8 Key Aspects for Developing Operator Security Plans (PSO) and Specific Protection Plans (PPE)
The development of PSOs and PPEs is a complex task that requires the coordination and involvement of different areas of an organization. Here we set out the keys to implementing them.
As mentioned in previous entries, within the regulatory framework associated with industrial cybersecurity, the Law on the Protection of Critical Infrastructure (PIC Law 8/2011), complemented by Royal Decree 704/2011 and successive additional provisions (the latest of September 18, 2015), is of particular importance in Spain.
The two main objectives of this standard are to catalog the set of infrastructures that provide essential services to our society and to design a plan that contains effective prevention and protection measures against possible threats to such infrastructures, both in terms of physical security and in terms of the security of information and communication technologies.
There is no doubt that, in light of a recent report in a national newspaper that 63 ‘cyberattacks’ have been recorded so far this year against the state's critical infrastructures, this Law is becoming a mandatory framework for action for companies designated as critical operators, and a set of best practices worth deploying for any company concerned about protecting its assets.
As is known, companies designated as critical operators are obliged to submit an Operator Security Plan (PSO) within six months and, once it has been approved by the Secretary of State (or delegated body) on the basis of a report from the CNPIC, a Specific Protection Plan (PPE).
The development of PSOs and PPEs is a complex task that requires the coordination and involvement of different areas of an organization. In addition, although the time allowed to submit these plans (6 months for PSOs and 4 months for PPEs) seems reasonable, the day-to-day workload of the critical operator may mean that the plans are not completed within the allotted time, or not with the most complete and appropriate scope.
For this reason, in this entry, we want to collect eight key aspects that, from our point of view, must be taken into account when a critical operator carries out the process of developing and delivering the Operator Security Plan (PSO) and the Specific Protection Plan (PPE).
- The development of PSOs and PPEs is a process, not a project. The regulatory framework invites you to carry out a continuous improvement cycle based on the PDCA process. In addition, the plans must be reviewed every 2 years, requiring an almost constant update.
- Security must be approached in an integral way, covering both physical security and logical security (IT and OT).
- The involvement of senior management is mandatory. In fact, the Law helps to bring security closer to the top decision-makers of organizations.
- People assume specific responsibilities when signing the contents of the PSOs and PPEs. For this reason, it is essential to carry out training actions prior to the start of the process.
- Training and awareness are key aspects, both for the team that prepares the PSOs and PPEs and for all the people involved in increasing the security of the designated critical infrastructures.
- The identification of essential services and their interdependencies is a very important task. Above all, the identification of interdependencies is key to the process.
- The risk analysis methodology used is a cornerstone for ensuring that the contents of the PSOs and PPEs are adequate. In this sense, the Law points out that threats with a low probability of occurrence and a high impact should be treated in a particular way.
- The measures adopted to prevent attacks must be of different kinds: technical, operational and organizational.
For more information on how Logitek Industrial Cybersecurity by Logitek helps critical operators develop Operator Security Plans (PSO) and Specific Protection Plans (PPE) associated with compliance with Law 8/2011 on the Protection of Critical Infrastructure, you can access our whitepaper.