Today, we are going to talk a little bit about Contractor Cyber Training.  What's in a good contractor cyber training course?  Why do you need one?  Why aren't policies, practices, and contract language enough?

Today's operators of industrial production facilities frequently utilize contract labor.  This means a number of contractors have physical access to the site.  Contractors could include your electrical contractor, your process automation contractor, your instrument and control technicians, or your electrical technicians.

Remember that contractors serve many clients, travel to many sites, and have their own engineering tools, files, and copies of code. If you grant contractors access to your network, you need to perform a level of due diligence to understand what they are going to access, why they are going to access it, and how they are going to do it. When working with contractors, it is important to ask what quality practices they have in place with regard to cybersecurity and your network. Important items to discuss with the contractor are access, authorization, and audit. Additional items can include portable media, downloadable content, limits of authority, use of subcontractors, and how the contractor responds to anomalies experienced on the site that can affect the cyber-protected system.

exida recommends a simple JCA (Job Cyber Analysis). The Job Cyber Analysis is similar to the Job Safety Analysis, the work process that governs personal safety and allows the worker to take personal accountability and responsibility for the tasks being performed. For the Job Cyber Analysis, you will work with the contractor to answer the following questions:

  • How is access granted?
  • What skills are required?
  • What are the limits of authority?
  • What network classification is going to be accessed?
  • Downloadable content
  • Portable media
  • Sign off and Closeout

These are some of the key elements in a JCA that a contractor and a client can work on together to reduce the exposure of their cybersecurity system. The JCA is a critical component of pragmatic cybersecurity: it has the right level of detail to control the risks in a meaningful manner.

This is just one more way that exida brings pragmatic solutions to meet your cybersecurity needs.

Tagged as: Job Cyber Analysis, Dave Gunter, Cybersecurity
