Standards committees and other industry groups have developed and promoted several conceptual models that describe a stepwise approach to cybersecurity for industrial control systems (ICS) and other operational technology (OT) products and applications. These models address the people, process, and technology elements of the cybersecurity response.
Before any of these recommendations can be implemented, managers must first understand and accept the risks they face and the potential consequences. This begins with Cybersecurity Awareness. Without it, there can be active resistance to security-related recommendations. It is essential for industrial cybersecurity professionals to recognize this, and an understanding of human behavior can help.
The Kübler-Ross model (often referred to as “The Five Stages of Grief”) describes a progression of emotional states associated with traumatic events. This model offers an interesting way to understand (and thus better address) these industrial cybersecurity-related challenges.
Applying the Kübler-Ross Grief Model for Cybersecurity Awareness
At first glance the Kübler-Ross Grief Model may appear to have little to do with how we manage the security of automation systems and operational technology (OT) in general. However, there are parallels between it and acceptance of the growing threat of cybersecurity attacks or compromises of automation systems used in the critical infrastructure. This is not surprising, since the model reflects human behavior when faced with stress.
When asked about programs and levels of preparedness in the face of potential attacks or compromise, common responses heard include: “We are not a target,” “Why would anyone attack us?” or “We are not connected to the Internet.” The assumption that responsibility for cybersecurity rests exclusively with the IT department is also a form of denial.
Any of these responses is potentially dangerous. Even if a facility is not the specific target of an attack, this does not mean that it will not be impacted by general or non-targeted malicious software that circulates in the public domain. Based on anecdotal assessment reports, it is common to find direct or indirect network connections that the asset owner may not even be aware of. Even without direct network connections, it is possible for systems to be compromised through portable media such as USB drives.
When presented with these realities, it is common for managers to express anger or frustration. This is almost certain to happen in the wake of an actual attack or incident that negatively impacts critical systems. This is evident from the types of questions that responsible managers will pose to their staff. Examples include:
- Why didn’t you warn me about the risk of network connections?
- Why can’t we meet the legitimate needs of the business in a secure manner?
- Why have we allowed sloppy practices such as the sharing of portable media to increase the risk to our systems?
Managers may ask questions like these even after previously refusing to heed warnings and provide the resources required to improve the security of key systems before an incident occurs. This can in turn lead to frustration on the part of cybersecurity professionals whose advice was not taken.
While both responses are understandable, they do little or nothing to address the real problem or improve the situation. Despite the unfairness of such comments, it is important to focus as quickly as possible on what can be done to mitigate any damage and prevent further occurrences. Rapid response is necessary not only to address the immediate risk, but also to better protect systems in the face of evolving risk. Additional threats and vulnerabilities will emerge over time, possibly resulting in even more serious consequences.
Identifying, analyzing, and selecting solutions to improve system security typically includes various types of bargaining. Internal and external discussion and dialog in this phase revolve around a fundamental question: “If we take certain steps now, will they increase our protection and mitigate consequences?” Of course, the difficulty is in determining exactly which steps or measures are “right” or most appropriate for the situation.
This may be the most interesting and dangerous stage, as it requires steadfastness in the face of urgency. It is essential to reconcile input, opinions, and proposals from different stakeholders and advisors, each of whom will bring their own perceptions, biases, and agendas. Support staff are influenced by their past experience, and potential suppliers will typically promote their products over those of their competitors.
The most critical need at this stage is for a well-defined and proven process for identifying and evaluating proposed solutions. The key input to this process is a clear set of constraints, expectations, and requirements. Where possible, the latter should be based on or derived from established industry standards and practices. Failure to use such a process will almost certainly lead to unnecessary spending and incompatible or even conflicting solutions. ARC selection guides can be a valuable tool in this stage.
Unfortunately, threats and vulnerabilities are constantly evolving, and new attacks are reported regularly. Each new report triggers an exercise to reassess protective tools and processes, leading to further frustration and fatigue. At this stage it is common to become resigned to the inevitability of an attack or some type of cyber-related incident, which can be very discouraging. This does not mean that response is futile. On the contrary, this inevitability makes it essential to have a plan for response in advance.
To offset the natural discouragement, it is important to remain aware of not only successful attacks or incidents, but also the successes that others have had in mitigating threats or even preventing incidents. This latter information is sometimes difficult to find, since most companies are reluctant to share it. However, it is often possible to collect some of it in conferences and user group meetings such as ARC’s annual Industry Forums, which typically include dedicated cybersecurity workshops and sessions.
Recognition of the fact that virtually all computerized systems are at risk creates an environment for proper cybersecurity management. However, simple acknowledgment is not enough. It is also essential that managers understand that managing cybersecurity risk is no different from managing any other type of risk, such as personal safety or handling hazardous materials. Many companies already have processes and procedures in these areas, and managers need to accept the need for a sustained cybersecurity response.
The most effective security programs are integrated with risk management in other areas, notably process safety. Standards development organizations such as ISA and IEC have recognized this and are linking their safety and security standards and practices to use common tools and methodologies such as process hazard analysis (PHA). Several companies now offer “cyber PHA” services to help with this approach. The basic elements of such an approach are also appearing in recently developed standards such as ISA-62443-3-2.
Industrial asset owners – particularly those in the critical infrastructure – face a daunting challenge in defending and protecting the integrity of their automation systems in the face of rapidly evolving cybersecurity risks. One of the first and perhaps the most important milestones in successfully meeting this challenge is to understand and accept what can and cannot be changed. Only with this understanding is it possible to define and implement an effective cybersecurity management system.
Cybersecurity is and will most likely remain a complex and arcane subject. Although we’ve seen steady improvements in the methods and tools, effective application still requires specialized expertise. Technical expertise is essential, but not sufficient. Experts must also have practical experience in industrial or operations environments to be most effective and avoid potential misapplication of specific solutions. They must be able to collaborate and work closely with their counterparts in other disciplines, such as automation and process safety.
Finally, members of the cybersecurity team must be able to effectively communicate with management and other non-technical personnel to help them understand the nature of the possible risks, the required response and the need for any changes in their behavior. It is in this endeavor that an understanding of the awareness stages is most important and useful.
Based on ARC research and analysis, we recommend the following actions for owner-operators and other technology users:
- Understand the basic steps to acceptance of the reality of the cybersecurity risk, and work with stakeholders to get them through the intermediate stages as quickly as possible.
- Prepare to encounter denial when first raising the prospect of a cybersecurity risk. Respond with facts and anecdotal evidence where possible.
- Respond to anger and frustration with assertiveness, based on a solid understanding of what has been done and what else may be required.
- Use a multi-disciplinary approach to address cybersecurity risk, stressing the need to share methods and tools across disciplines.
ARC is prepared to assist you and your organization with a Cybersecurity Workshop.
Keywords: Cybersecurity Awareness, Cybersecurity Response, Five Stages of Grief Model, ARC Advisory Group.