If the highest-consequence cyber risk in manufacturing sits at the OT/IT boundary, governance has to start there. Not in a policy document. Not in a quarterly review. In how the environment is actually operated.

In stronger environments, three operating disciplines tend to stand out.

First, there is clear ownership of the boundary. Not vague shared responsibility. Clear accountability for how access, identity, and control are managed across IT and OT.

Second, access is governed through a defined operating model. Engineering workstations, vendor remote access, and remote support tools are not treated as one-off exceptions. They are brought into a standard approach for provisioning, review, monitoring, and removal.

Third, controls are continuously validated. Not simply documented. Not assumed to be effective because they exist. Access is reviewed. Configurations are tested. Privileges are challenged. Assumptions are revisited.

This is not about adding more tools. It is about operating the boundary as a system. When governance is clear, controls become more effective. When governance is fragmented, controls become inconsistent, and inconsistency creates exposure.

Resilience is not built through individual technologies alone. It is built through disciplined ownership, controlled access, and consistent operation across the environments that matter most.

For a little deeper dive on this topic, check out my substack at: https://lnkd.in/eTGubqEP

#Cybersecurity #Leadership #Governance
Managing Repair Access and Cybersecurity Risks
Summary
Managing repair access and cybersecurity risks involves controlling who can access company systems and ensuring vendors, service providers, and operational technology (OT) environments follow strict security standards. This concept is crucial for protecting sensitive data and preventing disruptions caused by cyber attacks or third-party breaches.
- Define access boundaries: Clearly separate and assign responsibilities for how access to IT and OT systems is managed to prevent confusion and reduce security gaps.
- Monitor third parties: Continuously review vendor access, ensure they follow your security protocols, and have backup plans in place if a vendor relationship ends or is compromised.
- Set contract standards: When working with service providers, be sure to outline security duties, require regular audits, and specify how data protection and incident response will be handled in your agreements.
Supply Chain Management → Third-Party Risk Management

After my post about logistics translating to cybersecurity, someone asked: "How does supply chain experience help with security?"

Simple: Every vendor is a security risk.

In military supply chain, I had to:
→ Vet vendors before giving them contracts
→ Control their access to our facilities and systems
→ Monitor their performance and compliance
→ Ensure they followed our security protocols
→ Have backup vendors in case one failed

In cybersecurity, I have to:
→ Vet vendors before giving them data access
→ Control their access to our networks and systems
→ Monitor their security posture and compliance
→ Ensure they meet our security standards
→ Have incident response plans if they're breached

Same process. Same risk calculus.

The 2023 MOVEit breach? Third-party vendor compromise. The Target breach? Third-party HVAC vendor. The SolarWinds attack? Third-party software supply chain.

70% of significant breaches involve third parties. Yet most cybersecurity programs treat vendor risk as an afterthought.

My supply chain background taught me:
→ Your security is only as strong as your weakest vendor
→ Access control matters more than trust
→ Continuous monitoring beats one-time assessments
→ Always have contingency plans

If you've managed vendors, negotiated contracts, or coordinated supply chains, you already understand third-party risk management. That's a $140K-$200K cybersecurity skill.

Wednesday: How change management prevents security incidents.
An organization is only as secure as its weakest link. Understanding, assessing, and mitigating third-party risks is essential. According to SecurityScorecard, 75% of third-party breaches targeted the software and technology supply chain in 2024. This statistic underscores the critical need for organizations to adopt a proactive and comprehensive third-party risk management framework. Spanning from third-party assessments to implementing continuous monitoring, organizations must ensure that contracted third parties adhere to the same security and compliance standards.

A proactive third-party risk management program would involve:

1. Pre-engagement due diligence. This would incorporate vendor assessments, data protection due diligence checks, security compliance certifications, contractual safeguards and attestations (where needed).
2. Continuous monitoring and risk assessments. Instead of having vendor risk assessments as a one-off thing, consider conducting periodic assessments (work with a period that best suits your needs as a company).
3. Strong access and vendor controls. Restrict the vendor's access to only necessary systems and data. Also, ensure data shared with third parties is encrypted and properly managed.
4. Compliance and regulatory alignment. Ensure that the third parties comply with the relevant laws and standards. A key step in achieving this is clearly defining vendor responsibilities through well-structured contracts and agreements. Regular audits, assessments, and continuous monitoring should then be implemented to verify that vendors adhere to legal and regulatory requirements, mitigating potential risks before they escalate.
5. Lest I forget, business continuity planning is important. Have an incident response plan that accounts for risks arising from third-party relationships. Additionally, have a vendor exit strategy; this will ensure that when partnerships end, data is securely handled, access is revoked, and operations remain unaffected.
Document credits: MoS #VendorSecurity #ThirdPartyRiskManagement #RiskManagement #Cybersecurity #Governance #Compliance #CybersecurityGRC
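The operating model the posts above describe for vendor and remote-support access (every account has an owner, is scoped to the systems it needs, carries an expiry, is reviewed on a fixed cycle, and is removed when the contract ends) can be checked mechanically against an access inventory. The script below is an added example written for this page, not code from any of the posts' authors or from a vendor product; the `VendorAccount` fields, the finding codes, the 90-day review window and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


# Assumed inventory record: one row per vendor or remote-support account.
# Field names are an assumption for this example, not any real product's export format.
@dataclass(frozen=True)
class VendorAccount:
    username: str
    vendor: str
    owner: Optional[str]           # internal person accountable for this access
    systems: Tuple[str, ...]       # systems the account may reach; "*" means unscoped
    mfa_enabled: bool
    expires: Optional[date]        # planned end of access; None means open-ended
    last_reviewed: Optional[date]  # last access review that re-confirmed the need
    contract_active: bool          # is there still a live contract justifying it?
    enabled: bool                  # is the account currently usable?


def audit_vendor_accounts(accounts, today, review_window_days=90):
    """Return {username: [finding codes]} for every enabled account that breaks
    one of the operating-model rules. Disabled accounts are skipped: removal
    is the desired end state, so there is nothing left to flag."""
    findings: Dict[str, List[str]] = {}
    window = timedelta(days=review_window_days)
    for acct in accounts:
        if not acct.enabled:
            continue
        codes: List[str] = []
        if acct.owner is None:                       # ownership: nobody accountable
            codes.append("no-owner")
        if not acct.contract_active:                 # removal: relationship ended
            codes.append("contract-ended-still-enabled")
        if not acct.mfa_enabled:                     # provisioning: weak authentication
            codes.append("mfa-missing")
        if acct.expires is None:                     # provisioning: open-ended access
            codes.append("no-expiry")
        elif acct.expires < today:                   # removal: past its planned end
            codes.append("expired-still-enabled")
        if acct.last_reviewed is None or today - acct.last_reviewed > window:
            codes.append("review-overdue")           # review: cycle missed
        if "*" in acct.systems:                      # scope: not limited to needed systems
            codes.append("unscoped-access")
        if codes:
            findings[acct.username] = codes
    return findings


def removal_candidates(findings):
    """Accounts whose justification has lapsed; these go to the removal step
    rather than back into another review cycle."""
    lapsed = {"contract-ended-still-enabled", "expired-still-enabled"}
    return sorted(user for user, codes in findings.items() if lapsed & set(codes))


# Constructed sample inventory (fictional vendors and hostnames).
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_ACCOUNTS = [
    VendorAccount("hvac-svc", "Acme HVAC", "plant-eng-lead", ("bms-01",),
                  True, date(2025, 12, 31), date(2025, 5, 10), True, True),
    VendorAccount("plc-vendor-rmt", "PLC Vendor", None, ("eng-ws-03", "hist-01"),
                  False, None, date(2024, 11, 1), True, True),
    VendorAccount("old-integrator", "Legacy Integrator", "it-ops", ("*",),
                  True, date(2024, 3, 31), date(2024, 3, 1), False, True),
    VendorAccount("retired-vendor", "Retired Co", "it-ops", ("hist-01",),
                  True, date(2024, 1, 1), date(2023, 12, 1), False, False),
]


def run_sample():
    """Audit the constructed inventory as of SAMPLE_TODAY."""
    return audit_vendor_accounts(SAMPLE_ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    result = run_sample()
    for user, codes in result.items():
        print(f"{user}: {', '.join(codes)}")
    print("remove now:", removal_candidates(result))
```

On the sample data the clean account (`hvac-svc`) produces no findings, the open-ended unowned account collects four provisioning and review findings, and the integrator whose contract has ended is the only account routed straight to removal. In practice the inventory would be pulled from the directory or remote-access gateway on a schedule so the check runs as part of the review cycle rather than as a one-off.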
The evolving threat landscape underscores the urgent need for organizations to rigorously evaluate their cybersecurity strategies and ensure accountability by their MSPs.

In February 2023, the Sacramento law firm Mastagni Holstedt, A.P.C., faced a major ransomware attack by Black Basta, leading to a complete loss of network access. The firm has since filed a lawsuit against its Managed Service Provider (MSP), LanTech LLC, seeking over $1 million in damages. The lawsuit claims LanTech failed to deliver adequate cybersecurity measures, resulting in data encryption and the deletion of cloud-based backups. This case underscores the severe legal and financial repercussions when service providers do not fulfill their cybersecurity responsibilities.

While you can outsource IT support, you can't outsource risk. The case is still pending, but here are some things organizations can look into to ensure service providers are accountable. To mitigate cybersecurity risks, organizations should focus on these critical elements when drafting contracts:

- Detailed Security Responsibilities: Clearly define the provider's cybersecurity duties, like regular updates, patch management, and network monitoring, to ensure mutual understanding and accountability.
- Performance Standards and SLAs: Set specific performance metrics and Service Level Agreements (SLAs) to outline acceptable service levels and response times for security incidents, providing a basis for performance evaluation.
- Incident Response and Reporting Protocols: Establish detailed incident response protocols, including timelines for breach notifications, to enable swift action and regulatory compliance.
- Regular Security Audits and Assessments: Mandate regular security audits and assessments, with reports to the organization, to proactively identify vulnerabilities and enhance security measures.
- Indemnification and Liability Clauses: Clearly outline indemnification and liability terms to protect against financial losses due to negligence, specifying liability circumstances and caps.
- Data Protection and Backup Responsibilities: Define responsibilities for data protection and backups, including encryption and regular backup testing, to ensure data recovery in case of ransomware attacks.
- Termination and Exit Strategy: Specify conditions for contract termination due to unmet security obligations and include an exit strategy for a smooth transition to another provider if needed.

Need assistance? The Cybersecurity team at Buchanan Ingersoll & Rooney PC is here to help. Check us out here: https://lnkd.in/e3B2HsB5

#cyber #cybersecurity #cyberlaw #ransomware Bowhead Specialty AmTrust Financial Services, Inc. AIG Coalition, Inc. Crum & Forster Cowbell Beazley NetDiligence® AXA XL Arch Insurance Group Inc. Travelers Chubb MSPs for the Protection of Critical Infrastructure
CISA has released its new Operational Technology (OT) Cybersecurity Guide, and it deserves board-level attention.

For years, OT systems, the technology behind our power grids, water systems, manufacturing plants, and pipelines, were designed for reliability and safety, not cybersecurity. But as IT and OT environments have converged, the attack surface has expanded dramatically. We’ve already seen what this means in practice:

⚠️ Colonial Pipeline (fuel supply disruption)
⚠️ Oldsmar Water Plant (attempted poisoning)
⚠️ Ransomware groups are increasingly threatening physical operations to force payment.

The CISA guide is a practical step forward, outlining what every OT-dependent organization should do:

✔️ Know your assets. Visibility is the foundation of OT security.
✔️ Segment IT and OT networks. Strong separation is essential.
✔️ Secure remote access. Enforce MFA, monitor, and log everything.
✔️ Patch with care. Use compensating controls when downtime isn’t possible.
✔️ Prepare for incidents. OT-specific monitoring, response plans, and recovery options must be in place.
✔️ Build resilience. Backups, redundancy, and even manual controls as a fallback.
✔️ Train people. Both IT and OT teams need a shared understanding of cyber risk.

This isn’t just a technology problem. It’s a resilience problem. For executives, OT risk belongs on the same agenda as financial, legal, and regulatory risk. The impact of failure isn’t just data loss; it’s downtime, safety hazards, and national security implications.

CISA’s guide is a reminder that OT security is no longer optional. It is a core part of modern business continuity.

Please feel free to contact me if you need help or want more information on this.

🔔 Follow me for more real-world takes on cybersecurity, leadership, and tech strategy
♻️ Useful? Share to help others!

#CyberSecurity #OperationalTechnology #RiskManagement #CriticalInfrastructure #CISA #BusinessContinuity
Starting an Industrial Cybersecurity Program from Scratch? Here’s My Roadmap

Industrial operations run our daily lives—think metro trains, water systems, power grids, even the checkout at your supermarket. All of this is powered by Operational Technology (OT), which directly impacts physical processes and public safety.

But OT systems are under attack more than ever. Many still run on 20-year-old software, are tough to update, and can’t just be “patched” like regular IT systems. Real-world consequences can be huge: from power outages to critical failures in hospitals and transport.

So, where do you even begin with OT security? Here’s my take (as discussed with Prabh in his latest podcast):

1. Understand What You Have: Start with an asset inventory. Visibility is everything. You can’t protect what you don’t know exists.
2. Identify Risks: Figure out what could go wrong. Every asset, old or new, has its own risks—especially those running legacy software.
3. Involve Your Operations Team: OT staff are focused on keeping the plant running. Bring them into the conversation from Day 1. Awareness and buy-in are key.
4. Tailor Your Approach: There’s no copy-paste. Every factory, plant, or substation is unique. Build processes that fit your environment, not just what the textbook says.
5. Prioritize the Basics:
✏️ Incident response plans: Who does what when things go wrong?
✏️ Control remote access: Limit those USB sticks, dongles, and remote sessions.
✏️ Access control: Don’t give everyone full admin rights.
✏️ Network segmentation: Create “islands” to limit the spread if something goes wrong.
✏️ Training: Make cybersecurity real for your OT staff. One weak link can break everything.
6. Use the Right Frameworks: IEC 62443 is a great start, covering people, process, and technology. Pair it with industry guidance like NIST 800-82.
7. Continuous Improvement: Cybersecurity isn’t a one-off project. Monitor, learn, and adapt. OT threats evolve—your defenses should too.

Why does all this matter? Because OT is critical. Downtime isn’t just about lost money—it can risk lives. And with more cyber threats targeting OT, our collective vigilance matters now more than ever.

I’ve built the OT Security Huddle community for this reason: to share, discuss, and solve real OT security problems together. Whether you’re just getting started or deep into your journey, you’re not alone.

Watch my full conversation with Prabh Nair for all the details—link below! https://lnkd.in/gjYCnt7j

#OTSecurity #Cybersecurity #IEC62443 #CriticalInfrastructure #IndustrialSecurity
What's the BEST Way to Build an Industrial Cybersecurity Program from Scratch?