Implementing NIST's Governance Function to Boost Cybersecurity in Small Facilities
August 1, 2024
Thanks for coming out. I know governance probably isn't the sexiest topic you'll hear this week, but there are a few things I hope you take away from it. As I was thinking about how to put together this deck and what I wanted to call it, another term I considered was "Grassroots Governance," because the focus of this talk is really about how some of the smaller organizations, as they look to deal with governance, can bubble up some of the actions and activities into a more longstanding and sustainable effort. So if you haven't heard the news, NIST CSF 2.0 came out of draft and was released as a final version last week, February 26th, which means I was a couple of days late submitting my final slides because I was hoping to get the publication date in here. So I'm thankful for the leeway I got on some late slide submissions. But the big change with CSF 2.0 obviously is the introduction of the Govern function, and as you see from the graphic, it really encircles the other functions and touches on all those different areas.
So when you're thinking about governance, the mindset I want you to be in for at least the next 20 minutes is related to the quotes I'm pulling up on screen now. When you think about cybersecurity and some of the sources I might pull quotes from, you wouldn't expect a couple of presidents to pop up, but as it relates to governance I thought they were pretty apt. John F. Kennedy stated, "There are risks and costs to a program of action, but they are far less than the long-range cost of comfortable inaction." Governance certainly is action, and if you have inaction you certainly do pay that price. Cybersecurity is not a set of products; it is a set of practices. That's really key here: getting into that habit of good practices and good efforts. And one I like from Dwight D. Eisenhower: "We will bankrupt ourselves in the vain search for absolute security." Anyone out there in the vendor space, anyone who's saying they have absolute security sorted out, has quite a bridge to sell you, I'm sure.
But if you're not familiar with what NIST CSF 2.0 brings in regards to Govern, a very high-level overview is that it wants to establish and monitor your organization's cybersecurity risk management strategy, its expectations, and its policy. It wants to address the strategy, the risk management, the policies, the processes, the procedures: all that fun documentation that no one bothers to write, that is asked for year after year, and that is on the list of things you'll get to eventually, right after waxing the floor and doing some other things that are equally as important. It gets into roles and responsibilities, figuring out who's actually going to do what and how we're going to gauge that they're actually getting those things done consistently. And as that picture showed, governance integrates into the five other functional areas. It's the glue that pulls it all together and makes it a cohesive cybersecurity strategy (quite a tongue twister) instead of five separate sets of actions and activities.
I'm not going to bore you with the details, but within that Govern function there are six categories. We're going to touch on some of them today; some of them I'm going to exclude. I don't really have time to talk about supply chain risk management; that could be a whole other talk. Supply chain is a very interesting space, especially with some of the clients I deal with in the consumer goods and packaged goods space, where you're dealing with a lot of third parties for your success. But organizational context, risk management strategy, roles, policies, all those things we'll be touching on here today. Now, this talk is not for the super huge organizations that probably already have governance in place. If that's you, hopefully you can still take some things away from this. But those large organizations already have governance in place, they've had it in place for multiple years, and it's part of their way of doing business, partially because they may be publicly traded and have oversight requirements in other spaces.
When I look at large organizations that I've consulted with, they typically have a governance organization, an actual legitimate governance body, and that's a big difference from the small organizations I work with, where governance may exist on paper, if it exists at all. That large governance organization has defined accountability and defined responsibilities, and they have enforcement capabilities. That's a big difference: they can sway the bonuses of other people, they have sticks that actually hurt when they are applied, but they also have carrots they can hand out as well. Again, these large organizations, when it comes to governance, have the budget, the headcount, and the technologies that empower them to do this well, to do this with less effort than you might think it needs. But they also expect results from all those efforts and resources applied. If they come out with a new initiative or a new control, they expect to see results within 6 to 12 months, if not sooner.
