HUMAN FACTOR AND IT/OT CORRELATION

HUMAN FACTORS AND IT-OT CORRELATION Andrea Vallavanti ICT Manager

Transcript of HUMAN FACTOR AND IT/OT CORRELATION

Page 1: HUMAN FACTOR AND IT/OT CORRELATION

HUMAN FACTORS AND IT-OT CORRELATION

Andrea Vallavanti, ICT Manager

Page 2: HUMAN FACTOR AND IT/OT CORRELATION

DEFINITIONS

IT: "The entire spectrum of technologies for information processing, including software, hardware, communications technologies and related services. In general, IT does not include embedded technologies that do not generate data for enterprise use."

OT: "Hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise."

Page 3: HUMAN FACTOR AND IT/OT CORRELATION

EVOLUTION AND INTEGRATION

[Timeline graphic: OT, then OT + IT; axis labels: 80, 90, 2k, NOW]

Page 4: HUMAN FACTOR AND IT/OT CORRELATION

IT AND OT CONVERGING

TRANSPORTATION, OIL & GAS, HEALTHCARE, DEFENSE, MINING, UTILITIES, MANUFACTURING

Page 5: HUMAN FACTOR AND IT/OT CORRELATION

SECURITY/OBSCURITY AND STANDARDS

A SHARED SET OF STANDARDS AND PLATFORMS ACROSS IT & OT WILL REDUCE THE COST OF SW MANAGEMENT … AND WILL REDUCE RISK BY REDUCING MALWARE AND INTERNAL ERRORS

CYBERSECURITY NOT ONLY FROM AN IT POINT OF VIEW, BUT FROM A «HOLISTIC» IT-OT SECURITY POINT OF VIEW

"SECURITY THROUGH OBSCURITY" WAS AN ACCEPTABLE POLICY WITH MOST OLDER-GENERATION OT PLATFORMS: NO NEED OF EXTERNAL CONNECTION

IT IS NO LONGER POSSIBLE TO RELY ON THIS MAXIM, BECAUSE OT PLATFORMS HAVE EVOLVED TO USE COMMERCIAL GENERIC INFRASTRUCTURE WITH EXTERNAL WAN CONNECTIONS

Page 6: HUMAN FACTOR AND IT/OT CORRELATION

CIA TRIAD

Page 7: HUMAN FACTOR AND IT/OT CORRELATION

HUMAN THREATS

• Failure of staff to understand new threats.

• Increased use of social media by staff.

• Failure of IT staff to follow security procedures and policies.

• General negligence/carelessness with websites and applications.

• Lack of security expertise with websites and applications.

Page 8: HUMAN FACTOR AND IT/OT CORRELATION

EXTERNAL THREAT

Page 9: HUMAN FACTOR AND IT/OT CORRELATION

WORKLIFE

COMMON THREATS: INFORMATION TECHNOLOGY & OPERATIONAL TECHNOLOGY

Page 10: HUMAN FACTOR AND IT/OT CORRELATION

IT & OT CONCERNS

Page 11: HUMAN FACTOR AND IT/OT CORRELATION

COMMON GROUND

• Security analysis with VA-PT. Highlight threats and remediation.

• Upgrade of firmware and SW, and integrity of the updates.

• Identifying & authenticating all devices within the system.

• Define responsibilities and common rules of data interchange.

• VA-PT have to be scheduled.

• Awareness of threats for employees.

Page 12: HUMAN FACTOR AND IT/OT CORRELATION

NEW EMPLOYEE

POLICY AND PROCEDURES

Page 13: HUMAN FACTOR AND IT/OT CORRELATION

ENOUGH ???

EMPLOYEES HAVE DEFINED, STRICT BOUNDARIES TO RESPECT, OR BOUNDARIES IMPOSED BY AUTOMATIC OR PREDEFINED RULES / HW

EMPLOYEES, EVEN IF TRAINED, NEED TO INTERACT DAILY IN DIFFERENT WAYS, AND ONLY WITH A CLEAR UNDERSTANDING OF THE EXTERNAL/INTERNAL MENACE CAN THEY BE AWARE

SOMETIMES YES IF …

SOMETIMES NO IF

Page 14: HUMAN FACTOR AND IT/OT CORRELATION

SECURITY EDUCATION

SECURITY ASSESSMENT

REMEDIATION PHASE

INCIDENT INVESTIGATION

Policy, Procedures, Cybersecurity fundamentals

Penetration Testing, Impact of PEN TEST with Risk Analysis

Threat analysis, Incident Response, Impact on business

Fill the Gap, Budget €

CYCLE OF SECURITY

Page 15: HUMAN FACTOR AND IT/OT CORRELATION

SOME BULLETS POINTS

• COMPANIES WITH SECURITY AWARENESS PROGRAMS INVEST 76% LESS COMPARED TO THOSE NOT RECEIVING TRAINING

• COMPANIES WITH SECURITY AWARENESS PROGRAMS HAVE A 50% LOWER PROBABILITY OF INCURRING A VIOLATION OF PERSONAL SAFETY

GOOD CYBERSECURITY AWARENESS CAN DETERMINE:

• ACCIDENTS DECREASE UP TO 80%

• REDUCTION OF RANSOMWARE BY 50-60%

• TRANSLATION OF CYBERSECURITY FROM AN IT CONCEPT INTO A COMPANY CONCEPT

• MEASURABLE RESULTS IN TERMS OF CYBERSECURITY AWARENESS

Page 16: HUMAN FACTOR AND IT/OT CORRELATION

PLATFORM FOR TRAINING AND ON LINE SKILL

COMPETENCE ANALYSIS: Determine in depth the skill requirements relating to the workplace. Skill assessment also as a function of the role covered in the company.

TRAINING MODULES: Anti-phishing protection, protection and data destruction, secure approach to social networks, physical security, smartphone security, web surfing, social engineering, email security and passwords.

SIMULATED ATTACK: Personalized e-mail phishing with different levels of difficulty. Employees also learn through mistakes, and dedicated modules can be tailored to fill the gap.

ANALYSIS AND REPORTS: Security campaign reports by: group, type of device, office, location (industrial or office).

Page 17: HUMAN FACTOR AND IT/OT CORRELATION

SIMULATION

Page 18: HUMAN FACTOR AND IT/OT CORRELATION

WHATEVER IS THE EXTERNAL AWARENESS

October Cybersecurity Awareness Month: Every Employee Should Be A Level Of Security

National Cyber Security Awareness Month: Security Tips for Enterprises and Employees

Top online safety practices for companies & employees – Cyber Security Awareness Month 2016

Page 19: HUMAN FACTOR AND IT/OT CORRELATION

SUBJECTS INVOLVED

Senior Manager

Line Manager

All Employees

Security Officers

Short training: Impact on the business

Motivational training

Computer-based, on-access training

Cybersecurity culture assessment: Leading to the light side

Page 20: HUMAN FACTOR AND IT/OT CORRELATION

TOP – DOWN APPROACH

TOP → DOWN: Senior Manager, Line Manager, All Employees, Security Officers

WHY?

• When top executives lead by example and participate themselves, key messages are understood to be important by the masses. Leading by example is key.

• Budget €/$

• Make it simple … Stick to max three topics

• You cannot use the same materials that you intend to use for the general population. Executives have concerns that are unique to their job function.

Page 21: HUMAN FACTOR AND IT/OT CORRELATION

OPTIMIZING CONTROL INVESTMENT

[Chart: Costs (y-axis) against Increasing control (x-axis); curves: Cost of controls, Cost of impact; marked point: Optimum level of control investment]

Companies with limited security controls suffer relatively more information security breaches.

Beyond a certain point it is important to balance the cost of additional controls against the cost coming from security breaches.

We clearly should not invest in additional controls unless we are convinced they are truly cost-effective.
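The optimum on the chart, written out as an added worked equation (not part of the original slides); the symbols, the cost functions and the numbers below are assumptions chosen for illustration:

Let $c$ be the spend on controls (€), $K(c)$ the cost of those controls (increasing in $c$) and $L(c)$ the expected loss from breaches (decreasing in $c$). The quantity the chart minimises is the total cost

$$T(c) = K(c) + L(c), \qquad T'(c^*) = 0 \;\Rightarrow\; K'(c^*) = -L'(c^*),$$

so the optimum $c^*$ is where the next euro spent on controls removes exactly one euro of expected loss; past $c^*$, each extra euro of controls removes less than a euro of loss, which is the "beyond a certain point" of the slide. Assume $K(c) = c$ and $L(c) = L_0\,e^{-c/\beta}$ ($L_0$ the expected loss with no controls, $\beta$ how quickly controls reduce it). Then

$$T'(c) = 1 - \frac{L_0}{\beta}\,e^{-c/\beta} = 0 \;\Rightarrow\; c^* = \beta \ln\frac{L_0}{\beta} \quad (L_0 > \beta;\ \text{otherwise } c^* = 0),$$

and at the optimum $L(c^*) = \beta$, so $T(c^*) = \beta\ln(L_0/\beta) + \beta$. With the assumed values $L_0 = 1{,}000{,}000$ € and $\beta = 100{,}000$ €: $c^* = 100{,}000 \cdot \ln 10 \approx 230{,}000$ € and $T(c^*) \approx 330{,}000$ €, against $T(0) = 1{,}000{,}000$ € with no controls. A control proposal is "truly cost-effective" in the slide's sense only while its marginal cost stays below the marginal loss it removes.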

Page 22: HUMAN FACTOR AND IT/OT CORRELATION

REMIND THAT ….

Employees make simple mistakes which place them at risk.

Human error is responsible for 95% of all security incidents.

• Lax email habits: opening suspicious emails, clicking through to websites where attackers can then phish for details.

• Weak passwords, easy to hack after personal information is shared.

• No backing data up.

• Poor security habits outside work.

• Unpatched vulnerabilities & connecting to unsecure Wi-Fi networks.

Page 23: HUMAN FACTOR AND IT/OT CORRELATION

CONCLUSIONS

WE MUST TACKLE THE HUMAN FACTOR AS WELL AS THE TECHNOLOGY

PROACTIVELY MANAGING THE RISKS INVOLVES ASSESSING AND REASSESSING ALL THREATS, VULNERABILITIES, ETC.

OVERALL INVOLVEMENT IN SECURITY: TOP-DOWN APPROACH

THIS IS NOT A ONE-OFF «FIRE AND FORGET» OPERATION

Page 24: HUMAN FACTOR AND IT/OT CORRELATION

THANKS !

Andrea Vallavanti, ICT Manager

Mail to: [email protected]

https://goo.gl/Kgnoya

Federprivacy Member

Page 25: HUMAN FACTOR AND IT/OT CORRELATION

"The relationship between the IT and OT groups needs to be managed better, but more importantly, the nature of the OT systems is changing, so that the underlying technology — such as platforms, software, security and communications — is becoming more like IT systems," said Kristian Steenstrup, research vice president and Gartner fellow. "This gives a stronger justification for IT groups to contribute to OT software management, creating an IT and OT alignment that could be in the form of standards, enterprise architecture (EA), support and security models, software configuration practices, and information and process integration."

Page 26: HUMAN FACTOR AND IT/OT CORRELATION

IT and OT are converging in numerous important industries, such as healthcare, transportation, defense, energy, aviation, manufacturing, engineering, mining, oil and gas, natural resources, and utilities. IT leaders who are impacted by the convergence of IT and OT platforms should consider the value and risk of pursuing alignment between IT and OT, as well as the potential to integrate the people, tools and resources used to manage and support both technology areas.

"A shared set of standards and platforms across IT and OT will reduce costs in many areas of software management, and reduced risks come from reducing malware intrusion and internal errors," Mr. Steenstrup said. "Cybersecurity can be enhanced if IT security teams are shared, seconded or combined with OT staff to plan and implement holistic IT-OT security. 'Security through obscurity' was an acceptable policy with most older-generation OT platforms because of their proprietary architectures and limited connection to IT. It is no longer possible to rely on this maxim, because OT platforms have evolved to use commercial generic infrastructures."

With IT and OT converging, the scope of CIO authority may cater to the needs of planning and coordinating a new generation of operational technologies alongside existing information- and administration-focused IT systems. The key change for CIOs may be that their role moves from leading the IT delivery organization to leading the exploitation of the business assets of processes, information and relationships across all technologies in the enterprise — IT or OT, whether delivered, supported, or managed by the formal IT organization or elsewhere.

"The intersection of IT and OT changes the relative importance of IT management disciplines for the IT organizations concerned. CIOs and other IT leaders need to evaluate and realign their roles and relationships to maximize the value of converging IT and OT," said Mr. Steenstrup. "CIOs have a great opportunity to lead their enterprises in exploiting information flows from digital technologies. By playing this role, they can better enable decisions that optimize business processes and performance."

Page 27: HUMAN FACTOR AND IT/OT CORRELATION

• Governance

• We'll help you build the Security Policies, Standards, and Procedures that form the basis of your security program. From there we'll address each aspect of your enterprise, helping you select and implement the most appropriate technologies, tools and products to achieve your security and business goals.

• Security Engineering

• Human Element will show you how to implement engineering processes using secure design principles. We have assisted commercial and Government organizations to effectively apply security engineering and evaluation models. First, we'll help you define the most appropriate security controls for your information systems based on your risk, threat, and regulatory environment. Then we'll define specific security architectures, designs, and solutions to mitigate potential vulnerabilities. We have experience engineering web-based systems, mobile systems, embedded devices, cyber-physical systems, and cryptographic solutions as well as site and facility physical security.

Page 28: HUMAN FACTOR AND IT/OT CORRELATION

• Governance

• Security Engineering

• Physical Security

• Communications and Networks

• Access Control - Identity and Access Management

• Assessments and Testing

• Security Network Operations Support

• Application Security

• Business Continuity and Disaster Recovery

• Vulnerability Management

• Intrusion Detection

• Asset and Data Security

• Human-Based Cyber Defense

• Security Operations