Get in touch

Secure-by-Design (part 3) – The culturally aligned cyber security management system

Efforts to counter cyber threats to operational technology of energy transition assets naturally tend to focus upon technical measures during the design stage. Equally important however, to effectively maintain cyber risks at acceptable levels during operations, are a cyber security management system that is positively aligned with a proactive cyber security organisational culture. But what should the management system address and how should it align to the culture?

This is the final article of a three-part series that aims to set out an approach to help ensure energy transition assets are “secure-by-design”.

INTRODUCTION

The first article of this three-part series described the various types of cyber attackers and how their strikes can extend beyond commercial disruption of the business. The threat of a bad actor taking over control of the operational technology (OT) of an energy transition asset is very real, with the potential to impact the physical safety of personnel. The second article laid out a consequence-based approach to cyber security risk assessment (CSRA) that can be applied during the design phase of an asset. The article also described how the extent of the measures to counter identified vulnerabilities should be proportionate to whether the organisation is seeking to defend against a baseline or enhanced level of threat.

This third and final article recognises that achieving cyber security is not a one-off exercise in assessing risk and implementing technical and procedural countermeasures. What is required is an effective management system that strives to maintain an ongoing state of cyber security throughout the lifecycle of the asset, aligned with a proactive cyber security culture.

PURPOSE OF THE CYBER SECURITY MANAGEMENT SYSTEM

The primary purpose of a cyber security management system (CSMS) is to provide a systematic and structured approach to managing cyber security risks within the organisation and across all its assets and their lifecycles. It aims to:

  • Implement a cyber security risk management framework, where the organisation prioritises its efforts and allocates resources effectively to address the most significant risks.
  • Assure compliance with industry standards and regulatory requirements.
  • Ensure technical countermeasures introduced during design maintain their function throughout the operational life of the asset so that it remains both secure and safe.
  • Enable effective incident response by having well-defined processes in place to detect, respond to, and recover from cyber security incidents.
  • Promote continuous improvement by incorporating regular monitoring, auditing, and review processes.

The idea behind any management system is that an organisation cannot expect to protect against complex and evolving risks, like cyber attacks, with a patchwork of procedures, reliance on individuals and by taking ad hoc action. A comprehensive, structured, and organisational approach is required. The CSMS applies the “plan-do-check-act” quality management cycle, enabling continuous improvement of cyber security. The CSMS builds trust and confidence among stakeholders by providing assurance that appropriate measures are not only in place today, but that they will be consistently maintained and be improved upon to provide adequate security in the future.

ALIGNING THE MANAGEMENT SYSTEM AND CULTURE

The CSMS needs to be “culturally aligned”, which means the management system and the cyber security culture are fully in sync and mutually supportive. An effective CSMS can facilitate the development of a good cyber security organisational culture, and a proactive and positive cyber security culture will help the CSMS to become fully embedded and actioned within the organisation.

A well-designed CSMS provides the framework, policies, and procedures necessary for managing cyber security risks, but it is the people within the organisation who must embrace and live by those standards. If the organisational culture does not prioritise or value cyber security, even the most robust CSMS will struggle to be effective. For example, an organisation may have implemented rigorous policies for software updates and patching to address vulnerabilities promptly. But employees may view software update notifications as mere inconveniences and consistently delay or ignore them, leaving systems vulnerable. However, if the culture embraces cyber security as a shared responsibility and employees understand the potential consequences of unpatched vulnerabilities – especially those that could impact the safety of workers – they  will be more likely to prioritise and comply with the patching policies.

By fostering a culture where cyber security is valued, understood, and practiced at all levels, and by ensuring that the CSMS is designed to bolster and enable that culture, organisations can create a self-reinforcing cycle of continuous improvement in their cyber security posture. The CSMS provides the structure and processes, while the culture instils the mindset and behaviours necessary for those processes to be effectively implemented and sustained over time.

STRUCTURE OF THE CYBER SECURITY MANAGEMENT SYSTEM

The UK’s National Cyber Security Centre (NCSC) introduced the Cyber Assessment Framework (CAF) in 2022 as the assurance framework for government (Ref. 1). The CAF collection is aimed at helping an organisation achieve and demonstrate an appropriate level of cyber resilience. The UK’s safety regulator, the Health and Safety Executive (HSE), based its operational guidance for cyber security of OT (Ref. 2), around the CSMS described in the CAF.

The CAF provides a useful framework to structure the CSMS. It sets out the organisational countermeasures to achieve overall management of cyber security, and to ensure that associated technical countermeasures are appropriately managed, see Figure 1.

Figure 1 – Cyber security management system (derived from Ref. 2)

The CSMS is structured around four objectives:

A) Managing security risk

This covers the overall governance, risk management, asset management, and supply chain aspects of a CSMS. It involves establishing a governance framework with leadership, policies, and ongoing risk assessment. It requires procedures for identifying and managing OT assets throughout their lifecycle, as well as identifying and managing risks from third-party suppliers and services. The goal is to provide overarching management arrangements for understanding and addressing OT cyber security risks.

B) Defending against cyber attack

Achieving this objective requires technical and procedural controls to protect OT components from cyber threats. This includes identity and access management, data protection, system hardening and defensive architectures, patch management, physical security controls, and resilience requirements like backups and redundancy. It also covers policies, processes, and training required to properly implement and manage the cyber security controls over time in a disciplined way.

