A brief scan of the news reaffirms that cyberattacks targeting critical infrastructure organizations are on the rise.
Daily headlines highlight the latest ransomware attacks, data breaches and new phishing techniques, bringing to light an epidemic that has resulted in financial, operational and reputational damage for businesses, governments and the general public alike.
Today, cyberattacks put a lot more than just our personal data at risk – threat actors have increased the regularity with which they target the infrastructure that supports mission-critical systems, such as power grids, water utilities, healthcare systems, nuclear facilities and emergency services.
A report from the Ponemon Institute revealed a steady rise in cyberattacks against critical infrastructure, stating that “Nation-state attacks are especially concerning in the [operational technology] sector because they’re typically conducted by well-funded, highly capable cyber criminals and are aimed at critical infrastructure.”
These critical infrastructure sectors – of which there are 16 – ultimately impact how our daily lives function and when attacked could have lasting global effects.
Just last month, E&E News reported on the first cyberattack on the U.S. power grid as identified by the North American Electric Reliability Corp (NERC). While nation-state reconnaissance has occurred for years, this attack is unique in that it is the first to facilitate “minor impact.” In contrast, other critical infrastructure sectors like healthcare and financial services have suffered the consequences of cyberattacks for over a decade, as the personally identifiable information that is regularly sought can rake in millions on the Dark Web, in addition to the many benefits associated with intellectual property theft.
Critical infrastructure cybersecurity training today
As mentioned, cybersecurity is not unknown to critical infrastructure sectors. In response to the integration of information technology systems with operational technology systems and the emergence of the industrial internet of things, an increased focus on risk mitigation and industry and federal regulatory compliance emerged. At the same time, a new challenge came to light – there simply aren’t enough cybersecurity workers to fill the number of open jobs.
To limit risk, most critical infrastructure organizations provide some level of security awareness training company-wide, but it’s often limited to very basic information, such as how to identify and report a phishing email. Advanced training is not typically given to ordinary workers, and many critical infrastructure stakeholders are never properly briefed on how to handle suspected cyber threats.
This is a serious problem in today’s connected world, where vulnerabilities and cyberattacks can come from anywhere at any time, including a remote worker, a contractor, a device or even technology that appears on its surface to be benign, like a smart thermostat.
To put it into perspective, most of today’s critical infrastructure (CI) organizations remotely monitor the status and location of trains, buses and trucks; they can adjust the flow of crude oil and natural gas through pipelines remotely; water and electricity consumption can be monitored and changed from a centralized location; and medical devices can be monitored from half a world away. These conveniences cut costs, increase efficiency and overall make our lives easier – but as the number of interconnected systems continues to rise, so does the attack surface. As a result, more employees across a CI ecosystem are a threat, whether they know it or not.
Training needs to go beyond phishing
Critical infrastructure organizations can no longer go through the motions of cybersecurity awareness training thinking their technology and security teams are enough to maintain control. Instead, all employees must begin to understand that any interaction with technology can play a role in a cyberattack. This represents a change to both culture and strategy – which is never easy to deploy despite its necessity.
Ultimately, CI organizations must begin to teach every employee and stakeholder that every person – no matter their role – plays an important part in protecting mission critical infrastructure. And not just with scare tactics, but with the knowledge and understanding of how cyberattacks operate and how to handle them.
Leaders should consider some of the following steps:
- Prioritize practical, hands-on critical infrastructure protection (CIP) cybersecurity workforce training rather than just relying on theories and concepts that are difficult to visualize.
- Set up the right incentives, performance management, training, processes, procedures and other systems to ingrain the mindset and cultural changes needed.
- Train OT professionals in technologies and processes that are valuable to making CI stronger and more resilient.
- Lead by example – have all managers and leaders in CI take in-depth CIP cybersecurity training courses to become knowledgeable in cybersecurity for CI and to understand how to communicate that information to everyone involved.
Protecting critical infrastructure against cyberattacks is a two-part problem. We must put in place better protections, more advanced security protocols and better incident response plans, but that starts with better cybersecurity knowledge across the entire CI workforce. Ultimately, we need to change the way everyone in the CI ecosystem thinks about cybersecurity. The success of critical infrastructure protection relies on the steps taken by the workforce to mitigate risks – and that starts with the knowledge and understanding of the nuances that make up CIP cybersecurity. In today’s world, you cannot afford to not train every CIP stakeholder in cybersecurity.
Dan Lanir is vice president of customer success at OPSWAT, a San Francisco-based software company.