Questions to be asking this Cybersecurity Awareness Month

1. Am I taking a targeted approach?

Implementing a good OT cyber programme is contingent upon a deep understanding of operations with a view towards operational availability and uptime. Even operators who have invested in OT cybersecurity technology must consider what is helpful and what is dispensable.

Working with internal experts like engineers and technicians can help operators develop relative asset criticality rankings (ACRs). These rankings work off the master asset list (MAL) to denote the value of each piece of equipment to the base critical function of the business relative to one another. Undertaking this exercise can help pipeline operators gain a better understanding of the inner workings of their equipment. Further, this approach can lead to a more targeted, more effective, and less costly cybersecurity programme.

2. What level of visibility do I have into my supply chain?

Attacks on already-troubled supply chains have been a hot topic this year, and for good reason. Despite initiatives at the government level, many global supply chains remain vulnerable. Supply chains are, after all, only as strong as their weakest link. Pipeline operators must ask: “Do I know which link is my weakest?”

If the answer is no, operators may want to review their performance acceptance testing, authentication, and anomaly monitoring procedures to ensure they have a thorough understanding of the cyber hygiene of their upstream suppliers.

3. Am I moving beyond compliance?

Unfortunately, compliance-based security protocols will generally fall short when put into practice. Being compliant means a business has achieved a baseline set of standards, but it does not necessarily mean the business’ operations are secure or protected from interruption. Furthermore, those baseline standards are often designed to apply to the widest possible range of businesses, and often lack the subtlety to address the specific needs of a single organisation.

Comprehensive OT security is tailored and targeted. It accounts for the specifics of the facility it protects. If your business is basing its OT cyber on simply meeting compliance standards, chances are your operations are at risk. Rather than focusing on compliance, pipeline operators should spend time outlining best practices dictated by the demands of their business and specific threat landscape.

4. Have I adjusted my programme to account for new technology?

As dispersed legacy equipment becomes connected to remote monitoring technology, the potential for attack skyrockets. Each connection point is another possible door through which a bad actor can enter. Pipeline operators must review their cyber hygiene practices to make sure they’re accounting for any vulnerabilities modern advancements might have introduced into their operations.

Read the article online at: https://www.worldpipelines.com/special-reports/20102022/questions-to-be-asking-this-cybersecurity-awareness-month/