For some of the smaller organizations I work with, coming out with a new change and propagating it across a handful of sites is definitely more than a 12-month journey, just because of the challenges they face in trying to get those types of things going. So what are some of those challenges in smaller organizations? Well, for a lot of the smaller organizations we work with, the risk appetite is unknown or undefined, and we'll get into that in more detail, and the rest of these, in a few slides. Another common theme is that the cybersecurity strategy is in a constant state of flux, and that's a horrible recipe for trying to get anything done. Another prevailing theme is a lack of accountability and a lack of ownership at the higher levels within the organization, regardless of how small it is. Couple that with a lack of checks to evaluate compliance and conformance, and you have a very murky picture of how well your company is doing from a cybersecurity strategy and security standpoint.
So let's dive into some of those. When it comes to the risk appetite being unknown or undefined, typically small organizations just try to get widgets out the door, whatever that widget may be: it could be a load of grain, it could be some animal food, it could be the snack food you enjoy on your road trip. But there are a lot of things occurring in those organizations today that we can latch on to and repurpose, or dual-purpose, to help us understand what the risks are, where they may be, and what to do with them. As a system integrator, one of the things we've done is try to identify risks at the time of installation. If you have an HMI platform you're putting in for a new line and the client says, "Oh, we just want Operator, Operator," we'll call out that risk. If you run a line or you run a plant, you should be requesting, you should be asking for information from your SI: what are the risks you have given me with this installed system platform? If they can't call those out, you may want to reconsider who your SI is.
You could also have one-time or annual exercises where you discuss or work to identify your risks. Maybe that's an internal effort, maybe that's a paid engagement with outside resources, or perhaps it's part of an ongoing support agreement with whoever is supporting your control system platforms. Other areas that can help you identify risk, or the consequences of those risks, are things like a process hazard analysis (PHA), a failure mode and effects analysis, or business continuity exercises, just like we heard talked about in the last session. Once we understand what some of those risks are, where they may be, and what they're present within, we can then begin to have a conversation about the consequences of what happens when those risks are actualized: what happens when that unprotected asset has something bad happen to it? What are the HSN impacts? Is it just a line going down? Is there a release of a dangerous chemical or product if the line goes down? What's the monetary impact? How much does that line cost per hour, per day?
If I have some sort of event that leads to a recall, what is the impact to my image, to my brand, to my customer loyalty? And finally, if there are regulatory impacts at play, what happens there? Is it a fine? Is it multiple fines? I'm sure there are people in your organization who have those answers; you just need to work with them to figure out what they are. One of the biggest challenges I have when working with small organizations is quantifying their appetite for risk. It's a very challenging conversation, a question that doesn't have a lot of good, easy-to-find answers, but it is a necessary exercise to undertake. How much risk exposure is okay? Is it okay to spend $1 to mitigate $1 of risk, or does that balance need to be 10 to 1, 20 to 1? How much risk do I need to avoid, mitigate, or transfer per dollar spent to be reasonable for my organization? Are there any absolutes, must-haves with no exceptions? If I really care about the integrity of the lunch menu because lunch is pinnacle to my employees' happiness, then maybe that's something I don't budge on. But probably not.
One of the other trends I see a lot in smaller organizations is that the cybersecurity strategy really fluctuates all over the place, and there are a lot of reasons for that. There are a lot of conflicting priorities and a lack of alignment: people want to do one thing this quarter or this year, then they learn something else is hot or fun next year, and they shift without getting the first one implemented all the way. There's turnover among the professionals who have cybersecurity skills at your organization, so you're constantly onboarding, and it just really delays projects. There's what I call boom-bust budgeting: for those companies that are very boom and bust, that sell a lot one year and maybe not a lot the next, it's very difficult to plan for and budget strategies that take multiple years to put into place. Another big one is products not living up to OT-compatible claims. You buy a product, you think it's going to solve all your problems, you actually put it into play, and then you realize there are about 17 asterisks behind what it claims to do, and you're not really doing what you want it to.
