Operations and facility managers have a level of responsibility that requires a great deal of judgment, technical understanding, and the ability to make the right call when managing risk.
Safe, secure, and profitable plant operations are the cornerstones of how a plant manager is judged. The plant manager relies on a team of experts that provide the facts of what the risk is—the probability, and the plan(s). (Providing a single option to a plant manager is usually an invitation for a series of questions that dive deep into the issues.)
Safety is the keystone. Without safe operation, a plant manager would not sleep at night, as no one wants to be responsible for negatively impacting the quality of someone’s health and life.
Cyber differs slightly, because here the plant manager has options. Depending on the risk, the technical staff usually develops a Plan A, Plan B, and Plan C to be deployed.
- Disconnect the plant from the network.
- Lock down the system.
- Reach out for vendor support.
- Reach out to other plant with similar automation gear and processes.
The key to selecting any of the items listed above is having a proper understanding of them, including the qualification of the risk. For example, the automation support team must be able to define, in clear terms, What to Patch, Why to Patch, How to Patch, and When to Patch. Not all patches are equal or relevant, and if the patch requires the revalidation of a safety system, it can mean extended downtime. Therefore, other mitigation factors should be presented to the plant manager to make an informed decision.
exida and our team of experts have experience with operational risk-based approaches. We help operating plants with simple pragmatic work processes, procedures, and best practices. This approach is part of our guiding principles to pragmatic cybersecurity.
To learn more about control system cybersecurity, watch exida’s new webinar, Managing Cybersecurity Risks in Wireless Control Networks and be on the lookout for the upcoming exida book, Implementing IEC 62443: A Pragmatic Approach to Cybersecurity.