When modernizing your network cybersecurity infrastructure and virtualized digital assets with processes and technology, don’t ignore the people factor.
By Katherine Brocklehurst, senior director, Claroty
Much like the first industrial revolution of the late 18th and early 19th centuries, we are now fully in the midst of a modern industrial transformation that is changing all facets of how business is done. The utility, convenience and competitive advantages of the Industrial Internet of Things (IIoT) are why connected devices are being used by employees, contractors, vendors and supply chains to improve business bottom lines. This is true across any industrial or critical infrastructure segment you care to consider.
However, cyber risks are real, and security researchers worry that the pace of IIoT transformation is increasing cyber risk faster than is immediately visible. Cybersecurity has become a global priority, critical to the overall well-being of every business.
The classic "golden triangle" of people, process and technology captures the critical factors and best practices for successful business transformation. It is widely observed that when organizations undertake transformative change initiatives, such as modernizing industrial networks and adopting virtualized digital assets, they concentrate on process improvement and new technology and, unfortunately, neglect the people factor.
As a result, approximately three quarters of business transformation and re-engineering efforts fail to achieve desired results. The most commonly cited cause for the failure is lack of focus on the organization’s people and culture.
Certainly, the technology factor is leading the way as seen in sweeping changes taking hold in IIoT business transformation. However, the people part of the equation is lagging, at least for industrial organizations.
The “Human Attack Surface”
People make up a significant component of any organization’s cyber risk, and “securing the human” is easy to overlook in plants, where the environment typically is very open and operates on a high-trust basis. "Attack surface" is security jargon for the sum of an organization's exposure to attack: the aggregate of all known, unknown, reachable and potentially exploitable weaknesses and vulnerabilities across the organization. All firms, regardless of industry, have an attack surface, and the IIoT is expanding it by the minute.
For industrial and critical infrastructure organizations, the human attack surface is the sum of all exploitable security gaps created by the people who work in or touch your industrial control system (ICS) operations environment.
Plant employees, consultants and contractors, ICS manufacturers, field application vendors and supply chain providers are all people who interact with the production side of your business and may introduce cyber risk. Together, their behaviors, habits, work and social interactions, decisions and simple human strengths and frailties comprise the total of your organization’s “human attack surface.”
Blind Spots in the Plant
Industrial sites, plants and factories are all made up of equipment, materials, process controls and, of course, people. Admittedly, plant personnel don’t welcome or embrace change. In large part, this is a natural outcome of working for decades on tested, known-good process controls that are prioritized to sustain worker safety, meet production and reliability requirements, and maintain a network of sometimes fragile legacy equipment.
Plant personnel also intrinsically know that change is bad. That is a tongue-in-cheek generalization; more accurately, unplanned change is bad. Whenever something goes wrong on the production line, the first question everyone asks is, “Who changed what?” Ideally, changes are infrequent, carefully planned and carefully executed.
Cybersecurity is not a priority in the plant; as far as plant teams are concerned, it is the least of their daily worries. They like their networks flat, their default passwords shared and their processes left alone. Corporate IT wants to patch? Fuggetaboutit. “It ain’t broke, so don’t fix it” is one way of saying, “If you touch that system without the manufacturer’s approval of the change, you’ll void the maintenance warranty and the consequences are on you. I’ll send the bill to your CISO.”
In fact, if asked, plant teams sometimes will tell you that they don’t know and don’t want to know about cybersecurity. Asked why, they give answers like the following, as heard from operational technology (OT) professionals:
- “I don’t have enough time to do my regular job, let alone try to take on something more — I just don’t have the time.”
- “I’m retiring in a few years, and it’s too late to teach old dogs new tricks.”
- “Industrial cybersecurity is too difficult — too complex (and besides, things have worked well enough for decades without it, what’s all the fuss about?).”
- “We’re all family here — we barely lock the doors and are a pretty small organization; who would want to bother us?”
- “I prefer not to know about it — let corporate IT do whatever needs to be done — that way their jobs are on the line, not mine if something happens.”
- “Yeah, I have an interest and wouldn’t mind learning more or even taking on some responsibility for ICS cybersecurity in our plant, but our company doesn’t really have the culture to support it.”
5 Starter Suggestions to Reduce Your IIoT Blind Spots
Here are five suggestions, developed from working with industrial organizations, for prioritizing the human factor (their people) during the massive wave of IIoT change while minimizing cyber risk.
- Begin with cybersecurity education and awareness for plant personnel. What physical and cybersecurity policies do you have, if any, and has any training occurred to educate and reinforce those policies? Many will hire an outside firm to provide the appropriate content, conduct periodic training, and certify or report on training completed. Topics to begin with should include likely risk areas such as email, phishing/spear-phishing, remote access, physical access and others.
- Hold a review of incident response. When a cybersecurity incident occurs, what’s your plan of response? Who in the organization is involved and in what roles? What happens first and who’s really responsible? Examine this closely from the plant floor to the executive offices. The review and findings will be invaluable to help your organization have the right reporting structure, roles and skills in place for a swift recovery.
- Hire an outside firm to do a security assessment. A security assessment gives you an understanding of the plant's security gaps. Consider a full assessment of both corporate IT and ICS security rather than the plant alone; this approach yields much stronger results, particularly when it comes to deciding top priorities based on the assessment report.
- Use the “Department Cross-Train” strategy. “Embed” at least one IT person in the plant for at least six months if not a year, with reporting and job evaluation (at least in part) to come from plant management. Consider doing the same in reverse by “embedding” at least one person from OT into the IT department. Determine and agree on how performance will be measured especially for the ICS environment. Stakeholders should participate, including executive sponsors.
- Consider potential business risks from the “Silver Tsunami” or “Gray2K.” With baby-boomer retirements running at about 10,000 workers per day as of June 2018, what is your mitigation plan for hiring and training replacement personnel with the right skillsets?
Get a 20/20 View
Many OT organizations view the future benefits of the “industrial revolution of things” skeptically. The promise of otherworldly efficiency and profits through IIoT technology can leave the people factor out of the success equation.
The reality is, industrial and critical infrastructure cybersecurity for the OT environment can be a big blind spot for many who are focusing on the transformative capabilities of IIoT technology. Organizations will be stronger and more prepared for the future by assuring they equip and prepare their plant personnel for the journey.
Claroty, based in New York City, is a participating Encompass™ Product Partner in the Rockwell Automation PartnerNetwork™ program. Claroty provides comprehensive cybersecurity solutions for industrial control systems (ICSs).
The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.