Dave opened describing how the focus on control system security over the past decade has changed from bothersome to imperative.
The five stages of cyber grief include denial, frustration, bargaining, burn out and finally acceptance. Burn out is the phase where a person or small team is trying to do it all, before acceptance that they need help from their suppliers to develop and implement a sustainable approach.
A worst practice is not to know everything that is physically connected to the network. Walk around and physically check everything that is plugged into the network. A $30 Raspberry Pi and cellular modem can be a point of attack into the system.
Another worst practice is hiding the issues you may have from your auditors or security consultants. The issues don’t go away by hiding them.
Balkanizing your information security by country can pose problems for global companies. If you have to buy US security solutions for US sites, Chinese security solutions for sites in China, etc. will cause a mishmash that raises security risks.
Generic security compliance that is not fit for the intended application is just wasting money. It’s important to understand the requirements and what fits it best. Also, there may be no incremental benefit for overspending on cyber security. Again, understanding the risk and the solution that will address that risk.
Another worst practice is not properly monitoring. There may be monitoring equipment, but if there are no work practices to pay attention and address the data, it’s of no value.
All the security technology in the world is great but if they are bypassed by work practices, they are of no benefit.
Dave closed with best practices—physical & technical inventory of your system, integrate solutions that fit your environment, invest in your people, and have an ongoing plan.