Last updated at Wed, 03 May 2023 13:37:03 GMT

In baseball, a mistake made by a player that could have easily been avoided is sometimes called an “unforced error.” An unforced error is not an official error (that is, they are not reflected in statistics), however, they can result in additional runs being scored, runners getting on base, and even games being lost. This applies in cyber security, as well. Threat actors use all sorts of nefarious tactics to target your networks, but they usually can’t succeed without some mistakes from your team.

Rapid7’s partner SCADAfence recently commissioned a survey of 3500 OT professionals. Among the findings, nearly 80% of respondents believe that human error presents the greatest risk for compromise to operational technology (OT) control systems.

The survey also found that 83% of respondents believe that there is a significant shortfall in the number of skilled workers. This could contribute to the problem, since under-qualified or improperly trained security workers are more likely to make preventable errors.

Still, many organizations continue to ignore the extremely high potential costs of human error.

Real World Consequences

Last year, SCADAfence argued that an explosion at the Freeport LNG natural gas plant, which a Russian group claimed responsibility for, was actually caused by human error. The timing of the explosion, less than two months after a major maintenance upgrade, and several other factors appear to indicate that improper procedures and a lapse in adherence to company policies were the cause. This was later confirmed by the U.S. Pipeline and Hazardous Materials Safety Administration (PHMSA).

Another example is the Oldsmar Water Facility Attack in 2021. According to reports, human error played a large factor in the attack—in which hackers gained unauthorized access to the water facility’s industrial control system (ICS) network and increased sodium hydroxide content in drinking water to poisonous levels. The Oldsmar facility was using Windows 7, even though Microsoft had stopped supporting it a year earlier. All of Oldsmar’s employees shared the same password to access TeamViewer, a remote access software. And, the facility was connected directly to the internet without any type of firewall protection installed. All of these easily preventable factors contributed to the attacker’s ability to gain access to the facility.

Human error in OT systems can take different forms. As stated above, weak, outdated or duplicated passwords have led to any number of cyber security breaches. Firewalls, which are relied on to provide a first line of OT cyber security defense, are frequently misconfigured or improperly deployed by IT staff members. Finally, phishing attacks, a form of social engineering used by malicious actors to gain information from unwitting victims which is then used to access secure systems, are a major starting point for attacks on critical infrastructure.

Rapid7’s Advice

The number one way to prevent human error from leading to costly cyber attacks is training. OT and IT staff should be regularly trained on company security policies and should understand the importance of always following protocol. Also, teams need to work closely together to ensure that proper protections are in place across the network.

There are a number of best practices that have been shown to reduce the frequency and severity of cyber attacks in OT and ICS networks. Organizations should:

  • Require secure passwords that are changed on a regular schedule. Never allow team members to share passwords or access IDs to systems. Each employee that requires access to a system or device should have a unique user name and account.
  • Reduced access privilege access
  • Keep your network updated with important patches and upgrades
  • Make sure the tools your teams rely on are reliable, effective, and up to date.
  • Stay on top of news and information about newly discovered vulnerabilities, and potential threats relevant to your organization.

Finally, if your team lacks bandwidth or necessary skills, consider using managed services to gain insights and relevant threat information about your network.

This article was written in partnership with SCADAfence.