I had a wonderful opportunity this past weekend to gain some insights into the cyber security priorities and concerns out in the real world – beyond the Beltway and being implemented in real life.
I was invited by a friend to tour his plant facility, and discuss the cyber security concerns of his enterprise. (I cannot give full identification of the facility, but suffice it to say that it is a key link in the business chain for the energy sector, and would be considered a part of America’s critical infrastructure.) It is a production facility that is owned by a large multinational corporation, and has multiple users of its products in America, and all over the world.
We began the day by navigating the physical security of the facility (gate guards, ID checks, multiple permissions for an outsider to get a tour). All of these were fairly rigorous, and as up to date as one would expect. I next had a superb tour and briefing on how the plant does its job, from receiving the materials needed for its stage in the refinement process, to the packaging of the end product and assembling all the components needed by its end users. The information was enlightening, educational, and provided the perfect backdrop for my discussion on cyber security. The main point to me was the criticality of IT in the manufacturing process. It was not just the computer-guided machines (way too little tolerance for variations to do it “all human”), but the requirement for extraordinary accountability of materials at every step along the way. If the IT goes down, the entire process stops. If there is a mistake, the results can be catastrophic.
This company is very similar to the majority of large entities, both private and public. They have cyber security at the corporate level (several states away), responsible for everyone in the company; IT support locally, responsible only for this facility; and operations, driven by corporate goals/metrics but managed on-site. In this particular situation, the company is better served than normal, due to the fact that my friend is much more savvy and aware of cyber security issues than most local IT managers. While he cannot control the security policies of his corporation, he has developed a good relationship with the centralized security group, and pushes for security measures constantly. Even with the extra connectivity my friend’s forward-looking attitude provides, there is still an inherent disconnect with this separate three-tiered organization.
Unless a company, or government organization for that matter, can organize to meld these three parts together, they will have problems. Operations are the meat and potatoes of any company; they are enabled by top-notch IT processes, and it is all protected by cyber security policies and practices. As long as they stay separate, with separate budgets and separate leadership, vulnerabilities will arise. A perfect example is training for cyber security. The corporate office directs certain mandated training packages. This training, besides being too little, too seldom, is so generalized that it does not always apply to the individual facilities. Everyone has to go through the online training, but it does not provide enough specificity to fill all the gaps. The local IT manager could mandate more, but he has no budget for security issues, only for general IT. He can make the case to his facility bosses (the operations guys) for more money and time to conduct real training and even exercises, but in a tight economy, they see cyber security as an “insurance policy” against a threat they do not understand or feel is possible “today.”
Please do not misunderstand me. This company and this facility are probably way ahead of most organizations. They have a good system to push out patches and software updates. Because of their sector, they get help monitoring internet usage and even chasing down cyber probes launched against them. They operate some legacy systems, but are generally up to date as far as hardware goes. They at least have a training system that is tracked and can be validated. However, even this excellent company, with a conscientious and knowledgeable IT manager, has identified enormous areas of vulnerability. The threat is not theoretical; they are attacked, probed every day, and are under surveillance continually. The threats include nation states, competitors, criminals, terrorists, and political activists.
They do not want the Government to dictate cyber security measures, but they would like some leadership. They would also like a National effort to publicize the threat, and raise awareness. They are ready to do their jobs, but they need help in doing them as well as they know is needed.
Cyber security is not a fad, and it is not a passing fancy. It is something we need to get serious about, publicize, train our people, and fund. My weekend visit showed me that outside the Beltway they are waiting for the Campaign to begin.