Integrating Cybersecurity into Change Management: The Case for Cyber MOC

By Dave Gunter

The Management of Change (MOC) processes employed by chemical plants, refineries, pipelines, terminals, and manufacturing facilities are crucial in today’s environment. They ensure not only the organizational health of these entities but also their long-term safety and the well-being of surrounding communities, sectors, and economies. Infrastructure organizations, given their complex missions, are no strangers to change management processes. However, an important question remains: To what extent does cybersecurity risk factor into their MOC processes?

The reality is that many organizations’ change management processes were developed long before cybersecurity became a widely understood concept. As a result, traditional MOC tools, designed to support and sustain change management, focus predominantly on physical safety and often overlook cybersecurity vulnerabilities. These tools are not equipped to address changes that could impact cybersecurity.

To address this gap, MOC tools and workflows must be revised. While some core data fields and attributes should be preserved, new fields must be introduced to account for cybersecurity considerations. Additionally, the RACI (Responsible, Accountable, Consulted, and Informed) matrices used in these processes often lack the necessary fields, data, or responsibility sections to incorporate cyber risks effectively.

Change management processes are urgently in need of re-evaluation to ensure that cybersecurity is appropriately factored into change management landscape, and that they involve the people and teams best able to bring a cyber lens into the mix. For this reason, it’s imperative that a Cyber MOC should become a part of every infrastructure organization’s security and change management protocols.

A Cyber MOC is a purpose-built Management of Change process designed to incorporate cybersecurity disciplines, engaging subject matter experts from IT, OT, and other relevant areas as needed. Its primary goal is to ensure that operational changes are thoroughly evaluated from a cybersecurity perspective before equipment is installed, processes are modified, or facilities are constructed. This ensures that changes to systems, software, or networks do not introduce new vulnerabilities and that comprehensive risk assessments are conducted prior to implementation.

The Cyber MOC specifically addresses changes impacting connected and configurable technologies, such as PLCs, IIoT devices, and network switches. These processes will vary between organizations, as will the composition of the teams or individuals responsible for executing the Cyber MOC.

What should a Cyber MOC process look like?

There are a few key components to a Cyber MOC process. While the list below is not comprehensive in nature, here is an overview of some of the primary components:

  • First and foremost, ensuring someone “owns” the cyber MOC (whether it is IT, OT, Environmental Health & Safety (EHS), all three). In reality, the structures of organizations can often serve as a major hurdle to addressing cybersecurity and to creating a Cyber MOC process. For that reason, the ideal scenario is one in which an organization will designate someone as Cyber MOC coordinator to ensure adherence to the process, and—vitally—to shepherd the organization through the cyber change management protocol;
  • Asking the questions, ‘Could this change or implementation create a safety hazard?’ and ‘Could it impact the logical security of devices or facilities?; (In this step, it is vital that physical security concerns are given equal weight as logical security aspects);
  • Identifying and documenting risks associated with the change, including those pertaining to physical security, as well as the potential facility impacts associated with each risk. This involves asking questions to ascertain whether there are related cybersecurity concerns. For example, ‘Is the device connected to a network?’ and ‘Does the device run software or firmware and how can it be updated or modified?’;
  • Identifying and documenting mitigations for each risk, networked and configurable devices require additional cybersecurity scrutiny;
  • Listing each task associated with changes that need to be performed to mitigate the risk;
  • Having another party take a second look or conduct a cold eye review to ensure nothing has gone unnoticed;
  • Providing the necessary tools, training and documentation across the organization to ensure the value of the MOC analysis is understood and accessible.

When Is a Cyber MOC Warranted?

For those working in infrastructure, it’s important to know what events or changes would warrant an in-depth Cyber MOC analysis.  According to OSHA PSM MOC, five instance types—both the virtual and the physical—typically serve as triggers for the process. The triggers for a Cyber MOC would be:

  • Technology: Any changes to technology that supports plant operations, like ambient monitoring, process sensors, logic solvers, final control devices, network devices, and PCs for engineering and operations;
  • Equipment: Any changes to equipment that supports a subsystem or system assigned to a larger operating unit (e.g., final control elements like pumps, valves, VFDs, soft starts, MCCs, analytical systems, and supporting subsystems like scrubbers, waste heat recovery boilers, reactors, and waste treatment systems);
  • Procedures: Changes to the standard operating procedures of written governance that sets the basic principles of operations within industrial facilities.

Cyber MOC is about ensuring that cybersecurity isn’t just an item on a checklist but is an integrated part of the change management process. However, it also offers other organizational benefits. Namely, the process also helps to create a stronger culture of security, accountability, and cross-team collaboration, no matter the type, size, or mission of an organization. It can offer any entity the chance to evolve to a more mature level of operational safety, while ensuring cybersecurity measures are comprehensive and robust.

Contact us to learn how we can help your organization develop and implement a Cyber MOC program) : Cybersecurity Program Governance | Armexa