Even if the functional technology is correctly air-gapped, and hackers can't reach in through the other company systems, simple security procedures need to be in place. There is no network security without physical security: physical access to any machine creates opportunities for hijacking. So while network security can keep out the hackers from halfway around the world, physical security can foil saboteurs and local hackers.
But your own operators need to access the data from these machines and the operational management technology that controls them, and your company should minimize the risks involved with this process. For example, most companies with strong security systems keep machines available onsite to run checks on thumb drives that operators use to interact with company systems. Insert the thumb drive, run diagnostics to confirm that it does not contain malware or open unwanted communications channels, and log the results before the drive may be inserted into the company’s operational systems. For minimal cost in time and money, a major risk is mitigated.
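The thumb-drive check described above, as an added example that is not part of the original article: a small Python sketch of the logic a scanning kiosk runs before a drive is cleared for the operational network. It inventories every file on the mounted drive, records a SHA-256 digest for each, refuses the drive if it carries an autorun file or an executable that is not on the site's approved-digest list, and appends the verdict as one JSON line to a log. The allowlist mechanism, the suspect-extension list, the file names and the log layout are all assumptions made for the example; a production kiosk would also run one or more anti-malware engines, which this sketch does not replace.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

# Constructed policy: file names and extensions the kiosk refuses unless the
# OT security owner has approved that exact file by digest.
SUSPECT_NAMES = {"autorun.inf"}
SUSPECT_EXTENSIONS = {".exe", ".dll", ".scr", ".msi", ".bat", ".cmd",
                      ".ps1", ".vbs", ".js", ".jar", ".lnk", ".hta"}


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large firmware images stay out of RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drive(mount_point, allowlist):
    """Inventory the drive and return an allow/deny verdict.

    allowlist: set of SHA-256 digests the site has approved (hypothetical).
    An autorun file always blocks the drive; an executable blocks it unless
    its digest is on the allowlist. Every file is recorded either way so the
    log shows exactly what was carried in.
    """
    root = Path(mount_point)
    inventory, flagged = [], []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        digest = sha256_file(p)
        reasons = []
        if p.name.lower() in SUSPECT_NAMES:
            reasons.append("autorun-file")
        if p.suffix.lower() in SUSPECT_EXTENSIONS and digest not in allowlist:
            reasons.append("executable-not-allowlisted")
        inventory.append({"path": rel, "sha256": digest,
                          "size": p.stat().st_size, "flags": reasons})
        if reasons:
            flagged.append(rel)
    return {"verdict": "deny" if flagged else "allow",
            "flagged": flagged, "files": inventory}


def log_result(result, log_path, operator, drive_label):
    """Append one JSON object per check; the file can be shipped to a SIEM as-is."""
    entry = {"ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "operator": operator, "drive": drive_label, **result}
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def read_log(log_path):
    """Return the logged entries (used to verify the log is written as expected)."""
    with open(log_path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def build_demo_drive(root=None):
    """Construct a sample drive image: a data file, a vendor tool and an autorun file."""
    root = Path(root or tempfile.mkdtemp(prefix="usb-"))
    (root / "report.csv").write_text("ts,value\n1,42\n")
    (root / "tools").mkdir(exist_ok=True)
    (root / "tools" / "updater.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "autorun.inf").write_text("[autorun]\nopen=tools\\updater.exe\n")
    return str(root)


if __name__ == "__main__":
    drive = build_demo_drive()
    log = Path(tempfile.mkdtemp(prefix="kiosk-")) / "checks.jsonl"
    first = log_result(scan_drive(drive, set()), log, "operator-1", "USB-demo")
    print(first["verdict"], first["flagged"])          # deny, autorun + updater.exe
    approved = {f["sha256"] for f in first["files"] if f["path"].endswith(".exe")}
    second = log_result(scan_drive(drive, approved), log, "operator-1", "USB-demo")
    print(second["verdict"], second["flagged"])        # still deny: autorun.inf remains
```

The point of recording every file's digest, not only the flagged ones, is that the log becomes a manifest of what crossed the boundary: if a later incident involves a file that was never logged, it did not come in through the kiosk.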
For risk management, nothing beats personal accountability. A single person within your organization should be assigned responsibility for protecting the operational systems and should report at least to senior management, and probably to the board of directors, no less than each year, on the progress of securing this critical company asset.
And nothing supports personal accountability like a budget. The assigned operational security owner should also propose a budget and receive company funds to meet the company’s security goals. Assigning a person to manage the problem without funding the priorities can be used by adversaries in litigation or by regulators to show a company is not taking the problem seriously. Additional security is always difficult to advocate for with the company CFO, but a company’s budget is a proxy for its priorities. Adequately funding resilient operations will always be important.
Many more operational protections are specific to the kinds of machines and risks they address. Protecting a factory will always be different from fire control in an office complex or protecting pipelines. The complexity cannot be an impediment to prioritizing protections. We have talked for two decades about the importance of data security. It is time to shine the spotlight on the equally important task of maintaining resilient technology-supported operations.