
Energy-related personnel and Processes Evaluation

There is a concern in the energy sector about the low level of cybersecurity training among company staff, which is considered a risk to the security of the company and of the infrastructures it operates.

The standard IEC 62443-2-1 considers security awareness for all personnel an essential tool for reducing cybersecurity risks. Companies are aware that they need to improve the cybersecurity competences of their employees, especially those operating the most critical assets. However, cybersecurity training cannot be done in an improvised way, only after the company or society has suffered some type of cyber-attack, nor can it be left to the employees themselves. It is necessary to define and deploy in the organisation a set of processes and practices that provide each employee with cybersecurity awareness and training specific to their work activity.

To address this challenge, SDN-microSENSE has developed a Cybersecurity Awareness and Training Model and an Evaluation Tool to help energy companies improve their cybersecurity training processes. The model establishes the set of processes and practices that must be deployed in the company to manage the cybersecurity awareness and training of its personnel, and the evaluation tool helps to assess the level of maturity the company has reached in deploying these processes and practices. Furthermore, a competency framework has also been developed with a set of cybersecurity knowledge, skills and abilities to be adopted by people according to their working role.

The Cybersecurity Awareness and Training Model and the Evaluation Tool defined in the context of the SDN-microSENSE project are composed of three main components:

1. Cybersecurity Capability Maturity Model
2. Cybersecurity Competency Model
3. Evaluation tool

1. Cybersecurity Capability Maturity Model

The first component of the SDN-microSENSE Cybersecurity Awareness and Training Model is the Cybersecurity Maturity Model. In the context of SDN-microSENSE, the Cybersecurity Maturity Model is defined as a set of processes and practices that should be deployed in a company to improve the competency level of its personnel in cybersecurity. The model is structured in maturity levels, each representing a different degree of organisational capability for managing and developing the training, skills and competency processes that build a cybersecurity culture inside an energy company. Each maturity level, with the exception of the Initial level, consists of processes, which identify the capabilities that must be deployed in the company to achieve that level. Finally, each process is composed of a set of practices and tips for achieving the process goal. The following figure shows how all the elements in the model are related:

The SDN-microSENSE Cybersecurity Capability Maturity Model considers 3 maturity levels:

· Initial level, where processes, although they may exist in the organisation, are not institutionalised. All companies are at this initial level by default.

· People Managed level, where processes oriented to managing the cybersecurity training of personnel are defined and deployed.

· Competency Managed level, where processes oriented to managing cybersecurity competences are defined and deployed.


The next figure presents the processes associated with each level.

2. Cybersecurity Competency Model

A competency model is a framework that defines the set of knowledge, skills and abilities required to perform a specific role in a company. The continuous digitisation of the energy sector is forcing the workforce to acquire cybersecurity knowledge and skills to avoid unintentional errors, reduce external threats, and be able to face adverse events (attacks and incidents) or system failures. This is why the Cybersecurity Competency Model focuses on the specific cybersecurity competences that each person must adopt according to their working role. A total of 16 user roles have been defined in the model, such as executive manager, security administrator, system operator, engineer, OT manager, installer or IT user. Each role includes information about its activity, location, managed assets, possible threats and cybersecurity competences (knowledge, skills and abilities).

3. Evaluation tool

The Evaluation Tool allows a company to measure the maturity level it has reached in defining and deploying the training processes of the Cybersecurity Maturity Model. Once the user has entered information about the practices deployed in the company, the tool reports the level of maturity the company has reached.

The tool, developed in Excel, contains the following elements:

· Cover form. It provides general information about the tool: name, version and a brief description.

· Evaluation summary form.

· Level 2 (People Managed) results presentation form.

· Level 3 (Competency Managed) results presentation form.

· Processes assessment form.
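The staged evaluation that sections 1 and 3 describe (levels made of processes, processes made of practices, and a level reached only when the level below it is complete) can be made concrete in a few lines. This is an added illustration in Python, not the project's Excel tool; the process and practice identifiers below are constructed placeholders, since the page does not list the real ones.

```python
# Staged maturity assessment modelled on the three-level structure above:
# Initial -> People Managed -> Competency Managed. Each level above Initial is
# made of processes, each process of practices, and a level counts as reached
# only when every process of that level is fully deployed and the level below
# was already reached. Added example, not the project's tool; process and
# practice identifiers are constructed placeholders.
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    name: str
    practices: tuple  # identifiers of the practices that make up the process


LEVELS = {
    1: ("Initial", ()),  # default level for every company; has no processes
    2: ("People Managed", (
        Process("PM-A (placeholder: training management)", ("PM-A.1", "PM-A.2", "PM-A.3")),
        Process("PM-B (placeholder: awareness programme)", ("PM-B.1", "PM-B.2")),
    )),
    3: ("Competency Managed", (
        Process("CM-A (placeholder: role competency definition)", ("CM-A.1", "CM-A.2")),
        Process("CM-B (placeholder: competency gap follow-up)", ("CM-B.1", "CM-B.2", "CM-B.3")),
    )),
}


def process_coverage(proc: Process, deployed: set) -> float:
    """Share of the process's practices the company reports as deployed."""
    done = sum(1 for p in proc.practices if p in deployed)
    return done / len(proc.practices)


def assess(deployed_practices) -> dict:
    """Evaluate the reported practices against LEVELS.

    Returns the highest level reached plus, per level, the coverage of each
    process, so the gaps blocking the next level are visible in the result.
    """
    deployed = set(deployed_practices)
    reached = 1  # every company starts at Initial
    coverage = {}
    for number in sorted(LEVELS):
        name, processes = LEVELS[number]
        coverage[name] = {p.name: process_coverage(p, deployed) for p in processes}
        # Staged model: level n is reached only if level n-1 was reached and
        # all of level n's processes are complete.
        if reached == number - 1 and all(c == 1.0 for c in coverage[name].values()):
            reached = number
    gaps = [p for lvl in coverage.values() for p, c in lvl.items() if c < 1.0]
    return {"level": reached, "level_name": LEVELS[reached][0],
            "coverage": coverage, "gaps": gaps}
```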

The Cybersecurity Awareness and Training Model and the Evaluation Tool are described in deliverable D3.4, due by the end of June.