Simpler SCADA Security Beats More User Training
One of the mantras about good SCADA security is that it is primarily dependent on people and processes, not technology.
Thus if you have an ICS security problem, first look for solutions such as user training or better processes rather than technology solutions. This sounds good on the surface, but I’m not sure it’s true.
Performing tasks securely just isn’t part of human nature. Doing them the easiest way possible is. Unless the secure way is also the easy way, security will lose 9 times out of 10.
Cyber Education Test
At the ARC 2010 Conference there was a very good paper by Miles McQueen of Idaho National Laboratory that discussed the effectiveness of cyber education processes. The research team ran a number of tests for bad security practices in a facility with a high level of security.
- The researchers left 50 infected USB thumb drives distributed in parking lots, around picnic tables, on sidewalks, benches etc. and then watched the keys “call home” as people plugged them into their government computers.
- The researchers created a phishing email and watched who clicked on the URL.
- The researchers had a woman call pretending to be from tech support and ask for passwords.
They ran these tests before the staff attended a number of security education courses. Then they ran the tests again a year later. These are some of the results:
| Security Infraction | % of employees who committed the infraction before training | % of employees who committed the infraction one year after training |
|---|---|---|
| Let the thumb drive "call home" | 20% | 2% |
| Click on phishing email | 22% | 21% |
| Provide passwords to caller | 40% | 43% |
Training Did Not Reduce Security Infractions
In two of the three cases, the training had no effect one year later!
But in one case (the USB key) training seemed to be very effective – why? Because during that year Microsoft released Vista SP2 and XP SP3, two service packs that restrict the AutoPlay/AutoRun feature of the operating system, thus preventing the key from calling home. So chances are the people still plugged the USB drive into their computer, but the new OS defaults prevented it from calling home.
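The point above is that the OS default, not the user, stopped the "call home". The following PowerShell script is an added example (not part of the original post) showing how a defender can audit and enforce that same AutoRun restriction explicitly, rather than relying on whichever service pack happens to be installed. It assumes a Windows host, PowerShell 3 or later, and an elevated session when the `-Enforce` switch is used; the policy value `NoDriveTypeAutoRun` is the documented Windows "Turn off AutoPlay" policy, where `0xFF` disables AutoRun on every drive type.

```powershell
# Added example: audit (and optionally enforce) the AutoPlay/AutoRun policy
# that the post credits with stopping infected USB keys from calling home.
# Assumptions: Windows host, PowerShell 3+, elevated session for -Enforce.

function Get-AutoRunPolicy {
    param(
        # Check the machine-wide policy (HKLM) or the current user's policy (HKCU)
        [ValidateSet('HKLM', 'HKCU')]
        [string]$Hive = 'HKLM'
    )
    $path = "$Hive`:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $value = $null
    if (Test-Path -Path $path) {
        # Missing value means no policy is set and the OS default applies
        $item = Get-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue
        if ($null -ne $item) { $value = $item.NoDriveTypeAutoRun }
    }
    [pscustomobject]@{
        Hive      = $Hive
        Path      = $path
        Value     = $value
        # 0xFF (255) disables AutoRun for all drive types, including removable media
        Compliant = ($value -eq 0xFF)
    }
}

function Set-AutoRunPolicy {
    param(
        [ValidateSet('HKLM', 'HKCU')]
        [string]$Hive = 'HKLM'
    )
    $path = "$Hive`:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path -Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    # DWORD 0xFF = "Turn off AutoPlay" for all drives; -Force overwrites an existing value
    New-ItemProperty -Path $path -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    Get-AutoRunPolicy -Hive $Hive
}

# Usage: audit both hives, then enforce on the machine hive if it is not compliant.
$report = @(Get-AutoRunPolicy -Hive HKLM), (Get-AutoRunPolicy -Hive HKCU)
$report | Format-Table -AutoSize

if (-not ($report | Where-Object Hive -eq 'HKLM').Compliant) {
    Write-Warning 'Machine-wide AutoRun policy is not set to 0xFF; run Set-AutoRunPolicy from an elevated session.'
    # Set-AutoRunPolicy -Hive HKLM
}
```

The audit half is what belongs in a routine check across an ICS network: a host that reports `Compliant = False` is one where the "easy way" for a user (plug the key in) is still the insecure way, regardless of how much training that user has had. In a managed domain the same value is normally set centrally through Group Policy, and this script then serves to confirm the policy actually landed on each workstation.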
Now, this experiment was not perfect. The tests were not run on exactly the same people before training and one year later. Also, there was no control or measurement of the quality of the training. Thus, the scientific rigour of this test could certainly be improved.
However, from my years of experience in working with ICS personnel, I am convinced that the moral of the story would not change, even with stronger test controls. There are two lessons that we need to take from this:
- Security training is not a one-off effort, but must be repeated regularly (probably every six months) if we want it to be effective.
- Good usability designs that require little or no user effort will fix security – sporadic user training will not.
Both especially apply to ICS/SCADA security, where only a move to simpler solutions and consistent awareness training will ever fix the mess we are in.
Comments
Training
Eric-
Sorry but not only is this a poor survey but training can't be a one-time thing. It needs continued awareness and updates like any other behavior you want changed. And it has to be done constantly so you catch new folks.
I agree simple security is most effective but it needs to be connected to training and awareness.
I also bet the company did not have a way or place to analyze a "found" USB stick to see if it is ok or who it belongs to.
Bill
Very plausible
Even if the experiment is repeated, with more scientific rigor, I guess that the results would not change much.
Humans are prone to error and will most of the time choose the easiest path.