A few years ago I overheard a group of security professionals at a conference discussing the difficulties of implementing security solutions within control networks. One person stated that the operations staff at his organization was incorrigible and didn’t have a clue about what they were doing. Another stated that he was overruled by the plant manager when trying to implement IPS in their Distributed Control System environment. This pontification and outrage over how the electric sector was doomed because the security teams were being crushed by the ignorance of various mucky-de-mucks went on for quite a while. About the time I was convinced sanity was lost forever, a young lady spoke up and said, “Well, my company has implemented a robust security program with all the bells and whistles at all our control centers and plants. We did it in 6 months with the full cooperation of the operators, their technical support staff and the plant managers.”
[insert dead silence here]
Then…the barrage of disbelief began.
“I bet you didn’t establish role-based access management in their EMS.” Yes we did.
“You couldn’t have possibly locked down the ACLs on the firewall properly.” Ratcheted down to only two necessary ports.
“I’m guessing you don’t have a functional security logging system.” Guessed wrong.
“They won’t let you scan for vulnerabilities though.” Yes they do. Multiple times a day as a matter of fact.
After exhausting their list of couldn’t-have-happened remarks, there was a sigh and then someone asked, “How’d you do it?”
Her answer: I used the secret sauce. To my chagrin, she let that just hang there. Obviously she was enjoying this banter as much as I was.
What was the secret sauce? None other than a powerful mix of ingredients designed to open up the communication channels between IT and operations. The magic was in listening, talking, finding common ground and listening some more. She was a master of encouraging people to be open to new ideas and different ways to accomplish what was perceived to be impossible. She insisted that each department participate in job shadowing so that they could spend time firsthand in the “world” of the other group. A lexicon was agreed upon that bridged the gap in understanding. And the list went on.
Bottom line: Continued conversation and determination to solve a problem led to success.
The details aren’t important (to be frank, I can’t recall them anyhow); what is important is that walls can be broken down and that solutions can be reached by way of learning about each other’s working environments and not just concluding that the others are jacked up on some new drug.