Security Culture in Industrial Control Systems Organisations: A Literature Review

Industrial control systems (ICS) are a key element of a country’s critical infrastructure, which includes industries like energy, water, and transport. In recent years, an increased convergence of operational and information technology has been taking place in these systems, increasing their cyber risks, and making security a necessity. People are often described as one of the biggest security risks in ICS, and historic attacks have demonstrated their role in facilitating or deterring them. One approach to enhance the security of organisations using ICS is the development of a security culture aiming to positively influence employees’ security perceptions, knowledge, and ultimately, behaviours. Accordingly, this work aims to review the security culture literature in organisations which use ICS and the factors that affect it, to provide a summary of the field. We conclude that the factors which affect security culture in ICS organisations are in line with the factors discussed in the general literature, such as security policies and management support. Additional factors related to ICS, such as safety culture, are also highlighted. Gaps are identified, with the limited research coverage being the most prominent. As such, proposals for future research are offered, including the need to conduct research with employees whose roles are not security related

Exploring the Security Culture of Operational Technology (OT) Organisations: The Role of External Consultancy in Overcoming Organisational Barriers

Operational Technology (OT) refers to systems that control and monitor industrial processes. Organisations that use OT can be found in many sectors, including water and energy, and often operate a nation's critical infrastructure. These organisations have been under a digitalisation process, which along with increasing regulatory pressures have necessitated changes in their cybersecurity practices. The lack of internal resources has often compelled these organisations to turn to external consultancy to enhance their security. Given the differences between OT and Information Technology (IT) security practices and that OT cybersecurity is still in its infancy, developing a security culture in OT environments remains a challenge, with little research investigating this topic. We have conducted 33 interviews with professionals with a security related role working in various OT sec-tors in the UK, on the subject of security culture development. Our analysis indicates three key organisational barriers to the development of a security culture: governance structures, lack of communication between functions, and the lack of OT cybersecurity expertise. Subsequently, the role of consultants and security solution vendors in overcoming these barriers through consultancy is demonstrated. We therefore argue that these stakeholders play a crucial part in the development of security culture in OT and conclude with recommendations for these organisations

A Review of Critical Infrastructure Protection Approaches: Improving Security through Responsiveness to the Dynamic Modelling Landscape

As new technologies such as the Internet of Things (IoT) are integrated into Critical National Infrastructures (CNI), new cybersecurity threats emerge that require specific security solutions. Approaches used for analysis include the modelling and simulation of critical infrastructure systems using attributes, functionalities, operations, and behaviours to support various security analysis viewpoints, recognising and appropriately managing associated security risks. With several critical infrastructure protection approaches available, the question of how to effectively model the complex behaviour of interconnected CNI elements and to configure their protection as a system-of-systems remains a challenge. Using a systematic review approach, existing critical infrastructure protection approaches (tools and techniques) are examined to determine their suitability given trends like IoT, and effective security modelling and analysis issues. It is found that empirical-based, agent-based, system dynamics-based, and network-based modelling are more commonly applied than economic-based and equation-based techniques, and empirical-based modelling is the most widely used. The energy and transportation critical infrastructure sectors reflect the most responsive sectors, and no one Critical Infrastructure Protection (CIP) approach – tool, technique, methodology or framework – provides a ‘fit-for-all’ capacity for all-round attribute modelling and simulation of security risks. Typically, deciding factors for CIP choices to adopt are often dominated by trade-offs between ‘complexity of use’ and ‘popularity of approach’, as well as between ‘specificity’ and ‘generality’ of application in sectors. Improved security modelling is feasible via; appropriate tweaking of CIP approaches to include a wider scope of security risk management, functional responsiveness to interdependency, resilience and policy formulation requirements, and collaborative information sharing between public and private sectors

Improving the Cybersecurity of Critical National Infrastructure using Modelling and Simulation

The UK Critical National Infrastructure is critically dependent on digital technologies that provide communications, monitoring, control, and decision-support functionalities. Digital technologies are progressively enhancing efficiency, reliability, and availability of infrastructure, and enabling new benefits not previously available. These benefits can introduce vulnerabilities through the connectivity enabled by the digital systems, thus, making it easier for would-be attackers, who frequently use socio-technical approaches, exploiting humans-in-the-loop to break in and sabotage an organization. Therefore, policies and strategies that minimize and manage risks must include an understanding of operator and corporate behaviors, as well as technical elements and the interfaces between them and humans. Better security via socio-technical security Modelling and Simulation can be achieved if backed by government effort, including appropriate policy interventions. Government, through its departments and agencies, can contribute by sign-posting and shaping the decision-making environment concerning cybersecurity M&S approaches and tools, showing how they can contribute to enhancing security in Modern Critical Infrastructure Systems