Why Cyber Security is the New Health and Safety for Industrial Control Systems
Many people view the UK’s Health and Safety at Work Act of 1974 as unnecessarily burdensome, but its introduction dramatically reduced accidents in the workplace, particularly within industrial settings.
Today it controls the safety of equipment used on process plants, the time professional drivers may spend behind the wheel, and even how long someone can stare at a computer screen.
When you walk into an industrial site, the success of this health and safety message really becomes clear. Safety is usually the first thing visitors are told about when entering a site, and anyone who comes through the door is given a health and safety induction before they gain access.
What’s more, people in these environments are extremely clear about what does and doesn’t constitute safe behaviour. Employees are empowered by this knowledge, and act as safety ambassadors.
As a cyber security specialist, when I enter sites like this, I often wonder why the same care and attention isn’t being paid to preventing a cyber attack. Because when it comes to our critical infrastructure, the risks associated with cyber attacks go beyond damaging a company’s reputation or losing customer data. A successful attack can also put the physical safety of many employees at risk.
Recognising the importance of ICS security solutions
So, why aren’t these cyber security safety implications being taken more seriously? Partly because industrial control systems (ICS) have traditionally been seen as a separate entity from the IT systems used by corporate enterprises, and therefore outside the remit of corporate cyber security teams.
The belief was that, as these systems were not connected to the same networks as other computers or the Internet, someone would need to gain physical access to a machine in order to infect or tamper with it.
But as these control systems, such as manufacturing systems that continuously monitor and optimise performance, have become increasingly connected, IT and OT are converging.
In addition, as human involvement in these processes has reduced, and reliance on automation has increased, the potential cyber attack surface has grown significantly.
How to prevent cyber attacks on industrial control systems
So, how can we convince critical infrastructure operators to take ICS cyber security risks as seriously as considerations about our physical safety, and indeed show them that the two are interlinked? The answer is a combination of legislation, cultural change and employee awareness.
The UK government’s 2017 proposal to implement the EU’s Network and Information Systems (NIS) Directive was a positive step. It forced critical infrastructure providers to put a determined cyber security strategy in place, or risk financial penalties.
The threat of being hit with a fine of up to £17 million, or four per cent of global turnover, will undoubtedly focus people’s minds and help to make this a board-level issue. But legislation alone is not enough, and can have the effect of making organisations compliance-driven, when what is needed is a security-driven mindset.
On-the-ground change requires a vastly improved level of cyber security awareness. Employees need to be trained to understand what constitutes safe behaviour in terms of cyber security, and how to avoid taking unnecessary risks.
Good cyber security training can dramatically reduce the success rate of commonly used attack techniques like spear phishing and other social engineering methods. For example, if employees understood the cyber security risks of a service engineer plugging their own laptop into the control network while performing diagnostic checks, industrial sites would be considerably more secure.
To bring this health and safety approach into the context of industrial cyber security, organisations should follow three key principles.
- Firstly, employees need to understand how their behaviour can reduce cyber risks
- Secondly, clear cyber security policies need to be set and reviewed regularly
- Thirdly, risk assessments need to be conducted regularly, to understand any potential risks and to implement mitigation measures
How secure are your industrial control systems?