Abstract
Cybersecurity in industrial control system environments has become a significant
concern and is even more relevant in the context of critical infrastructures where control
system disruption could have a profound impact on health, safety and the environment.
This makes this type of system a major target for malicious activities. Notwithstanding
an organization’s interest in protecting its industrial control systems against cyber-
attacks, the implementation of security measures, whether technical, organizational or
human, still faces resistance and is often seen as a constraint. Using the best technology
to protect industrial control systems makes no sense if persons with access do not act
attentively and protectively. Technical and human cybersecurity measures are
intrinsically linked, and it is essential that all persons with access to these systems are
fully aware of the inherent cyber risks. Organizations must also act so that staff receive
appropriate training on how to keep systems continuously protected against cyber-attack
when carrying out their daily tasks. These educational processes can contribute to
building an effective cybersecurity culture fully reflective of management and staff
attitudes, so that the availability, integrity and confidentiality of information in industrial
control systems can be assured.
Index terms: Industrial Control System, cybersecurity culture, training,
awareness, security measures framework
1. Introduction
International Journal of Information Security and Cybercrime Vol. 8 Issue 1/2019
safety, with a view to averting the threat of major industrial accidents and environmental
disasters[2]. The output of these systems is typically physical.
ICS Cybersecurity culture: a subculture reflecting an organization's attitudes towards
industrial cybersecurity and safety.
Regulatory landscape
The alignment of ICS cybersecurity with National Cyber Security Strategies and Critical
Infrastructure Protection efforts is evolving. Multiple guidelines, ICS security standards and good
practices have already been developed in the ICS community. Organizations are therefore advised
to derive from these a security baseline and good practices to protect their ICS installations
against cyber risks.
To deal with ICS cybersecurity threats effectively, and attain the appropriate level of
cybersecurity culture, it is very important to develop a highly focused awareness, training and
education process. “A culture of cybersecurity encompasses the practices, policies and ‘unwritten
rules’ that employees use when they carry out their daily activities”[3]. In this process, it is also
important to make a clear distinction between awareness, training and education[4]:
• Awareness should be inclusive of all personnel having access to the systems concerned
so that a common understanding of the issues can be established, focusing attention on
security and reinforcing the sense that everyone has a role in this. It supports the process
of change in organizational attitudes about the importance of security and the adverse
consequences when security fails.
• Training usually refers to instruction on how to carry out security-relevant procedures
and processes. Training sessions should be adapted depending on the profile of the
personnel involved, their level of knowledge and the need to take into account the
changes in behaviour expected from them.
• Education is a lifelong process that involves gaining new skills and know-how to
enhance security practices to reach an educational level where the beliefs, values and
attitudes of management and staff are reflected in appropriate cybersecurity behaviour.
[2] ENISA: Analysis of ICS-SCADA Cyber Security Maturity Levels in Critical Sectors
[3] MIT sources: 2017-07-Summary-of-Working-Session-on-Creating-a-Cybersecurity-Culture.pdf; Cybersecurity-Culture-HICSS-MISQE.pdf and Profiling_the_organizational_Cybersecurity_culture.pdf
[4] ISC² on-line training: Building a Strong Culture of Security
Section II - Studies and Analysis of Cybercrime Phenomenon
2.1 Challenges
Creating a resilient ICS cybersecurity culture involving everyone who has access to ICS
premises and assets is a major challenge.
Handling cultural aspects implies dealing with behaviors and actions, intangible elements
whose effectiveness is difficult to measure. To achieve this, it is fundamental to find an effective
balance between the appropriate security technology to use and appropriate human behaviour, so
that ICS cyber risks can be reduced to an acceptable level.
• Human factor: For many years, traditional cybersecurity has focused on securing the
technology. Humans have been treated as components whose behaviors can be
prescribed through security policies and controlled by security mechanisms and
sanctions. Such mechanisms have been demonstrated to be largely ineffective[5].
The consequences arising from the human factor in cybersecurity are never resolved, and
there is no simple ‘solution’, but human skills and knowledge, rather than vulnerabilities, can be
made to work in favour of an organization’s defensive cybersecurity[6]. In the cybersecurity
domain, the human factor has very often been identified as the weakest link and, by a wide margin,
most cyber-related incidents are linked to human action.
This approach aims to provide guidance to managers on how to challenge this concept,
building or reinforcing a cybersecurity culture where personnel are not just thought of as the weak
link but are acknowledged as the first line of defence on which an organization can count.
[5] Studies from 1999: Whitten & Tygar (email encryption); Adams & Sasse (password policies)
[6] ENISA: Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity
3. Methodology
This study aims to provide guidance on how to develop and strengthen an ICS cyber-security
culture. The methodology described will help establish awareness, training and education
programs, and encourage the motivation, commitment and voluntary participation of the staff
involved.
• After analysis of the survey results, management can define its cybersecurity culture
goals based on five organizational aspects as outlined below:
1. Leadership: Top management priority, participation and knowledge;
2. Group: Community norms and beliefs, teamwork perception, inter-departmental
collaboration;
3. Individual: Employee self-efficacy, awareness of ICS cybersecurity policies and general
cyber threats, in-role and extra-role cybersecurity behavior;
4. Process: Organizational learning, cybersecurity training, communications channel;
5. External influences: Societal cybersecurity culture, external rules and regulations, peer
influence.
• Following on from the previous steps, the ICS cybersecurity culture implementation
process can now be driven in terms of priorities, planning of activities, investment and
program evaluation.
3. Encouraging personnel to display extra-role behaviors;
4. Securing personal technology;
5. Encouraging cooperative helping, etc.
The value of an in-house ICS framework (e.g. ENGIE ICS Security Framework)
Industrial control systems must be protected against unauthorized access, use, disclosure,
disruption, modification or destruction. To address this, ENGIE has developed and implemented
an ICS Security Framework based on the group ICS security policy. The Framework supports
ENGIE’s industrial sites in securing their ICS installations throughout their lifecycle and allows
their cybersecurity posture to be assessed.
The ENGIE ICS Security Framework is a set of 19 mandatory security controls aiming to
reduce risk to an acceptable level. Once implemented, the effectiveness of the security controls
is evaluated and reported to higher management.
Among the measures to continuously safeguard the organization, this procedure is a major
pillar of ICS protection contributing to the creation of an effective ICS security culture. It supports
ICS leaders in defining the behaviors expected from all personnel who have access to the ICS
and its premises, and provides clear information about roles, responsibilities and accountability.
The ICS security policy, ICS Security Framework and all other ICS procedures and related
documents must take this principle into account and make its implications clear for every
individual concerned.
• Basic - activities are not conducted;
• Developing - activities are under development or conducted in an ad-hoc manner;
• Established - activities are regularly conducted at a basic level;
• Advanced - activities are implemented with a deep understanding of specific ICS
requirements;
• Leading - activities are implemented at a level exceeding current basic needs (designed
to address needs whose arrival is foreseen).
4. Preliminary conclusion
5. Next steps
References:
Copyright of International Journal of Information Security & Cybercrime is the property of
Romanian Association for Information Security Assurance and its content may not be copied
or emailed to multiple sites or posted to a listserv without the copyright holder's express
written permission. However, users may print, download, or email articles for individual use.