The difference between compliance and security is part of an old debate. Management systems that seek to meet certain standards (to the point of being certified by accredited bodies, as a reward for such compliance) provide the organization, above all, with order; that is, they serve to "bring order". But it is usually an administrative order, which replaces or, at least, improves the customs institutionalized within the organization. These management systems are not, however, an impenetrable wall that offers a full guarantee of protection (at least, not necessarily).
In this context, some recipes could help you increase the value of cybersecurity management systems, in an attempt to "promote new benefits of current practices" used in the implementation of such systems.
With or without the discipline that management systems provide, the fact is that the technology supporting the activities of energy companies is still an object of desire for all sorts of attackers. The repeated case of Ukrainian power plants is another example; the nth since, for the first time, these war games took advantage of the possibilities offered by cyberspace. For that reason, and beyond administrative solutions, the electricity and O&G industries require wise, appropriately focused investments to protect grid stations and pipelines. [By the way, perhaps TACIT (or TACIT-like) solutions can help define such investments. Do not forget to try it!]
But, as we have insisted from this column, when it comes to "cyber", it is not all attacks: lack of software quality, poor choice of physical equipment and system architectures, or obsolescence also do their work. Problems provoked by such causes, some of them truly unfortunate, have kept occurring, as with the events of Ariane 5 (1996), Comair (2004), Orly Airport (2015), etc.