Cyber Security Awareness

People are one of the strongest layers of defence within Industrial Automation and Control Systems (IACS). Effective awareness programs reduce cyber risk by improving security behaviours across the organisation.

Cyber Security Awareness Summary

Why Security Awareness Matters

IEC 62443 recognises that cybersecurity is not solely a technology problem—it is equally a people problem. Many successful cyber attacks exploit human behaviour rather than technical weaknesses.

Within Industrial Automation and Control Systems (IACS), cyber incidents can have consequences extending well beyond the loss of data. Compromised systems may disrupt production, damage equipment, create environmental incidents or introduce serious safety hazards for personnel.

For this reason, cybersecurity should receive the same level of organisational attention as safety, operational integrity and reliability.

People are Both...

  • A potential vulnerability through mistakes or poor security practices.
  • An important layer of defence capable of identifying and preventing cyber incidents.

Well-informed personnel frequently detect suspicious activity long before automated security systems, making awareness one of the most valuable security investments an organisation can make.

Awareness as a Cybersecurity Countermeasure

Security awareness is one of the most effective and lowest-cost cybersecurity controls available. Educating personnel significantly reduces the likelihood of incidents caused by human error, which remains one of the leading causes of successful cyber attacks.

Common awareness topics include:

Key Principle

Awareness is the first line of defence. Many cyber attacks can be prevented simply by making informed security decisions before clicking, connecting or responding.

Characteristics of Effective Awareness Programs

IEC 62443 recommends that awareness programs become part of normal business operations rather than occasional compliance activities.

Principle           Description
Role-Based          Training should match the responsibilities of operators, engineers, maintenance personnel, IT staff, managers and executives.
Relevant            Training should use examples, incidents and scenarios that reflect the organisation's own IACS environment.
Continuous          Awareness should be reinforced regularly through ongoing education rather than one-off training sessions.
Behaviour Focused   The objective is to improve secure behaviours and decision making, not simply deliver information.

Examples of Awareness Activities

  • Prevention
  • Detection
  • Incident Response
  • Recovery

Building a Strong Security Culture

Effective cybersecurity awareness extends beyond formal training. Organisations should encourage security to become part of everyday operations by promoting positive behaviours and open communication.

Examples include:

Developing a positive security culture encourages personnel to identify and report potential issues without fear of blame, allowing organisations to respond more quickly to emerging threats.

Industrial Example

Scenario:

A maintenance contractor receives an email requesting an urgent PLC firmware update with an attached executable file. Because the contractor has completed cybersecurity awareness training, they recognise several phishing indicators, avoid opening the attachment and report the email to the cybersecurity team. Investigation confirms the attachment contained malware targeting industrial control systems.

A potentially serious cyber incident is prevented through awareness rather than technical controls alone.

Key Takeaways