Cybersecurity, protecting operational technology
By Steve Mustard, PE, Eur Ing, CEng, CAP, GICSP
Cybersecurity incidents will have serious ramifications if today's workforce is not better trained to deal with them. The Automation Federation (AF) thinks this issue is even more acute in the operational technology (OT) world.
Despite widespread awareness of cybersecurity issues and the availability of training courses on the topic (e.g., ISA's IC32 course Using the ISA/IEC 62443 Standards to Secure Your Control Systems), competency and preparedness remain varied throughout the industrial landscape. The electricity sector is strictly regulated, and the oil and gas industry has spent a decade improving its cybersecurity posture. The water industry is generally less well prepared than those industries, with neither the regulatory requirements of the electricity industry nor the funding and resources of the oil and gas industry.
Even in industries where cybersecurity has been tackled, awareness is still not what it should be. Statistics show that there is a problem with cybersecurity awareness and adoption. Many people still either do not believe there is an issue or do not believe they themselves need to worry about it.
One of the possible causes for this complacency is cybersecurity fatigue. The National Institute of Standards and Technology (NIST) found in a 2016 study that respondents had "a general weariness or reluctance to deal with computer security." In the paper "Security Fatigue" in IT Professional, one of the study's research subjects said, "I don't pay any attention to those things anymore …. People get weary from being bombarded by 'watch out for this or watch out for that.'"
Organizations need to do more than just issue policies and procedures. They also need to provide clear guidance and support to help users make the right decisions and to make it easy for them to do the right thing. This is a key aspect of training that is often overlooked in favor of technical or procedural issues.
An example of the problem, according to the NIST researchers, is how a person today is expected to remember 25-30 passwords, compared to just one not long ago. There is a lack of good guidance on how to manage cybersecurity. While there are standards and guidelines that tell you to have complex passwords and to ensure you do not write them down, there is often little or no guidance on how to manage this. Remembering 25-30 complex passwords is not practical, so there is a temptation either to record them somewhere insecure or to try to bypass some of the password-complexity or update rules (e.g., use the same password for multiple applications). However, using a secure password manager tool, which can store everything and even generate new, complex passwords, is not only more secure but also saves time.
With this in mind, AF is continuing to raise awareness across industry sectors, in business and academia, and around the world. Key activities in 2017 include:
- National Rural Water Association (NRWA): NRWA is a nonprofit organization dedicated to training, supporting, and promoting more than 31,000 water and wastewater professionals serving small communities across the U.S. NRWA members are eager to learn more about cybersecurity threats and how to defend against them. An AF-delivered webinar in November 2016, covering basic cybersecurity concepts, received record registrations and live attendance. AF plans to work with NRWA, an AF member since 2016, during 2017 to provide more awareness training at regional and national meetings.
- Northern Virginia Community College (NOVA): NOVA is the second-largest community college in the U.S., with more than 75,000 students and 2,600 faculty and staff members. The Northern Virginia region has a very high concentration of mission-critical operations, particularly 24/7 data centers. NOVA is developing, with the support of AF, a mission-critical operations program. In addition, AF and NOVA are hosting a high-profile one-day seminar on mission-critical cybersecurity to raise awareness with regional industry leaders.
- British government: AF is working with the British government on an OT-specific cybersecurity seminar to take place in London immediately following the Security Innovation Network 2017 annual conference. This event will bring together key stakeholders from the U.K. and U.S. governments and industry leaders with an interest in OT.
In addition, AF continues to contribute to industry-wide cybersecurity and workforce development initiatives. The NIST Cybersecurity Framework has recently received an update (to version 1.1). Changes include a section on cybersecurity measurement, a more detailed description of applying the framework to supply-chain operations, more clarifications on authentication and authorization, and a better explanation of implementation tiers and profiles.
The year 2018 will see the third review and update of the Automation Competency Model. It will be 10 years since AF first started work on this model. The review, involving subject-matter experts and the U.S. Department of Labor, will ensure that the latest thinking on knowledge and skills required for the automation professional, including the crucial element of OT cybersecurity, is incorporated.
AF will continue to work with its member organizations to raise awareness of OT cybersecurity throughout government and industry around the world.