"To operate an effective, sustainable cybersecurity system, you first need to think about what your process requires," says Bill Cotter, senior engineering specialist at 3M, who spoke at ARC Industry Forum 2017 in Orlando. "Do you have intellectual property (IP)? Do you need security or operations security? You'll definitely require management support, and then focus on the connections needed to protect your particular business model. 3M has many different locations, and so it's not monolithic, but it's a collection of different facilities and applications.
"The problem in big companies is figuring out who's responsible for what, dealing with constant changes, and deciding who's going to do what. It can be a monster job to know all the details of what you have. Remember Y2K when we had to list everything? Now, we need to know more about the status of devices and how they're protected. It can be overwhelming, but we do the research, and develop stretch goals."
Cotter adds, "Cybersecurity also means doing a lot of reading about standards, bad incidents happening, and reevaluating and adapting to what's needed. Sometimes the most important security task isn't the newest, such as simply checking if you've backed up data and making sure it's recoverable. We're also not keeping what we learn about cybersecurity to ourselves. We talk and email a lot at 3M, and use Wikis and SharePoint tools to share best practices. It's also important to measure outcomes after setting goals. This can be hard, but just pick something you want to refine, and apply some metrics."
Cotter reports it's a good idea to use:
- The National Institute of Standards and Technology's (NIST) framework for cybersecurity contained in its "Guide to Industrial Control Systems (ICS) Security"; and
- The U.S. Dept. of Homeland Security's Industrial Control Systems Cyber Emergency Response Team's (ICS-CERT) Cyber Security Evaluation Tool (https://cset.inl.gov).
However, Cotter explains it's equally important for information technology (IT) and operations technology (OT) to cooperate on cybersecurity issues. "I can't afford to have OT and IT split," says Cotter. "We have and we recommend having a partnership and working together. IT can give us tools like two-factor authentication that we can implement. Similar to everything else we do, cybersecurity is also about keeping our plants running and making money. It just has to be integrated with our operating systems and their particular issues. Security is all about the lifecycle, too."
Visit the full story here:
You can be a cybersecurity badass - part 1 and part 2