MAR-APR 2018


INTECH MARCH/APRIL 2018, page 45
Tips and Strategies for Integrators | channel chat

So many security breaches! Are we focusing on the wrong things?

By Paul Rostick

We obsess over tools and technologies when we should be focused on culture and commitment.

In the recent Equifax breach, which affected more than 143 million people, a routine security patch was not applied to a critical server. In the Target breach, which cost that company over $200 million, a vendor's remote access was not properly managed, and the information technology (IT) department ignored clear signs that the network was compromised. The Russian hackers who shut down the Ukrainian electric grid, affecting more than 80,000 customers, used phishing emails to trick users and steal their network accounts. And in what may be one of the scariest industrial security incidents so far, unknown hackers who compromised a Schneider Electric Triconex safety controller in Saudi Arabia reached their target because an engineering workstation was not properly isolated and secured.

Organizational failure

What these breaches, and thousands of others, have in common is this: They were not caused by a failure of technology—they were caused by a failure of the organization. You can be certain that all of these companies had some kind of cybersecurity policy, yet at the moment of greatest need they were unable to defend themselves. We see this pattern again and again—without a foundational security culture mandated by a clear executive commitment, cybersecurity efforts continue to fail, often miserably, and at great cost. This should be unacceptable.

Why do we obsess over security controls and not over security culture? Because controls are easy, and culture is hard. Anyone can write policies; you can find free templates on the Internet. Buying tools is fun, and any competent technician can install them. We get a sense of accomplishing something.

Changing an organization's culture requires far more effort to accomplish and far more energy to sustain. Culture cannot be delegated to technicians—it is the responsibility of the C-suite.

The irony is that we already learned this lesson from safety. We know that people will not necessarily behave safely. Left to human nature and the pressures of deadlines and costs, people, including management, take shortcuts, and soon people get hurt—or worse. As a result, we do not just buy hardhats, we instill culture. "Do it safely, brother. Everyone goes home."

Because safety and security are two sides of the same coin, one would think we would pick up on this correlation more clearly. Though we earnestly write policies, install tools, do assessments, and try to implement controls—we see from these breaches that without the sustaining culture, these efforts will unravel, just like safety unravels without its sustaining culture. If you are responsible for security, you cannot be everywhere reviewing every design and counseling every technician, every integrator, every engineer, and every operator on the myriad security implications of every action. The culture itself must do this. Security awareness and knowledge and skills and commitment must pervade the very fabric of the organization—just like safety. As the saying goes, if it isn't secure, it isn't safe.

And what about new projects? When you raise a warning about a potentially insecure design, will anyone hear you over the din of the project deadline? The safety guy can throw the red flag—can you? Not without a security culture.

Culture and commitment

As someone who built an industrial cybersecurity program from scratch, I have these lessons burned into my brain. You cannot truly fix a problem if you treat symptoms. Only correcting the root cause will fix the problem permanently.

The root cause failure that led to all those breaches, and all the breaches yet to come, is the lack of a security culture and a corresponding executive commitment to make security a core competency. For security to be an organization's core competency, you need an executive sponsor and a champion (preferably the CEO) who will advocate for the appropriate governance, funding, staffing, and training to create a real security program alongside your real safety program. If your executive has not made a clear commitment to a security culture, then at the worst moment, the organization will likely fail as have so many others. No one should be surprised when that happens. In any complex endeavor, without the necessary foundations of success, failure is practically preordained. Security is no exception.

I am not arguing against security controls, or tools or technologies, or policies or procedures or practices. They are necessary and critical—but they are not sufficient. They are not foundational. Security is not a thing; it is a management outcome, and there is no magic here: Culture and Commitment = Outcome.

ABOUT THE AUTHOR

Paul Rostick is the chief information security officer and industrial cybersecurity advisor for aeSolutions, a member of Control System Integrators Association (CSIA). In this dual role he advises both his own executives and customer executives on establishing strategic IT/OT cybersecurity programs.
