In recent months, industrial and critical infrastructure managers have been hearing a steady drumbeat to implement more robust cybersecurity controls. Since WannaCry and NotPetya, management teams and boards have been asking their teams “How do we make sure this doesn’t happen to us?”
A quick industry scan might point to new technology as the sure way to monitor for and prevent such attacks in the future. Continuous OT security monitoring can significantly reduce the risk — but technology alone isn’t sufficient to create a strong OT security posture. We often forget that organizations need “PPT” — “People, Process and Technology”— to transform their organizations.
I know — it’s an old adage (and it’s corny).
But if you look at how the vast majority of industrial organizations have successfully created a culture of physical safety to prevent workplace accidents and injuries, it was by mastering all three dimensions.
Here’s why creating a culture of ICS cybersecurity is the new imperative for industrial organizations.
Stronger OT security beyond perimeter controls is no longer optional
While the industry has known for years that most OT protocols and devices are “insecure by design” — lacking many of the controls we now take for granted in IT such as authentication, endpoint security, and regular patch cycles — most management teams justified their minimal focus on security by invoking outdated concepts like “air-gapped networks” and “security by obscurity.”
And unlike electric utilities, which are mandated by federal law to comply with NERC-CIP, most organizations in other verticals have treated security (beyond simple perimeter security) as “optional.”
All that changed a few months ago with WannaCry and NotPetya. Leveraging an advanced NSA exploit called EternalBlue, released by the Shadow Brokers in April 2017, these attacks quickly spread from the Internet and IT networks to OT networks over ordinary SMB connections.
The result was large-scale disruption to manufacturing and production operations: Maersk’s costs, $300 million; Reckitt Benckiser’s, £110 million; Mondelez’s, $150 million; Saint-Gobain’s, €220 million; and Merck cited “disruption of worldwide operations” in their most recent financial statement.
Read this additional resource from January 2017 on the global implications of stolen NSA hacking tools: 7 Cyber Scenarios We’ve Never Seen Before
Give everyone in your organization a reason to care. Then equip them to act
The dream for every industrial plant owner or operator is to have employees care so much about the company and its culture that they give a 110% effort to help it succeed (think Southwest Airlines and its famed customer-centric culture).
So how do you change a culture of “not my problem” — or “it’s an IT problem” — to “this is the way we do things around here” and “OT security is everyone’s job”?
It’s one thing to mandate a focus on OT security by edict; it’s quite another to create a culture that makes everyone prioritize cybersecurity in their routine actions. It starts with educating all employees — from plant managers to control engineers, SCADA managers, and field employees — that the risk is real and that it can have a devastating impact on your ability to serve customers and, ultimately, on everyone’s livelihoods.
Next is to educate everyone on how they may be inadvertently contributing to risk and what they can do about it. The first step is educating plant personnel (not just corporate workers) about the risk of clicking on phishing emails. Symantec (Dragonfly 2.0) and Cisco Talos recently showed how cyberattackers are targeting control engineers to steal their VPN credentials, enabling the attackers to bypass perimeter defenses and gain direct access to OT networks.
But it goes far beyond that, to explaining the risks of:
- Plugging laptops and USB drives into the OT network
- Opening Internet connections to third-party vendors to facilitate remote maintenance
- Dual-homing OT workstations between IT and OT
- Installing Wireless Access Points to make your day-to-day job easier (shadow IT)
So where do you start? Follow these seven best practices to get you on the safe path.
7 best practices for developing an OT security culture
- 1. Set the tone from the top. Every type of business has rules and regulations on how it must work. Executive management must set this new “OT security is everyone’s job” direction and get behind it 100%. That includes allocating the people, time and resources to make all workers aware, to educate and equip them to make OT security a priority in everyone’s work. Get executive buy-in and make sure their support is visible to all – through company-wide bulletins, town hall meetings, quarterly addresses from leadership, etc.
- 2. Define clear ownership. OT personnel have traditionally had primary control over OT networks, stemming from well-founded caution that IT personnel with limited knowledge of OT could make big mistakes that impact production. But given the growing OT cyberattack vector and sophistication of adversaries, increasingly CISOs and their teams are being tasked with OT security. (After all, CISOs have been battling sophisticated adversaries for many years now.) Facilitate educational cross-training sessions for your IT and OT teams — but make sure there’s a clear distinction regarding who’s ultimately responsible for OT security.
- 3. Work collaboratively as a team. IT and OT teams have a lot to teach each other about their respective disciplines. The culture must foster the belief that “we’re all in this together, so let’s help each other.” Get people to understand that if malware infects the plant, everyone suffers — downtime can lead to work stoppages, a decline in stock price, slower growth, and hence fewer opportunities for career advancement.
- 4. Provide motivation. Recognize employees when they exemplify the actions you want everyone else to take. And as described above, make reducing cyber risk relevant and contextual to everyone: “We have to prevent cyberattacks to protect our jobs and the communities around us.”
- 5. Provide ongoing awareness training. Your personnel need frequent and repetitive awareness training to learn what cyber risks their plant might face, how to spot a suspected threat, how to report it, etc. This type of training is common in corporate environments; now it needs to be translated to your industrial setting. Managers need to focus on specific steps people can take such as reporting suspicious emails, using complex passwords, not sharing credentials, etc.
- 6. Encourage open communication. Open communication must include recognition for doing the right thing, and acceptance if mistakes are made. For example, a worker who opens a phishing email and clicks on the malicious link needs to feel safe to report it rather than cover up their mistake.
- 7. Stay aligned to the business. Stronger OT security aligns perfectly with long-standing business goals and corporate values such as safety, quality, and customer satisfaction (because when production stops, customers suffer). Consistently articulate this alignment so that OT security becomes another foundational element of your corporate culture.
What are your best practices for creating an organization-wide culture supportive of OT security? What insights do you have on how to best educate and enable everyone to care and contribute to a stronger OT cybersecurity posture? Please share your tips by commenting on this post.
Interested in learning about the second P and T in the PPT model for cybersecurity? Register for the SANS webinar with Mike Assante, SANS Director of Critical Infrastructure & ICS/SCADA Security, as he discusses “NotPetya, Dragonfly 2.0 & CrashOverride: Is Now the Time for Active Cyber Defense in ICS/SCADA Networks?” on Thursday, October 12th, 2017 at 1:00 PM EDT.