Human factor security: evaluating the cybersecurity capacity of the industrial workforce

Pages: 2-35
Published date: 11 March 2019
DOI: https://doi.org/10.1108/JSIT-02-2018-0028
Author: Uchenna Daniel Ani, Hongmei He, Ashutosh Tiwari
Subject Matter: Information & knowledge management, Information systems, Information & communications technology
Uchenna Daniel Ani and Hongmei He
Cranfield University, Cranfield, UK, and
Ashutosh Tiwari
Department of Automatic Control and Systems Engineering,
University of Sheffield, Sheffield, UK
Abstract
Purpose: As cyber-attacks continue to grow, organisations adopting the internet-of-things (IoT) have continued
to react to security concerns that threaten their businesses within the current highly competitive environment.
Many recorded industrial cyber-attacks have successfully beaten technical security solutions by exploiting human-factor
vulnerabilities related to security knowledge and skills and manipulating human elements into inadvertently
conveying access to critical industrial assets. Knowledge and skill capabilities contribute to human analytical
proficiencies for enhanced cybersecurity readiness. Thus, a human-factored security endeavour is required to
investigate the capabilities of the human constituents (workforce) to appropriately recognise and respond to cyber
intrusion events within the industrial control system (ICS) environment.
Design/methodology/approach: A quantitative approach (statistical analysis) is adopted to provide an
approach to quantify the potential cybersecurity capability aptitudes of industrial human actors, identify the least
security-capable workforce in the operational domain with the greatest susceptibility likelihood to cyber-attacks (i.e.
weakest link) and guide the enhancement of security assurance. To support these objectives, a Human-factored
Cyber Security Capability Evaluation approach is presented using conceptual analysis techniques.
Findings: Using a test scenario, the approach demonstrates the capacity to proffer an efficient evaluation
of workforce security knowledge and skills capabilities and the identification of the weakest link in the workforce.
Practical implications: The approach can enable organisations to gain better workforce security perspectives
like security-consciousness, alertness and response aptitudes, thus guiding organisations into adopting strategic
means of appropriating security remediation outlines, scopes and resources without undue wastes or redundancies.
Originality/value: This paper demonstrates originality by providing a framework and computational
approach for characterising and quantifying human-factor security capabilities based on security knowledge and
security skills. It also supports the identification of potential security weakest links amongst an evaluated
industrial workforce (human agents), some key security susceptibility areas and relevant control
interventions. The model and validation results demonstrate the application of action research. This paper
demonstrates originality by illustrating how action research can be applied within socio-technical dimensions
to solve recurrent and dynamic problems related to industrial environment cyber security improvement. It
provides value by demonstrating how theoretical security knowledge (awareness) and practical security skills
can help resolve cyber security response and control uncertainties within industrial organisations.
Keywords: Cybersecurity evaluation, Human-factor security, Industrial control environment security,
Workforce security evaluation
Paper type: Research paper
Received 23 February 2018
Revised 6 July 2018, 26 September 2018
Accepted 30 September 2018
Journal of Systems and Information Technology, Vol. 21 No. 1, 2019, pp. 2-35
© Emerald Publishing Limited, 1328-7265
DOI 10.1108/JSIT-02-2018-0028
The current issue and full text archive of this journal is available on Emerald Insight at:
www.emeraldinsight.com/1328-7265.htm
1. Introduction
Cybersecurity in industry control system (ICS) environments has become a growing issue of
both national and global security over the past decade. The evolving information
technology-operation technology (IT-OT) convergence now implies that organisations,
firms, industries and factories embracing the much-acclaimed industry 4.0 and industrial
internet-of-things (IIoT) paradigms are reliant on IT infrastructures, open standards and
technologies and the internet (Knowles et al., 2015). It also means that these organisational
platforms are susceptible to cyber threats, vulnerabilities and attacks. ICS is an all-purpose
(common) term used to describe various types of automated industrial systems that control,
monitor and manage industrial processes (Macaulay and Singer, 2012; Stouffer et al., 2015).
An Industrial Control System Environment (ICSE) refers to a domain where industrial
control operations and processes are performed. The basic functions of ICS involve sensor
measurements, hardware control for actuators (breakers, switches and monitors), human
machine interfacing and remote diagnostics and maintenance utilities (Cárdenas et al., 2008;
Nicholson et al., 2012). While the modern ICS and its development trends enable great business
and operational profitability, an inevitable array of security susceptibilities is introduced
as well, which threaten the functional reliability of operations in the industrial domain
(Abe et al., 2016). Over the past years, records continue to show an alarming increase in
cyber threats and attacks against ICSs globally.
The attack landscape against ICSEs has strikingly widened with remarkable dynamic
patterns of attack vectors (Luallen, 2014; Brassso, 2016; Harp and Gregory-Brown, 2016;
Paganini, 2016). Industrial cyber security, SCADA security, etc., are now buzz words for
common topics of conversation amongst everyday industrial technology users (Evans et al.,
2016) and have become necessities towards normal operations in the industrial domain.