C) Detecting cyber security events

Procedures are needed to monitor for and detect potential cyber security incidents and compromises. This includes specifying security monitoring data sources, log analysis, malicious code detection, and situational awareness of threats and vulnerabilities. More proactive testing like baseline monitoring, vulnerability scanning and penetration testing can supplement basic monitoring practices once they are mature.

D) Minimising the impact of cyber incidents

Having an incident response plan is critical for quickly recognising, containing, and recovering from a cyber attack. The plan should cover roles, reporting, initial containment, data collection, analysis, escalation, and recovery actions based on likely threat scenarios and impacts. Where the cyber attack has caused asset damage and threatened lives, for example structural collapse of a wind turbine due to an induced overspeed, then the response must align with the wider emergency response plan – cyber security does not exist in isolation. Exercising the plan is important, as is conducting lessons learned reviews after incidents to identify areas for prevention and improvement.

THE POSITIVE CYBER SECURITY CULTURE

It is quite common within technical risk domains, such as cyber security, that the management system can become overly complex.

The system is often developed by technical experts, primarily with other technical personnel in mind. As a result, the system may appear sound in theory with well-intended procedural countermeasures but fail to account for the practical realities faced by workers in their daily work. This gives a false sense of security, as employees struggle to adhere to unrealistic expectations and end up finding workarounds that undermine the system’s effectiveness. It is a well-established pattern that when a restrictive procedure makes an employee’s job unnecessarily difficult or impractical, human nature drives them to seek unofficial shortcuts to accomplish their tasks on time.

When it comes to cyber security, employees are frequently referred to as the “weak link”. But in practice it is the management system that is the weak point if it does not adequately recognise the need for lean and practical processes, for procedures that people can understand and readily act upon, and for appropriate levels of initial and refresher training. A culturally aligned CSMS safeguards through security awareness and an appreciation for how people work, not through overengineered processes that discourage compliance.

The starting point for employees is usually cyber security awareness training. The entry point for a cyber criminal onto an organisation’s network and from there into the OT can be as simple as a “phishing” email. This attack tricks untrained or inattentive users into revealing sensitive information like login credentials or into installing malware. Employees need to know why and how cyber threats are specifically important and relevant to them, and what the consequences of poor cyber security might look like. People tend to be surprised to learn that a cyber attack can initiate a safety incident, for instance a fire due to instigating a fault at an HV transformer. With this understanding, when employees complete the training they will feel motivated to be more diligent.

If cyber security awareness is the basic knowledge of cyber security issues, then a positive cyber security culture is the resultant behavioural patterns and dedication of all employees to implementing that knowledge. It is about adhering to the organisation’s pragmatic policies and procedures that have been integrated into normal workflows as seamlessly as possible, without causing undue burden or friction.

The key is making cyber security an organisational value through visible leadership, integrated processes, open communication, proper incentives, continuous awareness, and a supportive environment for managing cyber risk. Over time the cyber security culture will evolve, climbing the “cultural ladder”, aspiring to reach the highest level of a generative, high reliability culture, where cyber security is simply part of everything that is done – “how we do business round here”.

FOLLOW THE LEADER

Ultimately, it is the leaders who drive the organisational culture. If cyber security demonstrably matters to them, then the workforce is more likely to embrace cyber security too. Employees take cues from what their leaders say and do. If a leader’s actions contradict the stated cyber security policies and messaging, then people will conclude that cyber security is not genuinely important.

For example, if the organisation has a policy prohibiting the use of unauthorised USB drives or external storage devices due to the risks of malware infections, a leader leaving a personal USB drive plugged into their work computer would send the wrong message. Any employees witnessing this could reasonably conclude that the leader does not truly take the policy seriously themselves.

Leaders need to be vocal about the critical reasons behind the emphasis on cyber security and personally adhere to security protocols and best practices.

Conclusion

The goal of the CSMS is to help organisations pursuing the energy transition to achieve and demonstrate an appropriate level of cyber resilience by creating “secure-by-design” assets and then ensuring the assets remain secure throughout their lifetimes. An asset cannot be safe-by-design if it is also not secure-by-design.

A well-structured CSMS sets out how the organisation manages overall cyber security, as well as how the technical countermeasures are managed. In what is a very technical domain, it is crucial that the management system is not overly complicated, and that demands upon people are realistic. By nurturing a culture where cyber security is valued, and by ensuring that the CSMS is designed to align with and reinforce that culture, organisations can create a virtuous cycle of continuous improvement in cyber security.

REFERENCEs

  1. Cyber Assessment Framework, National Cyber Security Centre, https://www.ncsc.gov.uk/collection/cyber-assessment-framework (accessed 15.6.24).
  2. Cyber Security for Industrial Automation and Control Systems (IACS), HSE OG-0086 (Operational Guidance), Edition 2, August 2021.

RELATED CAIRN CONTENT

Secure-by-Design (part 1) – The cyber threat, and regulatory expectations
Secure-by-Design (part 1) – The cyber threat, and regulatory expectations
Secure-by-Design (part 2) – Cyber security risk assessment and countermeasures
Secure-by-Design (part 2) – Cyber security risk assessment and countermeasures
Sustainable-by-Design –Pioneering engineering for a better future
Sustainable-by-Design –Pioneering engineering for a better future

Contact Us

Want to discuss your requirements?
Get in touch

Jump to Top