Efficiently implementing a cybersecurity effort within plant documentation is critical to the long-term success of a project. Cybersecurity documentation could be anything from a new policy or operational procedure to risk assessment or a record of process performance. These types of cybersecurity documents are only as good as their accuracy, which is why we must make sure they stay up to date. As cybersecurity becomes more engrained in our daily tasks, more documentation is required—and all of it needs to be updated regularly. How are we supposed to remember the vast number of documents that we have developed along the way?
It can be challenging to not have the right documentation when you need it. It’s important to keep it current and accessible to your team. The first step is to create the documentation in the first place. If your organization has standard procedures for requesting the implementation or procurement of a new system, make sure that any required documentation is created at the initial point of implementation. Depending on the requirements dictated within your industry, these documents could be required by the department, organization or through government regulations, so the documentation types will vary.
Once we have created our initial documentation for our systems, we should never have to modify them again, right? Wrong! Even though changes in our control system environment are made much less frequently than in the IT environment, they will still occur. Therefore, as part of any good change management procedure, there should always be a step that verifies if documentation needs to be updated with the change. There is a chance that no documentation changes are needed, but it is good practice to confirm.
For the most part, things stay static in the control system world. However, we should still have an annual review of documentation. With any procedure, such as change management, it is the responsibility of an individual to follow the procedure and review existing documentation for updates. You can eliminate the risk of human error by using software that will remind you to review documentation. Document management software can be used to upload documents and send review reminders. Alternatively, calendar invites can be created in advance based on the required review schedule with a link to the storage location of the document. Based on the sensitivity of the document, you could also attach the current version of the document to the meeting invite.
Finally, to ensure documentation is kept up to date, try not to leave the task to one individual. The review could be done by one system owner, but it should have a dedicated group review and approve the document after the document review period. Once the group has reviewed and approved any changes, the lifecycle of documentation review should start all over again.
Ensuring that documentation is up to date is a critical part of a successful cybersecurity program within an organization. These tips should assist you in assuring your organization uses the most accurate documents.
Brandon Bohle is MIT analyst III at Interstates Control Systems Inc., a certified member of the Control System Integrators Association (CSIA). For more information about Interstates Control Systems, visit its profile on the Industrial Automation Exchange.