Evolving impact of cybersecurity awareness and training in critical infrastructure environments


Escalating cyber risks and attacks have led to cybersecurity awareness and training making significant inroads into critical infrastructure environments, permeating the roles and responsibilities of automation engineers and plant managers. Highly digitized operational environments, characterized by interconnected systems, pose significant cybersecurity threats to industrial facilities and installations. Integration of cybersecurity awareness into the responsibilities of automation engineers and plant managers has also helped usher in heightened vigilance and proactive measures to safeguard critical systems across these operational environments.

Cybersecurity awareness measures have evolved to address changing challenges, emphasizing proactive risk management, threat intelligence, and incident response planning. Training programs have become more comprehensive, covering technical aspects and the human element, as employees play a crucial role in preventing breaches. Cybersecurity awareness and training are crucial for ensuring system resilience and security, responding to evolving cyber threats, and safeguarding vital infrastructure from sophisticated attacks.

Evaluation of CISA’s cybersecurity awareness in critical infrastructure

Industrial Cyber consulted experts to assess the evolving roles of automation engineers and plant managers in the context of CISA’s cybersecurity awareness efforts within critical infrastructure environments over the past two decades. Additionally, they examined the core principles and best practices emphasized in these cybersecurity awareness and training initiatives targeted at automation engineers and plant managers.

Matthew Rogers, ICS cybersecurity expert at the U.S. Cybersecurity and Infrastructure Security Agency (CISA)

“Over the past two decades we’ve seen automation engineers and plant managers brought into the fold of cybersecurity awareness training,” Matthew Rogers, ICS cybersecurity expert at the U.S. Cybersecurity and Infrastructure Security Agency (CISA), told Industrial Cyber. “Where the critical infrastructure environments were ignored, they are now a key focus area for keeping attackers out of operational networks.”

Rogers pointed out that “there are four steps we encourage everyone to take to be safe online, including change default passwords and use a password manager, turn on multi-factor authentication (MFA), report phishing, and update software during scheduled maintenance periods. Our recent ‘Secure our World’ public awareness campaign is intended for a general audience and applies across sectors—from individuals to small businesses to large companies.”

Armando Seay, cybersecurity expert and member of InfraGard

CISA’s Cybersecurity Awareness initiatives have progressively increased the best practices, threat information, and even open-source tools that were developed by CISA or by federal labs in collaboration with CISA, Armando Seay, cybersecurity expert and member of InfraGard, told Industrial Cyber. “It is important to remember that CISA’s ICS initiatives go beyond annual announcements and occur throughout the year.”

InfraGard stands as a distinctive collaboration between the Federal Bureau of Investigation (FBI) and private sector individuals, dedicated to safeguarding U.S. critical infrastructure and its citizens. The expansive public/private partnership unites infrastructure leaders, operators, and stakeholders with the FBI fostering education, networking, and information exchange to tackle security threats and vulnerabilities effectively.

He added that what CISA does well is to provide not only a broad range of emerging threat awareness that includes the actively exploited threats but also ICS vertical information for industries such as oil and gas, water plants, manufacturers, and more.

“An example would be the Oil and Gas Subsector Cybersecurity Maturity Model. CISA collaborated with the Department of Energy on this. This is also where CISA’s support for the ICS community excels, its collaborations with the Department of Energy, US Cyber Command, and the National Security Agency and labs, such as Idaho National Laboratories are also great examples of how CISA’s cybersecurity awareness efforts are cross-sector base.” 

Seay also highlighted that “CISA has done a great job of alerting the community with the up-to-the-minute active cyber threat information but also new vulnerability disclosures. CISA updates the OT community on best practices that can be implemented to detect and mitigate threats on OT networks including MITRE ATT&CK.”

Another example Seay focused on is CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) applicable to IT and OT.

Gregg Smith, CEO at MISI

“My hope is that over the course of the past two decades, critical infrastructure environments have evolved to actually train their IT or cyber staff to address the issues in the context of CISA’s cybersecurity awareness requirements,” Gregg Smith, CEO at MISI, told Industrial Cyber. “However, regarding the current state of cybersecurity readiness in critical infrastructure environments, we are stronger than where we were five years ago, but we have a tremendous amount more to go in preparing and protecting these critical systems.”

Nonprofit organization MISI focuses on cybersecurity, empowering individuals and advancing the technology required to tackle critical cybersecurity challenges. It centers its efforts around three key pillars: engagement with small businesses and academia, fostering STEM education and workforce development, and fostering proof-of-concept innovations.

