Cybersecurity Integration in Critical Infrastructure Change Management

In the complex and sensitive environments of chemical plants, refineries, pipelines, terminals, and manufacturing facilities, robust management of change (MOC) processes are indispensable. They safeguard operational integrity, ensure long-term safety, and protect the well-being of surrounding communities and economies. However, with the escalating threat landscape, a critical question arises: how effectively do these traditional MOC processes address cybersecurity risks?

What is Cyber MOC?

A cyber MOC is a specialized management of change process designed to integrate cybersecurity disciplines into operational changes. It engages subject matter experts from your IT team, OT team, and other relevant domains to ensure a comprehensive evaluation from a cybersecurity perspective. The primary objective is to proactively identify and mitigate potential vulnerabilities before equipment installation, process modifications, or facility construction. This proactive approach ensures that changes to systems, software, or networks do not introduce new security risks.

The cyber MOC specifically targets changes affecting connected and configurable technologies, such as PLCs, IIoT devices, and network switches. The specific implementation of this process will vary depending on the organization’s structure and operational needs, as will the composition of the teams responsible for its execution.

The reality is that many existing MOC frameworks were conceived before cybersecurity became a critical concern. Consequently, they often prioritize physical safety, leaving a significant gap in addressing potential cyber vulnerabilities. Traditional MOC tools, designed to support these processes, lack the necessary mechanisms to evaluate changes that could compromise cybersecurity. This oversight is a significant risk, particularly as infrastructure organizations become increasingly reliant on interconnected technologies.

To bridge this gap, a fundamental shift is required. MOC tools and workflows must be revamped to incorporate cybersecurity considerations. While preserving core data fields and attributes, new fields must be introduced to capture cyber-related information. Similarly, RACI (responsible, accountable, consulted, and informed) matrices, which define responsibilities, must be expanded to include cyber risk accountability.

The urgency for this re-evaluation cannot be overstated. Change management processes must evolve to ensure cybersecurity is not an afterthought but a core component. This necessitates involving individuals and teams with the expertise to assess and mitigate cyber risks. To this end, the implementation of a dedicated cyber MOC process is imperative for every infrastructure organization.

What Should a Cyber MOC Process Look Like?

While the exact steps may differ, a robust cyber MOC process should include the following key components:

  • Cyber MOC ownership: Establishing clear ownership of the cyber MOC is crucial. Whether it resides within IT, OT, EHS, or a combination thereof, a designated cyber MOC coordinator is essential. They will ensure adherence to the process and guide the organization through the cyber change management protocol. Overcoming organizational silos is vital for effective implementation.
  • Risk assessment: A thorough risk assessment is paramount. This involves asking critical questions such as, “Could this change create a safety hazard?” and “Could it impact the logical security of devices or facilities?” Physical security concerns must be given equal weight to logical security aspects.
  • Risk identification and documentation: All identified risks, including those related to physical security and potential facility impacts, must be meticulously documented. This includes assessing cybersecurity concerns such as network connectivity and software/firmware vulnerabilities. Questions like, “Is the device connected to a network?” and “How can the device’s software or firmware be updated or modified?” must be addressed.
  • Mitigation strategies: For each identified risk, appropriate mitigation strategies must be developed and documented. Networked and configurable devices require heightened cybersecurity scrutiny.
  • Task assignment: Specific tasks associated with implementing risk mitigations must be clearly defined and assigned.
  • Independent review: A “cold eye review” by an independent party ensures no potential risks are overlooked.
  • Training and documentation: Comprehensive training and documentation should be provided across the organization to ensure the value of the MOC analysis is understood and accessible.

When is a Cyber MOC Warranted?

For infrastructure organizations, understanding the triggers for a cyber MOC analysis is essential. Drawing upon OSHA PSM MOC guidelines, the following events or changes typically necessitate a cyber MOC:

  • Technology changes: Any modifications to technology supporting plant operations, including ambient monitoring, process sensors, logic solvers, final control devices, network devices, and engineering/operations PCs.
  • Equipment changes: Any alterations to equipment supporting subsystems or systems within a larger operating unit, such as pumps, valves, VFDs, soft starts, MCCs, analytical systems, and supporting subsystems like scrubbers, waste heat recovery boilers, reactors, and waste treatment systems.
  • Procedure changes: Revisions to standard operating procedures or written governance that define the fundamental principles of operations within industrial facilities.

Beyond Compliance: Fostering a Culture of Security

Cyber MOC is more than just a possible compliance requirement. It is about embedding cybersecurity into the fabric of change management. This integration yields significant advantages, notably an enhanced security posture through proactive vulnerability identification and mitigation. It fosters improved accountability by clearly delineating cybersecurity risk responsibilities. The process also facilitates enhanced cross-team collaboration, bridging departmental silos between IT, OT, and other relevant teams, cultivating a unified comprehension of cybersecurity risks. Ultimately, the implementation of cyber MOC signifies a crucial progression towards a mature operational safety framework.

In conclusion, integrating cybersecurity into change management through cyber MOC is not merely a best practice; it is a necessity. By adopting this approach, infrastructure organizations can effectively mitigate cyber risks, enhance operational safety, and build a resilient security culture. The time to evolve traditional MOC processes is now, ensuring cybersecurity is not an afterthought but an integral component of change management.

ABOUT THE AUTHOR

Dave Gunter

Dave Gunter is an accomplished professional in the field of industrial cybersecurity and process automation, currently serving as the OT cybersecurity director at Armexa.
