Cybersecurity incidents will have serious ramifications if today's workforce is not better trained to deal with them. The Automation Federation thinks this issue is even more acute in the operational technology (OT) world.
Despite widespread awareness of cybersecurity issues and the availability of training courses on the topic (e.g., ISA's IC32 course Using the ISA/IEC 62443 Standards to Secure Your Control Systems), competency and preparedness remain varied throughout the industrial landscape.
The electricity sector is strictly regulated, and the oil and gas industry has spent a decade improving its cybersecurity posture. The water industry is generally less well prepared than those industries, with neither the regulatory requirements of the electricity industry nor the funding and resources of the oil and gas industry.
Even in industries where cybersecurity has been tackled, awareness is still not what it should be. Statistics show that there is a problem with cybersecurity awareness and adoption. Many people still either do not believe there is an issue or do not believe they themselves need to worry about it.
One of the possible causes for this complacency is cybersecurity fatigue. The National Institute of Standards and Technology (NIST) found in a 2016 study that respondents had "a general weariness or reluctance to deal with computer security." In the paper "Security Fatigue" in IT Professional, one of the study's research subjects said, "I don't pay any attention to those things anymore …. People get weary from being bombarded by 'watch out for this or watch out for that.'"
Organizations need to do more than just issue policies and procedures. They also need to provide clear guidance and support to help users make the right decisions and to make it easy for them to do the right thing. This is a key aspect of training that is often overlooked in favor of technical or procedural issues.
An example of the problem, according to the NIST researchers, is how a person today is expected to remember 25-30 passwords, compared to just one not long ago. There is a lack of good guidance on how to manage cybersecurity. While there are standards and guidelines that tell you to have complex passwords and to ensure you do not write them down, often there is little or no guidance on how to manage this. Remembering 25-30 complex passwords is not practical, so there is a temptation to either record them somewhere insecure or to try to bypass some of the complexity or update rules (e.g., use the same password for multiple applications). However, using a secure password manager tool, which can store everything and even generate new, complex passwords, will not only be more secure but also save time.
ISA offers standards-based industrial cybersecurity training, certificate programs, conformity assessment programs, and technical resources. Please visit the following ISA links for more information:
With this in mind, The Automation Federation is continuing to raise awareness across industry sectors, in business and academia, and around the world. Key activities in 2017 include:
In addition, The Automation Federation continues to contribute to industry-wide cybersecurity and workforce development initiatives. The NIST Cybersecurity Framework has recently received an update (to version 1.1). Changes include a section on cybersecurity measurement, a more detailed description of applying the framework to supply-chain operations, more clarifications on authentication and authorization, and a better explanation of implementation tiers and profiles.
We continue to review and update the Automation Competency Model. The Automation Federation first started working on this model in 2007. The reviews, which involve subject-matter experts and the U.S. Department of Labor, will ensure that the latest thinking on the knowledge and skills required of the automation professional, including the crucial element of OT cybersecurity, is incorporated.
The Automation Federation will continue to work with its member organizations to raise awareness of OT cybersecurity throughout government and industry around the world.
A version of this article was also published in InTech magazine.