
Section II - Studies and Analysis of Cybercrime Phenomenon

Building a Cybersecurity Culture in the Industrial Control System Environment
Claudia Araujo Macedo¹, Jos Menting²
Linkebeek, Belgium
¹ e-mail: claudia.macedo@engie.com
² e-mail: jos.menting@engie.com

Abstract
Cybersecurity in industrial control system environments has become a significant
concern and is even more relevant in the context of critical infrastructures where control
system disruption could have a profound impact on health, safety and the environment.
This makes this type of system a major target for malicious activities. Notwithstanding
an organization’s interest in protecting its industrial control systems against cyber-
attacks, the implementation of security measures, whether technical, organizational or
human, still faces resistance and is often seen as a constraint. Using the best technology
to protect industrial control systems makes no sense if persons with access do not act
attentively and protectively. Technical and human cybersecurity measures are
intrinsically linked, and it is essential that all persons with access to these systems are
fully aware of the inherent cyber risks. Organizations must also act so that staff receive
appropriate training on how to keep systems continuously protected against cyber-attack
when carrying out their daily tasks. These educational processes can contribute to
building an effective cybersecurity culture fully reflective of management and staff
attitudes, so that the availability, integrity and confidentiality of information in industrial
control systems can be assured.
Index terms: Industrial Control System, cybersecurity culture, training,
awareness, security measures framework

1. Introduction

1.1. Let’s start by defining concepts:


Culture: the coalescence of group behaviors, values, principles and norms around an idea,
concept or social construct.
Organizational culture: culture as it applies to organizations and business entities¹.
ICS (Industrial Control System): a general term referring to an automation system responsible for data acquisition, and visualization and control of industrial processes, found in various industrial sectors and in critical infrastructure. These systems play a crucial role not only in maintaining the continuity of industrial processes but also in ensuring functional and technical safety, with a view to averting the threat of major industrial accidents and environmental disasters². The output of these systems is typically physical.
ICS Cybersecurity culture: a subculture reflecting an organization's attitudes towards industrial cybersecurity and safety.

¹ ISC² on-line training: Building a Strong Culture of Security

International Journal of Information Security and Cybercrime Vol. 8 Issue 1/2019

1.2 The context of this study

ICS cybersecurity threats


The ICS threat landscape is growing at a very rapid pace as systems become exposed to increasingly robust and technologically advanced attacks (e.g. Advanced Persistent Threat - APT).

ICS and IT (Information Technology) cybersecurity culture


ICS cybersecurity is often thought of as IT cybersecurity, a confusion that very often leads to security flaws in ICS environments.
Risk perception and treatment in the ICS area require a deep understanding of both the process and the technology applied. ICS also face high availability expectations, the long life cycles of legacy systems and other issues that make the ICS environment so critical that it justifies an additional cybersecurity culture taking its specific aspects into account, while remaining aligned with but separate from IT security.

Regulatory landscape
The alignment of ICS cybersecurity with National Cyber Security Strategies and Critical Infrastructure Protection efforts is evolving. Multiple guidelines, ICS security standards and good practices have already been developed in the ICS community. Organizations are therefore recommended to derive from these a security baseline and good practices to protect their ICS installations against cyber risks.

2. Building an ICS cybersecurity culture

To deal with ICS cybersecurity threats effectively, and attain the appropriate level of
cybersecurity culture, it is very important to develop a highly focused awareness, training and
education process. [A culture of cybersecurity encompasses the practices, policies and “unwritten rules” that employees use when they carry out their daily activities]³. In this process, it is also important to make a clear distinction between awareness, training and education⁴:
• Awareness should be inclusive of all personnel having access to the systems concerned
so that a common understanding of the issues can be established, focusing attention on
security and reinforcing the sense that everyone has a role in this. It supports the process
of change in organizational attitudes about the importance of security and the adverse
consequences when security fails.
• Training usually refers to instruction on how to carry out security-relevant procedures and processes. Training sessions should be adapted depending on the profile of the personnel involved, their level of knowledge and the need to take into account the changes in behaviour expected from them.
• Education is a lifelong process that involves gaining new skills and know-how to enhance security practices to reach an educational level where the beliefs, values and attitudes of management and staff are reflected in appropriate cybersecurity behaviour.

