10 Things to Think About Right Now in This New Normal
By Admiral (Ret.) Michael Rogers | Apr 16, 2020
We’re now about six weeks into this global crisis and you’ve managed to create a new normal. Working with your IT and OT teams, you have a set of capacities, capabilities, and processes in place to ensure the connectivity of your virtual workforce. But with only days to prepare, you didn’t have the time to plan and incorporate the full range of redundancy, resiliency, and security measures that are typically months in the making.
Given this reality, here are 10 things you should think about as you operate within this new structure.
Ensure the well-being of your workforce and yourself. You and your teams have been driving hard to create this new normal, but you can’t just focus on equipment and infrastructure. You need to consider the well-being of the men and women who generate value for your team and make this new normal work for them and for you. You’re relying on this team to go the distance, but we all have new stressors in our lives. Be flexible as they may be home-schooling children, helping older parents stay healthy, or assisting others who have lost their jobs, all while ensuring the health and well-being of themselves and their families.
Expand your definition of communication. Related to the first point, your workforce needs to know that their managers understand their situations and have empathy. To do this effectively, think about how you communicate with employees. You may not need to talk more, but instead listen and ask questions. Proactively reach out, connect with them as individuals, and work together to devise solutions.
Go back and review the basics of cyber hygiene. You have to admit, you created this new normal in a hurry. Scratch below the surface and you’ll probably find that some of the basics of cyber hygiene aren’t there. Now is the time to review the structure you have created and make sure the processes and capabilities you have put in place address the cybersecurity fundamentals and there are no holes.
Assess what risk looks like in this new world. Your framework, structure, and the world around you look different now – and so does risk. Your workforce isn’t physically together, and data and systems are now being accessed by a massive number of endpoints you’ve added. Risk is different when you have a fully-staffed organization versus a skeletal staff counting on automation to pick up the slack in capacity. Assess the risk within the context of this new normal and develop plans for how to mitigate it.
Take a fresh look at opportunity. Where there is risk there is also opportunity. Think about what those opportunities might look like and come up with a plan for how to take advantage of them. Throughout my uniformed career, my goal was always to come out stronger after going through adversity. You should have zero interest in maintaining the status quo since it wasn’t ready for this crisis.
Recast your definition of resiliency and look at how to create it. In the rush to create a new structure that prioritized productivity and business outcomes in a dispersed world, you didn’t have the luxury of building it to account for failure. But if you think outages were bad before, think about the impact in this new world where we are working from home and reliant on power and telecommunications. Now is the time to focus on resiliency and how to maximize it within the new structure you created.
Think about crisis response. Your standing set of procedures was put in place for a different work environment, when data and systems were supported by personnel that could rapidly convene face-to-face if needed, for example. Pull those plans off the shelf and review them in detail within the context of a dispersed workforce. Revise your plans to ensure you can respond quickly and comprehensively if, for example, an outage, cyber penetration, or ransomware attack happens now.
It’s not too early to start planning for the transition. Every day we are getting closer to the next stage of this crisis. I doubt we will flip a switch and simply return to what had been normal. There will be a period of transition where companies, business units, and teams will sustain this current, virtual approach as they also reconstitute some form of the physical piece. Take advantage of this time to prepare for a hybrid environment that you can sustain for weeks or months and that includes redundancy, resiliency, and security, to ensure business continuity.
Envision a new normal after the pandemic. Our highly inter-connected world drives tremendous economic efficiency and growth, but it also makes us more vulnerable in some ways, as this crisis has shown. What happens in one part of the world won’t stay there. If your business has to flex like this again, make sure you are ready and start thinking about the investments you can make now. For example, should your supply chain look different, meaning should you plan to build capacity in new areas and pull back in others?
Identify and start to build the new skill sets required. As you’ve created this new normal, chances are you’ve discovered some skill sets that you did not have or at least not in sufficient quantity. Identify the training you and your teams need and how to deliver it in a more dispersed world, because it’s likely that many organizations will maintain a higher percentage of remote workers even after this pandemic is over.
The bottom line is that most IT and OT teams have never been more valuable to the organization. Boards are realizing that IT and OT networks form the digital spinal cord that holds the business together, enabling them to make decisions, act, and ensure the well-being of the workforce during disruption. There’s a short time window to translate that value to a better end state for next time.
Take advantage of the goodwill coming out of this crisis and identify and go after leadership support for the investments you need to make to position yourself for success in a post-COVID-19 future.