When it comes to security, don’t give employee education short shrift
Put policies in place, and expect workers to play role in shielding company data
By Antony Daly, Special to ThirdCertainty
The German utility company, RWE, recently disclosed that its Gundremmingen nuclear power plant had been infected with computer viruses including W32.Ramnit and Conficker.
RWE took pains to point out there was no threat to the facility since it wasn’t connected to the internet, and the malware wasn’t targeted at ICS/SCADA systems.
However, the system that was affected was associated with plant equipment used for moving nuclear fuel rods—hardly ideal. As a precaution, the plant operator shut down the plant—a move that wasn’t taken lightly since it could result in significant reputational and financial damage.
While many questions will be asked in the coming investigation, one that rises to the top will be how the network was infiltrated. Was it a new advanced persistent threat or a criminal mastermind? The answer is neither. It is thought an employee plugged in a personal USB stick into the plant network after using it on the corporate network or on their personal system at home.
Could this have been avoided? Absolutely. Employee education is critical. As an employer, there is an expectation that duty of care is provided to your employees. There is a multitude of well-being, drug and alcohol awareness, stress avoidance, and other programs in the workplace. Yet when it comes to cybersecurity awareness, there tends to be a mind-set of “another IT-related issue—let’s just pay lip service to it.”
There needs to be a focused effort on educating and training employees about the risks they and their organization face when they are logged on.
In the example above, one employee managed to shut down a nuclear plant through the use of a USB device. Of course, they shouldn’t have done it, and the action points to a laissez-faire attitude to cybersecurity. However, the question that should be asked is, “Why were they allowed to do it in the first place?”
Make security priority
The incident raises further questions than whether there was an Acceptable Use policy in place. In an air-gapped system, is there a business requirement for allowing external devices to be connected to Operational Technology networks? Indeed, one of the National Institute of Standards and Technology’s cybersecurity framework sections calls for access control to protect assets.
While it’s easy to talk about what could have been done differently, it’s more beneficial to take away the lessons learned and ask some questions about the state of your networks.
- Is there a critical business requirement for allowing external storage devices to be connected to the networks?
- Is there an effective employee cybersecurity awareness program in place?
- Is the program tailored to suit all employee levels, including contractors and employees who don’t use a computer terminal for their day-to day work?
- Is the program classified as mandated regular training?
Employee education is critical. Recent research by CompTIA has indicated that the top cyber risks include human error and inadequate user education. I’m not suggesting that a company as large as RWE doesn’t have an acceptable user policy in place. Indeed, if such a policy exists, and the employee breached it, then the out-of-line worker deserves little sympathy.
But establishing employee protocols will greatly reduce the chance of contamination through the use of USB devices.