Fostering cybersecurity awareness for effective risk management and creating cyber-resilient environments – IndustrialCyber

As Cybersecurity Awareness Month 2024 begins, the U.S. administration has called on Americans to step up their efforts to protect data and technology from cyber threats and adversaries, in order to strengthen national security and resilience. Businesses and institutions are urged to proactively safeguard the American public against cyber threats and to expand opportunities in well-paying cybersecurity jobs. Other recommended immediate actions include enabling multi-factor authentication, regularly updating software on computers and devices, setting strong passwords, and treating suspicious links with caution.
The rising number of threats and attacks against critical infrastructure underscores the need for strong cybersecurity measures in OT (operational technology) and ICS (industrial control systems) environments. These sectors face a different risk profile from most others: they are targets for sophisticated cyberattacks that exploit weaknesses in the infrastructure to introduce malware into control systems. Greater cyber awareness, especially across OT and ICS environments, is a prerequisite for building a resilient cyber environment.
Given the prevailing threat landscape, organizations must involve senior leadership, whose support is crucial. The workforce in OT and ICS environments needs training that enables it to identify threats and respond appropriately, so that these complex assets are protected and the impact of attacks is mitigated. Strategic programs with routine simulations and drills foster a culture of vigilance. Integrating cybersecurity into the ethos of an organization therefore supports risk management and reduces vulnerabilities, safeguarding critical infrastructure and strengthening the overall risk management approach.
Employees are at the forefront of mitigating such risks. Regular training on identifying phishing attempts and practising basic cyber hygiene significantly reduces exposure. Leadership is essential in reinforcing a cybersecurity culture by prioritizing strategic initiatives, such as implementing comprehensive security policies and fostering open communication about cyber risks. Embedding cybersecurity into every process encourages vigilance and proactive behavior among employees. Evaluating training programs ensures they are effective and efficient, balancing operational demands with readiness.
Organizations need to adopt measures, such as interactive and job-specific training, so that employees are prepared to handle threats effectively without feeling overwhelmed. Security practices should also take advantage of newer technologies, for example AI-based threat detection and response systems, which can provide real-time insight and automate parts of the response process, reducing the scope for human error.
Effective, inclusive security practices are fundamental to protecting both tangible and intangible assets, with security concerns integrated at every level of the operational process. Promoting cross-departmental collaboration and drawing on diverse perspectives help build resilient security frameworks that adapt to evolving threats. A comprehensive approach, supported by leadership commitment and cultural integration, is vital for safeguarding critical OT and ICS environments in today’s digital landscape.

Industrial Cyber consulted cybersecurity experts to identify critical threats currently facing OT and ICS environments. Additionally, they explored strategies for organizations to enhance employee awareness of these threats.
Sarah Freeman, chief engineer for intelligence, modeling, and simulation at MITRE’s Cyber Infrastructure Protection Innovation Center, told Industrial Cyber that a review of recent cyber events highlights the importance of bringing in key vendors and suppliers into the cybersecurity discussion. “Many organizations continue to place unverified trust into these third-party vendors despite a lack of visibility into the third-party’s cybersecurity program or understanding its maturity level.”
Critical infrastructure is the backbone of national security, and cyberattacks against infrastructure assets pose significant threats to various sectors, such as energy, water, transportation, supply chains, and U.S. communication networks, Darren Stephens, department manager for Cybersecurity Research and Development at Idaho National Laboratory’s Cybercore Integration Center, told Industrial Cyber. “These sectors are vulnerable to various attack vectors like ransomware attacks, which can be achieved in various ways. Some attacks are through phishing, social engineering schemes, and insider threats. Other sustained and persistent attacks are aimed at stealing sensitive information or sabotaging operations.”
Stephens mentioned that best practices to mitigate threats include regular training that demonstrates known attack methodologies, so individuals learn to recognize what is being used and how to properly identify it before being subjected to compromise. “Ensuring that cybersecurity policies are not just clearly communicated but readily achievable and accessible is also a good start. Leadership that promotes a culture of security awareness through positive reinforcement can also make a difference.”
Rob Lee, chief of research and head of faculty at SANS Institute, said that industrial environments face a shifting threat landscape, with ransomware, insider threats, and supply chain vulnerabilities topping the list. Many attacks now target OT systems directly, aiming for operational disruption or data exfiltration.
“To effectively raise awareness, organizations need to implement regular, targeted training programs that resonate with both employees and are understood by leadership,” Lee told Industrial Cyber. “This includes real-world examples, simulations, and scenario-based discussions that connect cybersecurity threats to their potential impact on safety, operations, and profitability.”
Dawn Cappelli, head of the OT-Cyber Emergency Readiness Team at Dragos, told Industrial Cyber that cyber threats vary by sector and geographic location. State actors have increased attacks against utilities, communications, transportation, and other critical infrastructure sectors for espionage, sabotage, and reputational harm. “Some aligned with hacktivist groups to increase the sophistication of hacktivist attacks. Hacktivist groups gained unauthorized access to Internet-exposed ICS/OT assets and conducted disruptive attacks against water utilities and other critical infrastructure organizations globally.”
Cappelli noted that successful cyberattacks in industrial environments used to be infrequent, but now they are common. “Organizations have many real examples to use, which is valuable since frequent communication is essential to keep cybersecurity front of mind in all employees.”
Armando Seay, executive cybersecurity consultant for cloud, ICS, and AI, told Industrial Cyber that there is continuous evidence from across the community of government and commercial cybersecurity practitioners that malware implants by nation-state adversaries and continuous probing for weaknesses in critical infrastructure targets are persistent.
“Data continues to indicate that the targeting of operators/asset owners of critical infrastructure is the low-hanging fruit and entry point into the critical infrastructure networks,” Seay pointed out. 
He added that general cyber training is not the answer. “What I have witnessed is that when you can provide cyber awareness sessions with finite cyber threat examples in context, it increases the cyber resilience of the organization. Critical infrastructure operators do not have the time to become cyber experts; they need to develop the sixth sense to recognize a threat when they see it as it applies to their ICS and related IT systems.”
More specifically, Seay said, “if I am training a water management company, I want to show them the results of an attack on the IT side of the house that locks up customer data and prevents receipt of payments or billing.” 
“On the ICS side, I want to show them how a well-placed attack impacts the pumping, or water filtration systems. But I also want to ensure that they understand how to detect and respond,” Seay said. “Cyber-attacks that impact water availability for humans but also attacks that target water used for agriculture have occurred overseas in countries like Israel and others. Educating the asset owners/operators using real-world industry-related examples is always a great cyber awareness accelerator.”

Role of leadership and culture in enhancing OT cybersecurity 
The executives discuss the impact of leadership and organizational culture on cybersecurity awareness and best practices in operational technology and industrial enterprises. They also examine the role initiatives like ‘Cybersecurity Awareness Month’ play in advancing these efforts.
Freeman mentioned that the promotion of a strong cybersecurity culture, especially one that fosters a questioning attitude, is key to bolstering organizational security. “Every employee should feel empowered to raise any cyber ‘red flags.’”
“Leadership and organizational culture play crucial roles in cybersecurity awareness. Leaders must prioritize and demonstrate proper cybersecurity hygiene and model best practices for others to emulate,” Stephens said. “Cybersecurity should be integrated into the organizational culture and not be treated as an afterthought or a once-a-year topic. That means allocating sufficient resources for cybersecurity initiatives, including training and technology. There are many out there.” 
For example, Stephens added that Idaho National Laboratory provides ICS training funded by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The training is available to anyone working in the OT environment.
Lee said that leadership sets the tone for how seriously cybersecurity is treated within an organization. “When leaders prioritize security and embed it into the culture—making it part of everyday discussions and logistics—awareness naturally follows.” 
He added that initiatives like Cybersecurity Awareness Month are great for keeping cybersecurity top of mind, as they offer a structured time to focus on security topics that might otherwise take a backseat, but it can never replace an organization that keeps it top of mind all year long.
Cappelli said that leadership – from supervisors to plant managers to the CEO – must reinforce the importance of cybersecurity frequently. “Leaders should address security like safety – you cannot have safety without security because a security breach could impact safety in our plants.” 
She added that organizations focus on cybersecurity during Cybersecurity Month, but it is important that messaging is constant throughout the year and that unique messaging specific to OT is delivered during that month to employees in OT environments.
“Cybersecurity awareness is a 365-day-a-year necessity. Providing relatable cybersecurity scenarios accelerates understanding and cyber knowledge retention,” Seay said. “One month alone for cyber awareness is not the answer for a threat that is ever present and opportunistic. Incorporating cybersecurity awareness into human resources performance assessments helps to elevate its impact and importance.”

Evaluating cybersecurity training, balancing readiness and efficiency
The executives evaluate how organizations can measure the effectiveness of their cybersecurity awareness programs and training within industrial settings. Furthermore, they consider how to balance cybersecurity preparedness with maintaining operational efficiency. 
The balance between cybersecurity initiatives and operational efficiency is a continual challenge, Freeman said. “Bringing engineering groups into security discussions early can improve communication between the two groups and increase partnerships between the organizations. A strong relationship does not mean that cybersecurity always ‘wins’ every discussion, however; the goal is to ensure situational awareness to support conversations around tolerable risk: where is there flexibility in cyber solutions and which cybersecurity initiatives are truly critical?”
Stephens said that assessing the effectiveness of cybersecurity awareness programs is extremely difficult without understanding the landscape, threats, and how many attacks are being performed against the environment. “However, there are several tools that can help assess the effectiveness of cybersecurity awareness programs and that includes feedback from employees about a program’s usefulness by using metrics to track reported phishing attempts or suspected incidents, evaluating the outcomes of simulated attacks, and conducting periodic audits.” 
He added that leveraging the resources that are already available to have a better-trained cybersecurity workforce can only help posture you for success. Organizations can take advantage of what’s out there to enhance their workforce knowledge.
“Assessment should be multifaceted—combining quantitative metrics, such as phishing simulation results or incident response times, with qualitative feedback from employees,” Lee said. “Surveys, interviews, and focus groups can shed light on how well the message is resonating. Striking a balance between awareness and operational efficiency requires an integrated approach—security should always enhance rather than hinder operations. Embedding cybersecurity into operational workflows ensures awareness without compromising employee and organizational efficiency.”
Cappelli identified that organizations should have a separate campaign for their OT environments for Cybersecurity Awareness Month, focusing on issues applicable to OT. “Cover topics like the risk of USBs spreading malware in plants, the risk of service providers infecting plant networks using USBs or by plugging laptops into the network, and the importance of following processes for secure remote access. For each topic, explain the risk – ‘Why’ – followed by ‘What’ – how to mitigate that risk. Include real cases – internal or external – for each topic when available.”
Seay said that any organization that is required to regularly account for and report on compliance using any of the NIST, ISO, IEC, or other cyber frameworks would by default have to address cybersecurity awareness of its organization as part of a risk and compliance assessment.
“The Cybersecurity Awareness Maturity Model has a five (5) phase set of standards that can be used to assess and measure the effectiveness of cybersecurity awareness programs as one example,” according to Seay. “The key to cybersecurity awareness in the IC environment is to educate at the level of the target audience. Said another way, meet them where they are/work on a daily basis. Managers and executives need a slightly different level of awareness training than do the operators and engineers of IC equipment and software. Typically, managers and executives need to understand the regulatory, reputational, compliance, and financial implications of ignoring cybersecurity.”
He added that assessments using penetration-testing techniques that target users with social engineering and phishing are another option.
“Another strategy is investing in cyber risk assessments that include the IC networks and systems,” Seay highlighted. “You can compare cyber maturity using the first assessment as a baseline and the subsequent assessment to assess progress or lack thereof. Cybersecurity training can be incorporated and should be in line with any other regular training needed to maintain an operationally up-to-date workforce. It should be viewed as a necessary component as would for instance safety training for personnel in a plant.”
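Stephens, Lee and Seay all point to quantitative measures: the number of reported phishing attempts, phishing-simulation results, response times, and a baseline assessment compared against a later one. The following Python script, added here as an illustration and not part of the original article or of any vendor's product, computes those numbers from a phishing-simulation event log. The CSV layout, the action names (sent, clicked, submitted, reported), the "resilience ratio" of reports to clicks, and the sample events themselves are all assumptions constructed for this example.

```python
"""Phishing-simulation metrics for an awareness programme (added example).

Assumed log format, one event per line: timestamp,campaign,user,action
where action is one of sent, clicked, submitted, reported.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional

# Constructed sample data: the same five users in a baseline campaign (Q2)
# and a later one (Q3). Not real data.
SAMPLE_LOG = """\
2024-07-01T08:00:00,Q2,alice,sent
2024-07-01T08:00:00,Q2,bob,sent
2024-07-01T08:00:00,Q2,carol,sent
2024-07-01T08:00:00,Q2,dave,sent
2024-07-01T08:00:00,Q2,erin,sent
2024-07-01T08:03:00,Q2,carol,reported
2024-07-01T08:05:00,Q2,alice,clicked
2024-07-01T08:06:00,Q2,alice,submitted
2024-07-01T08:10:00,Q2,bob,clicked
2024-07-01T08:30:00,Q2,erin,clicked
2024-07-01T08:35:00,Q2,erin,reported
2024-10-01T08:00:00,Q3,alice,sent
2024-10-01T08:00:00,Q3,bob,sent
2024-10-01T08:00:00,Q3,carol,sent
2024-10-01T08:00:00,Q3,dave,sent
2024-10-01T08:00:00,Q3,erin,sent
2024-10-01T08:02:00,Q3,alice,reported
2024-10-01T08:04:00,Q3,carol,reported
2024-10-01T08:08:00,Q3,bob,clicked
2024-10-01T08:09:00,Q3,bob,reported
2024-10-01T09:00:00,Q3,dave,reported
"""

VALID_ACTIONS = {"sent", "clicked", "submitted", "reported"}


@dataclass
class CampaignMetrics:
    sent: int
    clicked: int
    submitted: int      # users who entered credentials on the landing page
    reported: int       # users who reported the message to security
    click_rate: float   # clicked / sent
    submit_rate: float  # submitted / sent
    report_rate: float  # reported / sent
    median_minutes_to_report: Optional[float]  # None if nobody reported
    resilience_ratio: Optional[float]          # reported / clicked; None if nobody clicked


def parse_log(text):
    """Parse CSV lines into (timestamp, campaign, user, action); skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4 or parts[3] not in VALID_ACTIONS:
            continue  # blank or malformed line: ignore it rather than abort the report
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]))
        except ValueError:
            continue  # unparsable timestamp
    return events


def campaign_metrics(events):
    """Per-campaign metrics; a user counts once per action, at their earliest timestamp."""
    first = defaultdict(lambda: defaultdict(dict))  # campaign -> action -> {user: ts}
    for ts, campaign, user, action in sorted(events):
        first[campaign][action].setdefault(user, ts)
    results = {}
    for campaign, by_action in first.items():
        sent = by_action["sent"]
        if not sent:
            continue  # no delivery records, so no denominator
        n, clicked = len(sent), len(by_action["clicked"])
        reported = by_action["reported"]
        # Time-to-report is measured from the user's own delivery timestamp.
        minutes = [(ts - sent[u]).total_seconds() / 60 for u, ts in reported.items() if u in sent]
        results[campaign] = CampaignMetrics(
            sent=n, clicked=clicked, submitted=len(by_action["submitted"]), reported=len(reported),
            click_rate=clicked / n, submit_rate=len(by_action["submitted"]) / n,
            report_rate=len(reported) / n,
            median_minutes_to_report=median(minutes) if minutes else None,
            resilience_ratio=len(reported) / clicked if clicked else None,
        )
    return results


def compare(metrics, baseline, current):
    """Change in the headline metrics from a baseline campaign to a later one."""
    b, c = metrics[baseline], metrics[current]
    ttr = None if b.median_minutes_to_report is None or c.median_minutes_to_report is None \
        else c.median_minutes_to_report - b.median_minutes_to_report
    return {"click_rate": c.click_rate - b.click_rate,
            "report_rate": c.report_rate - b.report_rate,
            "median_minutes_to_report": ttr}


if __name__ == "__main__":
    m = campaign_metrics(parse_log(SAMPLE_LOG))
    for name, cm in m.items():
        print(name, cm)
    print("Q3 vs Q2:", compare(m, "Q2", "Q3"))
```

The report rate and the time-to-report are the numbers worth watching: a falling click rate alone can be achieved by making the lures easier, whereas more users reporting faster is the behaviour the awareness programme is actually trying to produce. Counting each user once per action keeps a single curious employee who clicked three times from distorting the rate.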

Initiatives for industrial operations to bolster security programs
The executives explored ways for industrial organizations to utilize Cybersecurity Awareness Month as a chance to initiate or enhance their cybersecurity awareness programs.
Freeman said that Cybersecurity Awareness Month activities are particularly helpful in that they provide a concrete time for an organization to take stock of their programs and ask what’s working well and what things need to be revamped.
Stephens said that at Idaho National Laboratory “our communications and IT teams have collaborated to establish a Cybersecurity Awareness Month campaign that raises awareness and provides resources internally and externally. It’s important to remind people of cybersecurity resources but also to empower them to be cybersecurity advocates through the use of interactive sessions, dedicated time to discuss real-world cases, or even individual anecdotes to make cybersecurity more impactful at the individual level.”
“Cybersecurity Awareness Month is a good time to re-engage employees and assess the maturity of existing programs,” Lee said. “Industrial organizations can leverage the increased focus on cybersecurity during this period to introduce new training modules, host workshops, or even organize competitions or awards for best cybersecurity practices. It’s also an excellent time to showcase leadership’s commitment to security, which can further reinforce a culture of vigilance throughout the organization.”
Cappelli said to measure effectiveness by the number of policy violations in plants that were covered in cybersecurity awareness communications. “Cybersecurity awareness preparedness doesn’t have to impede operational efficiency. In fact, requiring plant personnel to sit through online training is not the most efficient way to deliver training.” 
Seay looks at Cybersecurity Month as a great way to invigorate the organization and launch cybersecurity initiatives that are implemented and measured throughout the year culminating in a review of the organization and its personnel cybersecurity maturity. 

Developing inclusive cybersecurity strategies in organizations
The executives analyze the steps organizations can take to ensure their cybersecurity awareness programs and training are inclusive and accessible to all employees, regardless of their role or technical expertise.
“Cybersecurity teams should spend time generating use cases that resonate with employees and their varied roles and responsibilities,” Freeman said. “Overly generalized training tends to be less impactful for staff, so extra effort upfront improves outcomes and adoption.” 
Stephens said that to ensure inclusivity and accessibility, develop training materials that cater to as many different roles within the organization and address various levels of technical expertise. “Offer training in various formats, such as online courses, in-person workshops, and printed materials to reach a wider audience.” 
Additionally, he suggested using clear, jargon-free language and providing translations if necessary. “Most importantly, create channels for all employees to provide open and honest feedback so employees can improve on awareness programs through their comments and questions.”
“To ensure inclusivity, organizations must tailor training materials to different roles within the company, making them relevant to both technical and non-technical employees,” Lee said. “This could involve creating tiered training programs or role-specific learning paths. Accessibility can also be improved through multiple formats, such as video tutorials, hands-on workshops, and gamified learning experiences.” 
Ultimately, Lee said that the goal is to make cybersecurity awareness engaging, approachable, and relevant to every employee across the organization.
Cappelli called upon organizations not to implement a ‘one size fits all’ security awareness program across their organization – especially in OT. “The program should communicate to each employee based on their role. Office employees, product developers, plant operations staff, IT, and executives need to be aware of risks, threats, policies and procedures pertinent to them, and not be bogged down by sitting through training that has nothing to do with them.”
Seay said that the key is the implementation of regular cybersecurity awareness programs that reach the organization’s personnel at their level of responsibility and in context with their daily duties. Regular awareness training with knowledge retention measurement is essential. He also advocated incentivizing individuals to implement best practices and to report suspicious or anomalous system operational behavior, processes, or practices that they assess as posing a risk to the IC systems.
He pointed out that millions of dollars are spent on cybersecurity training in some organizations as one class or training fits all. 
“The U.S. government has taken this approach for instance when it rolled out the initial awareness campaigns for the NIST 800-171 Controlled Unclassified Information (CUI) Cybersecurity Maturity Model Certification (CMMC),” according to Seay. “Millions were spent on binders of training information that were handed out at training events across the U.S. and websites with training content were deployed.” 
In the end, Seay mentioned that any survey of the organizations that participated in this training indicated very little retention of any of the information and a marginal increase in cybersecurity awareness and understanding. “The common answer from the persons surveyed was it was too long, I do not have the time to become a cybersecurity expert though I want to comply and be more resilient, or I could not correlate the information to my industry segment.”