When companies think about cybersecurity training, they often focus on employees outside technology. But for organizations in critical infrastructure, it is the engineers who stand at the front line of cybersecurity risk, and they are often the ones without the appropriate training.
"Who knows about engineering systems? The engineers. Who has been excluded from the world of cybersecurity? The engineers," said Joe Weiss, managing partner of Applied Control Solutions, LLC, during a webcast hosted by ThreatConnect Wednesday. Cybersecurity skills are the next natural step for a career in engineering as companies rely on engineers to operate secure systems.
Vendors, educated end users and regulators do not help "when you have all of this guidance for critical infrastructure security being entirely predicated on a network," Weiss said. "When things start going wrong, [engineers] don't even know when to go to the network people to say, 'have you seen similar things?'"
Network security professionals look for anomalies in the network; engineers look for anomalies in the process. An issue inside a process often produces no network irregularity at all, so the two groups can be watching different signals for the same event.
Engineers may be fundamental to a business, but bringing them into cybersecurity is part of a larger cultural shift, which takes time. The ultimate test of a cyber-ready company culture is one where employees think differently — business continuity is not the sole indicator of a secure network. This is where training comes into play.
When overhauling an organization's culture of cybersecurity — or building one where none exists — Tim Grieveson, CISO of Aveva PLC, recommends revisiting the basics, he said during the webcast. Companies should be able to answer:
- How effective is our training? Are employees well-versed in security?
- Do we consider and implement security throughout our design process? Is security a component of maintenance measures?
- Are vendors charging extra for adding security to their offering? Are our partners best of breed?
Security has a role to play once it becomes tempting to connect and monitor everything in an environment. But Grieveson argues that companies should first question whether connecting and monitoring everything is necessary at all. Where it is, refresh the security policies and controls that protect the connection.
When companies are modernizing, "I think it should be behavioral," Grieveson said. Rather than reacting to a monitoring alert and concluding that something is broken, engineers should instinctively ask "have we seen an increase in the data? Is it giving some peaks and some spikes that we haven't seen before?" and look for unusual patterns of information consumption.
By combining the expertise and observations between engineers and security professionals, companies have an entirely new dataset to review for abnormalities or vulnerabilities that threaten the business as a whole.
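The two ideas above (spikes in process data that the engineers would notice, and a combined engineering-plus-network view) can be made concrete with a small detector. The following is an added example, not code from the article or from either speaker's company: it scores each reading of a process variable against a rolling baseline of the previous readings, then checks whether each flagged minute has a network alert nearby. The tank-level readings, the network alerts, the window size and the z-score threshold are all constructed for illustration.

```python
"""Added example (not from the article): flag spikes in a process variable
against a rolling baseline, then check whether each flagged minute has a
network alert close to it. All data below is constructed sample data."""
from statistics import mean, pstdev

# Constructed: one tank-level reading (percent) per minute. Minutes 0-29 are a
# steady baseline; minutes 31-32 hold an abrupt excursion that then settles.
CONSTRUCTED_LEVEL = [50.0 + (i % 3) * 0.2 for i in range(30)] + [
    50.3, 68.5, 70.2, 50.4, 50.2, 50.0, 50.3]

# Constructed: (minute, description) alerts of the kind a network monitoring
# tool might raise during the same period.
CONSTRUCTED_NETWORK_ALERTS = [
    (5, "firewall denied inbound connection to historian"),
    (30, "new device seen on control VLAN"),
]


def rolling_spikes(readings, window=30, threshold=4.0, min_std=0.1):
    """Return the indices whose value deviates from the mean of the previous
    `window` readings by more than `threshold` standard deviations.

    `min_std` floors the standard deviation so that a perfectly flat baseline
    does not turn every tiny wobble into a spike (and avoids division by zero).
    """
    flagged = []
    for i in range(window, len(readings)):
        baseline = readings[i - window:i]          # only readings before i
        mu = mean(baseline)
        sigma = max(pstdev(baseline), min_std)
        if abs(readings[i] - mu) / sigma > threshold:
            flagged.append(i)
    return flagged


def classify_anomalies(readings, alerts, tolerance=1, **spike_kwargs):
    """Pair each process spike with network alerts within `tolerance` minutes.

    Returns a list of (minute, status, nearby_alert_descriptions). A spike with
    no nearby alert is the case the article describes: the process side sees
    it, the network side sees nothing, and only a combined view surfaces it.
    """
    result = []
    for i in rolling_spikes(readings, **spike_kwargs):
        nearby = [desc for minute, desc in alerts if abs(minute - i) <= tolerance]
        status = "correlated" if nearby else "process-only"
        result.append((i, status, nearby))
    return result


if __name__ == "__main__":
    for minute, status, nearby in classify_anomalies(
            CONSTRUCTED_LEVEL, CONSTRUCTED_NETWORK_ALERTS):
        print(f"minute {minute:>3}: level={CONSTRUCTED_LEVEL[minute]:.1f} "
              f"{status} {nearby}")
```

On the constructed data the excursion at minutes 31 and 32 is flagged; minute 31 falls within one minute of a network alert and is reported as correlated, while minute 32 has no network counterpart and is reported as process-only, which is the signal that would otherwise be lost if only the network team were looking. Note that the rolling baseline includes the spike itself once it has passed, which is why the readings right after the excursion are not flagged; a production detector would typically freeze or robustify the baseline (median and MAD, for example) so that an ongoing excursion cannot mask itself.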
"You don't have the ability to know whether incidents were cyber related or not, which is why training and everything else is going to be so important," said Weiss.