The term “attack surface” is security jargon for the sum of your security risk exposure. It is the aggregate of all known, unknown, reachable and potentially exploitable weaknesses and vulnerabilities across the organization. All organizations regardless of industry have an attack surface.

Fortunately, awareness of weaknesses, prioritization of risk, and layered defenses can reduce the attack surface and limit disruption, enhance predictable operations, and lower business risk.

What is the Human Attack Surface in ICS Environments?

“Securing the human” is easy to overlook. Simply defined, the human attack surface is the sum of all exploitable security holes or gaps created by humans within your ICS operations environment.

Human behaviors in ICS realms are no different than those within many professional settings. A significant difference is that errors or negligence can have serious physical consequences even with safety instrumented systems in place.

controls systems are a target

Plant operations and process control engineers generally do not prioritize ICS security in their environments and rely on techniques such as airgaps, perimeter firewalls, and safety instrumented systems for protection. The poster above from the SANS Institute characterizes common risks and exploitable weaknesses to consider.

Examples of human factors influencing the size of your attack surface and directly related to cyber and business risk include a lack of ICS security knowledge, resistance to change (or choosing to bypass security rules/policies to avert disruption), ICS systems connected directly to the Internet (for maintenance, software updates or just unaware), susceptibility to social engineering, unsupervised insider privilege, opportunities for operator error or negligence, awareness training for email security, worker absence (such as due to illness, quitting, death, retirement), and a lack of ICS security policies or training.

Here are a few real incidents (there are many) of risky behaviors contributing to human attack surface risk within ICS environments: