Cybersecurity Master Planning User Guides for - Process Industry

The following diagrams provide an overview of four Cybersecurity Master Planning Guides:

1. an Owner/Operator,
2. an EPC (Engineer, Procure, Constructor),
3. a Vendor, and
4. a Service Provider.

The intent is that experienced Managers, Engineers, and Systems Integrators in a given Industry use these PERA Master Planning Guides to produce a Cybersecurity Master Plan for their enterprise.

These diagrams show important interfaces between each of these 4 Principal Roles in an industry. Interfaces are the most challenging part of enterprise integration, and PERA User Guides helps each organization to define:

• "Deliverables",
• what professional role will prepare Deliverables, and
• when in the enterprise life cycle to complete them.

The process begins with the Owner/Operator.

Using Master Planning User Guide 1, the Owner selects cybersecurity standards that it will include in its Operating practices and procedures.

Examples might include:

• international standards such as IEC/ISA 62443 and ISO 27000,
• regional standards such as NIST 800 and NAMUR,
• industry-specific standards, such as Nuclear or Electrical Industry standards, and any
• enterprise standards.

User Guide 1 describes the production of a Cybersecurity Master Plan for that Owner/Operator's enterprise, including reconciliation of conflicting or inapplicable standards, selection of Opportunities, Costs and Benefits, Implementation Projects, training, etc., as described in "What is PERA Master Planning".

User Guides 2, 3, and 4, are used by EPCs, Vendors, and Service Providers (respectively) to create their own Cybersecurity Master Plans. The Deliverables in these plans correspond to the requirements of a Process Industry Owner/Operator. These include specification sheets, Architecture Diagrams, and definition of Professional Roles responsible for creating or responding to Deliverables.

Ideally, EPCs, Vendors and Service Providers will have already produced their own Cybersecurity Master Plans. Several Process Industry EPCs and Vendors already have such plans to match requirements of their main clients. However, if they have not, Deliverables corresponding to Owner/Operator requirements must be agreed before beginning any project or contract.

Each section below also shows a link to an example User Guide for the main enterprise phases of that organization (e.g. Master Planning, Implementation, Operation and Maintenance/Upgrade).

1. Owner / Operator

PERA User Guides are available for Process Industry Owner/Operators including:

• Creating a Corporate Cybersecurity Master Plan
  This includes establishing corporate and site cybersecurity policies, standards, and practices for a new or existing Enterprise. It also includes implementation of projects approved as part of the Cybersecurity Master Plan.


• Cybersecurity Program Implementation and Ongoing Operations
  These Implementation Plans may include large projects such as new plants, or samller projects such as upgrade of an IACS control system. In either case, it is assumed that an approved set of cybersecurity policies, standards and practices exist, that may be followed with only minor corrections or updates.

Each User Guide provides a list of relevant standards, Professional Roles, Typical Opportunities, example Master Planning Reports and other "starter materials" to help with creating the Master Plan.

2. EPC (Engineer, Procure, and/or Construct Contractor)

PERA User Guides are available for Process Industy EPCs including::

• Creating a Corporate Cybersecurity Master Plan
  This includes establishing corporate and site cybersecurity policies, standards, and practices for a new or existing Enterprise. It also includes implementation of projects approved as part of the Cybersecurity Master Plan.


• Enterprise Project Master Planning
  These may include large projects such as new plants, or samller projects such as upgrade of an IACS control system. In either case, it is assumed that an approved set of cybersecurity policies, standards and practices exist that may be followed with only minor corrections or updates.

Each User Guide provides a list of relevant standards, Professional Roles, Typical Opportunities, example Master Planning Reports and other "starter materials" to help with creating the Master Plan.

3. Vendors

PERA User Guides are available for Process Industy Vendors including:

• Creating a Corporate Cybersecurity Master Plan
  This includes establishing corporate and site cybersecurity policies, standards, and practices for existing products and services. It also includes implementation of projects approved as part of the Cybersecurity Master Plan.


• New Product Master Planning
  It is assumed that an approved set of Vendor's cybersecurity policies, standards and practices exist that may be followed with only minor corrections or updates.

Each User Guide provides a list of relevant standards, Professional Roles, Typical Opportunities, example Master Planning Reports and other "starter materials" to help with creating the Master Plan.

4. Service Providers

PERA User Guides are available for Process Industry Service Providers including::

• Creating a Corporate Cybersecurity Master Plan
  This includes establishing corporate and site cybersecurity policies, standards, and practices for existing services. It also includes implementation of projects approved as part of the Cybersecurity Master Plan.


• Implementation of documented Client cybersecurity policies, standards, and practices.
  These may include remote access to client systems and networks, or physical presentce at Client site. In either case, it is assumed that an approved set of Client cybersecurity policies, standards and practices exist that may be followed with only minor corrections or updates.

Each User Guide provides a list of relevant standards, Professional Roles, Typical Opportunities, example Master Planning Reports and other "starter materials" to help with creating the Master Plan.

Note other Principal Roles may be relevant for that Industry, including Regulators and Standards organizations, Educators, and Insurers. If you have, or plan to develop one or more of these please leave a comment below.