Attacking the operational technology through the operator
October 22, 2019.
By the CyberWire staff
Chad Lloyd, Security Architect, Schneider Electric, began by pointing out that compromising a system very often starts with compromising a human being. Studies indicate, he said, that 97% of cyberattacks try to trick a human being. He reviewed principles of social engineering, and emphasized that social engineering enables an attacker to bypass cyber defenses in depth and physical security measures. He pointed out a mismatch in priorities between IT and OT. IT worries about confidentiality, integrity and availability, in that order. OT, by way of contrast, is concerned with safety, availability and integrity (which together make up reliability), and only then confidentiality. Social engineering will seek to exploit these differing priorities.
After a description of how social engineers pull off their confidence games, Lloyd offered some general considerations for making an organization more resistant to this threat. He recommended instituting a security awareness program, with a primary focus on social engineering. Do a baseline assessment, and target training to risky positions. Make the training short, interesting, and interactive. He recommended that organizations include social engineering in risk assessments and penetration tests, and that they extend such assessments to third parties.
With respect to technology, Lloyd suggested that organizations consider control escalation and mutual control. Two-factor authentication is valuable. He urged that enterprises not permit unmanaged devices on their networks. Endpoint security is valuable (but he cautioned that this isn't a panacea, and that organizations shouldn't rely on it exclusively). One-way sneaker-netting and unidirectional data diodes are also useful.
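One way to act on the "no unmanaged devices" recommendation is a periodic audit that compares what is actually answering on an OT segment against the asset inventory. The script below is an added example written for this summary; it is not Lloyd's material or Schneider Electric code. The inventory, the MAC and IP addresses, and the neighbour-table snapshot (written in the style of Linux `ip neigh` output) are all constructed, and the 24-hour endpoint-agent check-in window is an assumed policy value. It flags devices that are absent from the inventory, and separately flags inventoried hosts whose endpoint agent has gone quiet, which is the kind of blind spot Lloyd warned about when he cautioned against relying on endpoint security alone.

```python
"""Audit an OT network segment for unmanaged devices and stale endpoint agents.

Added example (not from the talk or from Schneider Electric). All addresses,
hostnames and timestamps below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed asset inventory: MAC -> (hostname, last endpoint-agent check-in).
# agent_checkin=None marks an inventoried device that cannot run an agent
# (e.g. a PLC), so it is tracked but not expected to report in.
INVENTORY = {
    "00:80:f4:01:02:03": ("plc-line1", None),
    "00:1b:1b:aa:bb:cc": ("hmi-line1", datetime(2019, 10, 22, 8, 55)),
    "3c:52:82:10:20:30": ("eng-ws-07", datetime(2019, 10, 20, 17, 10)),
}

# Constructed neighbour-table snapshot in the style of `ip neigh` output.
ARP_SNAPSHOT = """\
10.20.1.10 dev eth1 lladdr 00:80:f4:01:02:03 REACHABLE
10.20.1.11 dev eth1 lladdr 00:1b:1b:aa:bb:cc REACHABLE
10.20.1.12 dev eth1 lladdr 3c:52:82:10:20:30 STALE
10.20.1.77 dev eth1 lladdr a4:83:e7:de:ad:01 REACHABLE
"""

# Constructed audit time so the example is reproducible offline.
AUDIT_TIME = datetime(2019, 10, 22, 9, 0)


@dataclass
class Finding:
    ip: str
    mac: str
    status: str            # "unmanaged", "agent-stale" or "ok"
    hostname: str = "?"


def parse_neighbours(text):
    """Yield (ip, mac) pairs from neighbour-table lines; skip lines without lladdr."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            yield fields[0], fields[fields.index("lladdr") + 1].lower()


def audit_segment(snapshot, inventory, now, max_agent_age=timedelta(hours=24)):
    """Classify every observed device against the inventory.

    Unknown MAC          -> "unmanaged"  (should not be on this segment)
    Agent silent too long -> "agent-stale" (endpoint coverage has a hole)
    Otherwise            -> "ok"
    """
    findings = []
    for ip, mac in parse_neighbours(snapshot):
        entry = inventory.get(mac)
        if entry is None:
            findings.append(Finding(ip, mac, "unmanaged"))
            continue
        hostname, checkin = entry
        if checkin is not None and now - checkin > max_agent_age:
            findings.append(Finding(ip, mac, "agent-stale", hostname))
        else:
            findings.append(Finding(ip, mac, "ok", hostname))
    return findings


def unmanaged_devices(findings):
    """Return only the findings that represent devices not in the inventory."""
    return [f for f in findings if f.status == "unmanaged"]


if __name__ == "__main__":
    for f in audit_segment(ARP_SNAPSHOT, INVENTORY, AUDIT_TIME):
        print(f"{f.ip:<12} {f.mac} {f.hostname:<10} {f.status}")
```

Run as-is and the output lists the PLC and HMI as "ok", the engineering workstation as "agent-stale" (its last check-in is about forty hours old), and the unknown MAC at 10.20.1.77 as "unmanaged". In practice the snapshot would come from a switch or a passive collector rather than an inline string, and an "unmanaged" result should feed the same ticketing path as a failed physical-access check, since a rogue device on an OT segment is exactly what a successful social-engineering visit tends to leave behind.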
Attention to the basics matters, he concluded, and those basics emphatically include training.