When it comes to security, don’t give employee education short shrift

Put policies in place, and expect workers to play role in shielding company data


The German utility company, RWE, recently disclosed that its Gundremmingen nuclear power plant had been infected with computer viruses including W32.Ramnit and Conficker.

RWE took pains to point out there was no threat to the facility since it wasn’t connected to the internet, and the malware wasn’t targeted at ICS/SCADA systems.

However, the system that was affected was associated with plant equipment used for moving nuclear fuel rods—hardly ideal. As a precaution, the plant operator shut down the plant—a move that wasn’t taken lightly since it could result in significant reputational and financial damage.


While many questions will be asked in the coming investigation, one that rises to the top will be how the network was infiltrated. Was it a new advanced persistent threat or a criminal mastermind? The answer is neither. It is thought an employee plugged a personal USB stick into the plant network after using it on the corporate network or on their personal system at home.

Change expectations

Could this have been avoided? Absolutely. Employee education is critical. As an employer, there is an expectation that a duty of care is provided to your employees. There is a multitude of well-being, drug and alcohol awareness, stress avoidance, and other programs in the workplace. Yet when it comes to cybersecurity awareness, there tends to be a mind-set of “another IT-related issue—let’s just pay lip service to it.”

There needs to be a focused effort on educating and training employees about the risks they and their organization face when they are logged on.

In the example above, one employee managed to shut down a nuclear plant through the use of a USB device. Of course, they shouldn’t have done it, and the action points to a laissez-faire attitude to cybersecurity. However, the question that should be asked is, “Why were they allowed to do it in the first place?”

Make security a priority

The incident raises questions beyond whether there was an Acceptable Use policy in place. In an air-gapped system, is there a business requirement for allowing external devices to be connected to Operational Technology networks? Indeed, one of the sections of the National Institute of Standards and Technology’s cybersecurity framework calls for access control to protect assets.


While it’s easy to talk about what could have been done differently, it’s more beneficial to take away the lessons learned and ask some questions about the state of your networks.

  • Is there a critical business requirement for allowing external storage devices to be connected to the networks?
  • Is there an effective employee cybersecurity awareness program in place?
  • Is the program tailored to suit all employee levels, including contractors and employees who don’t use a computer terminal for their day-to-day work?
  • Is the program classified as mandated regular training?
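The first question on that list, and the access-control point raised above, both come down to a technical control: if there is no business requirement for removable storage on an OT host, the host should refuse it regardless of what the user plugs in. The script below is an added example, not code from the article or from RWE, showing one way to enforce and audit that on a Linux host. It assumes the hosts use modprobe.d drop-ins (standard kmod behaviour) and it writes into whatever directory you pass, so it can be exercised against a scratch copy rather than the live /etc.

```shell
#!/bin/sh
# Added example (not from the article): deny the Linux USB mass-storage
# driver via a modprobe.d drop-in, then audit that the denial is present.
# Assumption: hosts use kmod/modprobe.d. The directory argument stands in
# for /etc, so the functions can be run against a scratch directory.

# Write the drop-in. 'install usb-storage /bin/true' makes any request to
# load the module run /bin/true instead (so the module never loads), and
# 'blacklist usb-storage' stops alias-based autoloading when a device
# is inserted. Together they match the usual hardening-guide pattern.
write_usb_storage_block() {
    etc_dir="$1"
    mkdir -p "$etc_dir/modprobe.d" || return 1
    cat > "$etc_dir/modprobe.d/block-usb-storage.conf" <<'EOF'
# Removable mass storage is denied on this host (see acceptable use policy).
install usb-storage /bin/true
blacklist usb-storage
EOF
}

# Audit: return 0 only when some modprobe.d drop-in both overrides the
# install command for usb-storage and blacklists it; otherwise return 1.
# A blacklist on its own is not enough, since an explicit 'modprobe
# usb-storage' still loads a merely blacklisted module.
usb_storage_blocked() {
    etc_dir="$1"
    [ -d "$etc_dir/modprobe.d" ] || return 1
    grep -qsE '^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+/bin/(true|false)' \
        "$etc_dir"/modprobe.d/*.conf || return 1
    grep -qsE '^[[:space:]]*blacklist[[:space:]]+usb-storage' \
        "$etc_dir"/modprobe.d/*.conf || return 1
    return 0
}

# Stand-alone demo against a scratch directory (constructed, not /etc).
scratch="${TMPDIR:-/tmp}/usb-block-demo.$$"
mkdir -p "$scratch"
if usb_storage_blocked "$scratch"; then
    echo "unexpected: empty config reports usb-storage blocked"
else
    echo "before: usb-storage not blocked in $scratch"
fi
write_usb_storage_block "$scratch"
if usb_storage_blocked "$scratch"; then
    echo "after: usb-storage blocked in $scratch"
fi
rm -rf "$scratch"
```

To apply it to a real host, pass `/etc` as the directory and reboot or unload any already-loaded `usb_storage` module; `modprobe -n -v usb-storage` (dry run) then reports the install override instead of loading the driver, which is the check an auditor can script across the fleet. Pair the control with the awareness program the article asks for, so that employees know the block exists and why, rather than discovering it by trial.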

Employee education is critical. Recent research by CompTIA has indicated that the top cyber risks include human error and inadequate user education. I’m not suggesting that a company as large as RWE doesn’t have an acceptable use policy in place. Indeed, if such a policy exists and the employee breached it, then the out-of-line worker deserves little sympathy.

But establishing employee protocols will greatly reduce the chance of contamination through the use of USB devices.