When I turned 7, I got my first BMX bike. Of course, within a week my best friend and I built a ramp with plywood and cinderblock. I remember the first jump vividly. I sped down the street like a miniature Evil Knievel and hit the ramp at a pretty good clip. A moment after I caught “big air,” my front tire hit the road, and I went over the handlebars – leaving a fair amount of skin on the road.
Clearly, the operational process of pedaling the bike up a ramp and into the air and landing was not done the right way. The data was clear. All I had to do was look at the blood on my knee and my stinging hands and recognize that I needed guidance. Fortunately, there was another older kid on his bike who was watching the whole thing and with the wisdom of Socrates said, “you have to lean back when you jump.”
This was the moment I learned about resiliency. I not only found out that I could endure adversity, but I now had knowledge to recover and make sure that the next time I went off that ramp I would likely stay on the bike…though wearing knee pads also would probably not be a bad idea.
Over the last 18 months, we have all learned more about resiliency. Large corporations have gone remote practically overnight, and our critical industrial sectors have had to adjust as well to limited travel schedules, while also needing to protect OT assets and interdependent IT systems from nefarious threat actors.
Recent shutdowns of these systems due to cyber-attacks and the cascading effects on society cannot be understated. Most of us have now experienced first-hand the fragility of operational processes that don’t have proper logical access safeguards in place. We all need the “older kid” who knows how operational processes work, so we are not crashing the bike or leaving it unlocked in an open area.
There are a lot of folks, including politicians and many in the media, talking about the problems with aging insecure infrastructure and the need for more money and resources for upgrading systems and putting in cybersecurity tools.
Unfortunately, this money is often spent on politically aligned companies who implement expensive and complex technology – resulting in solutions that are not effectively integrated and handed off to people who are not trained or much too busy with other tasks such as operating a power plant. This approach will not make our critical infrastructure resilient, and many times, it can lead to misconfiguration and exposure of critical systems to cyber-attack.
Getting to resilience requires the older kid experience with simple solutions that can make managing critical operations less expensive and more secure. The right resources are in almost every control room – the challenge is to put operational processes and technology in place that enables more effective operational management and reduces cyber risks simultaneously.