Many people view the Health and Safety at Work Act 1974 as unnecessary and burdensome, but its introduction has had a dramatic impact on reducing accidents in the workplace, particularly within industrial settings. Today it controls the safety of equipment used on process plants, the time professional drivers may spend behind the wheel, and even how long someone may stare at a computer screen.
When you walk onto an oil and gas site, the success of this health and safety message really becomes clear. Safety is usually the first thing visitors are told about when entering a site, and anyone who comes through the door is given a health and safety induction before they gain access.
What’s more, people in these environments are extremely clear about what they can and can’t do, in terms of safe behaviours. Employees are empowered by this knowledge, and act as safety ambassadors within a site.
But as a cyber security specialist, when I enter sites like this, I often wonder why the same care and attention isn’t being paid to preventing the serious damage that could be caused by a successful cyber attack. When it comes to our critical infrastructure, cyber risks aren’t limited to damaging a company’s reputation or losing customer data; they could potentially jeopardise individual safety.
Recognising the Importance of ICS Security Solutions
So why aren’t these cyber security safety implications being taken more seriously? Partly because industrial control systems (ICS) have traditionally been seen as a separate entity from the IT systems used by the corporate enterprise, and therefore outside the remit of cyber security teams.
The belief was that, as these systems were not connected to the same networks as other computers or the Internet, someone would need to gain physical access to a machine in order to infect or tamper with it.
But as these control systems have become increasingly ‘smart’, such as manufacturing systems that continuously monitor and optimise performance, IT and OT systems are becoming ever more converged.
In addition, reduced human involvement in these processes and increased reliance on automation systems have enlarged the potential cyber attack surface.
How to Prevent Cyber Attacks on Industrial Control Systems
So, how can we help critical infrastructure operators to consider ICS cyber security risks as being just as important as, and indeed interlinked with, considerations about our physical safety? The answer is a combination of legislation, cultural change and employee awareness.
The UK government’s proposals from 2017 to implement the EU’s Network and Information Systems (NIS) Directive were a positive step, forcing critical infrastructure providers to put a determined cyber security strategy in place or risk financial penalties.
The threat of being hit with a fine of up to £17 million, or four per cent of global turnover, will undoubtedly focus people’s minds and help to make this a board-level issue. But legislation alone is not enough, and can have the effect of making organisations compliance-driven, when what is needed is a security-driven mindset.
But to really effect change on the ground, we will require a vastly improved level of cyber security awareness. Employees need to be trained so that they understand what the safe behaviours are in terms of cyber security, and how to avoid taking unnecessary risks.
Good cyber security training can dramatically reduce the chances of commonly used techniques like spear phishing attacks, or social engineering methods, being successful. For example, if employees understood the cyber security risks of a service engineer plugging in their own laptop while performing diagnostic checks, our industrial sites could be considerably more cyber secure.
To bring this health and safety approach into the context of industrial cyber security, organisations should follow three key principles.
- Firstly, employees need to understand how their behaviours can reduce cyber risks.
- Secondly, clear cyber security policies need to be set and reviewed regularly.
- Thirdly, risk assessments need to be conducted regularly, to understand any potential risks and to plan for them to be mitigated successfully.