In 2013, the Association for Talent Development reported that U.S. corporations spent over $164B on employee training. In 2015, Gartner estimated growth in cyber awareness employee training reached $1 billion globally. Looking at 2017, Peter High reports in Forbes that security is the No. 2 top concern for CIOs—up from No. 9 just four years ago. And it's been widely reported that behavior of employees and vendors rank among the most likely causes of security risk.
So, if security has risen to be among the top concerns of CIOs, and both employees and vendors are top contributors to security exposure, isn’t it time to prioritize cyber security training to build resilience into your organization?
The continuing growth of the Industrial Internet shines a bright spotlight on the importance of securing operational technology (OT) environment and industrial control systems (ICS). Today, threats come not only from bad actors and broadening attack surfaces, but also from inherent vulnerabilities, like lagging technical controls and inadequate cyber security readiness. How can your company overcome these hurdles to successfully prevent system disruption and ensure critical asset protection?
Overcoming Cyber Security Hurdles
While many organizations may defer to their IT security training programs to help with the demands of OT, it is important to realize that IT security controls are not always applicable to OT or ICS environments. In fact, IT security controls are usually insufficient to address the unique nature of OT environments. For example, there’s a big difference between securing a website versus a wind turbine.
Industrial organizations need a clear path toward adapting traditional efforts to protect critical infrastructure. This path requires several elements:
- Awareness of emerging threats
- Attention to existing vulnerabilities
- A common understanding of best practices
- OT-specific training programs for both asset operators and IT security professionals
A good training program gives ICS operators a deeper understanding of networking and network security. Likewise, it also provides IT security professionals with a deeper understanding of unique ICS challenges.
With common understanding, both sides have an easier time communicating and improving the security posture.
Build a Custom OT Cyber Security Program
Step one of any security management and training program is employee training. It’s crucial, and it should be mandatory.
A good training program will help personnel understand the fundamental risks associated with ICS environments—from a basic introduction to the new wave of cyber attacks on critical infrastructure to real-world examples and applicable best practices. Ideally, the program should include a choice or combination of in-classroom and online coursework.
Classroom-style training is designed to introduce participants to the unique cyber security needs of operational technology and offers the benefits of cross-function collaboration, as well as real-time interaction with an experienced cyber security specialist. Classroom courses should also be designed with both operators and IT security professionals in mind, with a focus on actionable insight, not just theory.
Web-based programs can accommodate employees concerned about taking time away from work. With online programs, employees can complete courses at their own pace, and focus on topics that are more relevant to their roles. For example, modules may include an introduction to key cyber security fundamentals like cryptography, security communication protocols, and wireless security. Or, they might delve deeper into detailed analyses of risk evaluation, action, and realized threats.
The goal of cyber security training is to make cyber security top of mind, providing a deeper understanding of vulnerabilities and threats, as well as tangible steps to take to improve the company’s security posture. While participants might not walk away as cyber security experts, they will gain a general awareness of common security controls and regulatory requirements, and how they are used to improve overall security posture and reduce risk.
A key benefit of a training program is that participants can return to work and share what they’ve learned with colleagues. Additionally, they might implement additional security controls, or begin to incorporate better security into the design of ICS systems. They can also start to consider more granular, role-based training. For example, asset operators might realize the need for specific training associated with the level of access and control they have within the system they are responsible for.
Synergies of Risk Assessments and Training
In addition to understanding the common vulnerabilities that contribute directly to risk in an ICS environment, it’s also important to consider risks that are specific to your business. One way to do this is to perform a cyber risk benchmark or an internal or third-party assessment. This provides your organization with a high-level blueprint to help you determine the current cyber security posture of your organization–where you are today–so that you can lay out a plan for where you want to be in the future.