Smith added that key principles and best practices that have been emphasized in these cybersecurity awareness initiatives include changing passwords, MFA, patching software, and keeping up with the common vulnerabilities and exposures (CVEs) of critical equipment. 

“I think it is critical for all employees at an organization to be trained on those best practices, not just the security team,” according to Smith. “And further, that the appropriate staff must be trained on insider threat risks as well. There should also be specialized training required on the operational technology being used at the organization, and this should be done on a continual basis.”

Navigating challenges in building cybersecurity awareness

The experts also delve into the hurdles and difficulties that organizations encounter when endeavoring to foster cybersecurity awareness within their critical infrastructure teams. They explore the measures implemented over time to address these issues. Furthermore, they examine the impact of specialized training and education programs designed for automation engineers and plant managers on bolstering cybersecurity awareness.

Rogers said that the key obstacle is that cybersecurity is often seen as time-consuming and an impediment to operators trying to do their jobs. “We approach this issue from two angles: reducing the friction from security controls (e.g., using an ID and pin number for MFA instead of complex passwords) and making cybersecurity a more tangible threat.”

He also highlighted CISA’s free ICS cyber education programs to help the ICS community understand how attacks happen. “This understanding helps them develop mitigations and buy-in to security processes.”

Seay outlined that cybersecurity awareness is a constant challenge, and its foundations are directly aligned with what we all call the weakest link, the human. “One of the challenges is how do you make it relevant, interesting, and easy to apply. Canned stock mandatory training typically does not work well. Also, one of the challenges is developing a culture of awareness. Without a culture and accountability, all manner of awareness training and programs tends to not be as successful as desired.”

“Employee recognition that rewards employees for proactive actions based on their cybersecurity awareness training elevates the importance for the entire organization,” Seay added. “Lastly, one of the challenges is making the time at the C-suite level to implement recognition and accountability programs using cybersecurity awareness and action as its foundation.”

Organizations, particularly large corporations, have allocated dedicated resources to providing continuous cybersecurity awareness to the enterprise and even more specific awareness training to the OT engineers and cybersecurity for OT staff, Seay said. “I have seen a few amazing approaches to continuous but also relevant training. Inserting outside subject matter expertise that is part of professional development in the OT environment is also a positive trend that successful corporations have implemented.”

Assessing progress and collaboration initiatives of cybersecurity readiness

The experts offer insights into the present cybersecurity readiness within critical infrastructure environments, shedding light on the progress made in safeguarding these vital systems since the inception of these initiatives. Additionally, they explore the pivotal role that collaboration and information sharing play in fortifying cybersecurity within the OT/ICS sector and examine how these initiatives have fostered and promoted such collaboration.

The state of OT cybersecurity awareness has come a long way in the last two decades, but this progress looks different across critical infrastructure sectors, CISA’s Rogers said. “Target rich, resource-poor entities including hospitals, schools, and water/wastewater facilities often lack the resources to maintain security training. Given these challenges, CISA works with all critical infrastructure entities to implement Cybersecurity Performance Goals to help them prioritize their limited resources.” 

He added that from a people perspective, “as we see increased IT/OT connectivity we are seeing a growing push for relationships between IT and OT staff. This push helps socialize security issues but can often be challenging at times, with IT folks not understanding the safety and reliability issues of OT networks. We encourage both IT and OT staff to engage with an open mind.”

Rogers identified that sector-specific Information Sharing and Analysis Centers (ISACs) play a huge part in socializing security issues. “CISA coordinates with ISACs, Sector Risk Management Agencies, and industry groups to share guidance and upcoming threats. These groups help IT/OT partners prioritize vulnerabilities and share resources.”

Seay observed that this tends to be a sensitive topic, as the reality is that readiness is first in the eye of the beholder, or based on regulatory compliance and the consequences of non-compliance, and then finally on the size and budget of the organization.

“While there remain substantial risks in the OT domain, we have come far with technologies that leverage AI, substantial cloud or other threat intelligence and we are slowly increasing the education system to include cybersecurity for OT as part of cyber curriculums,” according to Seay. 

He also pointed out that work by the government and federal labs, such as MITRE’s and CISA’s collaboration on CALDERA for OT, is a great example of tools that can help to close the gap in OT cybersecurity risks in organizations that might not be able to afford the commercial solutions. “The middle and small business markets are where I find a struggle for progress and while there is increased awareness, the resources just are not there or affordable. But an open source tool alone will not increase the resilience of OT cybersecurity environments in the hands of a non-technical resource or organization that does not have the talent on hand to implement it and achieve a result.”

