While cybersecurity is a relatively new topic for operational technology (OT), the information technology (IT) field has been combating malware and related hacking activities for decades. Thus, IT professionals are better versed in cybersecurity than operators of OT networks. However, OT networks have a few key differences of which IT professionals need to be aware.
It is recommended that the IT group create a formal OT cybersecurity guidance document for their OT network installation. This will be useful in setting expectations for the project and for operations of OT network equipment, OT components, and the integration of IT and OT networks.
It also is recommended that the existing hospital cyber-risk management framework is coordinated with an OT project cyber-risk assessment to manage the cyber-risks of the new facility OT systems.
During the creation of the OT cybersecurity guidance document, it’s recommended that all standards and configurations are approved by the IT group’s software and hardware review committee. This committee can ensure that the hardware and software selected for implementation are supportable within the IT organization. It is also recommended that the IT findings and recommendations from the OT project cyber-risk assessment be incorporated into the OT cybersecurity guidance document.
The generation of this OT cybersecurity guidance document is best coordinated and generated by the OT/IT cyber protection engineer. The OT cyber subject matter expert (SME) is IT savvy. If the owner does not have an OT cyber SME, it is advisable to designate and train an individual, or reach out to an OT cyber SME organization for their help.
Considering a health care facility where the cost of failure can affect patient safety, at minimum the person acting as the lead project OT cyber SME should possess the Global Industrial Cyber Security Professional certification.
The guidance document is distributed internally to the health care organization and may be edited for specific construction projects.
For more information, IT staff should access the American Society for Health Care Engineering’s monograph, "Best Practices Framework for Health Care Cyber-Physical Protection: For the Construction Project Team."