² ENISA: Analysis of ICS-SCADA Cyber Security Maturity Levels in Critical Sectors
³ MIT sources: 2017-07-Summary-of-Working-Session-on-Creating-a-Cybersecurity-Culture.pdf; Cybersecurity-Culture-HICSS-MISQE.pdf and Profiling_the_organizational_Cybersecurity_culture.pdf
⁴ ISC² on-line training: Building a Strong Culture of Security

2.1 Challenges
Creating a resilient ICS cybersecurity culture involving everyone who has access to ICS
premises and assets is a major challenge.
Handling cultural aspects implies dealing with behaviors and actions, intangible elements
whose effectiveness is difficult to measure. To achieve this, it is fundamental to find an effective
balance between the appropriate security technology to use and appropriate human behaviour, so
that ICS cyber risks can be reduced to an acceptable level.
• Human factor: For many years, traditional cybersecurity has focused on securing the technology. Humans have been treated as components whose behaviors can be prescribed through security policies and controlled by security mechanisms and sanctions. Such mechanisms have been demonstrated to be largely ineffective⁵.
The problems arising from the human factor in cybersecurity are never resolved once and for all, and there is no simple ‘solution’, but human skills and knowledge, rather than vulnerabilities, can be made to work in favour of an organization’s defensive cybersecurity⁶. In the cybersecurity domain, the human factor has very often been identified as the weakest link and, by a wide margin, most cyber-related incidents are linked to human action.
This approach aims to provide guidance to managers on how to challenge this concept,
building or reinforcing a cybersecurity culture where personnel are not just thought of as the weak
link but are acknowledged as the first line of defence on which an organization can count.

2.2 Success factors


• Management commitment: Management has a special responsibility to raise
awareness and knowledge about ICS cybersecurity threats throughout the whole
organization. However, they need practical solutions to drive behavioral change while
also dealing with the intangibles.
• Framework and compliance: Compliance is a key support feature for any security
program. If no local regulation has been established, or in the absence of a clear
statement on standards compliance, good practice is to develop a security baseline to
conform with ICS International Standards, and for the organization to set up its own ICS
Security Framework to reduce ICS cyber risks. This framework will also provide the
basis on which to monitor the progress and benefits of the ICS cyber-security culture.
• Effective communication: In the context of training campaigns, the target audience can
be motivated by what the training will bring in terms of personal and professional
evolution. This is not the case for awareness campaigns, which require a different
approach with greater emphasis on good communication. It is essential to make training
engaging and enjoyable or cybersecurity measures could be perceived as a constraint,
thus hindering the expected behaviour changes.
A good pathway to success is to “keep things as simple as possible”.

⁵ Studies from 1999: Whitten & Tygar (email encryption); Adams & Sasse (password policies)
⁶ ENISA: Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity

3. Methodology

This study aims to provide guidance on how to develop and strengthen an ICS cyber-security
culture. The methodology described will help establish awareness, training and education
programs, and encourage the motivation, commitment and voluntary participation of the staff
involved.

3.1 The methodology step-by-step


Defining the initial status of ICS cybersecurity culture and targets
• This step is supported by the deployment of a “survey tool” based on the results of an MIT research program⁷ and enables managers to dig deep into the details of the status of ICS cybersecurity culture (see the example survey results in Fig. 1).

Fig. 1. Organization’s maturity in terms of ICS cybersecurity culture

• After analysis of the survey results, management can define its cybersecurity culture
goals based on five organizational aspects as outlined below:
1. Leadership: Top management priority, participation and knowledge;
2. Group: Community norms and beliefs, teamwork perception, inter-departmental
collaboration;
3. Individual: Employee self-efficacy, awareness of ICS cybersecurity policies and general
cyber threats, in-role and extra-role cybersecurity behavior;
4. Process: Organizational learning, cybersecurity training, communications channel;
5. External influences: Societal cybersecurity culture, external rules and regulations, peer
influence.
• Following on from the previous steps, the ICS cybersecurity culture implementation
process can now be driven in terms of priorities, planning of activities, investment and
program evaluation.

