Overcoming (human) inertia for cybersecurity

Dec. 2, 2021
Two experts at system integrator Maverick Technologies show how to motivate individuals and organizations to adopt and practice cybersecurity tools and skills

Beyond using passwords and authentication, segmenting networks, and monitoring communications and data traffic, the most crucial cybersecurity task is motivating managers and training staff to follow good cybersecurity practices—even though it remains persistently difficult to accomplish.

"Everyone is told about cybersecurity, and it's gaining traction, but many organizations and individuals still aren't complying with good practices," says Bruce Billedeaux, senior consultant at system integrator Maverick Technologies, a Rockwell Automation company. 

Robert Henderson, principal engineer at Maverick, adds, "Anyone can pay attention to cybersecurity and some know what they should do, but there are many facilities and networks that are 30-40 years old and many users don't know how to approach cybersecurity for those processes. Plus, they usually have very few staff to do cybersecurity, especially because more people are working remotely now. This is creating more network connections and more vulnerabilities, but most users still don't address cybersecurity until their board says to do it or there's an incident in the news."

2021 cybersecurity update

This article is one in the 2021 cybersecurity update multi-part series. 

View the rest of the series here.

The basic list

Due to the usual parade of recent, well-publicized breaches, Henderson reports more users continue to recognize that they need to do something, while others have already addressed cybersecurity and want to do better, including performing internal audits and responding to their directives. "The basic cybersecurity list is the same for everyone," says Henderson. "Inventory and document assets and networks, basically anything with an Internet protocol (IP) address. Build and test backups, which is where rookie efforts usually start. However, if earlier cybersecurity efforts were done and thought to be safe, they probably aren't by now. For example, users may think they're protected by air gaps, which are defeated when they use USB sticks for patches or software updates to equipment, or antivirus scanners that identified IT-related changes before may not find them now. This is how an outside audit can show users they're often not doing what they think they're doing."

Billedeaux reports these problems multiplied during the COVID-19 pandemic, when many cybersecurity requirements were relaxed and more access points were added because more staff needed to work remotely. "Now, these points need to be properly implemented and secured, or closed off again," says Billedeaux. "However, many continue to be left open and not auto-scanned."

Henderson adds the remedy to these cybersecurity issues is simply paying attention and giving cybersecurity the same consideration as other plant-floor tasks. "We need to think about cybersecurity differently and approach it with the same methodology and mindset we've used for 70 years to deliver power, water, compressed air or other services on the plant floor," explains Henderson. "When an engineer is asked to add a 5-hp motor that needs 480 V power, do they just splice it in wherever? No. They wouldn't consider adding it without creating engineering drawings, identifying the bucket it will be in, checking the load on the motor control center (MCC), adding a starter or disconnect, labeling wires, and following their change management procedure. When we put in a new Ethernet switch, its bandwidth and place in the network must be verified, and engineering drawings are needed for labeling wires. The same steps must be followed for cybersecurity, but they usually aren't because networking is a newer discipline."

In addition, an improperly engineered 4-20 mA unit will show up immediately, but a misidentified network device may not be immediately obvious, and may create vulnerabilities that only show up later, according to Henderson. "Many networks are resilient and can run for a long time before the results of problems emerge and break the camel's back," he says. "These problems can be caused by misidentifications, poor data converting, ineffective configuration, and poor architectures, such as daisy-chaining too many devices together."

The essential standards

To give them the best chance of running efficiently and securely with the fewest difficulties, Henderson adds that users should learn and develop their networks based on several major standards and common, non-prescriptive directives, including:

Beyond using CPwE and other standards for network design, Billedeaux reports that many suppliers and system integrators like Maverick also offer cloud-based services that let clients outsource their network monitoring for data sharing and maintenance. 

"This secured and supervised access to an automation system allows a cloud-hosting service to monitor a user's access points, look for maintenance thresholds and anomalies, if needed, so they don't have to do it themselves," says Billedeaux. "Some services like OSI PI can also automate data backups to secure access for multiple sites, while Rockwell Automation runs a Windows 365 cloud-hosted business network that allows Microsoft Teams users to go between companies, which wasn't allowed before. The next step is moving operations technology (OT) data beyond its usual network and allowing remote configuration. This is possible because Microsoft handles the application's cybersecurity with multifactor authentication that can tell which users are on the VPN, which many users can't do on their own."

Analysis for cybersecurity breaches of OT networks during COVID-19 showed cloud services to be more secure than locally managed remote access. Cloud-based automation and OT access, configuration control systems have dedicated security staffs to monitor for anomalies not only in the network itself, but also in the data tunnel to the site.

These IT-based, cloud-level services typically use secure tunneling to networks, work with the network segmentation and device-level firewalls that users already have in place, perform anomaly detection, and provide backup and recovery procedures. "These third-party services like Claroty and others sit on the network and monitor it, generate alerts and alarms, and do deeper analysis to detect potential issues before they manifest as intrusions," adds Billedeaux. "These services can help with backup and recovery by analyzing where and when an attack started, and isolate affected parts of a network, while allowing safe areas to keep running. Training staff not to fall victim to phishing is still the best way to prevent ransomware, but cloud-based services can also deliver backup configurations for operating systems and servers, and help conduct periodic testing."

About the author: Jim Montague
About the Author

Jim Montague | Executive Editor

Jim Montague is executive editor of Control.