“This interactive workshop discusses how we can address cybersecurity in operational technology (OT) in critical water infrastructures with a multidisciplinary focus on human factors, geopolitical threats, and tailored training. Defending critical infrastructures from cybersecurity threats is crucial for ensuring the continual availability of essential services. If attacked, it could have serious and potentially life-threatening consequences for society. Although technical defences are a key resource, humans are a first line of defence in detecting and reporting anomalies in critical infrastructure systems. Cyber threat actors know this, and initial attack vectors in most breaches often involve exploiting human vulnerabilities. In critical infrastructures, OT personnel work closest with these systems, and are targeted by threat actors. It is crucial OT personnel can recognise cyber-threats and have confidence that they have the necessary knowledge and skills to respond. ATHENA, an EU funded project led by Rijkswaterstaat, is creating innovative training solutions for OT personnel to develop their awareness, skills, and engagement with cybersecurity.
Human factors are complex. Simply addressing cybersecurity behaviours through awareness-based training may not stimulate the level of engagement individuals need to change these behaviours. This is especially the case if the training is not designed to trigger meta-awareness, nor tailored to an individual’s needs or their organisational context. Generalised trainings that are ill-suited to end-users’ needs can result in poorer engagement, limiting the training’s effectiveness. Equally, discussing human factors on one organisational level can cause misalignment between the operational/technical, tactical, and strategic/policy levels, where clear communication is crucial in responding to cyber-threats. Only focusing on human factors as an isolated and compliance-dependent problem may miss opportunities to understand how geopolitical threat actors can exploit existing vulnerabilities, and gaps in individual skill levels, to attack critical infrastructures.
In this workshop, we explore how combining interdisciplinary perspectives from academia, industry, and OT personnel is critical in developing comprehensive solutions to change cybersecurity behaviours. The workshop encourages interactive discussions and activities with insights from the ATHENA project which combines different perspectives on tailored training through extended reality environments. This not only addresses the skills gap in cybersecurity in OT, it contributes to protecting the cognitive dimension; a known target in nonlinear and unrestricted warfare. This workshop ultimately explores how this approach facilitates the defence of critical infrastructures, and the humans responsible for critical systems, within an evolving geopolitical threat landscape.”