Some of the successes I've seen in this space, to minimize that flux, are to obtain alignment on that bare minimum, those absolutes: what do we need as our core strategy for cybersecurity, what does our core program consist of? If you look at all of the controls within the Cybersecurity Framework, all the things it's asking you to do, that core, that bare minimum, may only be five, it may only be three, or maybe it's ten. But you as an organization decide that this is the bare minimum that we're going to make sure continues to happen, regardless of whether it's an excellent year or the worst year on paper. Once you have those few things you want to do, focus on them and do them extremely well. Don't try to be a rock star at 300 different things; it's not going to work. Focus on as little as possible and do it well. From a budgeting standpoint, I know this is very challenging with everyone moving to subscription-based services, but work to minimize ongoing operational expense. If you can piggyback things onto capital projects, if you can latch things on as they come up as a one-time cost, I encourage you to do that. It's a lot easier to get that funding released than going back for a 20% increase this year and a 30% increase next year as the subscriptions get out of line.
Small organizations don't have the luxury of being bleeding edge; small organizations don't have the luxury of being even leading edge. Don't remain still, but do be a bit of a laggard: let other people test things out and figure out what works and what doesn't. Talking about accountability and ownership: in small organizations, that managerial team may not be the most knowledgeable. They might not know what cybersecurity does, why it's important, or why they should care. As long as it's not happening to their competitors or other similar industries, they don't think it's going to happen to them, and they may not have anyone, or the knowledge, to really take ownership or drive that. Without high-level ownership it's very tough to get things moving. And finally, if the board or the investors aren't asking about cybersecurity, you're not going to see a lot of prompts to take action. So make events and information more relatable: if you see a story about a similar industry having a bad day, bring that up. Don't do it as a scare tactic, but as an educational opportunity. Say, "This is what happened, here's how we could have avoided that, here's what we're doing today to help minimize that, but we need to do more, and here are the things we need to do." That goes into taking a proactive position with good communication. One of the things I see in smaller organizations, with folks really trying to get cybersecurity going, is that they're missing out on the communication part of the process. They have all the technology figured out, they have all these plans they want to do, but they're not able to communicate that upstream and they just keep hitting walls. So work to break those barriers and build that ground support. As I said, I was almost wanting to name this "Grassroots Governance."
Another thing I've seen work well, if your industry has it, if it exists, is to join peer groups, join industry associations, attend industry events, see what other people are doing and talking about, and again bring that information back and share it, trying to make it more relatable. From a compliance standpoint, there are a lot of controls. If you are just starting out as an organization trying to get your hands around this Cybersecurity Framework and it's your first go at it, you're going to be overwhelmed, and rightfully so. There's a lot to do there, there's a lot to check, there's a lot to understand about even how to check it, there's a lot of education needed to understand how to do the checks in order to have them completed, and you don't even know how you want to record or report that information to have some of those communication streams. Again, start small. Prioritize the controls of significance. There are over 100 controls; you don't have to do it all in one go. Pick a handful out of each of those categories that's really important and focus on those first. Let those controls be the way you build up confidence, build up good practices, build up good data collection techniques that then allow you to scale up and scale out the number of controls you take on year over year.
Governance is not supposed to be a one-and-done; it's a continual journey, a continual path towards a sustainable practice that keeps you secure against the risks you're trying to meet and mitigate. Some of the things that can help with those checks as part of everyday processes are checklists. Be more checklist-driven. If you have a process to deploy a new PLC, where's the checklist? If you have a process to put a new switch into place, where's the checklist? If you have a process to onboard a new user for a manufacturing line, where's that onboarding checklist? A lot of industries have found that when checklists come into play, mistakes drop dramatically and consistency increases dramatically, and if you fill out and complete that checklist, you have your proof of following your processes and procedures. If you don't have that checklist, now you've got to scour through emails and look through other things, and... don't do it. Spend the time upfront to deliver those checklists to the people doing the work, and work with them to figure out what those checklists need to have in them. But also treat them as living documents: your technology changes, your processes may change, even your procedures may change, so if you have a checklist, make sure to review it to make sure it's legitimate at least every couple of years. If you have an IT group that's separate from your OT group, maybe it is, maybe it isn't, but they have some reporting capabilities, if they have some governance they're doing on their own, I also recommend latching on to them, seeing what they're doing and how you can leverage their reporting capabilities for yours. Don't try to double up the work when it isn't necessary.