Technically, security in IT is fairly standardised and differs from how it applies to ICS. The
differences between the two chiefly border on operational requirements and prioritisation
(Macaulay and Singer, 2012). Unlike in IT, most ICS security compromises have associated
physical consequences and impacts. These are often more severe and abrupt than in the IT
domain. Security issues in the ICS environment often appear in the form of habitual
maintenance failures and other process anomalies, which make the diagnosis and
resolution of the issues difficult. The main reasons for the difficulty of managing the security of ICSE
include: assets are vastly dispersed, with frequent compulsory remote access requirements;
traditional IT security applications such as antiviruses and firewalls may not be suitable because of
compatibility issues, and where they can be applied, they could affect system availability, which
is not acceptable for ICS as a high-availability system. Older ICS systems are often not open
to patching or upgrades (Macaulay and Singer, 2012; Drias et al., 2015). Cyber security
threats to ICS encompass threat vectors like non-typical network protocols and instruction
sets that cannot be blocked for operations, performance and safety reasons (e.g. event and
alarm traffic). More contextually, technical security controls may well be easily subverted
by intelligent adversaries who can easily deceive unaware, unskilled and unsuspecting ICS
operators and users into undertaking actions and activities that can grant the attackers easy
access and high privilege capacities to execute their malicious intents. These are often also
undetectable by security alert systems until serious damages and anomalies begin to emerge
(Johansson et al., 2009; Fan et al., 2015).
As cyber-attacks exacerbate, organisations have become concerned about how to react to
security trends that threaten their business and operational relevance within the current
highly-competitive business environment. Many recorded industrial cyber breaches have
effectively beaten technological security solutions through exploiting human-factor
limitations in knowledge and skills. These attack patterns have manipulated human
elements into unintentionally conveying access to critical industrial assets. Cyber security
has indeed become a necessary objective to achieve uninterrupted industrial functions in a
changing operational technology environment. One way of defining cyber security is:
[...] the harmonisation of capabilities in people, processes, and(or) technologies; to secure and
control both authorised and/or unlawful access, disruption, destruction, or modification of
electronic computing systems (hardware, software, and networks), the data and information they
hold (Ani et al., 2016).
However, most current security solutions are technology-inclined. People and process
security contexts and requirements are often not considered (Ramakrishnan and Testani,
2011), often resulting in lopsided security that is malignantly exploited by malicious
intelligent actors.
An ICS is a system of industrial technologies and infrastructures built and(or) operated
by people (workforce) for the execution of processes towards attaining target products or
services. It implies that securing technology (hardware and/or software) alone resolves only
a fraction of the larger security problem. A technology is often as weak and vulnerable as
the people (workforce) that develop and(or) operate it and the process(es) designed and
structured to use it. For example, suppose Alice is a process engineer who operates an
engineering workstation asset of an ICS and uses technology "A" (firewall) and technology
"B" (Intrusion Detection System (IDS)) to protect her workstation from security compromise.
Assume Alice is unaware of, and unable to recognise, various forms and signatures of social
engineering attack schemes. Bob, as an intelligent and predetermined attacker, employs a
deceptive spear-phishing means unknown to Alice and deceives her into clicking or running
links or attachments on her workstation that literally enable a backdoor (entry point) into
Alice's system and network via a direct remote access. This happens seamlessly despite the
presence and functionalities of the security features of techs "A" and "B". Alice's security
ignorance, her uninformed and unskilled state in relation to evolving ICSE security trends
such as the one that confronted her, and her consequent actions or inactions undervalue techs "A" and
"B", opening the door to an enemy attacker, Bob.
The above theoretical scenario highlights the importance of human factors in ICSE cyber
security assurance, especially emphasising the significance of security knowledge
(awareness) and practical skills. The human factor is as important as technical factors in ICSE
security. Real scenarios also consolidate this viewpoint. Probably, the agents of the 2013
Stuxnet attack had the challenge of penetrating the Iranian Nuclear Power plant network, as
the network was air-gapped from external networks. Thus, the attackers used an infected USB
drive "parking lot" attack technique on a third party maintenance organisation and relied
upon human actors connecting the infected devices to their industrial network to provide
a means for reaching and delivering Stuxnet to the nuclear plant network (Murphy, 2015).
Earlier work on the concept of security competence (capability) by Workman et al. (2008),
which investigated the "knowing-doing" gap in individuals, showed that such individuals
can have appropriate security skills and knowledge yet not apply these skills in a consistent
manner. Also, based on the analysed results of 588 workforce members of a technology
service company, Workman et al. (2008) concludes with the recommendation that security
technology should be user-centred to avoid assessment tensions that can affect responses.
Probable motivations for these attacks may have stemmed from the perception that:
• most ICSE workforce (personnel) are often unfamiliar with advanced digital (cyber) security concepts;
• Information Technology security workforce are often unfamiliar with ICSE operational concepts; and
• intelligent attackers now consider human actors (workforce) within the industrial environment as weak attractive exploit targets into operational system and networks (Howarth, 2014).