04/13/2022
OPSEC isn’t just for the Office
Creating cyber OPSEC Programs: Overall support from management to users is critical for prevention and protection of any cyber security program.
This doesn’t mean a cyber program can only be implemented at work. Remember, OPSEC is everyone’s responsibility, and one part of that is “user accountability”: a user can be held individually accountable for their actions. A user who is accountable is less likely to make mistakes or take other actions that might disrupt or compromise operations. Familiarity with cyber OPSEC programs can also help protect against cyber vulnerabilities at home.
At work, there are many cyber security consequences that an organization with an IT enterprise system and automated control network needs to consider, including disclosure of data, corruption of control data, interruption of services, etc. Recently there’s been extensive literature released pertaining to potential cyber-attacks on control networks by terrorists, nation-states, hackers, and insider threats. In addition, we continuously hear about the do’s and don’ts of social media and how those same threats are willing to take your information.
Let’s look at the resources available to mitigate these attacks at work and at home. There is a considerable amount of training available for the “user” to enhance their knowledge, such as free tutorials on cyber security and technology/software. Users can also simply apply the applicable measures when creating an at-work cyber program or home plan that protects against and counters cyber vulnerabilities and safeguards any critical or personally identifiable information. Help your workplace — help your family.
From some management perspectives, certain nuances and cultural differences can make managing a cyber security program challenging. Examples include rules governing the use of personal devices (employees’ use of their own devices for company business opens the door to a variety of online risks), complex policies (which may drive people to take shortcuts), and cultural differences: placing a security culture into a corporate environment takes proactive steps that include processes and education.
Thus, the challenge becomes how to reuse appropriate OPSEC fundamentals from the IT domain in the control systems environment.
To mitigate these issues, managers must be able to instill a program that accounts for the unique needs, capabilities, and operational requirements of those users. Such programs often have the following key components:
☞ Generate a cyber OPSEC program for users
☞ Define management responsibilities
☞ Define OPSEC management boundaries for control systems
☞ Write a cyber-security OPSEC policy for control systems
☞ Ensure control system operator/user input on development of the security culture
☞ Implement and monitor a control system OPSEC program
Moreover, an effective cyber OPSEC program or plan that includes training, response, and management practices can, when applied, reduce system downtime and improve overall security posture in the workplace and at home.
OPSEC elements can be unique; observing standards and practicing OPSEC is an excellent start to promoting vigilance required to establish and maintain this culture.
By Cynthia Flores-Wilkin
Installation #OPSEC Program manager, DPTMS @U.S. Army Fort Carson