![Page 1: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/1.jpg)
57th Annual ISA Power Industry Division Symposium
2-4 June 2014, Scottsdale, Arizona
Hilton Scottsdale Resort 1 1
Slava Borilin
Cyber Security, or Cyber Safety Culture?
Convert the weakest link into the force
![Page 2: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/2.jpg)
INDUSTRIAL SECURITY
IS FOR THE SAKE OF
RELIABILITY AND SAFETY.
![Page 3: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/3.jpg)
ICS/SCADA “Triangle”
CEO
Doesn’t see how
Cyber Security
spending relates to
Revenues
Engineers
Are more
concerned
about security
measures than
malware
IT Security
Not in control
of security of
Industrial sites
ICS Security
![Page 4: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/4.jpg)
Building the way through “SCADA Triangle”
4
– Fun & engaging
– Team-work builds co-operation
– Competition fosters initiative & analysis skills
– Develops understanding of cyber security measures
Kaspersky Industrial Protection Simulation
13 countries, 4 languages
![Page 5: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/5.jpg)
![Page 6: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/6.jpg)
Cyber Security posters
6
![Page 7: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/7.jpg)
?
Employee vs. Security Officers =
![Page 8: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/8.jpg)
Industrial Security Equation
• Engineers don’t listen / don’t trust to IT
• Management (С-level) doesn’t care;
– Just “go to IT”
– No budget, no attention, no real support
• Employees seen as enemies,
they don’t understand security,
see it as an added burden
1 equation with 3 variables
![Page 9: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/9.jpg)
WE HEAR CALLS FOR
CYBER SECURITY CULTURE But most do not offer any practical solutions,
as its neither posters nor just trainings
![Page 10: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/10.jpg)
THIS IS NOT THE FIRST TIME
THIS PROBLEM OCCURRED Not long ago, the issue of industrial safety culture was in the same
boat, exactly the same problems seemed intractable
![Page 11: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/11.jpg)
Industrial SAFETY
– Existed always;
– Vastly improved in the last 25 years.
![Page 12: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/12.jpg)
Equation has being solved
Safety culture is now a big topic, a
corporate-wide initiative of most industrial
companies:
• It has funding
• C-level support and visibility
• Shell, Siemens, Du Pont, SIBUR, TATA,
SINALCO, BHP
• Developed and Emerging Economies
![Page 13: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/13.jpg)
3 whales of SAFETY CULTURE
13
1.ZERO INCIDENT
2.NEAR MISS REPORTING
3.ABC (BEHAVIORAL ANALYSIS)
![Page 14: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/14.jpg)
1. ZERO INCIDENT
THIS IS THE ONLY ACCEPTABLE TARGET TODAY
14
![Page 15: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/15.jpg)
Zero incident culture – key elements
15
1) Top-level Commitment
e.g. ACLOA: CEO requires all incidents
reported in 24 hours.
2) Leadership
Middle management and supervisers
cultivate practice
3) Employee Involvement Employees
know “what is in it for them,” they own
the different aspects of safety in their
area and they care about themselves
and their coworkers – they feel
responsible for each other.
![Page 16: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/16.jpg)
Zero incident culture – key elements
16
4) Accountability
WHEN EVERYONE DOES IT, IT GETS
DONE The obligation to meet
performance expectations or bear the
consequences for failure to perform as
expected, when expectations are clearly
communicated and agreed upon. Each
person is accountable for everyone’s
actions, including the decision to take no
action within the work environment.
5) Training
Equipping employees with the knowledge
and skill to
• perform their job safely and
• perform the health & safety functions
that aid organizations in reaching their
overall health and safety goals
![Page 17: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/17.jpg)
2. NEAR MISS
17
A “near miss” is an unplanned
event that did not result in injury,
illness or damage - but had the
potential to do so. Sometimes
called a “near hit” or “close call”;
“Near misses” should be reported
without penalty or punishment;
Reporting “near misses” is the
cornerstone of safety culture.
![Page 18: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/18.jpg)
Feedback culture
18
The system is designed so that
everyone talks about safety, it
becomes a habit (e.g. “yesterday
i went to a supermarket…”)
Feedback on observed behaviors
has to be specific (task focus,
concrete, timely and balanced);
Everyone should be able to
feedback, regardless of rank or
status, when they observe an
unsafe behavior.
![Page 19: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/19.jpg)
3. ABC - Every behavior is a function
of its consequences
19
Antecedent: What happens
before the behavior;
Behavior: What actually
happened, what can be
observed;
Consequence: What
happens after the behavior.
![Page 20: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/20.jpg)
ABC sequence defined
20
• IDENTIFY BEHAVIOR
• IDENTIFY ANTECEDENTS
• IDENTIFY CONSEQUENCES
• WORK ON CONSEQUENCES
TO CHANGE BEHAVIOR
![Page 21: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/21.jpg)
Driving tired
Driving for long periods
Not taking breaks
21
Near miss:
running a stop sign
Car accident
Injury Death(s)
Working more than
one job
Sleep debt
In s hurry
Behavior is a function of consequenses
ABC ANALYSIS – Driving Fatique
![Page 22: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/22.jpg)
22
SECURITY
CAPABILITY EFFICIENCY
COMMITMENT
Cyber
Safety
Culture
![Page 23: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/23.jpg)
Important Roles
in the cyber safety culture commitment
Line Managers
• Create cyber safe environment
• Enforce Cyber Safe behavior of employees
IT Security team
• Provide Security measures
• Design Secure behavior (ABC)
Employees
• Share cyber safety
• Act cyber safely
• Report near misses
• Help IT Security team
Safety Managers
• Understand cyber threats
• Include cyber content into safety program
Board/Tops: Policy, Goals, Procedures
![Page 24: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/24.jpg)
Developing Cyber Safety Culture by Gamification
Employees
• Cyber Safety training
• Gamefication
• Motivation
Managers (Safety/IT/OT)
• Understand cybersecurity strategy
• Develop cooperation principles
Line Managers
• Cyber Security Awareness
• Security-Efficiency win-win
• Cyber Safety enforcement
IT Security team
• Security expertise
• Behavior (ABC) and its redesign
Kaspersky Cyber Safety Games
Kaspersky Industrial Protection Simulation
Kaspersky Security Power
Kaspersky Security Design
Studio
![Page 25: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/25.jpg)
CYBER SECURITY AWARENESS BY GAMIFICATION
Kaspersky
Cyber Safety Games
![Page 26: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/26.jpg)
![Page 27: Cyber Security, or Cyber Safety Culture? Convert the · PDF file · 2014-10-08Cyber Security, or Cyber Safety Culture? Convert the weakest link into the force . INDUSTRIAL SECURITY](https://reader031.vdocuments.site/reader031/viewer/2022022004/5aadf8d47f8b9a22118b6da8/html5/thumbnails/27.jpg)
– No difference btw Cyber and Physical Safety.
– Merge Cyber Security and Industrial Safety.
– Speak the language Engineers & Managers.
– Enterprise (and ITSec): convert your weakest security link into acting cyber security guards;
– Employee: Living Cyber Safety keeps your personal values, makes your better recognized and valued employee.
Cyber safety – value proposition