The biggest risk to security in the nuclear energy sector is a shortage of people trained in cybersecurity and risk management, according to a new report by the Office of Inspector General (OIG) on the Nuclear Regulatory Commission's threat readiness. The OIG report was released at the same time SANS published the results of its OT/ICS Security Survey, which reached much the same conclusion.
An overwhelming 62% of survey respondents said that their most pressing risk is people. And, as the survey also reports, the shortage of trained security, assessment and response staff is only part of the problem.
"The category of 'People' represents a broad risk category: It encompasses both your internal workforce and external workforce," said Barb Filkins, SANS Analyst Program research director and co-author of the survey, during a live webcast held on June 12. "And ... every cybersecurity attack starts with a person or people, even those that come from a nation-state."
In the SANS survey, both the number of respondents reporting attacks against ICS systems and the frequency of those attacks rose. The largest growth was in the 6-10 incidents band, which went from 6% of respondents in 2017 to 18% in 2019. A further 12% of respondents reported more than 11 incidents.
Organizations that suffered cyberattacks against their OT/ICS systems cite foreign nation-states and state-sponsored activity as their second most common threat actor. This category rose from 0% of respondents in 2017 to 28% in 2019. Given the international political climate and threats of cyberwar, the number of state-sponsored attacks is likely still growing.
The OIG report cites the need for more security training for staff and expresses concern over the lack of staff dedicated to these functions. Its concerns align with the SANS survey results, in which 54% of respondent organizations assign responsibility for OT/ICS security to their CSOs and CISOs and 42% to their IT manager, while day-to-day security for such systems is split between OT and security departments.
The SANS survey also clearly indicates the need for more training and staffing in organizations that operate interconnected OT/ICS systems. The top three budget areas tied to training are: training staff who have access to these systems (32%), adding staff to implement and manage security (21%), and training and developing staff to implement and maintain it (20%).
Every successful security program and incident recovery starts and ends with a good team, asserts Filkins. "Increasing this awareness and skills is not the largest budget item, but it is certainly most important," she said during the webcast. "It all starts with people who are qualified to make decisions."
Advice and Resources
Key observations and advice around people, processes and technology are provided at the end of our SANS survey report. The OIG report offers similar advice.
Start by learning about your systems: inventory and assess them and their connections. Then develop and implement people, processes and technology in a way that is flexible enough to cover new and emerging threats and regulations.
SANS also regularly updates its courses on OT/ICS and SCADA security.
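The inventory-and-assess step above is easiest to act on once assets and their connections are written down in a form that can be checked mechanically. The following is an added example, not code from the SANS survey, the OIG report or any vendor: it takes a constructed inventory (hypothetical asset names, zone labels "corporate", "dmz" and "ot", and owner fields) plus a list of observed connections, and reports OT assets reachable from a corporate or internet zone, assets with no assigned owner, and connection endpoints that are missing from the inventory. The zone names and the shape of the inventory are assumptions for illustration.

```python
"""Assess an OT/ICS asset inventory and its connections (added example)."""
from collections import deque

# Constructed sample inventory (hypothetical, not real data): each asset
# has a network zone and an owner responsible for its security.
ASSETS = {
    "hist-01":   {"zone": "dmz",       "owner": "it"},
    "eng-ws-03": {"zone": "ot",        "owner": None},   # nobody owns it
    "plc-07":    {"zone": "ot",        "owner": "ot"},
    "scada-srv": {"zone": "ot",        "owner": "ot"},
    "vpn-gw":    {"zone": "corporate", "owner": "it"},
    "erp-app":   {"zone": "corporate", "owner": "it"},
}

# Constructed directed connections (source -> destination), as might be
# collected from firewall rules or flow logs.
CONNECTIONS = [
    ("rmt-laptop", "vpn-gw"),      # endpoint not in the inventory
    ("erp-app", "hist-01"),
    ("hist-01", "scada-srv"),
    ("vpn-gw", "eng-ws-03"),
    ("eng-ws-03", "plc-07"),
    ("scada-srv", "plc-07"),
]

# Zones treated as untrusted relative to the OT network (assumed labels).
EXTERNAL_ZONES = {"corporate", "internet"}


def build_graph(connections):
    """Adjacency map: source -> set of destinations."""
    graph = {}
    for src, dst in connections:
        graph.setdefault(src, set()).add(dst)
    return graph


def reachable_from(graph, sources):
    """Breadth-first search from sources; maps each reached node to the
    shortest path found to it (the source itself has a one-node path)."""
    paths = {s: [s] for s in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def exposed_ot_assets(assets, connections, external_zones=EXTERNAL_ZONES):
    """OT assets that have a path from an external zone, with that path."""
    graph = build_graph(connections)
    sources = [a for a, meta in assets.items() if meta["zone"] in external_zones]
    paths = reachable_from(graph, sources)
    return {a: paths[a] for a, meta in assets.items()
            if meta["zone"] == "ot" and a in paths}


def unowned_assets(assets):
    """Assets with no owner: nobody is accountable for assessing them."""
    return sorted(a for a, meta in assets.items() if not meta["owner"])


def unknown_endpoints(assets, connections):
    """Connection endpoints absent from the inventory: the inventory is
    incomplete, so the assessment cannot be trusted to be complete either."""
    return sorted({n for pair in connections for n in pair if n not in assets})


if __name__ == "__main__":
    for asset, path in exposed_ot_assets(ASSETS, CONNECTIONS).items():
        print(f"EXPOSED  {asset}: {' -> '.join(path)}")
    for asset in unowned_assets(ASSETS):
        print(f"UNOWNED  {asset}")
    for name in unknown_endpoints(ASSETS, CONNECTIONS):
        print(f"UNKNOWN  {name} (not in inventory)")
```

On the constructed data, the script reports that all three OT assets are reachable from the corporate zone (the PLC through the unowned engineering workstation), that the workstation has no owner, and that one endpoint in the connection data was never inventoried. Each finding maps to one of the "people, processes and technology" gaps the reports describe.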