Industrial Cybersecurity CS4CA Europe 2024: Human-Centric Industrial Cybersecurity Insights from London
Jonathon Gordon
Industry Analyst @ Takepoint Research | Senior Analyst - Cyber Security
Last week, I attended the CS4CA Europe event in London, an intensive two-day conference that gathered many of the most insightful voices in European industrial cybersecurity. It was an enlightening experience, with sessions covering everything from balancing human-centric cybersecurity strategies to understanding how IT/OT integration can offer measurable returns on investment. Chaired by Wayne Harrop, GRC & Resilience Manager at National Grid Ventures, the event excelled in highlighting the challenges and opportunities that lie ahead for industrial cybersecurity. Here are my key takeaways from this incredible gathering.
The Human Element in Industrial Cybersecurity
The event kicked off with a panel discussion that set the tone for what would become a central theme throughout the conference: the human side of cybersecurity in industrial environments. This panel discussion emphasized that at the core of all cybersecurity strategies must be an understanding of people—those who are the operators, decision-makers, and, occasionally, the vulnerabilities within the system.
Wayne Harrop and the panelists discussed the challenge of striking the right balance between technology-driven and human-centric security measures. As the integration of AI and advanced digital tools becomes more prevalent, it’s easy to see why many organizations are tempted to lean heavily on tech solutions. But what stood out was the acknowledgment that neglecting the human aspect—underestimating factors like cultural influences, individual behaviors, and even generational differences—could lead to ineffective cybersecurity outcomes.
Human-Centric Security: Perspectives from Industry Experts
Trish McGill, a noted cybersecurity executive, made an insightful point regarding the evolution into Industry 5.0, where robots and human workers are collaborating like never before. This era brings both opportunities and unique challenges in cybersecurity. The convergence of machine capabilities and human intelligence presents an increasingly intricate scenario that cybersecurity experts must understand and address.
Greg Blezard MBE MSc, Head of BISO at Scottish Power Renewables, challenged the traditional narrative that the “human factor” is the weakest link in cybersecurity. He argued that humans are also the “sensors” of an organization’s cyber resilience—sharp observers who can notice anomalies and prevent potential threats from escalating. It was a powerful reminder of the importance of fostering a cybersecurity culture where every individual, from the boardroom to the factory floor, sees themselves as an integral part of the organization’s defense strategy.
Blezard emphasized the need for organizations to shift their focus from purely technical controls and compliance-driven processes towards creating a culture where people are seen as key stakeholders in cybersecurity. This insight underscores how essential it is for companies to invest in training and empowering their workforce.
Building a Human-Centric Firewall
Marta Majtenyi, Director of Cybersecurity Services, further expanded on the notion of human-centric security, underlining the importance of understanding the varying needs of different roles within an organization. She pointed out that employees have different levels of engagement with cybersecurity, depending on their roles, their familiarity with technology, and their concerns. Senior executives might be concerned about reputational risks and financial implications, whereas factory workers may be more concerned about safety and operational stability.
The consensus among the speakers was that building an effective “human firewall” requires more than just awareness training—it demands a cultural shift across the organization. This means mobilizing not only the direct employees but also suppliers, contractors, and other third parties who may have access to the organization’s systems. The speakers emphasized the need for extended training programs that include these external partners, advocating for making such training mandatory to ensure that the organization’s cybersecurity standards are upheld by everyone involved.
Building an OT Cybersecurity Program: Insights from Medmix
Claudio Sangaletti, OT Security Leader at Medmix, delivered one of the most practical sessions, sharing his experience in building an operational technology (OT) cybersecurity program from the ground up. His story began dramatically with a late-night call about a ransomware attack, which became the catalyst for his deep dive into the world of OT security. This story underscored the point that OT cybersecurity is not a field one enters casually; it’s a discipline that demands urgency and a willingness to engage across every level of the organization.
Sangaletti highlighted the importance of relationships and understanding the core business before diving into the technicalities. His initial focus was not on technology but on understanding business processes, getting to know the people behind these processes, and building trust. This emphasis on relationships as the bedrock of cybersecurity initiatives was echoed throughout his presentation. In his view, cybersecurity is as much about the people as it is about the technology—it’s a “people business.”
Human-Centric Security as a Business Enabler
One of the standout messages from Sangaletti was his perspective on the role of cybersecurity in a business context. Rather than seeing it as a necessary burden driven by compliance, he views cybersecurity as a business enabler. He urged cybersecurity leaders to communicate in a way that resonates with different stakeholders, steering clear of the jargon that can alienate key decision-makers. Executives, he argued, need to understand how cybersecurity investments contribute to operational reliability, business continuity, and even productivity gains.
Sangaletti used an apt analogy to describe the process of building an OT security program—comparing it to constructing with Lego blocks. He explained that it’s about starting with foundational elements and building upward in a scalable manner. A cybersecurity program should grow with the company, adapting to its changing needs without losing sight of the core objective: to help people work more securely and effectively.
