What human aspects do we have to consider to create a secure industrial internet?

06 June 2017 by Jostein Jensen
The new industrial internet (Industry 4.0) is connecting closed, safety-critical systems to open, cloud-based internet platforms. What human aspects do we need to work with to improve our overall cybersecurity resilience?

Organizations such as KONGSBERG, our collaborators, and competitors are challenging existing industrial mindsets. How? By connecting more and more closed, safety-critical systems to open cloud-based internet platforms in the new industrial internet (Industry 4.0). In my last blog post, I reflected on what security aspects we should consider when we connect information technology (IT) to operational technology (OT), and I stated that to combat security risks you need to work with humans, technology and organization. In this blog post I am going to share some of my considerations about the human aspects within the industrial domain, and look at what we need to work with to improve our overall cybersecurity resilience.

“Buy our box with blinking lights to become secure and compliant”

My impression is that most people associate the term cybersecurity with technology and technical solutions. It is easy to understand why: The security industry is pushing boxes at us claiming they will solve all our problems. They’ll tell us: “Buy our box with blinking lights to be both secure and compliant” – or words to that effect. I wish it was that simple, but a box in itself will not solve your security problems. I have seen boxes in networks blinking away plenty of times, a pointless blinking because no one took any notice.


An intrusion detection system has little or no value unless you combine it with an incident response team with skilled, knowledgeable employees that are ready to analyze and act on its alarms. The same can be said of all other security products, such as anti-virus solutions, firewalls, and web proxies. To provide real value, we need to have a holistic approach to cybersecurity.

OT and IT experts must join forces

When building Industry 4.0, aspects of the human factor become really interesting. There are two traditionally disjoint camps that must join forces to build the new solutions – OT experts and IT experts. These two camps have had different mindsets when building systems:

Systems designed by OT experts have the following characteristics:

  • They are disconnected from other networked environments.
  • Few people have access to them.
  • They have high interaction with the physical environment.
  • They have safety as a key concern.

Systems designed by IT experts have the following characteristics:

  • They are global and highly connected.
  • Many people have access to them.
  • They have little interaction with the physical world.
  • Security and privacy are key concerns (but vulnerable and hacked systems are constantly brought to our attention by the media).

How do we build a secure and safe industrial internet?

I believe a key to success in building safe and secure systems is to bring the two camps, OT people and IT people, together to create common mental models. The two camps must have a common understanding of some key issues, such as:

  • What does the threat landscape look like?
  • What vocabulary does the other camp use?
  • What are the design principles of the systems, and what assumptions are made when they are built?

And so on.

If we do not work with human aspects to create these common mental models, there will always be cybersecurity risks associated with the technical and organizational interfaces between IT and OT environments. This claim is soundly backed up through really interesting PhD research by Maria Bartnes and Stig Ole Johnsen. In his PhD thesis, Johnsen says

“Knowledge should be converted, created and shared [among IT and OT professionals] in order to establish some sort of common mental models to support safety and security.”

Bartnes’ research focused on incident response capacity across IT and OT teams. One of her key findings is really to the point:

“There is a gap in how IT staff and control system staff understand information security. Cross-functional teams need to be created in order to ensure a holistic view during the incident response process.”

I strongly believe in the idea of cross-functional teams. When players from the two camps join forces through collaboration and teamwork on cybersecurity, we will be able to convert, create and share knowledge – and consequently, build a secure and safe industrial internet.

About the writer
Jostein Jensen
Jostein has a Ph.D. in information security from the Norwegian University of Science and Technology (NTNU) and comes to Kongsberg Digital from the Norwegian State Educational Loan Fund, where he led the security work and targeted his efforts on improving the cyber resilience of the organization. His previous positions as an officer in the Norwegian Armed Forces and as an ICT and security research scientist with SINTEF have contributed to his extensive knowledge of information security.