9.3 Considerations prior to a tender procedure
In preparation for a tender procedure, the client will have to think about cybersecurity. This may include the following aspects:
As part of security in the wider sense, it is essential to create awareness of cybersecurity. Both the client and the contractor must be prepared to have cybersecurity ‘flowing through their veins’. A similar process is often used in auditing security in general. What this teaches us is that it is not enough merely to take all sorts of precautions. Without a real appreciation of security as a whole, individual measures can easily be circumvented.
Cybersecurity has its own life cycle that often differs from the technical life cycle of the OT system in question. Today, threats come and go in less time than it takes a system to become obsolete. There is always the possibility that a system has to be replaced before the end of its service life for cybersecurity reasons. That said, it may well be possible to come up with measures to prolong the life cycle within the system’s service life.
Cybersecurity demands an integrated, multi-disciplinary design, with a focus on life-cycle costing (LCC). Only then is it possible to make a proper selection of the measures to be taken in terms of process or technology. LCC is important because cybersecurity measures demand attention throughout the entire life cycle of the system. In that context, the availability of the system is also certainly worth attention. A nightly update, as is customary in the IT world, is not always acceptable.
Management and maintenance
Cybersecurity demands management and maintenance. The work this involves is of a different type than ‘regular’ management and maintenance activities for the object. It demands different know-how and expertise, and is sometimes at odds with the level of availability required. Outsourcing maintenance in relation to cybersecurity is a cybersecurity risk in and of itself. Outsourcing is understandable from the perspective of cost and the required know-how, but it requires very clear guidance.
Cybersecurity demands proper information security, as the unintentional release of information forms a cybersecurity risk in its own right. This aspect needs attention during the tender procedure, because that is the point at which it is important to share information with potential contractors. Openness surrounding the existing situation is the only way to achieve the right solutions.
New build or renovation?
New build and renovation have very different dynamics, not least because the latter is often subject to the precondition that the highest possible availability is guaranteed. In addition, where elements are built from scratch, the cybersecurity aspect is often a blank canvas to be filled to the required level of resilience. Where renovation is concerned, the existing situation may, from the start, impose several limitations that make it impossible to achieve a specific level of resilience within the budget allocated.
Many objects were built at a time when little attention was paid to cybersecurity (although it was already an issue). Where this is the case, it may be wise, in an integral context, to consider reverse engineering, with the aim of arriving at a new design that can then form the basis for further expansion.
Resilience throughout the chain
The starting point for the design is the resilience level to be achieved. This will have to be viewed in terms of not just the infrastructure in question, but also the chain of which the infrastructure forms a part. After all, a chain is only as strong as its weakest link. Of course, the question that has to be addressed is whether or not to outsource the process of determining the level of resilience.