Editor's Note: This is a guest Blog Post from Tim Conway,Technical Director for the ICS and SCADA programs at SANS. Below Tim shares his thoughts on Engineering Cyber Safety.
For many organizations that run security awareness programs, the question eventually comes up "how do I make our program more relevant and interesting to our audience". For operational organizations that have teams of engineers and remote field technicians who interact with Industrial Control Systems, the question is a very challenging one.
Cyber reliance, cyber interconnectedness, and cyber secure engineering have been growing areas for many industrial environments over the past 10 to 15 years, yet many who interact with, operate, or rely on these technologies do not receive cybersecurity training that relates to their job. It would be like putting me in the cockpit of a 747 after having me watch the movie "Snakes on a Plane" as my pre-flight training video, and wishing me the best of luck as I fly off into the sky. So how do you connect ICS engineers to security awareness training that really hits home, I suggest you start with what matters most to them — Safety! Safety programs have dramatically reduced safety incidents throughout history, we need to achieve the same goal with our cybersecurity programs.
Oh, I miss the days of the Safety Meeting. It was a time to focus on the well-being of yourself, your co-workers, and your customers, this safety culture is core to Industrial Control System environments. Focus on this cultural strength and implement a training program that relates poor cybersecurity behaviors and their impact on a safe work environment. I have developed three "safety thoughts" for you to consider how they can be implemented in your awareness programs and I encourage your thoughts.
1) Everyone can be a Cybersecurity Ambassador - Industrial environments strongly enforce PPE (Personal Protective Equipment) and all who work in those areas know what it is, (hard hat, eye protection, ear protection, rubber soled shoes, flash resistant clothing, etc..) and will stop someone who is not wearing it. When your teams understand how poor cybersecurity practices (unapproved removable media, sharing account credentials, working on devices without proper notification and approval, un-approved mobile devices in a process environment, etc?) can affect their work environment and their own safety, they will stop someone when they see it as well. There is likely a sign somewhere that says — "This site Accident Free for 380 days and counting" — you will know you are winning when you have a sign that says, "This network has been malware free for 752 days and counting".
2) Knowledge is Power - In the unfortunate event that there is a reportable safety incident, it is no secret to anyone. Actual events, and near misses become full-scale root cause analysis efforts and after action lessons learned guidance communications, which in many cases shape operating procedures. We will be heading in the right direction when we ask the same questions: How many cyber near misses have happened at a facility? How well are we sharing our actual cyber incidents so we can improve across the company and the industry? Have we really identified the root cause of the cyber incidents that have occurred, and have the cyber lessons learned influenced how we engineer and operate our systems? When an individual comes into a safety meeting and explains an incident that has affected their life directly and provides the details of what happened and in many cases how simple the mistake was that caused the incident, it becomes very personal and easy to associate to your own behaviors. We need to have the same type of professional information sharing for cyber incidents and the impacts they had to an operating environment.
3) An Ounce of Prevention? - Safety protections exist in many forms throughout industrial environments and are engineered into the process to provide event detection, operator alarming, fault containment, and rapid process recovery. ICS cybersecurity needs to be intentional in system design and in operator behavior to achieve improved cyber incident detection, alerting, containment, asset recovery capability, and overall system impact reduction if an event occurs. Bottom line, Safety is a planned activity that is engineered into the process, Cybersecurity should be no different.
I will close this with a slightly modified safety thought - Don't learn ICS Cybersecurity by accident.
Technical Director - ICS and SCADA programs at SANS. Responsible for developing, reviewing, and implementing technical components of the SANS ICS and SCADA product offerings. Formerly, the Director of CIP Compliance and Operations Technology at Northern Indiana Public Service Company (NIPSCO). Responsible for Operations Technology, NERC CIP Compliance, and the NERC training environments for the operations departments within NIPSCO Electric. Previously, an EMS Computer Systems Engineer at NIPSCO for eight years, with responsibility over the control system servers and the supporting network infrastructure. Former Chair of the RFC CIPC, current Chair of the NERC CIP Interpretation Drafting Team, member of the NESCO advisory board, current Chair of the NERC CIPC GridEx Working Group, and Chair of the NBISE Smart Grid Cyber Security panel.