The Stages of Cyber Awareness Syndrome
I recently had the opportunity to circle the globe visiting 25 critical infrastructure customers. I set a simple agenda of cybersecurity pain points, and here is what I observed. Imagine that you work for an organization that represents critical infrastructure (electricity, water, transportation, etc.) and you are given the mission to make your organization cybersecure. What you are about to experience probably follows closely with the stages of grief.
First, you are hit with overwhelming shock: Yesterday I was a networking or controls engineer—how do I support cybersecurity? This aligns with the issue of ownership: can we hire someone to lead this effort, should we outsource this responsibility, or can insurance transfer the risk? In most cases, organizations try all of these tactics. They appoint a director of operational technology (OT) security, they hire outside consultants to accelerate program development and assessments, and their legal teams sharpen their pencils. Within a few months, this leads to paperwork glory (just like our cyber adversaries, we target the path of least resistance). Organizations recognize the potentially devastating consequences of not being cybersecure; overnight, cybersecurity tops their charts, second only to safety in importance, while regulations and industry frameworks start to represent the North Star for guidance. Assessments are reviewed and, on the surface, it seems that a few powerful IT tools have saved the day. Chief information security officers (CISOs) can proudly report that organizational maturity ranks high on the charts.
This, unfortunately, is where denial sets in. Organizations declare that OT systems are secure, ignoring the reality of unchanged default passwords and nonexistent patching. The reality is that, as employees, our performance is graded on our successes, and we live in a society that seeks instant gratification. Direct reports immediately recognize expectations and present status updates that confirm their leaders’ desires. This experience reminds me of when Alan Mulally became CEO of Ford Motor Company and division leaders presented business review charts that showed nothing but green statuses, while the company was projected to lose approximately $10B that year. One wise cybersecurity director I spoke with used an analogy from The Lion King: “Everywhere the light touches is secure; the darkness is OT cybersecurity, and you should never go there.” Many CISOs admitted that they were “cyber aware,” meaning that programs had been established and requirements were understood, but they were still struggling to reduce risk for OT systems.
We now reach the stage of anger. Organizations design security controls for OT systems that prevent engineers and technicians from using the workflows they are accustomed to. Security controls remove administrator rights from laptops, disallow the installation of third-party software, delete shared accounts, and, citing information security, restrict emailing event reports to vendors. How can engineers and technicians meet productivity requirements and maintain a reliable OT system under these conditions? So they enter the bargaining stage, discovering workarounds with secondary laptops, remote access support, and requests for additional funding. From a safety perspective, these safeguards are akin to requirements to wear arc-resistant PPE or fall harnesses when performing work. Unfortunately, the culture has accepted the value of safety but is reluctant to accept security controls.
At this stage, we find organizations in a depression. Those looking to move beyond it must adopt a holistic strategy for managing OT cybersecurity that starts with planning and procurement and includes lifecycle management of systems. This turning point creates checkpoints, or gateways, in projects that incorporate security reviews, audits, and maintenance. The search for silver-bullet technologies fades and priorities begin to focus on pain points and system-level risk mitigation, as organizations finally begin to reach the stage of acceptance. Cyber-informed engineering allows risk filters to highlight high-impact consequences and design solutions in a collaborative way. I personally believe that government regulation is only necessary when there is an imbalance between the risk that society is willing to accept and the risk that service providers are willing to accept. Mature organizations are able to avoid getting frozen while awaiting regulatory clarity and push beyond compliance toward actual security. Society expects us to protect critical infrastructure with minimal impact on their wallets, which requires that we jointly accept this responsibility and collaborate as public/private partners through each stage of cybersecurity grief.
Which stage of cyber awareness syndrome is your organization at? Are you willing to look closely at the evidence and embrace the challenge to progress? Fortunately, in my meetings with critical infrastructure customers, I saw many signs that the syndrome is curable:
- The invite—So many customers were eager to share their challenges and saw immediate value in closer communications with cybersecurity experts and supply chain partners.
- The learning—Customers are investing in themselves; many highlighted papers they read, training courses they completed, and efforts to convert their IT experience to applicable OT security strategies.
- The collaboration—A theme of working smarter, not harder, was embodied by many. Unlimited resources of money and people will not be available; therefore, collaboration with internal and external stakeholders provides more opportunities for optimization of security strategies with best-known methods and templates for accelerated success.
- The awareness—This is a key first step. Understanding objectives and requirements helps ensure that ideas are properly aligned and reporting to leadership and auditors is well prepared.
- The vendors—We are seeing lots of improvements in the ways that technology is designed for purpose-built functionality and ease of incorporation into security objectives. Growing maturity in product development is critical to holistic system security throughout the lifecycle.
Contributor
Will Edwards, CISSP, PE
Senior Engineering Manager, Infrastructure Defense
will_edwards@selinc.com