The security implications of technology innovations
A recent Computer Weekly article reporting on the findings of the Ponemon study showed that an alarming percentage of UK companies lack any form of cyber resilience.
The interconnected world has moved on considerably in recent years, with both the Internet of Things (IoT) and the Industrial Internet of Things (IIoT) advancing at an unprecedented rate. One result of the speed of change itself is that there is room for both gaps and errors to appear in systems, because security is not always keeping up.
Technology innovations should be developed with the security of the systems behind them evolving just as fast, but we know this is often not the case.
As the Ponemon Institute survey showed, only 29% of UK organisations rate their cyber resilience as high.
Why do so many companies struggle with cyber security?
Most of the firms polled in the Ponemon survey reported they lack preparedness to handle cyber-attacks and, worryingly, only 36% said they were confident in their ability to recover from an attack.
There is much publicity around the ever-increasing threat of cyber-attacks, whether to IT or Operational Technology (OT) systems, which are unlikely to cease anytime soon given the rate of new technology innovations. Experts are predicting more of the same regarding the threat of cyber-attacks to companies, infrastructure and people during 2016.
While general awareness in the OT security domain is continuing to grow, many companies still rely on outdated patch management and anti-malware protection to combat these cyber threats. This is leaving many companies vulnerable, and often more vulnerable than they realise, to a cyber-attack. Tackling this subject can often appear to be a daunting task as companies realise they need to give cyber security a higher priority; but where to begin?
The problem is not awareness, but the fact that most companies do not understand the actual risks involved. While individuals within a company may understand particular risks, very few can accurately identify the overall risks to their organisation.
To have a successful security plan, organisations need to understand their own unique risk environment, as no two organisations will deploy the same standard security policy and solutions.
A Process Control Security Journey
Many organisations still have problems with their OT security because it is still generally viewed as an IT issue. The individuals who operate an asset often don’t see security as their problem, believing their industrial control systems are air-gapped, or even just that they are too busy with ‘real work’.
To successfully protect process control systems, OT security needs to be underpinned and sustained by the knowledge, awareness and competence of those who operate an asset. To continually improve security, everyone has to buy into the strategy. It is no longer sufficient to push this strategy only from an IT perspective; to really make it work, it needs to be led by a team pulled from an asset’s commercial and industrial community.
For a company to have an effective security policy in place, it should incorporate a collective corporate message, one that covers all areas of the company’s operations. It is everyone’s responsibility to help ensure the security of an organisation. Security policies alone can only do so much, however: they cannot protect against poor security attitudes that allow, for example, the unsolicited use of remote devices, or employees not taking responsibility for their own, or their colleagues’, actions.
Employees need to take responsibility for their own actions, just as they do with regard to safety. Within many organisations there needs to be a shift in attitude, from ‘we think there is a risk, but we cannot articulate what it is’ to ‘we understand our OT cyber security risks and we must protect production and safety from security risk’.
Similarly, there also has to be a corporate-wide shift in attitudes, from the belief that ‘security is only for corporate IT, and OT systems do not require it’ to one that says ‘security is like safety, part of everything we do’.
There are three main levers of change:
- Understanding your environment – this forms the basis of your security strategy. What equipment do you have, how is it connected, who has access? A company must understand its own risk profile in order to effectively secure it.
- Get a vision with a year-on-year road map – There needs to be direction for structured and sustainable change, and a focus on the employees within the company. Security needs to be driven through a change in attitudes, culture and behaviour. Security is a journey, not a destination; there is no end point.
- People, culture and competence – Security needs company-wide awareness, management visibility, technical leadership and on-site ambassadors. This is often the hardest aspect: tackling and overcoming people’s perceptions. Technology matters, but people and process matter more, and security can only be sustained if the culture is aligned to this objective.
With so much awareness and publicity around cyber incidents, it is no longer a case of ignorance of the security threats, but rather a problem of risk management and how best to combat potential incidents. Of those polled in the Ponemon Study, 71% of respondents rated their organisation’s cyber resilience as low. Overall, organisations need to understand their own unique risk environment and then get back to the basics of cyber security.