles of various groups such as IT, operations and top management in making sure your facility is protected and ready to act if there is a breach?

To help with one part of this challenge, let's take a look at how to communicate with non-technical executives about cyber security. The goal is to make you an effective cyber security leader in your organization.

Security from the CEO perspective

In order to communicate effectively with management about cyber security, you need to consider it from their perspective. Two years ago, US-CERT issued a document that still resonates today called Cyber Security Questions for CEOs. Here are the top five questions US-CERT suggested chief executives should be asking:

  1. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
  2. What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
  3. How does our cyber security program apply industry standards and best practices?
  4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
  5. How comprehensive is our cyber incident response plan? How often is it tested?

Cyber risk management concepts

For executives and board members, cyber security is a new area of risk management. Here are the key cyber risk management concepts they need to understand, again according to US-CERT:

Incorporate cyber risks into existing risk management and governance processes. Cyber security is not implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization's governance, risk management, and business continuity practices provides the right strategic framework for it throughout the enterprise.

Elevate cyber risk management discussions to the chief executive. Chief executive engagement in defining the risk strategy and levels of acceptable risk enables more cost-effective management of cyber risks aligned with the business needs of the organization. Regular communication between the chief executive and those held accountable for managing cyber risks provides awareness of current risks affecting the organization and their associated business impact.

Implement industry standards and best practices; don't rely on compliance alone. A comprehensive cyber security program leverages industry standards and best practices to protect systems and detect potential problems. It also provides processes for understanding current threats and enabling timely response and recovery. Compliance requirements help to establish a good cyber security baseline that addresses known vulnerabilities, but they do not adequately address new and dynamic threats or counter sophisticated adversaries. Using a risk-based approach to apply cyber security standards and practices allows for more comprehensive and cost-effective management of cyber risks than compliance activities alone.

Evaluate and manage your organization's specific cyber risks. Identifying critical assets and the associated impacts of cyber threats is critical to understanding a company's specific risk exposure, whether that exposure is financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identifying and prioritizing specific protective measures, allocating resources, informing long-term investment decisions, and developing policies and strategies to manage cyber risks to an acceptable level.

Provide oversight and review. Executives are responsible for managing and overseeing enterprise risk management. Cyber oversight activities include the regular evaluation of cyber security budgets, IT acquisition plans, IT outsourcing, cloud services, incident reports, risk assessment results, and top-level policies.

Develop and test incident response plans and procedures. Even a well-defended organization will experience a cyber incident at some point. When network defenses are penetrated, a chief executive should be ready to answer, "What is our Plan B?" Documented cyber incident response plans that are exercised regularly help to enable timely response and minimize impacts.

Improving security dialogue with executives

Additional tools for improving the cyber security dialogue with executives are available from Tripwire, which was recently acquired by Belden. Tripwire offers some handy cyber literacy tools, including:

  • A workbook on how to communicate about cyber security to executives and board members. By answering the questions in this workbook and reading its tips you will be able to present your existing cyber security measures from an executive's point of view. The questions in this document are more extensive than the ones suggested by US-CERT and will aid in the thoroughness of your preparation.
  • A white paper that explains the gaps in cyber literacy amongst executives and between executives and IT.

- Heather MacKenzie is with Tofino Security, a Belden company. This content originally appeared on ISSSource. Edited by Joy Chang, Digital Project Manager, CFE Media, jchang@cfemedia.com.
