Imagine this: the power grid has been hacked by a nation-state and has catapulted us back to the Stone Age. No power, water, fuel, online communications or banking. No, this isn’t a story out of a Michael Crichton novel. In 2018, a dire warning from former British Secretary of Defense, Gavin Williamson, indicated Britain’s energy infrastructure had been spied on by Russia. He predicted countless deaths would result if their power grid was ever crippled.

The critical infrastructure space is hardly an emerging topic in terms of cybersecurity. Case in point — in the spring of 2021, the Colonial Pipeline was hacked, leaving consumers from Texas up to New Jersey and New York vulnerable without a basic need: gas. Thankfully, the issue was resolved, but the implications of cyberattacks on critical infrastructure were exemplified by this incident.

The power of security awareness

There are key concerns revolving around device capabilities, supply chain, security and safety in the critical infrastructure sector. According to Brian Wrozek, Principal Research Analyst with Forrester and former CISO of Texas Instruments and Optiv, an organizational focus on security awareness can help critical infrastructure organizations harden their operational technology (OT) and information technology (IT) against threats.

The OT space has been a more challenging space to manage and prevent attacks primarily because OT utilizes unique equipment that is not able to leverage the common security controls used in IT environments. Systems were created to operate uninterrupted for a long period of time in specialized use cases and security was not built into the original design. Wrozek highlights that “on the plus side, OT environments have robust physical security controls and manual safety mechanisms that can provide protection to minimize potential damages.”

This is a prime time for IT and cybersecurity executives to revisit and re-strategize security awareness training around this space. The IT and OT environments can never be treated in the same manner, which means companies will need to adjust their delivery methods and timing to align with the unique characteristics of the OT environments. Structuring security awareness training to fit critical infrastructure challenges and meet employees where they are in terms of cybersecurity knowledge may lead to more successful security outcomes. Wrozek recommends “holding a live workshop during lunch time at the factory, as all operators may not have a traditional office desk and laptop.”  

Regardless, all OT operators and administrators should participate in the standard cybersecurity training curriculum offered by their companies, but taking it a step further, Wrozek emphasizes “incorporating cybersecurity training into the physical security and safety educational programs common in OT environments will improve participation and adoption.”

What should the ideal cybersecurity training program look like in the OT space? Just like any company you onboard with, learn about the environment. In this case, the OT environment requires education, and the materials must be tailored to the needs and concerns of their target audience. Wrozek states the importance of helping new hires connect the dots, “For example, a successful phishing email could allow an attacker to pivot from the corporate environment to the OT environment. It doesn't matter if the source of disruption was a weather event or specially constructed malware program, the consequences to human safety or the environment are the same.”