When we're talking about how to integrate culture and governance together, there are several things we can talk about. I talked about the HSN impacts of risk. Safety and security as a culture has really latched on in a lot of the manufacturing space; no one enjoys being hurt, no one enjoys things that happen unintentionally, and by talking about governance and how it allows us to further minimize some of the potential for unsafe activities and unsafe events to occur, we can tie that into the culture of safety that an organization may already have. We're just augmenting it with these other aspects. If you're concerned about how to start rolling with some of these checklists, how to start implementing some of these processes and things that exist today, don't start with a platform upgrade. Start with a greenfield installation, start with a brand new project, and incorporate that into the project definition and the scope of work so that you can have a better understanding of the effort involved in meeting those governance requirements. Again, if you have an IT group, ally with them as much as you can to figure out some of the more technical security side of things.
If you take nothing else away from my 25 minutes of rambling, I'm going to plead with you to incorporate governance and security items into your requests for proposals and requests for quotes. If you don't build the security requirements into what you're asking people to provide you, and you then evaluate them on a cost-versus-cost basis, the less secure option is generally the cheaper option. But if you start to incorporate security into your requirements, now everyone has the same apples-to-apples comparison with the things you need in place, and it's going to cost less than trying to shoehorn it on after the fact. Getting that ground support, finding an advocate or an ally in management to help with governance, helps make governance and cybersecurity strategy a standing item in leadership meetings. If it's not being talked about, it's not going to be acted on, so you need to continue to bring those topics up, continue to educate people, continue to communicate things that are happening. You kind of need to be the squeaky wheel in order to get the grease necessary to get things moving correctly.

Again, governance is a year-over-year journey. It is not "do it once and we've got it all figured out." Start small, get successes, communicate those successes, and then build upon those successes year over year. It may take you four years, five, it doesn't matter how long, but as long as you're maturing, as long as you're growing your capability, as long as you're helping the organization with its risk in an appropriate fashion, you're going to continue to find advocates within the company to help you keep doing that. One of the big challenges I've seen is people trying to take on too much at the beginning. They get way overworked, way overwhelmed, and the entire effort just stalls out. Then I go in and talk to them and I'm like, "Hey, what happened?" and they're like, "Oh, we just couldn't keep up, this was too much, we couldn't get the headcount, and the project fell flat." A manageable workload is more likely to become a sustainable workload. Now, I know everyone's tight for resources and tight for budget and capital, but again, if you have alignment on that bare minimum, if you have that alignment on those absolutes and everyone's agreed to that, we need to work to make that at least a manageable workload. If you have the buy-in, then that should be a relatively straightforward conversation.

Communicating accountability, communicating successes, and communicating shortcomings are all important parts of this. Governance has accountability aspects to it, so if some team, some person, or some third party is dropping the ball, we need to be able to identify that, to measure just how far the ball dropped, and to figure out what is going to become of that event. Are they going to lose our business? Is this person getting fired? Are we hiring someone else to do the work instead? What have we learned from that experience, and how are we going to do better? As we continue to grow a governance program, as we continue to identify additional workload that needs to be taken on for the new level of absolutes, for the new level of bare minimums, more people are going to become involved in that effort. The roles may change, the responsibilities people take on may change, and we need to make sure that we're planning for that growth, planning for changes in roles, planning for changes in responsibilities as we grow that program. You may have a cybersecurity person today who has a well-defined role of making sure the plant runs and viruses don't happen. Well, as governance moves in and we grow that capability, they may now be expected to perform internal self-assessments; they may be expected to assess someone else's work as a means of checking. A lot of documentation is going to be generated as a part of this. Processes need to be developed, procedures need to be updated or developed, and all of that has a life cycle that it needs to live through. So making sure that you have a good process in place to collect your documentation, review it, keep it up to date, and make people aware of where it is is another important thing that I think a lot of people overlook. I go and ask for documentation and they're like, "Ah, it's somewhere, I don't know where." Well, if people don't know where your stuff is, it's like it doesn't exist. It has served no purpose other than filling someone's day, and that's not the purpose of what these documents should be doing.

