For all the effort that’s been put into developing new generations of IT security experts to help fill the cyber skills gap, there is still much work to be done when it comes to exposing up-and-coming infosec pros to the kind of hybrid IT, OT and IoT environments that one would find in an industrial or critical infrastructure setting.
According to energy tech firm Siemens Energy, there are fewer than 10 colleges that feature a curriculum covering cybersecurity for operational technologies. Hoping to make the most out of these still-limited academic options, Siemens this week announced a new industrial cybersecurity apprenticeship program that will allow university students to hone their specialized IT, OT and IoT skills in a real-life professional environment while also receiving pay for their work.
Siemens Energy is strategically partnering with a half-dozen other founding members on this endeavor: the nonprofit ICS Village, Inc.; Regional Economic Development for Eastern Idaho (REDI); recruiting organization MISI Academy; training and certification provider SANS Institute; and higher education institutions Capitol Technology University and Idaho State University, whose students will be eligible for the program.
“The new apprenticeship program will help meet a growing need for cybersecurity professionals who can defend physical systems,” said Teresa McKnight, CEO of REDI, in a press release. “Nine out of 10 jobs that call for cybersecurity in defense of critical infrastructure remain vacant. These jobs did not exist 10 years ago, but they will be essential to our modern economy for decades to come.”
The new four-year program, dubbed the Cybersecurity & Industrial Infrastructure Security Apprenticeship Program (CIISAp), is slated to commence with its first cohort of apprentices in the fall of 2022. To learn more about this initiative in detail, SC Media spoke with two executives with Siemens Energy: Rich Voorberg, president of the company’s North American division, and Leo Simonovich, vice president and global head of industrial cybersecurity.
Explain the motivations and strategic thinking behind this new program.
Rich Voorberg (RV): I've been involved with apprenticeships pretty much my whole career. I grew up in Canada. I used to run a [Siemens] factory up there, and everybody that came through the factory was an apprentice millwright, or fitter, or electrician or something like that. When I moved to the U.S., and we started building a factory in Charlotte, I said, “Everybody's going to have to be apprenticed.” And they were like: “Well, then you're not going to be able to fill your factories.”
I was just really shocked how we kind of let the apprenticeships fall by the wayside. That was the old style of training people, working them up through the process. And we kind of lost our way. I asked the guys, “Why don't we have apprenticeships anymore?” And they said, “Well, we spend all that money on somebody, we train them up, and then somebody else hires them away for a dollar an hour more.”
And I went, “It kind of sounds like another problem we’ve got, which is: Why aren’t we retaining people?” If we've invested in them and show them what their future is, then they should be glad to stay with us. So we show them that this isn't just a job; it's a career.
And so when I was in Charlotte, we started kicking off the apprenticeship program — and the thing exploded… It was on the nightly news.
[That was] more of the technical side. And then Leo and his team approached me and said, “We want to do this on the cybersecurity side,” and I said, “Yeah, definitely go for it. Go figure out what this could look like.” Because… when you get down to cybersecurity, where [you] need to have mechanical aptitude, as well as cyber aptitude, then this is really the only way to start developing it… It’s time for us as a lead company to stand up, take this over and drive this.
Leo Simonovich (LS): Industrial cyber has become the new risk frontier. We're talking about critical infrastructure — and we are talking about safety, reliability and delivery of energy to support our nation's economy. And to do that requires people to provide protection. We need a whole lot of folks that are skilled in a very unique way… given the rise and the sophistication of attacks against critical infrastructure, as we most recently saw with Colonial Pipeline.
I almost call it the endangered species. Because to be able to provide protection around critical infrastructure requires unique skills of mechanical controls, networking and security — and it’s very hard to acquire this.
The apprenticeship program that we launched here recently presents a model that would allow us to build on these skills and to do it in an environment that blends together an academic curriculum with hands-on training, and provide a path for talent to go into the field. This is the foremost problem of the day in security, where we're struggling to fill the talent gap, and do it in a way that helps reduce attrition and provides a clear path toward opportunity, jobs, and the chance to acquire a unique skill set.
You mentioned this notion of needing unique skills to manage cybersecurity in an industrialized environment. What sorts of skills would that include?
LS: Industrial cyber is about protecting both the physical and the digital world. And if you think about the exponential increase of smart devices that are being added to our energy system — something to the tune of 2 billion over the next couple of years — that means these folks have to understand not just digital flows, but also their impact on the physical world.
Take, for example, a security operations center [in an industrial environment]. Analysts are looking at threats in real time — not just the anomalies that are flowing through the networks, but what those anomalies really mean for the plant operator. They must be able to explain and understand what's happening, and how potential changes to configurations of control systems could impact plants. We call that context. [It means] becoming a translator of threats into action in the physical world.
For chosen apprentices, what will the experience entail?
LS: [The goal is to] build skills — practical, hands-on skills — that will differentiate the folks that go through this program. That's what's most important and giving them a path towards employment.
The program will include three types of learning. First is classroom learning from the premier universities that are focused on the topic of industrial cyber. Take Idaho State University, which has had an industrial cyber program in collaboration with Idaho National Laboratory for the better part of a decade.
Second is in-depth understanding of what we are calling the multifaceted technology stack — the mechanical, the electrical, and the digital world.
And then the third is learning by doing. As I mentioned, we have a security operations center specifically dedicated to operational technologies and industrial cyber that was built in Alpharetta, Georgia. And the folks who go through the rotation program will spend time with our analysts to get that training.
There are ultimately two tracks that we’re envisioning. The first track being the analyst or industrial cyber engineer track. And the second is more of an executive track to help run industrial cyber programs in corporate environments. And this is specifically designed for small and medium-sized enterprises that oftentimes don't have the big teams and need to cover the whole gamut of topics from strategy to operations to response. And we want to put these folks on a path from classroom to hands-on training, using our environment, which we call the Living Lab.
Do you anticipate other employers joining the program and offering hands-on training in their facilities — including perhaps actual utilities or critical infrastructure providers?
LS: The short answer is: yes.
Siemens Energy is playing an important role as the glue in the energy value chain. So what that means is that we have customers, we have suppliers, and we have an ecosystem of technology partners focused on industrial cyber. So that creates a unique opportunity for learning.
We ultimately have two foci. One is to match supply and demand between our partners and our customers. Utilities today struggle to find this type of talent. When I talk to customers, they say this is one of the biggest challenges… And we need to build up that pipeline.
We also ultimately want to help folks be out there learning from real problems. And to do that, we run and help maintain power plants all over this country. And I imagine a scenario in which our customers would want to work very closely with us to get access to talent that we're building and employ them in their ranks early on.
Your press release notes that there are fewer than 10 colleges that have classes covering cybersecurity for operational technologies. Why is there not better representation of OT and IoT security in academic curricula?
LS: Because it’s cross-disciplinary. The engineering department would need to talk to the computer science department, which then would need to talk to the environmental sciences department. And you’d need to talk to the business school. It requires multiple departments coming together. And then working through the curriculum to make the classes cross-disciplinary.
If you think about in-field experience, and… the diversity of background that's required here, to be able to reskill it, it's about casting a wider net. So we hope that more universities will join the ranks, that more of them will see this model as valuable.
What would you ultimately like to see come out of this program?
RV: What I really want to see is a diversity of candidates… I want to see people coming straight out of school — high-school types. I want to see people that are doing a change of their career partway through and wanting to try something different… And that's where you get that diversity of thought. So we're going to pull from certain areas to begin with, but really it's going to be a global search.