Why critical infrastructure businesses shouldn't wait for a cyber crisis to push for cultural change [Q&A]
Cybersecurity is important to any enterprise, but it's especially key to those that are delivering critical infrastructure.
But recent research from Nozomi Networks shows that often the development of a holistic security approach is being driven by events such as security breaches.
We spoke to Andrea Carcano, co-founder and chief product officer at Nozomi to find out why organizations need to be more proactive in their approach.
BN: Are today's critical infrastructure organizations doing enough to integrate cyber and physical layers of protection?
AC: Cyberattacks on critical infrastructure are increasing rapidly in number and complexity. Pipelines, power grids, telecommunications networks, ports, dams, banks, and healthcare systems are all vulnerable. The growing integration of information technology (IT), operational technology (OT) and physical systems is an important factor in their vulnerability. A recent survey from Nozomi Networks and Newsweek Vantage questioned 400 C-level executives from critical infrastructure organizations and found that nearly 9 out of 10 critical infrastructure organizations (88 percent) have either already integrated their systems or say the integration process is underway.
The survey found that in response to the integration of cyber and physical systems, 70 percent of critical infrastructure organizations are taking steps to address the new vulnerabilities, though the specific nature of these steps varies. This data is encouraging but also indicates that many critical infrastructure organizations still have work to do when it comes to implementing a holistic approach to securing cyber-physical systems.
BN: What are the major obstacles to a holistic approach?
AC: Our global survey found there are three major obstacles to implementing a holistic approach to securing cyber-physical systems: organizational, technical and external. The main organizational obstacle to achieving a holistic approach is differing opinions from IT and OT on what needs to be secured. This in turn leads to different risk management priorities. IT has traditionally focused on data security, in which a cyber threat could result in the theft of millions of dollars of intellectual property, corporate financials, and employee or customer information. By contrast, OT has focused on operational continuity and safety.
Technical obstacles to a holistic approach include the differences in IT and OT operation environments, the difference in IT and OT skill requirements and the differences in the security threats faced on both sides.
Finally, perhaps the most significant external obstacle to a holistic approach to cyber-physical systems is a lack of adherence to standards. There are not enough appropriate industry yardsticks to help ensure the performance claims of competing security products, and even more, there is a lack of established IT standards and a lack of awareness of OT standards.
BN: What does a holistic approach to securing cyber-physical systems look like?
AC: Our survey found that 88 percent of critical infrastructure organizations have either already integrated their IT, OT, IoT and physical systems or say the integration process is underway. In spite of that, most organizations are still struggling with what a holistic approach to cybersecurity looks like. Achieving a holistic approach is not technically difficult -- it's culturally difficult. To overcome the cultural obstacles to a holistic approach, the most important factor is to build a team that includes IT, OT and physical security, along with cross-training of the teams from these three areas. The 'people factor' is the most important element -- making sure you have the right team with the right mindset to work cross-functionally.
BN: What are the major drivers of adopting a holistic approach?
AC: As in many areas of risk management, it often takes a crisis to change an organization and cybersecurity is no different. In fact, when C-level executives were asked what drove them to develop a holistic approach to cyber-physical security, more than half (64 percent) say it took a cyber or physical security breach to take action.
Without a crisis, it's often hard to change culture. It can be difficult to alter habits of thought and traditional business practices. Employee resistance to cultural change is the biggest obstacle. But achieving a cultural shift and getting broad buy-in is possible if you focus on these areas:
- Raise and apply cyber-physical standards where possible. There are standards for the cybersecurity of automation and control systems, and they should be universally adopted. The fact that there are several standards is not a good reason for asset owners and vendors to fail to apply them. The same goes for certification. Right now, engineers can work on the security of control systems without a relevant certificate. If project managers need a certificate to work on such projects, it makes no sense to ignore this stipulation for cybersecurity.
- Do things in the right order. Set up a good structure of governance for cyber-physical security, with clear lines of accountability. Sources, such as the US National Institute of Standards and Technology Cybersecurity Framework, describe a systematic approach with references to applicable standards for each step. Train all personnel thoroughly on their cyber-physical responsibilities. Design the organization's policies and procedures to align with those pertaining to cybersecurity and vice versa. Only then decide on what technologies to invest in that will support the other elements.
- Don't punish people if they admit to having made a mistake. Organizations tend to penalize those who make errors. Instead they should encourage personnel to own up when a cybersecurity breach occurs or, even better, when they recognize and disclose a mistake that might lead to an incident. A failure is an opportunity to learn how to do things better.
- Treat cyber-physical security in the same way as physical safety. The safety of employees and the public is considered of paramount importance at every organization. It's considered everyone's responsibility in the organization. There is no reason why cyber-physical security should not be treated the same way.
- Cyber-physical security is not 'one and done.' It's always evolving. Organizations should not think cybersecurity efforts are complete once they've implemented a holistic program. The job of securing assets and employee behavior should be continually updated because threats and vulnerabilities are constantly changing.
It doesn't have to take a catastrophe to spur organizations to change. Critical infrastructure organizations are facing ever-developing risks to their cyber-physical systems. Now is the time to push for change, so that they are in a better position to respond to an incident should it occur.