- The utility approached DNV Cyber to implement an OT security awareness programme that could track progress.
- The programme made learning accessible and achievable for real people working for a real-world utility.
- The programme delivered measurable success.
This project was delivered by Applied Risk, a DNV company. DNV, Nixu and Applied Risk joined forces to form DNV Cyber in 2024, creating one of Europe’s fastest growing cybersecurity services businesses.
Taking a proactive approach to strengthening the level of operational technology (OT) security awareness in its organization, an international utility company approached DNV Cyber to implement an OT security awareness programme. The ultimate goal was to initiate behavioural change among the people responsible for the safe and reliable operations of the utility’s critical OT.
Initial discussions zeroed in on three major challenges that would need to be overcome:
- The risk of system failures as a result of cyber security incidents was considered too high – behavioural change was required at all levels, and especially among those responsible for the OT environment.
- Communication of expected employee behaviour regarding security, existing security policies and procedures, and how to act to keep OT cyber secure, was at times unclear or ineffective.
- The utility lacked an established and measurable OT security training and awareness programme that could capture the attention of participants and allow the company to track progress.
A pragmatic approach – a programme which made learning tangible
The strategy was to give employees the opportunity to experience a vastly higher level of interaction in the learning programme through unique activities connecting security procedures to physical workstations.
These initiatives went well beyond the usual intranet communications and newsletter messaging. A few examples included incident simulations, scalable face-to-face training programmes to add the human touch, structured and role-specific e-learning modules, and guerrilla marketing.
Learning interactions were designed to be relatable and to-the-point for real people working in the real world of a modern international utility. The programmes were therefore designed to adopt experience-orientated training and realistic scenarios to clearly explain where risks exist, and how to combat them. In-depth staff interviews were conducted during initial benchmarking to ensure the optimum compatibility of role-specific modules.
A fun and clearly recognizable company-wide OT security mascot was designed to:
- Tie together all initiatives
- Enable higher learning retention through repetition
- Bring security policies, procedures and encouraged actions into the light in a positive manner.
You can’t have missed it […] Everyone who works here knows what it is about.
Targeted marketing and blended learning raised security awareness
DNV Cyber’s collaboration with a communications agency resulted in an effective combination of OT security expertise and specialist communication skills being brought to designing and implementing the campaign. Working with the agency allowed the development of highly targeted OT security awareness messaging.
This initiative invited nearly 500 employees within the organization to participate in pre-campaign and post-campaign exercises to benchmark awareness levels. It was aimed at a blended target audience of operators, engineers, managers, middle management, senior management and directors.
Based on the defined performance indicators of the OT security awareness campaign, the customer considered the programme to have been very successful.
Overall, the campaign resulted in a 19% increase in company-wide OT security awareness as measured by the scoring system used.
Positive behavioural influence was achieved among team members at all levels of the organization. A positive effect was recorded over the one-year period between benchmarks. The customer is now able to benefit from the implemented expertise, training and awareness initiatives for years to come.