Cybersecurity incidents will have serious ramifications if today's workforce is not better trained to deal with them. The Automation Federation thinks this issue is even more acute in the operational technology (OT) world.
Despite widespread awareness of cybersecurity issues and the availability of training courses on the topic (e.g., ISA's IC32 course Using the ISA/IEC 62443 Standards to Secure Your Control Systems), competency and preparedness remain varied throughout the industrial landscape.
The electricity sector is strictly regulated, and the oil and gas industry has spent a decade improving its cybersecurity posture. The water industry is generally less well prepared than those industries, with neither the regulatory requirements of the electricity industry nor the funding and resources of the oil and gas industry.
Even in industries where cybersecurity has been tackled, awareness is still not what it should be. Statistics show that there is a problem with cybersecurity awareness and adoption. Many generally still either do not believe there is an issue or do not believe they themselves need to worry about it.
One of the possible causes for this complacency is cybersecurity fatigue. The National Institute of Standards and Technology (NIST) found in a 2016 study that respondents had "a general weariness or reluctance to deal with computer security." In the paper "Security Fatigue" in IT Professional, one of the study's research subjects said, "I don't pay any attention to those things anymore …. People get weary from being bombarded by 'watch out for this or watch out for that.'"
Organizations need to do more than just issue policies and procedures. They also need to provide clear guidance and support to help users make the right decisions and to make it easy for them to do the right thing. This is a key aspect of training that is often overlooked in favor of technical or procedural issues.
An example of the problem, according to the NIST researchers, is how a person today is expected to remember 25-30 passwords, compared to just one not long ago. There is a lack of good guidance on how to manage cybersecurity. While there are standards and guidelines that tell you to have complex passwords and to ensure you do not write them down, often there is little or no guidance on how to manage this. Remembering 25-30 complex passwords is not practical, so there is a temptation to either record them somewhere insecure or to try to bypass some of the complexity or update rules (e.g., use the same password for multiple applications). However, using a secure password manager tool, which can store everything and even generate new, complex passwords, will not only be more secure but also save time.
ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:
- ISA Global Cybersecurity Alliance
- Cybersecurity Resources Portal
- Cybersecurity Training
- IEC 62443 Conformance Certification
- Family of Standards
- ISA/IEC 62443 Cybersecurity Certificate Programs
- Suite of Security Standards
With this in mind, The Automation Federation is continuing to raise awareness across industry sectors, in business and academia, and around the world. Key activities in 2017 include:
- National Rural Water Association (NRWA): NRWA is a nonprofit organization dedicated to training, supporting, and promoting more than 31,000 water and wastewater professionals serving small communities across the U.S. NRWA members are eager to learn more about cybersecurity threats and how to defend against them. An Automation Federation-delivered webinar in November 2016, covering basic cybersecurity concepts, received record registrations and live attendance. The Automation Federation plans to work with NRWA, an Automation Federation member since 2016, during 2017 to provide more awareness training at regional and national meetings.
- Northern Virginia Community College (NOVA): NOVA is the second-largest community college in the U.S., comprised of more than 75,000 students and 2,600 faculty and staff members. The Northern Virginia region has a very high concentration of mission-critical operations, particularly 24/7 data centers. NOVA is developing, with the support of The Automation Federation, a mission-critical operations program. In addition, The Automation Federation and NOVA are hosting a high-profile one-day seminar on mission-critical cybersecurity to raise awareness with regional industry leaders.
- British government: The Automation Federation is working with the British government on an OT-specific cybersecurity seminar to take place in London immediately following the Security Innovation Network 2017 annual conference. This event will bring together many key stakeholders from U.K. and U.S. government and industry leaders with an interest in OT.
In addition, The Automation Federation continues to contribute to industry-wide cybersecurity and workforce development initiatives. The NIST Cybersecurity Framework has recently received an update (to version 1.1). Changes include a section on cybersecurity measurement, a more detailed description of applying the framework to supply-chain operations, more clarifications on authentication and authorization, and a better explanation of implementation tiers and profiles.
We continue to review and update of the Automation Competency Model. The Automation Federation first started working on this model in 2007. Reviews involve subject-matter experts and the U.S. Department of Labor, will ensure that the latest thinking on knowledge and skills required for the automation professional, including the crucial element of OT cybersecurity, is incorporated.
The Automation Federation will continue to work, with its member organizations, to raise awareness of OT cybersecurity throughout government and industry around the world.
Learn more about industrial security and mission critical operations. Click this link to download a free 48-page excerpt from Mission Critical Operations Primer.
A version of this article also was published at InTech magazine.