Today, many industrial plant managers and other automation and control system professionals recognise current cyber-security risks, but aren't always positioned to combat them. Unfortunately, many organisations lack the expertise and knowledge to protect these systems from attacks. Whilst many people entering work may be digitally skilled, older generations have had to adapt to digitisation, which exacerbates the skills gap. That is why organisations must invest in security skills now, to secure their systems for the future.
Cyber-security breaches have been well documented in recent years and are hitting organisations of all sizes, across a range of industries and sectors. This is nowhere more apparent than in sectors such as manufacturing or critical infrastructure that are reliant on industrial control systems (ICS) for the smooth running of their operations. Indeed, the reliance on control systems continues to expand across not only industrial settings, but also the operation and maintenance of our cities, our buildings and all kinds of modern smart applications.
Developments in technology and connectivity have helped drive productivity, efficiency and revenues, but have also introduced risk. Shifting to cloud-based IT solutions, introducing connected devices and relying on digital technology for operations and processes have left many systems vulnerable to attack. When hackers breach business IT systems, data can be compromised and revenues may take a hit, but when attacks target utilities and critical infrastructure, the damage can be much more severe and far reaching.
In May this year, hackers targeted the computer networks of US companies operating nuclear power plants. Although spokespeople claimed that operating systems were not compromised, this serves as a stark warning to all businesses to invest in security personnel, as well as skills and training for existing staff. To date, many businesses have upgraded their IT and operating systems or embraced the Internet of Things, but have failed to educate employees on best practice and security when using these systems.
Education, education, education
According to a SANS Institute report, budgets for training and certification of staff responsible for implementing and maintaining industrial control systems have fallen considerably, from 34 percent in 2016 to 26 percent in 2017. This is despite the rise in cyber-attacks – incidents of ransomware, for example, have risen 300 percent since 2015 – and prominent media coverage. Furthermore, the same report revealed that businesses are cutting their budgets for bringing in trained security staff and consultants.
This approach will only serve to worsen the skills gap. In a recent study, 82 percent of respondents reported a shortage of cyber-security skills within their company, and 71 percent agreed that the shortage of skills does direct and measurable damage to their business.
Whilst weaknesses in IT systems can be to blame for cyber-breaches, it is actually people who pose the greater risk; almost 90 percent of cyber-attacks are caused by human error or behaviour. Some instances will stem from malicious action by staff, but many will simply involve employees who have not received adequate training and lack the knowledge of how to operate and maintain IT systems securely, or even how to spot that there is an issue.
When it comes to ROI, education provides the best outcome. Reducing training and certification budgets is highly counter-intuitive given the rise of threats like ransomware, the expanding number of attack vectors, and overall threat levels. Attacks are happening in industry on a daily basis, so before putting in place even more new technologies, businesses need to ensure areas that have already been streamlined are properly protected.
Pumping funds into education and bringing in external security expertise will help ensure that all employees are equipped with the necessary skills to protect against and prevent cyber-attacks. Sharing knowledge throughout a workforce will help plug the skills gap, and reduce the risk of security breaches in the long run.
The current situation is not all negative: according to the SANS Institute report, employees do devote time to the security of industrial control systems (ICS). For the largest organisations, the highest percentage spends more than three quarters of their time focused on ICS security. Respondents in moderately sized organisations chose the 10 to 25 percent timeframe most frequently, and respondents from the smallest organisations chose the 'more than 76 percent' category most frequently.
However, it still seems that many businesses have a gap in their workforce for specialist skills and for staff solely devoted to ICS security. The same report revealed that a large number of respondents had to balance their ICS security duties with a significant proportion of secondary responsibilities. At the heart of it, businesses should be upskilling staff to become dedicated security professionals, rather than splitting their time between a security role and another, which is where cracks appear.
Closing the skills gap is not necessarily about hiring new staff, which can be costly and time-intensive. Instead, it is important that organisations bring in external guidance and expertise to help secure existing and new control systems and technology. This is important in areas like security analysis and assessment, where a second pair of eyes may be more likely to pick up weaknesses in a system. This also has the added benefit of introducing specialist knowledge to an organisation, which can be shared amongst employees.
Adapting to change
Many organisations have readily embraced new technologies, innovative control systems, the IoT and digital initiatives. However, without a workforce trained in how to securely operate and maintain these systems, the investment could do more harm than good. The security skills gap can only be closed when businesses invest equal resources in building an educated, informed, well-equipped workforce and in growing its skill set over time.
Contributed by Doug Wylie, director of SANS Institute's Industrials & Infrastructure Practice
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.