Summit: Security Needs Hands on Training

Wednesday, June 28, 2017 @ 03:06 PM gHale

By Gregory Hale
It is easy to think technology will solve any and all security problems, but the truth of the matter is that people need training to understand, and then troubleshoot, any issues that can arise.

“People need to be trained and empowered,” said Marco Ayala, senior industrial cybersecurity project manager at aeSolutions during a session Wednesday at the Siemens Automation Summit 2017 in Boca Raton, FL, entitled “Value of Hands on Training for ICS Cybersecurity.” “I would want my people to be trained and enabled. It is all about the human factor; all about training.”

During the presentation, Ayala showed a video where members of the National Guard were undergoing cyber training in a program called Cyber Shield. He said these soldiers needed to be aware of all attack methodologies to protect the cyber side of the physical critical infrastructure.

To that point, Ayala talked about conducting a search on Shodan, the Google-like search engine that can find Internet-facing devices. The number of devices directly exposed to the Internet is frightening, and a dream come true for any would-be attacker.

“Shodan should scare you, but it can be an ally,” said Chris Da Costa, global operations cyber security manager at Air Products and Chemicals who presented with Ayala.

That means folks in the manufacturing automation sector need training to understand issues and know what questions to ask security professionals.

“On the protection side, it is not if, but when,” Da Costa said. “It is kind of scary.”

As an example of why companies need to be prepared for anything, Da Costa pointed to the latest attack hitting the cyber world: a new assault based on the WannaCry ransomware that hit the industry a month ago.

“Version 2 of WannaCry is on the loose,” he said. “It gets in and propagates.”

That is why people have to understand what they are facing, so that when they do get hit, they know what to do.

“People get enamored with technology, but the reality is technology is only one component,” Da Costa said. “People can be your biggest asset, but also your weakest link. If you are not working on the people side of things, you are missing the boat.”

He also added that security is dynamic and constantly evolving; what works is never consistent over time.

“What was good yesterday may not be good today,” Da Costa said.

While security can sometimes seem like doom and gloom, there is help.

“Standards are out there and training is a big component of them,” he said. “You have to create a culture. You have to create a cyber culture, which needs a training component.”

Da Costa listed some considerations for effective training programs:
• Portability
• Knowledge of instructors
• How realistic are the scenarios presented in exercises?
• Is there flexibility to tailor to your specific environment/challenges?
• Is the equipment vendor agnostic?
• How interactive is the training?
• Are learning objectives stated and validated?

Da Costa also talked about what he learned when he took training:
• Exposure to tools available to manage cybersecurity lifecycle
• Working with live equipment where you can observe cause and effect of introducing a vulnerability
• Penetration testing using networking security tools
• Benefits of bringing in training to do on location
• Training should be role-based

In the end, a security program can end up very solid if a user locks in on two points. “Secure your perimeter and ask the right questions,” Ayala said.