Seay added that “while we may have come a long way in raising OT cybersecurity awareness to its proper place in the risk profile of organizations there is a tendency to still address OT in a silo. Manufacturers share knowledge with other manufacturers as the energy sector shares with others in their sector, the pattern continues across all sectors. The reality is that many threats are cross-sector in nature, I have seen the data. The fact is every IT-centric organization has OT threats that have not been addressed but invest every dollar in countermeasures in the IT domain.” 

He highlighted that this places the organization and its employees themselves at substantial risk. “OT-dependent health and safety systems, elevators, redundant energy, and electrical systems, and the many OT-driven building controls are all part of what allows the IT systems and the people who use and operate them to be able to rely on those systems for business. Take out the building’s infrastructure or its water supply or other systems and the organization crumbles.”

Seay recently reviewed the results of an OT cyber exercise that helped to create and launch an annual event. The knowledge of IT networks and protocols was easy to spot, and the participants performed well in detecting and defending against the IT-specific cyber threats that were part of the exercise. 

“The OT part of the exercise revealed a constant result that I have observed now for five years,” Seay said. “There was little to no understanding of the devices, the network protocols, and how to address threats to an OT environment. The tendency was to use traditional IT tools to tackle OT threats and related network analysis. This result was the same when it came to industry participants.” 

“The fix I believe is to prep in advance and help to mentor participants well ahead of the OT cyber exercise such that they begin to gain acumen and are more successful in the exercise,” according to Seay. “This fuels a thirst for knowledge and to be better.”

MISI’s Smith said that while certain sectors share information and certainly industry sector Chief Information Security Officers (CISOs) talk directly and share data, “I think we could do a significantly better job with collaboration and information sharing across market sectors. The State of Arizona for example does a great job with public-private sector information sharing. More states like Maryland are looking into this and following Arizona’s model. More work needs to be done across the board to keep up with growing threats to our critical infrastructure.”

Cybersecurity evolution among automation engineers and managers

The experts also examined the evolving perception of cybersecurity’s importance among automation engineers and plant managers in their day-to-day operations, and how this perception has evolved over the years. With the backdrop of measures and increased awareness during this period, they analyzed the insights gained by cybersecurity professionals regarding the critical infrastructure they are entrusted to secure.

“Cybersecurity has grown from a niche issue to one that everyone has a stake in and can relate to. We can see this with words like ‘ransomware’ becoming household concepts,” Rogers noted. “In OT environments, vulnerabilities can arise through an increased number of insecure remote connections that can be easily exploited by online attackers. Improving security awareness across the board will help automation engineers and plant managers understand the various risks when installing or using remote connections. Operators who use up-to-date tools and foster a security mindset in the workplace play a huge part in keeping their systems safe and secure.” 

It’s critical for cybersecurity professionals entering the ICS field to learn and understand the critical infrastructure they are going to support, according to Rogers. “ICS/OT security is a blossoming area and we’ve seen a positive change over the years with more cybersecurity classes geared toward understanding the actual physical processes underlying the critical infrastructure Americans rely upon.” 

He added that the first hurdle for most cybersecurity professionals is understanding why we can’t ‘just patch’ OT networks. “Those of us from a cyber background are extremely thankful to the kind and patient operators who helped us learn as we entered the ICS/OT space.”

Seay said that automation engineers have increased their knowledge and awareness of cybersecurity as the news continues to chronicle the detection of threats and the successful attacks that have crippled OT environments. “The threat intelligence available as a paid-for service or available in the public domain also has increased awareness along with the number of OT conferences.” 

He also identified a change beginning in the community, where the silos in the organization between IT and the automation engineers and plant managers come together to discuss cybersecurity threats, mitigation, and best practices.

“But the knowledge and support must come from the top as well. The C-suite executives need more forums centered on OT with their peers. The C-suite helps to develop or set the OT cybersecurity policies for their organizations,” Seay said. “The C-suite executives are also responsible for informing the board of directors and investors in the event of an incident or to gain the budget approval necessary to increase the cyber resilience of the organization by increasing the knowledge and tools available for the automation engineers and plant managers.”

Seay concluded that new cybersecurity regulations that flow liability to the board of directors, and new federal regulations such as those being implemented by the Department of Defense (DoD), are accelerating awareness, and the actions needed to comply are flowing throughout the plant and its engineers.