So, trying to wrap it up into a contrite little list of dos and don'ts: do establish a set of prioritized and aligned controls; that's going to be the basis of your governance program. Don't become overwhelmed and panic, although that may be your first step regardless of what I talk about. Do try to get engagement and buy-in from your leadership and management teams as soon as possible. If they're asking you to, you know, "make us NIST CSF compliant," and they have no idea what that means, well, one, I'm glad they know about it, but two, you need to get some intelligent engagement and educated buy-in, not just a blanket "go do it" statement. That also means not taking the entire effort on by yourself, and identifying who else is going to need to be brought to the party to make it successful. Do emphasize sustainable efforts over one-time efforts. I did talk about trying to bring things in as part of capital projects, which is good, but governance is a long-term journey, so keep after it. And again, don't let an organization's risk appetite remain a mystery. Without knowing what risk is acceptable, without knowing where risks lie, without knowing what the assets are that carry those risks, it's very, very hard to do anything else I talked about. So if you're just starting out and you don't know what those are, that's your first step.
So with that, I have a couple of questions... or rather, I have a couple of minutes for questions. I do appreciate your time and I hope you enjoy the rest of S4. Got one question coming up.
I just want to thank you for the talk, and again, I really appreciate your pragmatism and the approach; it's really refreshing, I think, in our OT security space. Obviously, Interstates, you kind of come from the OT side of the world, but we find a security mindset is often IT-led. When we've got those different cylinders of excellence, or silos, within an organization, how do you find those champions to drive that Govern mindset and achieve those outcomes?
So what I've found, when I have different champions or knowledge domains, is that the IT personnel can help us with more of the formalities of a governance program: how to do the recording, how to do the assessing. But what to evaluate and how to evaluate it has to come from the OT side, so it really does need to be a collaborative effort, because again, we've all experienced what IT people do when they try to evaluate a PLC, right? They don't even know what to do. But without the IT people helping to fill in some of the blanks on what a good governance program looks like, acts like, sounds like, they do a lot of stumbling around and it really slows down the program until they can get their act together.
All right, thank you everyone. Enjoy the rest of your show.
In February 2024, NIST Cybersecurity Framework 2.0 introduced the 'Govern' function, emphasizing the role of governance in cybersecurity. This new function integrates with the five other core functions, Identify, Protect, Detect, Respond, and Recover, to provide a cohesive framework for cybersecurity strategy. The Govern function addresses six categories:
- Organizational Context
- Risk Management Strategy
- Cybersecurity Supply Chain Risk Management
- Roles, Responsibilities, & Authorities
- Policies, Processes, & Procedures
- Oversight
During the S4x25 Conference, Alan Raveling, Senior Technologist at Interstates, addressed the challenges and solutions small organizations may face while implementing this function.
Challenges for Small Organizations
While large organizations typically have established governance structures, small organizations often face significant challenges. These include an undefined risk appetite, a constantly fluctuating cybersecurity strategy, a lack of accountability and ownership at higher levels, and a lack of checks for compliance. Small organizations may struggle with conflicting priorities and limited resources, making it difficult to implement and maintain effective cybersecurity governance.
To address these challenges, small organizations can take practical steps against each one. Here are a few of those solutions:
- Leverage others, such as internal personnel or system integrators, to identify cyber risks
- Quantify your own risk appetite
- Maintain a consistent cybersecurity strategy amid fluctuating budgets
- Take a proactive approach to cybersecurity
- Learn from other peers and associations in your space
- Use checklists to maintain consistency
- Ensure OT and IT collaborate
Integrating and Sustaining Governance
Integrating governance begins with a culture of safety and security. It involves ensuring security is discussed from the beginning of any project and incorporated into new RFP and RFQ materials, and that it remains a standing item in management discussions. Governance is a continuous journey: it can feel overwhelming at the start, so organizations should begin with manageable tasks and grow and expand each year. Communicate successes, incorporate governance tasks into defined roles, set clear expectations, and update governance practices regularly. By focusing on these strategies, small organizations can build a resilient cybersecurity posture and ensure long-term security and compliance.
This article was adapted from a presentation at the 2024 S4x25 Conference.