As we witness the societal transformation needed to limit the spread of COVID-19, we are reminded of the important role humans play in the defence and mitigation of cyber attacks on our networks. The criticality of human compliance in supporting the organisation’s security needs through life is so often only realised in the aftermath of a catastrophic cyber event.
For those charged with developing robust security frameworks for intensely regulated high threat environments, it is essential to ensure that four key elements are aligned:
- The organisation’s business goals
- The technology and processes that enable those business goals
- The cyber security protecting those enablers
- The supporting security behaviours of every employee.
These frameworks must be fluid and agile, allowing for planned changes in the technology landscape such as Industry 4.0 (outlined below), as well as in cases of sudden and unforeseen circumstances, such as COVID-19.
Industry 4.0: The cyber-enabled utilities sector
The 4th industrial revolution (Industry 4.0) saw the convergence of corporate IT networks with operational technologies; two completely separate systems which were designed, built and operated in isolation. The intention was to address specific business challenges such as competitive advantage in an overcrowded sector, intense regulatory oversight and the government’s ‘NET ZERO’ contribution to halt global warming.
These newly converged IT/OT networks were highly successful at enabling business goals, providing greater efficiency, centralised reporting and holistic performance metrics. But the cyber security underpinning these business-enabling technologies suddenly had a much wider attack surface, and new vulnerabilities emerged in otherwise protected systems. Employees may not have been aware of this critical exposure, and the four core elements mentioned above were now perilously misaligned.
Many high-profile cases soon emerged of relatively simple cyber-attacks shutting down major international utilities companies all over the world, resulting in substantial regulatory penalties, costing millions in production downtime and eroding public trust. Many of these security breaches were traced back to an employee absent-mindedly clicking on a malicious web link, or opening an email attachment without giving it any thought.
It was found that in the pursuit of converging IT/OT networks to achieve business goals, critical security implications had been overlooked, with devastating consequences that far outweighed the intended benefits.
COVID-19: Impact on the technology landscape and security behaviours
When lockdown was announced to contain the spread of COVID-19, many organisations rushed to implement new business-enabling technologies such as VPN solutions to allow employees to work from home. In normal circumstances, security approaches exist to manage this process effectively – but in the case of COVID-19, where rollouts need to be completed in a hurry, managers under pressure may be tempted to improvise new procedures as a ‘sticking plaster’ and security is often pushed to the side. With there being no time to prepare for this sudden disruption, employees could now be logging in to critical systems unsupervised from home, over non-managed wireless connections and using untrusted devices. Poor security behaviours that develop as a result may become embedded as ‘business as usual’ and employees may come to expect them as ‘the new normal’. The longer these poor behaviours continue, the more difficult they will be to correct later on.
Managing security perceptions, attitudes and behaviours in people
The examples of Industry 4.0 and COVID-19 illustrate how cybersecurity is socio-technical in nature and human behaviour plays an important role in the cybersecurity framework. Very simple actions from an organisation’s own employees can either enable or disable the most robust security solutions, and research by Willis Towers Watson suggests that employees cause around 66% of security breaches. This is mainly due to negligence or malfeasance, but also to well-intentioned people operating under pressure. Of course, human behaviour is a very complex area, but you can begin to establish informed and targeted mitigating actions to remedy unwanted security behaviours by applying an analytical model to identify the likely root cause.
A systems-based approach: root cause analysis
The COM-B model developed by Michie et al. suggests that behaviour is informed and influenced by just three key factors: capability (the skills and knowledge the user has), opportunity (the position they find themselves in) and motivation (what they are incentivised to achieve). The theory suggests that in order to rectify an unwanted behaviour, you need to understand which aspects of capability, motivation or opportunity are driving that behaviour. In the case of COVID-19:
- Capability: when the employees’ working environment has changed (the sudden disruption caused by the COVID-19 lockdown) and they are given the ability to log in to systems remotely, if the processes are not well defined and/or understood, then they may make up ones that fit.
- Motivation: the calamity of the pandemic has created a sense of solidarity and people are highly motivated to do the right thing. As such, they may stretch new capabilities to the limits to get the job done and may not consider the security implications (i.e. using their personal PC to do sensitive work).
- Opportunity: Working from home can be a new experience for many, with opportunities such as using their personal laptop to browse the internet in one tab, while accessing sensitive systems in another using a VPN. Whilst a VPN solution has been provided for corporate laptops, the technology may not have been implemented in such a way that enables full functionality because it’s been done quickly.
Applying a systematic, risk management framework
As mentioned earlier, technology exists within an organisation to enable business goals, but this can only be successful if underpinned by robust cyber security and a strong culture of human security behaviours.
Any decisions relating to the restructuring of technology setups (whether proactive, as in the case of Industry 4.0, or reactive, as with COVID-19) must be taken as a balance between security risk, business benefit and cost. Making these decisions consistently over time, in a way that can be justified to both budget holders and risk owners, requires a defined and endorsed approach such as ISO31000 which interlinks well with a series of related standards and frameworks to support delivery of security.
ISO31000 Design risk management framework
The ISO31000 risk management framework aligns security activities with business outcomes to set out how decisions should be made.
The ISO framework uses key risk indicators to monitor any changes in risk and inform decisions as to when risk mitigation plans need to change. It acts as a strategic management tool that needs to be integrated into ‘business as usual’ across the operational lifecycle, to include change release and change control, as well as supporting new system development. Where legacy systems exist, retrospective application of the framework can mitigate risks and vulnerabilities and allow managers to make informed risk decisions. ISO31000 recognises that not all risk is a critical threat: you can accept a certain level of informed risk in order to achieve a business goal.
This approach allows you to understand the risk associated with new capabilities and therefore design security controls. Where there may be exceptional events that require rapid action (such as COVID-19), processes need to enable these actions as they are critical to the ongoing delivery of business outcomes.
To enable continuous improvement, this framework also needs to include a retrospective assessment of the risk arising from any changes that have been made to people, process and technology due to COVID-19, including analysis of the security behaviours using the COM-B model.
Given the rapid changes to technology and user behaviour resulting from COVID-19, you can use ISO31000 to take a retrospective assessment of the risks to critical services and capabilities which will provide assurance that risks are in line with your risk appetite, and that you remain fully compliant with your security obligations.
Service Risk Assessment
Leonardo has developed a robust service risk assessment process that will support assessment of the impact of changes. We first understand the internal and external context of the solution, to include business drivers, scope and any regulatory considerations. At Leonardo we call this the orientate phase, as it enables a solution to be viewed in the right business context.
We then need to review technical aspects of the solution, its boundaries, key dependencies, and the information assets it produces and outputs. We use the understand phase to derive a business impact assessment model and a set of risk scenarios that we are concerned with, which would include security behaviours as well as technical risks.
Following this, we baseline the solution against an agreed security standard to give an indicative view of compliance. It is important to recognise that this is an indicative view rather than an audit, so it’s designed to inform the final stage of the assessment, and it’s in this stage that we would conduct any required COM-B analysis into identified behaviours.
In the final assess stage, we then score the risk scenarios, so for any given risk scenario we gauge the probability of the risk being realised and combine it with business impact to give a risk score. This uses the information gathered in the previous phases.
Ultimately what this provides is a set of prioritised risks to a solution that enables compliance through risk management, as opposed to the reverse. This risk assessment is simply one part of a wider approach to security architecture and risk management. Within a utilities context, there is the NIS Directive and the National Cyber Security Centre (NCSC) Cyber Assessment Framework (CAF) which drive its implementation in the UK. And while NIS and the CAF may be seen as yet another compliance obligation, the NCSC assessment framework provides a highly effective approach to understanding operational security and maturity, and delivering security architecture. It’s especially relevant to the utilities sector as it is designed to cover both enterprise IT and operational technology systems. So adoption of the CAF as an approach will have the added benefit of harmonising compliance obligations and reducing rework. Introducing ways to manage all of the organisation’s compliance obligations in a streamlined manner is a key part of an effective security approach.
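As an added illustration of the assess stage described above (and of the COM-B tagging of behavioural risks from the earlier section), the following script models a small risk register for the post-lockdown retrospective: each scenario gets a probability and impact rating, the two are combined into a score, scenarios are prioritised, those above a risk-appetite threshold are flagged, and behavioural risks are summarised by COM-B driver. This is example code written for this page, not Leonardo’s own process or tooling; the 1 to 5 scales, the appetite threshold and every scenario in the register are constructed values.

```python
from dataclasses import dataclass

# Constructed scale: probability and impact are each rated 1 (low) to 5 (high).
# Hypothetical risk appetite: scores above this need an explicit treatment decision.
RISK_APPETITE = 12


@dataclass
class RiskScenario:
    """One risk scenario in the register, technical or behavioural."""
    name: str
    probability: int        # 1-5, likelihood the risk is realised
    impact: int             # 1-5, business impact if it is
    kind: str               # "technical" or "behavioural"
    comb_driver: str = ""   # behavioural only: capability, opportunity or motivation

    def score(self) -> int:
        if not (1 <= self.probability <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: ratings must be between 1 and 5")
        return self.probability * self.impact


def prioritise(register):
    """Order scenarios highest risk first; ties are broken by business impact."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def exceeding_appetite(register, appetite=RISK_APPETITE):
    """Scenarios whose score is above the agreed risk appetite."""
    return [r for r in prioritise(register) if r.score() > appetite]


def root_cause_summary(register):
    """Count behavioural risks by COM-B driver so mitigations can be targeted."""
    counts = {"capability": 0, "opportunity": 0, "motivation": 0}
    for r in register:
        if r.kind == "behavioural":
            counts[r.comb_driver] += 1
    return counts


# Constructed register for the retrospective; all ratings are illustrative.
REGISTER = [
    RiskScenario("Unpatched VPN gateway reachable from the internet", 3, 5, "technical"),
    RiskScenario("Staff using a personal PC for sensitive work", 4, 4, "behavioural", "opportunity"),
    RiskScenario("Improvised, undocumented remote-access procedure", 4, 3, "behavioural", "capability"),
    RiskScenario("Email link clicked under time pressure", 3, 4, "behavioural", "motivation"),
    RiskScenario("Backup schedule skipped during the VPN rollout", 2, 3, "technical"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        flag = "ABOVE APPETITE" if r.score() > RISK_APPETITE else "within appetite"
        print(f"{r.score():>2}  {flag:<16} {r.name} {r.comb_driver}")
```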
About the Author
Dr Max Wigley heads the Consulting Practice for Leonardo Cyber Division in the UK. His background is in CNI and Government security assurance and security architecture – helping to manage the security risks associated with large ICT / capabilities, whether that is during development and implementation of new capabilities, or understanding and managing risks to existing services. He is also the Service Owner and NCSC Head Consultant for our NCSC Certified Consultancy Service.
About Leonardo in the UK
We are a major defence and aerospace company, and have our own very large and complex OT networks in our manufacturing facilities. Our dedicated cyber division delivers secure services and capabilities with cyber and physical security solutions to government and large enterprise organisations, particularly in the CNI sector. Our cyber capability is headquartered in our Bristol office, where our Cyber Competence Centre provides a centre of excellence for our cyber capability. We have an ISO27001-certified 24/7 SOC, an engineering team who are NATO’s cyber partner, and our NCSC-certified consulting team. For more information or for enquiries, please email firstname.lastname@example.org.