ROI in Cybersecurity: A Complicated Question
Another critical discussion at the conference revolved around the concept of ROI in industrial cybersecurity, a subject close to our ongoing research efforts at Takepoint Research. Adam Paturej, Cybersecurity Director at the International Centre for Chemical Safety and Security, presented a compelling session on turning IT/OT cyber strategies into measurable returns for businesses.
Paturej highlighted the challenge of convincing stakeholders to invest in cybersecurity. Unlike safety investments, which are often linked to compliance and have direct, quantifiable benefits, cybersecurity investments can seem more abstract. Many companies justify these investments by pointing to media coverage of cyber incidents or the cost of compliance failures. However, Paturej stressed the need for organizations to go beyond reactive justifications. Instead, he encouraged companies to align cybersecurity strategies with core business objectives, showcasing how these strategies protect critical assets and add value to the business.
Drawing a parallel with safety protocols, Paturej introduced the idea of using consequence-based risk analysis in cybersecurity planning. In safety management, professionals don’t just identify risks—they consider the potential consequences of these risks. By applying this to cybersecurity, organizations can better prioritize their efforts, focusing on mitigating risks that have the most significant impact, such as operational downtime or regulatory breaches.
Aligning IT and OT Cybersecurity: Different Sectors, Different Needs
Paturej also addressed the complexity involved in aligning IT and OT cybersecurity strategies, pointing out that there are significant differences across industrial sectors. Unlike IT environments, which have benefited from years of standardization, OT environments are often highly diverse and operate under unique constraints, making standardization much more challenging. The Purdue model, often used as a framework for IT/OT integration, has its limitations, particularly when trying to address the nuances found in OT environments.
One of the main challenges is ensuring that different stakeholders—sometimes with very different priorities—all have the access they need without compromising security. For example, in sectors like renewable energy, operational staff may require real-time data access to ensure efficiency, while cybersecurity teams need to ensure that data remains protected from unauthorized access.
Cybersecurity as Part of Overall Business Strategy
The overarching theme of Paturej’s presentation was that cybersecurity must not be treated in isolation. It should be integrated into the organization’s overall safety and business strategies. Effective cybersecurity isn’t just about fending off attacks; it’s about ensuring that the business can operate reliably, resiliently, and with the trust of its stakeholders.
By aligning cybersecurity efforts with broader business goals and focusing on consequence-based risk analysis, organizations can not only secure themselves against threats but also drive efficiency and innovation. This approach is essential, especially in an industrial context where downtime and disruptions can have severe financial and operational repercussions.
Adding Value with More Practical Insights
While the sessions throughout CS4CA Europe were undoubtedly insightful, I would have liked to see some more hands-on topics—perhaps a dedicated technical track that offered deeper practical knowledge. Many of our clients are looking for actionable steps they can take to solve these complex issues. They want practical direction—tips and tricks they can employ when they get back to their organizations. A dedicated track focusing on technical solutions, specific case studies, or even practical workshops would have added a great deal of value to a decent agenda.
However, it’s also worth noting that the useful discussions during the sessions and the many valuable interactions during the breaks made the event a worthwhile experience overall. The opportunity to speak directly with thought leaders and share perspectives with OT cyber peers is the reason to attend in person. Great to catch up with the usual suspects and meet some new folks too!
The Way Forward for Industrial Cybersecurity
The CS4CA Europe event underscored the evolving dynamics of industrial cybersecurity, especially the importance of considering both human and technological elements. Whether discussing the integration of IT and OT systems or the role of humans as both potential vulnerabilities and critical assets, the experts agreed that a balanced approach is essential.
The key takeaway for me was the necessity of building cybersecurity programs that prioritize human engagement, scalability, and alignment with business objectives. Industrial cybersecurity is not just about implementing sophisticated technologies or meeting compliance requirements; it’s about ensuring that every person in the organization understands their role in safeguarding operations. By focusing on building relationships, empowering people, and effectively communicating the value of cybersecurity, organizations can create resilient, adaptive security frameworks that will serve them well into the future.
Cyber Security, Industrial IoT, Digital Innovation and Diversity in Tech Enthusiast
1 month ago: Great to see you Jonathon and great write-up. Enjoyed reading it!
Security Leader|Veteran
1 month ago: Great summary, thanks for sharing
Senior Technical Manager | Digital Transformation | Industrial Automation | ICS Cyber security | Project Management
1 month ago: Thanks Jonathon!!
Director @ Norsk Hydro | Cyber Security Service and IT Governance, Risk, Compliance
1 month ago: Thank you Jonathon
Securing Critical Infrastructure & Industrial Systems | Chief Cyber Security Strategist | Executive Subject Matter Expert Cyber Security IT/OT | Keynote Speaker | Thought Leader | Visionary | CS4CA Steerco Member
1 month ago: Thanks for sharing.