Raúl Hernáiz Ortega

Graduate of the University of Alcalá (UAH), I am a Telefónica Tech Expert Specialist working on the Data Governance team within the AI & Analytics Technology vertical. Data Governance's mission is to provide specialized products and services within the Product and Operations area, assisting our clients throughout the entire lifecycle of digitization and knowledge of data; from its acquisition to its transformation, sharing and consumption. I continue to explore this path with the same enthusiasm and determination as the first day aimed at managing, planning, and monitoring data as a valuable asset for private and public sectors.

AI & Data
What are operational technology (OT) security “Patch Tuesdays”?
In the cybersecurity world we are used to the release of packages that fix vulnerabilities detected in business software. One of the releases that has established periodicity and continuity for this process is what Microsoft has called "Patch Tuesday", but it is not the only one. Designating a specific day for the release of security updates is very useful for defence teams, who get a list from which to decide which fixes to apply based on the criticality of the risk and the applicability to their systems. This practice is therefore considered a good reference for the market.
More cyber threats to industrial equipment
In this last year, in which the industrial operations sector has faced a growing wave of cyber threats, it is essential for industrial cybersecurity teams to start adopting this type of practice, which allows more proactive management of the threats found in the equipment used in industry.
There are several governmental entities in the world that have portals where it is possible to find daily alerts on the weaknesses found. The most recognised in the industrial world is the CISA publication, but in Spanish, INCIBE has undoubtedly gained a lot of strength. Other sources that link IT and OT are VDE in Germany and ZDI in the United States.
This trend has meant that two large companies in the industrial sector have started to follow in the footsteps of the IT world in terms of publishing the threats detected in their different products or systems. Publishing is not new for these companies, but they have adopted the good practice of publishing jointly on a single day of the month and, following Microsoft, they took Tuesday as the ideal day.
The origin of “Patch Tuesday”
The first company in the industrial sector to adopt this practice was Siemens, which created a team called ProductCERT. This team has been integrating all of the company's security publications since 2011, and on the second Tuesday of each month it publishes the vulnerabilities detected or updated that month. This practice began in the first months of 2021 and has consolidated itself as the publication that industrial security teams expect; on average it contains 30 vulnerabilities each month, including new ones and updates. In July 2022, 34 alerts were published, of which 20 are new and 5 of these new ones are classified as critical risk.
Photo: This is Engineering RAEng
The other company in the sector that has joined this practice is Schneider Electric, which has had its own security publication portal since the beginning of 2020, but which a few months ago started publishing vulnerabilities in a unified way on Tuesdays. In July 2022, they published 8 critical alerts on various devices.
These are not the only ones published. If a critical alert arises within the established period, it is published on the portal and announced in various ways on the Internet, which also ensures that companies' cyber defence teams clearly understand the importance of applying these patches immediately.
Conclusion
In conclusion, the best practices that have worked in the IT world are now being adopted by the OT world. Although the approach to vulnerability management and remediation is completely different, having this source of early warnings allows the incident recovery plan to be much more preventive than just reactive.
The industrial sector is rapidly migrating to systems and services that are increasingly similar to those traditionally used in IT, with several differences and particularities of the sector, but where the advantages of the good practices that have evolved in IT cybersecurity can be implemented and taken advantage of.
June 29, 2021
AI & Data
The art of communication in times of change
Confucius said “what I hear, I forget; what I see, I remember; what I do, I learn”. By communicating we learn, and on the Data Governance team we understand that producing a suitable communication plan, in line with a set of expectations, will mark the success of organizations and maximize the investment made, even more so in these troubled times in which new working circumstances will require deep change. The implementation of any service is based not only on technology, processes, and best practices, but also on people as the driving force in evangelizing changes as time goes on.
The communication plan
A communication plan can bring about a cultural change and speed up the processes of digital transformation in companies. Creating synergies from scratch and spreading knowledge pills among the sponsors participating in the Data Governance initiatives and lines of work will be key to adding resources and obtaining the support and alliances that allow a return on investment (ROI) and knowledge to be generated as early as possible. For its dissemination, several guidelines will be needed to give the company a Data-Driven approach and to understand data, through its Metadata-Centric model, as the main business asset.
Figure 1: Dissemination, communication and training I
Guidelines
These guidelines are:
Identification of the change: As at the inception of every Data Governance project or service, it will be essential to carry out an initial analysis and detailed evaluation, offering a picture as close as possible to reality in order to make the communication campaign as effective as possible. This will help to identify the target audience, its current maturity, the groups to which a member belongs and their clustering, as well as how to approach that audience in order to develop a tailor-made action plan.
Proposal of initiatives: Assuming that the customer will be the one who ultimately defines the SMART objectives for the communication plan, at Telefónica we understand that the strategic vision must be to create a business culture focused on data, establishing, in a guided and gradual way, a series of insights or KPIs that make it possible to track the progress of the agreed measures.
Designing the action plan: Here comes the time to take real action. The approach proposed by Telefónica for carrying the content of the message throughout the organization is based on producing manuals or guides, circulars and mailings, intranet newsletters, workshop planning, and participation in events.
Figure 2: Dissemination, communication and training II
Monitoring and evaluation: After the execution of the plan, there will be a maintenance phase, contingency plans and continuous follow-up, which will make it possible to know the scope and satisfaction level among the group and to carry out mitigating actions in case of risk or anomaly.
Likewise, and closely linked to the art of communication, we draw on a baseline of resources and training needs that can be adapted to the target audience at which the knowledge is aimed. Given the moment in which we find ourselves, this pipeline may be delivered either in person or remotely. In either case, a calendar will be established, as well as a location through the reservation of an appointment or space, and support (physical or multimedia documentation) to be offered to the stakeholder.
Conclusion
All these facilities create new learning opportunities, democratize access to quality knowledge, and establish the foundations for social and ethical corporate growth. And as our president says: “we are not facing a time of change, but a change of era” José María Álvarez-Pallete
It is essential to be in a continuous process of adaptation as people, as a society, and as companies. Only those who know how to offer their best essence and adapt to this reality will survive in this new digital world.
Written by Raúl Hernáiz Ortega
July 3, 2020