Everybody has a different mindset. No matter how vigilant you are, an industrial facility cannot be a one-man band. People from different backgrounds, with different levels of education and different degrees of awareness of industrial cyber security, operate your critical infrastructure on a day-to-day basis. Operational Technology (OT) personnel are often unaware of potential dangers, since cyber security has only become a prominent concern in industrial environments over the last decade.
As dedicated as your team may be, employees who do not understand basic cyber security practices could be welcoming security threats with open arms, unbeknownst to themselves and your company. Whilst the workforce is often targeted as the weakest link in security, introducing the correct practices can turn it into one of the strongest.
Open Eyes to Security
Management needs to understand that security for Industrial Control Systems cannot be fixed with a one-size-fits-all technology solution. According to the CISCO 2018 Annual Cybersecurity Report, only 26% of security issues could be addressed by technology alone, leaving 74% that require people or policies to form a solution. There is no single best way to enhance security; the best approach is a combination of technology, policies and training. Without employee education, an organisation leaves itself open to a range of security issues.
In traditional IT environments, emphasis is usually placed on confidentiality as a priority, whereas availability of systems takes precedence in an OT environment. This means it is particularly important to pay attention to events with the potential to disrupt production processes. Corporate networks have the privilege of being more accessible to system patching for up-to-date protection, whilst availability constraints on updating industrial devices cause patching to occur far too infrequently. Patching is also discouraged by many device vendors, who refuse to provide ongoing support if systems are updated on the operator's own initiative.
People operating systems in an industrial environment need to be regularly made aware of the elements of an attack and of how to report suspicious behaviour through the correct channels. Basic security practices, such as understanding the importance of password policies, not leaving sensitive documents lying around, following the process for connecting external devices and scanning removable media, need to be explained to employees clearly and reinforced with periodic awareness programmes.
Seemingly Harmless, Potentially Harmful
Employees may not understand how sharing information online could assist potential attackers. Disclosing experience with specific systems online, in the form of LinkedIn profiles or job listings on public websites, could allow external parties to learn which frameworks, protocols and devices are used inside facilities. By educating staff to understand the potential consequences of disclosing seemingly harmless information online, an organisation moves one step closer to cyber secure operations.
More sophisticated social engineering approaches can be utilised against staff to access facilities. Spear phishing takes the form of a heavily targeted communication scam designed to steal company information. Campaigns are carefully researched and individually tailored to lead recipients to believe they are receiving communications from a trustworthy source. Tailgating (often referred to as piggybacking) revolves around gaining access to the premises by trailing behind employees through security checkpoints, something not even a retina scanner can prevent. Bringing awareness to these methods will empower your workforce to speak up when suspicions arise and reduce the chances of an incident slipping through the cracks.
For employees interacting with critical OT systems, security training should be mandatory to ensure a competent front-line defence against cyber threats. In industries such as nuclear power, qualified personnel are required to operate and maintain nuclear facilities in all modes of operation, which requires regular training and certification of personnel. This sets a precedent for safety standards, and a similar approach can be taken to ensure your personnel are qualified to identify and handle potential security risks, keeping staff prepared and effectively lowering risks to your operations.
A Secure Company Culture
There are no effective band-aid solutions for security. Security awareness needs to be a rolling snowball from the top management levels all the way down to the people operating facilities on the ground. A top-down approach is critical, and a proactive Chief Information Security Officer (CISO) who takes responsibility for security is crucial to it. Unless security becomes part of everyone's job, its principles are easily sidelined until a security incident serves as a reminder.
The rise of safety culture has protected the wellbeing of employees and guarded against events that could jeopardise organisations, such as fatal occupational accidents. The mindset that safety is a priority is often embedded within company values, although the security of operational technology has yet to see the same level of treatment. A major security incident can put the continuity of a business at risk, and it should therefore be reflected as such in the mentality of management and workers alike.
If cyber security is recognised as a company value, with everyone held accountable, your team is more likely to be able to spot the risks and take the correct course of action. Physical security is often taken very seriously, although less emphasis is placed on its equally important cyber counterpart. Employees should be encouraged to intervene in actions that have the potential to jeopardise industrial operations and to report near misses so that similar actions can be prevented in the future.
The First Steps To Awareness
Introducing safe computing discipline for system operators should be a priority. Limiting the information shared in publicly available locations and informing employees about the techniques that may be utilised against them is essential. Without the correct training, it is unreasonable to expect suspicious or accidentally harmful activity to be detected, which gives malicious threat actors greater opportunities to impact your systems. As availability of systems is a priority in an ICS landscape, allowing security incidents to go unnoticed could lead to financial, reputational and safety damage upon exploitation, which is of the utmost importance to prevent.
Applied Risk is a provider of on-site and online ICS Security Awareness programmes and can help your staff handle sensitive data and interact with your industrial control systems securely. Find out more about our Online ICS Security Awareness Training and see how we can help implement programmes that enable your workforce to become a strong security asset.