The sudden onset of the nation’s shift to remote work has kept us scrambling to develop productive, successful methods for staying connected while keeping apart. Emerging from this shift is the increasingly vital role cybersecurity plays in the remote office.
This significance was underscored recently by John Cusimano, vice president of cybersecurity at aeSolutions, in "Remote Security Working in World of Coronavirus", published by Industrial Safety and Security Source (ISSSource) in March. “One lesson the ICS community can learn from COVID-19 is that if we are going to be called upon to periodically work remote during some type of disaster, then your remote operations had better be robust, resilient and secure . . . The technology has been available for a while, and it is definitely more cost effective to do things remotely. The only thing that may have slowed this is making sure it is secure.”
No remote worker’s toolkit is complete without strong cybersecurity safeguards. Most of us start with the basics, such as those outlined by the Federal Trade Commission:
Keep security software up to date, and use strong, unique passwords on all devices and apps
Lock computer screens in shared spaces
Be suspicious of emails asking to check or renew passwords/login credentials
Be suspicious of emails from unknown people
Securely store sensitive files and dispose of sensitive data securely
Follow your employer’s security practices
I also suggest utilizing the Cybersecurity & Infrastructure Security Agency (CISA) as a cybersecurity information source. Their Stop-Think-Connect Toolkit offers excellent guidelines everyone needs to apply to work cyber-securely. Review and download materials by topic at www.cisa.gov/stopthinkconnect-toolkit.
However, more than this is needed to ensure powerful cyber protection, and our mindset plays an important role in minimizing risks. In the process industry, we have historically had a “set-it and forget-it” behavior. This means that what was intended to be temporary becomes permanent, and that ‘work remote’ practices implemented during COVID-19 could easily become the new norm going forward.
The decision to connect remotely to operations and basic process control needs an appropriate risk assessment to determine how deep and how wide the connectivity will be allowed. It should also determine which systems should be avoided, such as the SIS safety systems and third-party packaged units that include critical utilities requiring greater accountability. These systems are typically integrated with the basic process control system, making remote access more complicated when the mission is safety above production. The mission is — and will always be — safety over production.
As previously stated, remote operations must be robust, resilient and secure. All three are a necessity, and we must fully understand and commit to the fact that the security for these systems is vital. Connectivity to these systems, if allowed, must have a strong business case other than for convenience, especially if risk outweighs the reward.
I have long been an admirer of the late Dr. Trevor Kletz, a leading expert on process safety. One of his most notable quotes was: "There's an old saying that if you think safety is expensive, try an accident. Accidents cost a lot of money. And, not only in damage to plant and in claims for injury, but also in the loss of the company's reputation."
Safety and cybersecurity go hand in hand now. When compounding safety and security with remote connectivity deeper into the actual process control, we need to stop and thoroughly think things through as remote access to plant safety systems is considered.
Automation engineers, safety managers, IT managers, and site managers should perform a risk assessment and follow the MOC (Management of Change) process with multiple sign-offs, regardless of industry sector. In addition, corporate leadership should be performing a CM (Change Management) review. The two are different, but both are needed.
You might be asking, why both? It is because the MOC process is in place for the technical aspects of the change at the systems component level. The CM is designed for the people and organizational aspects, which encompass training and coaching on the access control change, feedback, and corrective actions typically performed by the IT help desk team. I believe we must do both and not just “wing it”. Not right now. Not ever.
As industry seeks to add more remote connectivity, I highly recommend partnering with a company that fully understands industrial cybersecurity risk management and how to securely implement remote access, is functional safety focused, and is a cybersecurity leader. Above all, keep your remote operations robust, resilient and secure.
Marco (Marc) Ayala is Sr. Lifecycle Services Manager at aeSolutions. He is a process automation professional with over 25 years of experience working in petrochemical facilities where he designed, implemented, and maintained their process instrumentation, automation systems and process control networks. Marc is a certified cyber instructor for the International Society of Automation, a member contributor of the AMSC GoM cyber panel, InfraGard member; chief of the Maritime Cross Sector Council, and chair of the cybersecurity subcommittee of AMSC.