Thanks to Bridget O’Grady over at the ASDWA’s SecurityNotes blog for pointing at the updated WaterISAC cybersecurity guide, “10 Basic Cybersecurity Measures: Best Practices to Reduce Exploitable Weaknesses and Attacks”. While the overview of the 10 measures is written at a fairly high level of generality (a good overview for upper management), each of the 10 sections is accompanied by links to a number of supporting documents from organizations such as ICS-CERT, NIST and SANS. That alone makes this a very valuable reference document.
While all 10 of the cybersecurity measures are important, I would like to add my two cents’ worth on measure number 8 in this document: “Implement an Employee Cybersecurity Training Program”. Time and again we have seen that one of the easiest ways for an attacker to get past security measures is through social media attacks against system users, administrators and management. Organizations that implement an annual ‘read and understand’ training program are doing little to protect their employees against such attacks.
A cybersecurity training program must include detailed classroom presentations about corporate security policies, security programs and individual responsibilities in those programs, as well as training in recognizing and reporting suspicious emails. While online training courses may have some value, face-to-face classroom presentations are typically more effective in communicating the importance of cybersecurity to the organization. This is particularly true when the organization takes the time and expense to ensure that its training presenters have the tools (effective training materials, expertise, and presentation training) necessary to deliver effective classes.
But effective training cannot be limited to just periodic classes. There needs to be ongoing communication from a designated management representative about the importance of cybersecurity, the current state of cybersecurity in the industry and the organization, and news about updates on vulnerabilities and attacks.
Finally, consider the use of a social media attack incentive program. Conduct periodic in-house phishing attacks. Give small rewards and recognition to employees who report such attacks (and special, high-level recognition to employees who report real, outside phishing attacks), and consider the use of system shutdowns for employees who fall for the training attacks. Those shutdowns would need to include a one-on-one review of why the attack succeeded before system access is restored.
For training to be effective, it must be repetitive, targeted and ongoing. And the only way to know if it is actually effective is if the training is evaluated through end-of-training testing and periodic real-world follow-up assessments.