Today’s owner operators and lease operators of industrial production facilities frequently employ service providers for projects and upgrades, as well as operations and maintenance. These contractors often travel to many sites, carry their own copies of source code and files, and use multiple PCs with multiple engineering tools for the automation platforms they support.
What quality practices does the contractor have in place to keep their client’s networks from being exposed to a virus or other vulnerability? How is downloadable content (e.g., drivers, firmware) that the contractor brings on site for the ICS system managed? And how does the contractor handle portable media?
What are the limits of authority allowed to the contractor? How is access to the network granted? How are access rights approved, removed, and audited?
Every facility is different, but it’s important to have these policies and procedures in place.
Before hiring ICS service providers, owner operators should:
- Assess your ICS service provider’s commitment and approach towards cybersecurity.
- Establish a training plan or quick tutorial for your service providers.
- Establish an audit program to ensure compliance.
- Establish clear procurement or supply chain guidance regarding cybersecurity for all on-site contractors.
And before bidding, ICS service providers should:
- Define cybersecurity policies, practices, and methods of operation.
- Create a cybersecurity management system (CSMS).
- Establish a cybersecurity program to protect your employees and clients.
A vendor–client relationship requires both parties to take a proactive interest in the safety and cybersecurity of the community, employees, plant, and companies that work together.
Go here to learn more about how exida can help you establish a robust cybersecurity program that includes ICS service provider access.