Encouraging appropriate ICS cybersecurity behaviors


• This step aims to promote behaviors that would reduce risk and increase security during daily activities, for example:
1. Setting up ICS cyber resilience awareness campaigns;
2. Encouraging personnel to embed security actions such as reporting suspicious activity;
3. Encouraging personnel to display extra-role behaviors;
4. Securing personal technology;
5. Encouraging cooperative helping, etc.

⁷ MIT - CAMS Research Program: How can we create a strong cybersecurity culture in our organizations?

The value of an in-house ICS framework (e.g. ENGIE ICS Security Framework)
Industrial control systems must be protected against unauthorized access, use, disclosure, disruption, modification or destruction. To address this, ENGIE has developed and implemented an ICS Security Framework based on the group ICS security policy. The Framework supports ENGIE’s industrial sites in securing their ICS installations throughout their lifecycle and allows their cybersecurity posture to be assessed.
The ENGIE ICS Security Framework is a set of 19 mandatory security controls aiming to
reduce risk to an acceptable level. Once implemented, the effectiveness of the security controls
is evaluated and reported to higher management.
Among the measures to continuously safeguard the organization, this procedure is a major
pillar of ICS protection contributing to the creation of an effective ICS security culture. It supports
ICS leaders in defining the behaviors expected from all personnel who have access to the ICS
and its premises, and provides clear information about roles, responsibilities and accountability.
The ICS security policy, ICS Security Framework and all other ICS procedures and related
documents must take this principle into account and make its implications clear for every
individual concerned.

Establishing performance indicators and monitoring effectiveness


The survey tool used in this methodology permits a qualitative analysis of the five organizational aspects, defining the maturity level of each. It gives an overview of cybersecurity maturity through a question/answer technique aimed at capturing nuance and making the maturity evaluation as consistent with local reality as possible. This solution is based on a set of mechanisms shaping the construction of cybersecurity culture as defined by the holistic approach of the Cybersecurity Model from the MIT CAMS research program.
The maturity levels considered for the purposes of the survey tool (see Fig. 2) are⁸:

Fig. 2. Performance indicator table

• Basic - activities are not conducted;
• Developing - activities are under development or conducted in an ad-hoc manner;
• Established - activities are regularly conducted at a basic level;
• Advanced - activities are implemented with a deep understanding of specific ICS requirements;
• Leading - activities are implemented at a level exceeding current basic needs (designed to address needs whose arrival is foreseen).

⁸ ENISA – Analysis of ICS-SCADA cybersecurity Maturity Level in critical sectors

4. Preliminary conclusion

• This methodology aims to provide guidance to an organization's management on how to define, commence and handle the continuous process of securing ICS systems, supporting the creation of a specific ICS cybersecurity culture;
• Personnel having access to ICS and its premises (internal and external) need to understand their individual responsibilities and their role in the construction of ICS cybersecurity resilience;
• Management teams must understand their responsibilities and capacity to improve the cybersecurity culture;
• Becoming a cyber resilient organization stems from a combination of technological, organizational and human investment;
• Management needs to invest in and commit to all these mechanisms, providing the weight essential to increasing resilience;
• The collection of empirical data from a real case study is planned as part of the next step
of this study to consolidate the methodology and enhance the tools used in this approach.

5. Next steps

• Proof of concept of the “Building a cybersecurity culture in the Industrial Control System environment” methodology, to be validated at an ENGIE power plant;
• Development of an action plan to support the methodology by setting up an ICS cybersecurity awareness, training and education program;
• Analysis of deployment results, improving and supporting the methodology and its support tools.

References:

[1] ENISA – Cybersecurity Culture in Organizations.
[2] ENISA – Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity.
[3] ENISA – Analysis of ICS-SCADA Cybersecurity Maturity Level in Critical Sectors.
[4] ISC² – Building a Strong Culture of Security.
[5] MIT – CAMS Research Program: How can we create a strong cybersecurity culture in our organizations?
[6] Allianz – Risk Barometer 2018.

Copyright of International Journal of Information Security & Cybercrime is the property of
Romanian Association for Information Security Assurance and its content may not be copied
or emailed to multiple sites or posted to a listserv without the copyright holder's express
written permission. However, users may print, download, or email articles for individual use.