To meet this goal, technology-based solutions alone are insufficient, as even the best technology is inadequate if human operators are unaware of their role in mitigating the threat. To engage the human factor, behavioral change management plays a critical role in the deployment of any cyber security enhancement project, particularly when seeking to get ahead of the curve or when the corporate perception of risk is lagging.
Working with an oil and gas major to implement an accelerated cyber security program focused on proactively delivering resilience presented a unique set of challenges for the Pcubed team, particularly against the current economic backdrop. One key project focused on removable media (such as USB drives, smart devices and portable hard drives) as a threat vector within the industrial control systems (ICS) space. While well funded by enterprise IT, the accelerated pace needed to drive change across a vast array of diverse business units in a traditionally non-IT space required careful planning.
When undertaking this proactive cyber security change initiative, it was essential to quickly and clearly articulate the risk. In the evolving risk landscape, many operators may not understand the mechanisms by which malicious code can be transmitted; USB has been identified as the primary method used to spread Stuxnet, a malicious worm notoriously used to target Programmable Logic Controllers (PLCs) within automation systems. In the ICS space, many networks are operated by facility / mechanical engineers and sometimes leverage vendor-rich resource pools; these two groups often have a higher demand for file transfer flexibility, but are also outside the usual corporate IT messaging and communication channels. Engaging end users through existing channels of communication - where they exist - and training tailored to the specific user base significantly improves the adoption success rate. Using Business Unit Liaisons / Coordinators to push and pull communication and training through these channels enables effective engagement. Early establishment of appropriate communication channels for casual, contract or other non-traditional workforces is vital to drive awareness and build the desire to become part of the solution. Under this project, site champions were identified to perform local site visits and to post policy and process information at the worksite.
When developing a solution that resonates with end users, it was useful to demonstrate knowledge of the procedures and controls currently in use within the business. The project team used surveys to gather “current-state” data from each end user group to define maturity, then validated the findings, ensuring the resulting recommendations were demonstrably fit for purpose. Engaging end users in the conversation from this early stage builds the omnipresent foundational layer of all change models – Awareness. A thorough knowledge of the baseline practices also provided the opportunity to develop use cases in-house, acknowledging home-grown expertise within the company that was already proven to fit current operating models.
Roadmap to the Desired State
As deployments commenced, Pcubed began championing early adopters to share success stories and case history, which aided the project team in demonstrating the benefits of the action.
This project encountered end user resistance based on a perception of low return on investment in the current fiscal climate. Conversely, other stakeholders suggested that the solution did not go far enough, or provided only a low value-add intermediary step that could necessitate re-work in future. To satisfy both arguments, it was necessary to demonstrate the investment to be incremental, agile and supportive of current business practices.
Integrating cyber security is a modern cost of doing business, making many cyber security projects a matter of compliance. Proving measurable benefits (through championing of early adopters) in the short term, and providing a clear and concise roadmap for building out the capability over time, provided ample fodder to build up that desire and reduce adoption resistance. To help users understand the incremental approach, the project team leveraged industry best practices such as P3M3 and BISSM to design a maturity model to assess people, process and tool capability. Business units were measured against the model, and required actions and recommended practices were tailored to their current state. Business units with below-average practices were instructed on how to meet minimum benchmarks, with a focus on how this initial investment could be built upon as the processes matured.
Helping stakeholders and end users to understand the threat and change behavior, rather than relying on technology alone to mitigate risk, is not a small undertaking. The optimistic human condition can make it challenging to build up excitement when the risk doesn’t yet seem real to users. Supplementing change tactics with proven tools and techniques from three of the four Pcubed service lines: program delivery using Agile, change management, and enterprise project delivery helped ensure project success. The Pcubed project team found that early and active engagement through existing channels, and leveraging an Agile, incremental approach to solution design and deployment, goes a long way to breaking down resistance and enticing users from all fields into the mindset of maintaining a healthy cyber security posture.
For further information on this article and Pcubed, please email firstname.lastname@example.org.