5 Reasons why Security Awareness Training is Important to Secure Industrial Networks
In the last couple of years industrial systems have become more intelligent and their software more complex, and keeping them protected has become a growing concern. Patching and software updates within these traditionally closed systems are now a requirement, and one that raises concerns at the information security department level.
Mindsett Security, your human factor security partner: with implementation support, custom software applications, and several different types of exercises, we support our customers in creating a culture of security company-wide.
What are the reasons why Security Awareness Training is Important to Secure Industrial Networks?
1. Industrial Control Systems are Different from IT Systems
Because SCADA systems were not designed with strong built-in security features, IT staff need to be trained to follow a slightly different approach to ensure better security of SCADA systems. Here is how:
a. Isolate the Network from unnecessary connections – Train your staff to disable or remove any unused devices or network connections to avoid direct attacks. This is particularly important where SCADA networks are interconnected with each other. Do not allow any service on the SCADA network until a risk assessment has been conducted and the potential benefits far outweigh the negative consequences.
b. Use VPNs for Remote Access – IT managers need to set up a Virtual Private Network and teach employees how to use it, so that all remote access goes through the VPN and malware or inappropriate traffic is blocked from penetrating your network.
c. Conduct Physical Security Surveys – All locations with a connection to the SCADA network are targets and serve as vulnerable points of entry for attackers, especially unmanned remote sites. Your IT staff should be drilled on how to conduct regular physical security checks of all systems, looking for accessible computer terminals, telephone lines, tapped fiber-optic or computer network cables, or any exploitable radio and microwave links.
2. A single solution may not work every time
To ensure ongoing security effectiveness, system administrators should be trained to conduct technical audits of SCADA networks and devices, take corrective actions, and make use of open-source and commercial security tools to identify patch levels, active services, and vulnerabilities. Beyond operational personnel, all other employees should receive personalized security awareness training that prepares them for the threats they might face at their end. The specific security awareness sessions may include department-specific social engineering exercises, email reminders or classroom trainings.
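The technical audit described above boils down to comparing what is actually running on each device against what the risk assessment agreed to allow, and comparing installed versions against the patch baseline. The following is an added example of that comparison, not Mindsett's code or any tool's output: the inventory, the per-role service allow-list and the minimum versions are all constructed sample data, and a real audit would feed it from a scanner or asset database instead.

```python
"""Baseline audit of a constructed SCADA asset inventory (added example).

Flags two kinds of findings the text calls for in a technical audit:
  - active services that are not on the allow-list for the device's role
  - firmware/software versions below the agreed patch baseline
"""
from dataclasses import dataclass

# Constructed inventory: host -> role, open TCP ports, installed version.
# These are sample values, not real devices or real product versions.
INVENTORY = {
    "plc-01": {"role": "plc", "ports": {502}, "version": "2.4.1"},
    "plc-02": {"role": "plc", "ports": {502, 80, 23}, "version": "2.1.0"},
    "hmi-01": {"role": "hmi", "ports": {443}, "version": "5.0.2"},
    "eng-ws-01": {"role": "engineering", "ports": {3389, 445}, "version": "5.0.2"},
}

# Services allowed per role (assumption: agreed during the risk assessment).
ALLOWED_PORTS = {
    "plc": {502},          # Modbus/TCP only
    "hmi": {443},          # HTTPS only
    "engineering": {3389}, # remote desktop only
}

# Minimum acceptable version per role (assumed patch baseline).
MIN_VERSION = {"plc": "2.3.0", "hmi": "5.0.0", "engineering": "5.0.2"}


@dataclass
class Finding:
    host: str
    kind: str    # "unexpected_service" or "outdated"
    detail: str


def parse_version(version: str) -> tuple:
    """Turn 'major.minor.patch' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(inventory=INVENTORY, allowed_ports=ALLOWED_PORTS, min_version=MIN_VERSION):
    """Return the list of findings, ordered by host then port."""
    findings = []
    for host, info in sorted(inventory.items()):
        role = info["role"]
        # Any listening service outside the allow-list is an unexpected service.
        for port in sorted(info["ports"] - allowed_ports.get(role, set())):
            findings.append(Finding(host, "unexpected_service",
                                    f"tcp/{port} is not in the allow-list for role '{role}'"))
        # Anything below the baseline is overdue for patching.
        if parse_version(info["version"]) < parse_version(min_version[role]):
            findings.append(Finding(host, "outdated",
                                    f"version {info['version']} is below baseline {min_version[role]}"))
    return findings


if __name__ == "__main__":
    for finding in audit():
        print(f"[{finding.kind}] {finding.host}: {finding.detail}")
```

Running it on the sample inventory reports plc-02 for telnet and HTTP listeners plus an outdated version, and the engineering workstation for SMB, while the two compliant hosts produce nothing. The same structure works for any inventory source as long as each asset carries a role, because the allow-list is keyed on role rather than on individual hosts.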
3. Use of Internet-based Technologies in SCADA has Resulted in Increased Cyber Threats
With increased network integration to reduce costs and increase productivity in SCADA, such as real-time data sharing from the field or remote support, companies now face security vulnerabilities these systems were never designed for. Since the discovery of the Stuxnet worm in July 2010, security of automation systems has been a major concern for employers. Employees need to be trained on:
- Avoiding malware infections while allowing remote access or using external devices in the network
- Looking beyond conventional IT firewalls and implementing ones capable of deep packet inspection of all industrial protocols
- Focusing on securing mission critical systems first, specifically Safety Integrated Systems (SIS)
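To make the deep packet inspection point concrete, here is an added example (not Mindsett's code and not the output of any firewall product) of the kind of check an industrial-protocol-aware filter performs and a conventional port-based firewall cannot: it parses Modbus/TCP frames and alerts on write function codes that do not originate from a known engineering workstation. The frames and IP addresses are constructed sample data, and the set of "engineering hosts" is an assumption standing in for whatever the site's access policy defines.

```python
"""Modbus/TCP function-code inspection over constructed traffic (added example).

Modbus/TCP frame layout (MBAP header + PDU):
  transaction id (2 bytes) | protocol id (2, always 0) | length (2) | unit id (1)
  | function code (1) | data (...)
A port-based firewall sees only "tcp/502 allowed"; inspecting the function
code lets us distinguish harmless reads from process-changing writes.
"""
import struct
from dataclasses import dataclass

# Function codes that change PLC state; reads are everything else in FUNCTION_NAMES.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP frame; raise ValueError on anything malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    txid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"length field {length} does not match payload ({len(payload) - 6})")
    return ModbusFrame(txid, unit, payload[7], payload[8:])


def classify(src_ip: str, payload: bytes, engineering_hosts: set) -> tuple:
    """Return (level, message) where level is 'ok', 'info' or 'alert'."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as err:
        return ("alert", f"malformed Modbus frame from {src_ip}: {err}")
    fc = frame.function_code
    if fc & 0x80:  # exception response from the device; worth logging, not a policy breach
        return ("info", f"exception response to function {fc & 0x7F} seen from {src_ip}")
    if fc not in FUNCTION_NAMES:
        return ("alert", f"unexpected function code {fc} from {src_ip}")
    name = FUNCTION_NAMES[fc]
    if fc in WRITE_FUNCTIONS and src_ip not in engineering_hosts:
        return ("alert", f"{name} from non-engineering host {src_ip} to unit {frame.unit_id}")
    return ("ok", f"{name} from {src_ip} to unit {frame.unit_id}")


# Assumption: only this workstation may issue writes to the PLCs.
ENGINEERING_HOSTS = {"10.0.1.10"}

# Constructed traffic sample: (source ip, raw Modbus/TCP payload).
SAMPLE_TRAFFIC = [
    ("10.0.1.20", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),  # HMI reads 10 registers
    ("10.0.1.50", bytes.fromhex("0002 0000 0006 01 06 0010 1234")),  # unknown host writes a register
    ("10.0.1.10", bytes.fromhex("0003 0000 0006 01 06 0010 1234")),  # same write, engineering host
    ("10.0.1.50", bytes.fromhex("0004 0000 0006 01")),              # truncated frame
    ("10.0.1.50", bytes.fromhex("0005 0001 0006 01 03 0000 0001")),  # wrong protocol id
    ("10.0.1.20", bytes.fromhex("0006 0000 0003 01 83 02")),         # exception response
]


def inspect(traffic=SAMPLE_TRAFFIC, engineering_hosts=ENGINEERING_HOSTS):
    """Classify every frame in the capture and return the list of (level, message)."""
    return [classify(src, payload, engineering_hosts) for src, payload in traffic]


if __name__ == "__main__":
    for level, message in inspect():
        print(f"{level.upper():5} {message}")
```

The sample capture produces one accepted read, an alert for the write from the unknown host, an accepted write from the engineering workstation, two alerts for malformed frames, and an informational line for the exception response. The useful lesson for awareness sessions is the middle pair: the two write frames are byte-for-byte identical apart from the transaction id, so the only thing that separates a legitimate change from a suspicious one is who sent it, which is exactly the context a plain port filter throws away.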
4. Unpreparedness for Potential Cyber Security Breaches
Security awareness training sessions must prepare employees to be ready for security breaches at all times. Employee readiness must come in the form of:
- Documented cybersecurity policies and procedures
- Regular vulnerability scans
- Installation of patches every other week
- Security assessment of control systems and networks
- Incident Response and reporting
5. Downtime can Result in Huge Revenue Losses
Since SCADA environments cannot afford downtime, continuous uptime is vital to their viability. To avoid unexpected downtime, which results in significantly higher maintenance costs, lost productivity and material, and compromised safety standards, regulators need training on how to watch critical infrastructure closely, protect cord and cabling components, and report downtime instantly when required.
Dedicated awareness topics to approach in a security awareness training for employees
What should be explained in a security awareness training session for a colleague working in a SCADA environment under these conditions? Which awareness topics should be covered, and how should they be chosen? Explaining the reasons for closed ports, the patching policy, malware protection and the use of personal devices in conjunction with SCADA systems tops the list. Malware protection from the human factor perspective should be explained in the full context of a possible attack. Installing malware to target industrial systems is not a new topic, nor one absent from the news, so correlating it with daily activities should not be hard to establish, provided at least one example is given. A suggested full list of security awareness topics follows:
- Security breaches and SCADA systems
- Closed systems and network segregation
- VPN connection and remote access
- Malware and critical systems
- Security patches and back-ups – who, when, why
- Phishing, and use of email
- Social engineering, think before you click
- Data loss prevention and incident response
- An anatomy of a well-known attack targeting critical systems
Closing Note – Why not to stop at certain user groups with security awareness…
Even if you use every security mechanism to protect your systems, in the end it always comes down to how people use them. An open USB port, or an open network link that is usually used for software upgrades but in many cases serves as a path for phishing, combined with a human error, can cause security breaches whose impact, cost and reputational losses are hard to evaluate.
Users with a certain level of security awareness are less likely to be tempted to open attachments from unknown senders, borrow USB devices, click any link they get or carry out other risky actions.
Although the effectiveness of a specialized awareness program lies in how it influences the attitudes and behaviors of colleagues involved in specific activities, do not lose sight of educating everyone in the organization who is in contact with computer systems. This is a strong recommendation for companies using industrial automation or critical systems.