Most members of the security community acknowledge the need for an improved security culture — meaning systemic corporate awareness, measurement, and monitoring for improvement of cybersecurity to lower the overall risk. Just look at Kim Zetter's Black Hat USA 2022 keynote, which called for crucial security improvements throughout critical infrastructure.
Many times, the impediment to effective security is not necessarily technical but, rather, a cultural issue. Many often mistakenly equate user education and training with the creation of a security culture. User education is about information sharing on issues and obligations — whereas security culture is about behavioral changes in support of security.
Building Security Culture Through User Awareness
Though user awareness and building a security culture are different exercises with distinct challenges, they share one commonality: They require serious attention and support. With that in mind, these two exercises actually complement each other.
Consider this: While there are many debates on CISO reporting structures, the support necessary for driving a security culture is not dependent upon this hierarchy; it's dependent on the modification of user behavior through generally accepted business operations. This holistic business process modification is why the security culture needs to be driven from the top down.
User awareness should be baked into an organization's security tools and take place as consistently as searching the systems for indications of compromise. User awareness does not take the place of, and is not the same as, the creation of a security culture — rather, it's a necessary component of any effective security culture.
Getting on Board
Ownership and support for creating security culture must be driven at the board level. This is because while many exploitations and attacks are no more than another security alert to manage, when a skilled adversary gets involved, serious risks arise. As I always say: Amateurs hack systems; professionals hack people. Hacking the human as a security risk category has a high yield of success and transcends technological safeguards.
The trick is to protect the human operator from the pitfalls of human nature by controlling and sculpting behavior. This often requires critical thought about ingrained business practices. Support for the realization of necessary changes will rely heavily upon top-down influence.
Security Culture in OT Environments
OT environments are saddled with even more significant challenges in examining and cultivating their security culture. Not only do business users play an integral role, but OT engineers are just as vital to preventing and responding to security events.
The relationship between IT and OT is where the creation of a holistic security culture will need top-down support to look critically at the overall business and operational processes. Things that can torpedo the most earnest attempts at shoring up a security effort could be as unsuspecting as the accounting process for applying budgets across the individual locations or the perception of ownership for security.
While these examples are the tip of the iceberg, it's important to create a holistic and continuous process improving program within the organization to continue to ask, "How could our security culture be improved?"
Security Culture in IT Environments
Unlike OT, the recognition of the need for technologies is well defined in IT. For example, asset inventory and visibility is a commodity product set for IT. There are many asset management vendors from which to choose, and a skilled IT team can quickly adopt these tools. The process of selecting technology may be influenced by an IT-centric process. Cultural changes may be found that would better fit the selection of complementary products on the OT side.
Asset inventory, vulnerability, and risk management are more challenging in OT due to the nature of the technology and topology. The personnel are typically engineers that specialize in the process and not necessarily the tool (systems) with how they interact with the operations of moving molecules. The owners of OT assets have a different mission focus from IT owners, and their training does not necessarily include security. The creation of a security culture must take these different mindsets into account and use relatable tactics to change behavior.
Blending Cultures: IT and OT
A risk-based approach will help IT and OT professionals by standardizing key metrics like life, health, safety, not to mention the impact on production capacity and efficiency. This approach should also include maximum tolerable downtime (MTD) and mean time to recovery (MTR).
This will drive answers to why personnel should care about security. Organizations will want to give the collective team a chance for success. While looking at business processes for assigning tasks across groups, subtle changes may become apparent when viewed through a security lens. While system ownership must remain bifurcated due to inherent, operationally driven needs, the IT/security/OT teams must all work in lockstep to address critical vulnerabilities, potential security events, and incident response/recovery. Speed and efficiency are paramount.
These are only two aspects of creating a security culture but serve as an excellent example of why there is more to changing behavior than simple information sharing. Creating a security culture is vital to any organization to augment the security technology investments but is indispensable to an OT operator's survival in the fast-paced breach response process.