
Construction of Awareness and Training Programs

Companies today need to develop training and awareness programs in industrial cybersecurity, but there is uncertainty about how to build a program that generates the necessary knowledge, skills and actions for each type of audience. In many cases we have seen programs developed generically, based on the controls defined in industrial cybersecurity, on the assumption that they will be adopted as mandatory; this generates resistance and ignores the specific knowledge needs of each audience.

The problem of resistance to adopting controls is much greater when the efficiency and effectiveness of each control have not been evaluated: the people who work directly with the plant find them unnecessary, reject them and consider industrial cybersecurity inefficient. That is why the first recommendation is to implement industrial cybersecurity using the framework defined in ISA/IEC-62443, which is developed by the ISA99 committee by consensus of the global industry and brings together industrial cybersecurity experts from around the world. Taking ISA/IEC-62443 as a guide to define the framework within the organization avoids mistakes in industrial cybersecurity, such as developing activities and generating efforts that are not focused on protecting the plant and its risk recipients.

Another frequent problem in the development of training and awareness programs is not defining the actions or skills that each audience must acquire as a result of the awareness or training, so the results of the program do not guarantee that people can adopt industrial cybersecurity according to their responsibilities. Gathering all these frequent problems, we have seen how programs focus generically on the following topics:

  • Strong passwords
  • Social engineering
  • Responsible use of IACS.
  • Among others…

But is that what an industrial cybersecurity awareness and training program needs? Probably not, and here is why. To define a training and awareness program, the objectives must first be defined, so that there is clarity about the learning path and the contents that must be taught. The objectives are derived from the framework used within the organization; for this case we will assume that the framework is ISA/IEC-62443.

ISA/IEC-62443 is based on industrial cyber risk management and is divided into 3 phases of the life cycle of a given system under consideration; these phases work in parallel with security policies, organization and awareness. The standard establishes that the development of training and awareness programs is essential to contributing to the reduction of industrial cyber risk, and that such programs must:

  • Be focused according to people’s roles and responsibilities
  • Generate the necessary knowledge according to each person’s activity.

Developing the program in alignment with a cybersecurity framework based on industrial cyber risk management naturally promotes a risk culture within the organization. What does this mean? That any action will be based on knowledge and on the awareness that actions which may generate unnecessary risks should be avoided.

The following graph explains, in a generic way, the framework and its interrelation with the programs.

Having defined the framework within the organization, the next step is to define the objectives of the program. The objectives are defined according to the knowledge needs, actions and skills that the program must address and develop, according to the roles and responsibilities of the staff. The following graph of inputs and outputs can be taken as a guide to facilitate the development of the learning path of a training and awareness program.

To define the knowledge needs, three needs can be raised: who should know why, who should know what to do, and who should know how to carry out industrial cyber risk management.

Next, the target audiences, needs and actions are proposed in a generic way, to define a program based on the needs and knowledge required for each one.

Now, returning to the original question.

Are these the topics that should be developed in training and awareness programs?

  • Strong passwords
  • Social engineering
  • Responsible use of IACS.
  • Among others…

Surely your answer will be no, because these topics do not address the knowledge needs of the why, the what and the how, and they give no clarity about the skills and actions that each audience must follow to the point of generating a culture of industrial cybersecurity in the organization. WiseCourses’ experience has led to the development of the following awareness and training learning paths based on ISA/IEC-62443, which can be consulted at the following link: https://wiseplant.com/campus/cyber-training/

About the author: Ximena Rengifo


Comments

Maximillian Kon:
Not everyone needs to become a certified expert for taking ISA official certificate training. Most of the people within the same company will require some kind of training according to their roles, obligations, and their own policies and procedures. Concepts, definitions, models, and other topics should also be covered.