Electricity + Control December 2017

CONTROL SYSTEMS + AUTOMATION

Lesser developed countries and smaller organisations are often less prepared to handle these events than more de- veloped countries and larger organisations, but with less com- plex operational needs and criti- cal infrastructures, there are many steps national organisations may be able to take more easily. Thus, it is vi- tally important that you consider how to protect your business. Furthermore, small organisations often see cybersecu- rity as too difficult or that it requires too many resources. It is true that there is no easy, one-time solution to cybersecurity – it takes time and careful consideration with all relevant stakeholders. However, when viewed as part of the national and organisa- tional strategy and regular processes, cyber- security does not have to be intimidating, it does not have to be complex and it does not have to be expensive. Cybersecurity is not a luxury, and every organisation, no matter the size and industry sector, should develop its own cybersecurity manage- ment program. Cybersecurity is not about expensive technology, it is more about people and processes. There are no excuses for not having a cyberse- curity program in place. Cybersecurity is rather free than expensive. And

Cybersecurity risk is a function of threats, vulner- abilities, the likelihood of a cyber event, and the potential impact such an event would have on na- tional critical infrastructure and organisations. By understanding cybersecurity risks, we will know where to focus our efforts. While we can never completely eliminate risks, the goal of a cyberse- curity program should be to provide reasonable assurance that we have made informed decisions related to ICS cybersecurity. It is impossible to completely understand all the risks perfectly. There will be many times when we will have to make a reasonable effort when trying to understand threats, vulnerabilities, like- lihood and potential impact. For this reason, it is important to utilise all available resources, includ- ing information sharing globally and nationwide, in- dustry best practices and frameworks. In order to manage cybersecurity risks, a clear understanding of the organisation’s business drivers and security considerations specific to its use of IT and ICS is required. Because each organisation has a unique set of risks, along with its use of IT and ICS, the tools and methods used to achieve the outcomes will vary. Risk-based cybersecurity frameworks have emerged as the most effective approach for the organisations to achieve cybersecurity im- provement. Working closely with compliance and policy goals, a risk-based approach helps critical in- frastructure to manage risks based on the security profile of each site, and select controls determined by informed decision-making. Industrial cybersecurity risks are definitely on the rise, and reducing them is critical for opera- tional and production goals. Stand up to cyberse- curity risks. Cybersecurity waits for no one, so do not wait for cybersecurity. Get started today with developing a cybersecurity program for your or- ganisation. It is imperative that organisations that rely on ICSs assess their current security health, understand potential cybersecurity risks, and de- velop effective cybersecurity mitigation strategies. The ultimate goal is to enhance the security and resilience of national critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity

even if your organisation never ex- periences a cybersecurity attack, you will become a better organ- isation for caring about people and public health and safety.

6 Electricity + Control DECEMBER 2017