Jim Montague is executive editor of Control magazine, and has served as executive editor of Control Design and Industrial Networking magazines. He's worked for Putman Media for more than 10 years, and has covered the process control and automation technologies and industries for almost 20 years. He holds a B.A. in English from Carleton College and lives in Skokie, Illinois.
Stop me if you've heard this one. Just kidding. Although, because this is text and not audio, you could shut me up if you just quit reading. However, if you continue, then I'll just keep babbling to the end of the page as usual.
The reason I bring up rehashing previous messages is because so many (including most column topics) have been stated before. Most don't need to be mentioned again, but there are a few worthy ideas that haven't been stated enough, at least not enough to have a useful, significant or measurable impact. There's nothing new under the sun, but some items deserve wider distribution than they've gotten so far.
One oft-repeated idea that could still use more understanding if not exposure is that "humans are the most important variable in successful and consistent cybersecurity."
We've all heard this one before. I may be overreacting, but in the process control and automation realm, it seems like every cybersecurity-related product, switch, module, box, software, strategy, initiative, network, platform and architecture brings it up.
Now, I'm not saying that humans don't have a critical impact on upholding or defeating cybersecurity solutions, but why does this concept keep boomeranging back? It's almost like a product disclaimer. "The most secure password or firewall is no good if you don't turn it on."
So, why all the steady reminders? I think it's because our collective missteps are the one monkey wrench that all the security experts and developers can't change. Innovative and useful cybersecurity devices and software and modules aren't easy to design and build, but they're apparently much easier to develop than getting people to alter or improve their habits, or even be aware of them. Heck, just a couple of hours after my colleagues and I attended a recent user group session on basic cybersecurity, and got some stern advice on not posting bar-hopping photos on social media, what did we do? We posed for photos with drinks, and posted them on Facebook. The shots were tame and inoffensive, but the timing and irony were severe.
So, is there a way to address the human impact on cybersecurity? Well, what do we want? Some good cybersecurity practices include: turn on passwords; don't plug in untested USB sticks; don't open even slightly suspicious emails or PDF files; inventory all Ethernet/IP-enabled ports; segment your networks into functional zones with managed Ethernet switches acting as firewalls; develop and use software patching policies; and continuously monitor your network traffic for unusual activity.
Second, how can we and our fellow humans make these practices happen? No surprise. We need to do the dreaded talking with each other again, the activity that engineers, technicians and, I think, pretty much everyone else seems to avoid at all costs. I'm close to 9,000 or 10,000 interviews in my career, and I still get nervous.
Nevertheless, there has to be a way to make these discussions, meetings and training sessions easier, whether they're about cybersecurity or some other topic that needs us to get on the same page. Now that it's mostly summer, how about holding some talks and meetings outside? How about a lunch-and-learn picnic?
Maybe start a cross-departmental or intra-organizational cybersecurity club or practice group. Maybe have a cybersecurity potluck? Personally, I'm always willing to listen to and can't be objective about anyone who feeds me.
I sure wish there was a cybersecurity skills board game or some kind of competition. Maybe there already is. The point is to get participants to practice good cybersecurity habits, so they become rituals like brushing our teeth. I'm well aware that some things just have to be drilled into my head, but that doesn't mean I can't make the best of it and perhaps enjoy the ride. Granted, we and our devices and networks can't be 100% secure, but we can sure improve the odds with just a little more personal ownership and improved behavior.