Why changing your mindset on your biggest ICS risk is essential

In a world full of threats, cybersecurity staffing could be the leading risk.

By Karl Sharman, Vice-President, BeecherMadden

58% of the companies surveyed by Kaspersky (2018) classify hiring industrial control systems (ICS) cybersecurity employees with the right skills as a major challenge, a global issue in cybersecurity. Critical infrastructure companies often say that external factors, such as hiring the right staff, make it difficult to improve their cybersecurity standards. However, from experience, it is more a matter of mindset within both job descriptions and talent selection.

Today is full of potential threats to your organization, none more so than the cyber threat. Critical infrastructure is a leading target for specific foreign governments, criminals and terrorist groups. Most cyber-attacks are opportunistic, but within infrastructure 85% are targeted, according to Kaspersky (2017). This study stated that 73% were committed by outsiders and 27% by insiders.

According to Fortinet (2018), nearly 90% of organizations with connected Operational Technology (OT) have experienced a security breach within their SCADA (supervisory control and data acquisition) or ICS systems. Often our first thought is to protect the IT within an organization; however, many of the organizations within critical infrastructure are more complex due to the OT systems required for business operations.

There are many different examples of OT, such as ICS, automation and process control networks (PCN). There is also SCADA, which is utilized within oil & gas, pharmaceuticals, and the energy sector.

The pressures on systems have led to an interconnected OT and IT environment, with many Internet of Things (IoT) devices connected to the IT infrastructure to improve efficiency through smarter, data-driven decisions. With the speed of transformation, threats have also shifted more quickly and are constantly evolving. In 2018, ICS-specific malware, such as Stuxnet, BlackEnergy, Havex, Crisis, and CrashOverride, was hitting critical infrastructure companies.

To compete in this cyber war, there has been a push for further integration between the OT and IT teams, which now seems unavoidable. Security posture depends on how effective both sides can be at security. To date, the inability to identify or act on business operations risks has been a stumbling block for securing ICS. When I speak to clients, often their challenge has been identifying or attracting the small talent pool of security expertise within OT to further develop this.

A change of mindset is about looking at the bigger picture. Companies often demand high-level, experienced security talent through complicated and time-consuming processes, which only adds to budgets and business risk. Obviously, still hire the best security team you can, but make educating your employees a top priority, including cross-training between OT and IT. If they can spot a phishing attack, or know to only use company hardware, you can protect yourself against a large number of attacks. It is important to have a security team in place that understands the threat but also your business. There are a number of solutions that this talent can implement with you that will dramatically improve your defenses. Not all of these involve a large amount of spend, and getting the right people will help you get the right solution that fits your risk appetite.

Gartner (2018) believes there is an 80/20 rule of thumb in the answer: 80% of the security issues faced by OT are almost identical to IT, while 20% are unique and cannot be ignored. The 80% means that the similarities in experiences and threats being seen in OT can be managed and handled by the same expertise that is being hired in the security space. OT is no doubt slower and scarier, and failure has bigger implications, but a change in mindset from senior management within the company would lead to more hires in this space, as their primary security focus should be about ensuring control.

Identify talent who:

  1. Understand complex environments within security
  2. Are passionate and want to learn about ICS
  3. Have managed complex environments such as networks & applications
  4. Are driven by safety and low amounts of downtime
  5. Understand your business

Your employees are your first line of defense against external threats. While a state-sponsored attack will have a 98% success rate, the majority of threats can be defended against with simple security provisions (Forbes, 2018). So, it’s time for you to remove silos and build the task force you require for the future of your organization.

About the Author

Karl Sharman is a Cyber Security specialist recruiter & talent advisor leading the US operations for BeecherMadden. After graduating from University, he was a lead recruiter of talent for football clubs including Crystal Palace, AFC Wimbledon & Southampton FC. In his time, he produced and supported over £1 million worth of talent for football clubs before moving into Cyber Security in 2017. In the cybersecurity industry, Karl has become a contributor, writer and a podcast host alongside his full-time recruitment focus. Karl can be reached online at [email protected], on LinkedIn and at our company website http://www.beechermadden.com

April 7, 2019
