Building cyber security awareness in industrial, OT environments
The U.S. has observed the month of October as the ‘National Cybersecurity Awareness Month (NCSAM),’ since 2003, as a reminder to various industrial and manufacturing stakeholders, including supply chain vendors, to pause and analyze their cybersecurity environment. The intention behind this is to drive organizations to analyze their cyber security awareness and carry out necessary measures that will help to streamline and update their cybersecurity posture.
The past year has demonstrated that cyber adversaries are getting more sophisticated and destructive across industry sectors. Examining cyber security awareness within organizations would help connected networks protect their part of cyberspace, enhance cybersecurity practices, and encourage awareness about online habits as internet threats continue to grow. Cyber security awareness also provides an opportunity to implement stronger security practices, raise community awareness, and work towards educating vulnerable audiences or training employees.
Cybersecurity Awareness Month is co-led by the National Cyber Security Alliance and the Cybersecurity and Infrastructure Agency (CISA) of the U.S. Department of Homeland Security. This year’s overarching theme for the month was focused on ‘Do Your Part. #BeCyberSmart,’ which aims to direct individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability, and the importance of taking proactive steps to enhance cybersecurity.
Over the last year, ransomware and cybersecurity attacks have wrecked healthcare organizations, fuel pipelines, water plants, food and cooperative suppliers, and several other organizations. These aberrations have disrupted the supply chain, affected public health and services, schools and colleges, in addition to putting national and economic safety and security on the line.
Following these incidents, there is a pressing need for the rapidly evolving industrial control systems (ICS) and operational technology (OT) environments to build their cyber-hygiene and bring about additional cyber security awareness measures in the environments. While initiating cyber security awareness might seem to be a daunting task to get started, it is useful to recognize that the appropriate cyber hygiene provides cybersecurity defenses for various possible cyber threats and attacks.
The lack of visibility into hardware inventory results in uncontrolled risk, Yossi Appleboum, CEO and co-founder of Sepio Systems, told Industrial Cyber. “The OT network is sometimes distributed in multiple locations – including rural regions – and without knowing what’s there, how can anyone secure the infrastructure? That being said, I believe visibility into the hardware space does not mean simply monitoring network traffic as many ICS/OT solutions do, but literally focusing on the existence of the devices and physically fingerprinting them,” he added.
“Our customers are always surprised by the results of our measurement-based OT risk & maturity assessments,” Klaus Mochalski, founder and CEO of Rhebo, told Industrial Cyber. “What usually follows are comprehensive clean-up and repair measures. Over 80 % of all remediation activities based on findings of our OT anomaly detection happen as part of this initial assessment. So a regular cyber risk assessment is a clear recommendation,” he added.
The Leipzig, Germany-based Rhebo works towards ensuring both cybersecurity and operational stability of the ICS and IoT infrastructure in industrial, energy, and water companies. It directly supports operators of ICS to enhance cybersecurity, productivity, and availability of their systems and plants, and safeguard the digital transformation of their processes.
The line between online and offline lives is blurring and in a highly interconnected world, societal well-being, economic prosperity, and national security are impacted by the internet, Robert Burns, chief security officer for data security solutions at Thales, told Industrial Cyber. “The purpose of Cybersecurity Awareness Month is to empower individuals and organisations to own their role in protecting their cyberspace. If everyone does their part – implementing stronger security practices, raising community awareness, educating people, following good cyber hygiene – our interconnected world will be a safer and more resilient place for everyone.”
Maintaining a good cyber hygiene posture is a shift in mitigating ransomware threats – instead of reacting to an incident, basic cyber hygiene can help to proactively prevent ransomware attacks before they occur, according to Burns. “Even if an attack should occur, good cyber hygiene practices can help organisations control and reduce the impact. As the organisation becomes more mature, it can implement more advanced cybersecurity controls to block bad actors from hijacking their sensitive, valuable data.”
With the U.S. administration and legislative arms taking several measures to strengthen cybersecurity by hardening against cybersecurity attacks, the demand for cyber security awareness increases, forcing organizations to work towards establishing and promoting such directives.
“Anytime there is a tightening of cybersecurity regulation in any of our target geographies, we observer a near-immediate increase of customers in regulated industry sectors,” Mochalski said. “Interest then comes from various departments at infrastructure operators, showing that cybersecurity awareness is increasing across the organization.”
Even though ransomware actors are getting more sophisticated with their methodologies, basic cyber hygiene is still the answer to preventing these types of attacks, Burns said. “Cybersecurity experts agree that the vast majority of attacks active today can be prevented by good cyber hygiene practices,” he added.
“Maintaining a good cyber hygiene posture is a shift in mitigating ransomware threats – instead of reacting to an incident, basic cyber hygiene can help you to proactively prevent ransomware attacks before they occur,” according to Burns. “Even if an attack should occur, good cyber hygiene practices can help organisations control and reduce the impact. As the organisation becomes more mature, it can implement more advanced cybersecurity controls to block bad actors from hijacking their sensitive, valuable data,” he added.
One important sector that cyber security awareness must be brought to is the healthcare sector, as the COVID-19 pandemic exposed the weaknesses of healthcare systems while demonstrating that medical innovations can be developed and deployed with unprecedented speed.
“Healthcare institutions carry highly sensitive data and are also exposed to disruption, especially in the form of ransomware attacks,” Appleboum said. “Knowing what is connected to the network and the endpoints is a crucial component in their cyber defense.”
COVID-19 has led to significant changes in the way that healthcare institutions are protected, as well as how they are viewed by the government, according to Appleboum. “In 2019, many hospitals were under-budgeted and lacking in their cybersecurity programs. Today, we see a different scenario, with many hospitals ahead of the curve and open to innovative solutions. Government-mandated security measures are a very good way to ensure that the industry can defend itself against the increasing cyber-attacks on critical infrastructure,” he added.
As Cybersecurity Awareness Month comes to a close, it is vital for both industrial and manufacturing organizations to intensify their efforts on raising awareness about cybersecurity best practices and stressing the collective effort required to safeguard and prevent cybersecurity intrusions and attacks.
“Our mission is to help organizations understand and manage the cyber risks surrounding hardware devices,” Sepio’s Appleboum said. “To us, being “cyber smart” means managing and prioritizing your risk factors. It includes knowing your risk (visibility), managing it (control), and eliminating it (mitigation),” he added.
Rhebo is “about to launch a new service offering combining two, usually separate risk assessment techniques: our regular passive measurements-based OT risk assessment with an OT-specific penetration testing program,” Mochalski said. “This combination provides unique insights as all pen-testing activities should be tracked by the OT measurement assessment,” he added.
Burns ended on a philosophical note saying that, “Let’s take the opportunity to remind everyone of the importance of digital security for citizens, employees, businesses and government agencies – we are all concerned! Trust is essential to the development of our societies. Trust in our institutions. Trust in our infrastructures. Trust in technology. Trust in each other. But in an increasingly connected world, there is no trust without cyber security.”