Podcast: Episode #21 - Michael Welch: Tying Resilience, Availability, Compliance and Cybersecurity Together Into a GRC Program

May 25, 2023

In a recent episode of the PrOTect OT podcast, we had the distinct honor of hosting Michael Welch, a veritable luminary in the fields of risk management, compliance, and critical infrastructure. Currently at the helm as the Director of GRCaaS within the T&D Governance, Risk, Cybersecurity & Compliance group at Burns & McDonnell, Welch's credentials are as striking as his vast experience. Boasting over 25 years in the industry, he has shared his expertise with the OSI Group as their global chief information security officer and has been associated with leading entities like Duke Energy Corp and Florida Power & Light.

Compliance vs. Cybersecurity Posture

One of the pivotal discussions that stood out was the distinction between compliance and cybersecurity posture. Welch shed light on compliance as the basic threshold or, in his words, the "general cyber hygiene." This represents the minimum standard companies need to attain to ensure protection. Security, conversely, goes beyond this foundation, embracing a myriad of layers and measures implemented by an organization.

However, governance is the linchpin. It binds compliance and security, ensuring they align. In sectors like electric utility, there's a predominant framework that most entities target. But Welch wisely noted that relying solely on this framework might not comprehensively address the subtle risks a company might encounter.

The current landscape reveals a division where groups such as engineers, cybersecurity experts, and auditors often operate in isolated silos. Each, while crucial in its own capacity, pursues different objectives. Welch underscored the importance of aligning their endeavors to form a united front, striving for the overarching goal of holistic risk management.

Security’s Role in Operations

It fundamentally comes down to reliability and availability. As consumers, we expect the lights to come on whenever we flip the switch. Asset owners tasked with supplying power to millions recognize how critical it is to ensure that reliability. Resilience in this context means the system remains operational despite deliberate attacks or inadvertent disruptions. Discussing resilience means examining protective measures and preparing for the potential negative outcomes if a system is breached.

Challenges of Retrofitting Security in Existing Infrastructure

Michael champions the 'security by design' philosophy in engineering, procurement, and construction projects. But not all setups afford this forward-thinking approach. Where facilities have operated for years, security measures are reactive and entail retrofitting. Cooperation with Original Equipment Manufacturer (OEM) vendors is pivotal here. The focus isn't on imposing conditions but on fostering dialogue.

Bridging Operational and Cybersecurity Understanding

Achieving true security rests on mutual understanding and collaboration, not just advanced technology. Discussions should revolve around top-tier security standards, not just the bare minimum, with an emphasis on prioritizing based on risk.

Emphasis on Safety in OT

Security and safety in OT (Operational Technology) are intertwined. It's paramount to plan for potential incidents, keeping in mind the evolving technological landscape and its inherent challenges. Effective planning and continuous communication are key, especially given the swiftly changing threat landscape.

Navigating the Maze of Compliance Initiatives

Handling compliance initiatives and staying updated with evolving frameworks is challenging. Organizations should ideally streamline efforts, avoiding redundancies. As challenges evolve with technological advancements and changing regulations, so should our strategies. While compliance provides a guide, security should be the primary goal, underscoring the industry's evident shift towards risk management.

Listen to the full episode here: