Industrial Control Systems (ICS) in a plant are now modernized using commodity hardware and software with networking capability to enhance overall efficiency, business analytics and to standardize skillset in plant operation plus support. With network, remote diagnostic and support are also possible to cut down the turn around time without waiting for engineer on site.
Some cybersecurity practitioners put focus only on the cyber portion of the plant. This is not wrong provided that the physical aspects are equally considered at the compatible level. This is because the ICS is just a portion of the entire plant. The physical and mechanical plant conditions must also be secured.
If background check is deemed necessary for O&M teams to reduce insider threat, this should also extend to the service crews (e.g. delivery, janitor), physical security guard service, contractors, vendors or even management. Most often, management level is by default granted with physical access. If O&M workforce must be hired as permanent staff of the organization, then the physical security guards must be under the same approach too. Notwithstanding all these are in place, how much insider risk reduction is questionable.
A more practical achievable means is to raise awareness to avoid negligence and enforce disciplinary action or contract obligations against misbehavior with litigation as the last resort.