Even if operational technology is properly isolated and hackers cannot reach it through other corporate systems, simple security procedures should be in place. There is no network security without physical security – physical access to any machine creates opportunities for hacking. So while network security can stop hackers reaching in from halfway around the world, physical security can thwart local saboteurs and hackers.
But your own operators need to have access to the data on these machines and the operational management technology that controls them, and your business needs to minimize the risks associated with this process. For example, most companies with strong security systems keep machines available on-site to perform checks on USB drives that operators use to interact with company systems. Insert the USB drive, run diagnostics to confirm that it does not contain malware or open unwanted communication channels, and record the results before the drive is inserted into corporate operating systems. For minimal cost in time and money, a major risk is mitigated.
When it comes to risk management, nothing beats personal responsibility. Only one person in your organization should be responsible for protecting operational systems, and that person should report at least to senior management, and possibly the board of directors, at least annually, on the progress of securing this essential business asset.
And nothing supports personal responsibility like a budget. The assigned Operational Security Owner must also propose a budget and receive corporate funds to achieve corporate security goals. Designating someone to handle the problem without funding the priorities can be used by adversaries in litigation or by regulators to show that a company is not taking the problem seriously. It is always difficult to argue for additional security with the company’s CFO, but a company’s budget is one indicator of its priorities. Adequately funding resilient operations will always be important.
Many other operational protections are specific to the types of machines and the hazards they deal with. Protecting a factory will always be different from fighting fires in an office complex or protecting pipelines. Complexity cannot be an obstacle to prioritizing protections. We have talked for two decades about the importance of data security. It's time to shine the spotlight on the equally important task of sustaining resilient, technology-driven operations.