The North American Electric Reliability Corporation (NERC) recently posted a document confirming a cyber event that occurred on a western U.S. electrical grid in spring 2019, marking the first cyberattack on an American grid and, more importantly, striking a chord among operators. The case, which is ironically labeled a “lesson” by NERC, is a glaring demonstration of the cyber challenges faced not only by the energy sector, but also the 15 other critical infrastructure sectors on which our way of life depends.
Cyber threats, however, are nothing new to the industry – three former secretaries of the Department of Homeland Security (DHS) recently stressed the increased risk of cyber threats to the US. In particular, Janet Napolitano pointed to critical infrastructure cyberattacks on our nation's systems and underscored the need to address the increasing threats before it’s too late.
Additionally, a recent study by the Ponemon Institute revealed that 90% of professionals in industrial control systems (ICS) and operational technology (OT) environments reported at least one negative impact of a cyberattack in the past two years. While the adversaries largely remain unknown, these attacks more than likely resulted from flawed IT/OT integration, the complexities of Supervisory Control and Data Acquisition (SCADA) systems, lack of asset visibility, and inadequate cyber policies, among other vulnerabilities.
One contributing factor, however, stands out blatantly from the rest: an understaffed and much too frequently under-skilled critical infrastructure cybersecurity workforce.
The CIP workforce challenge
Organizations across industry face the challenge of recruiting and retaining cybersecurity talent. Since 2015, the number of unfilled cybersecurity jobs has grown by more than 50% and by 2021, the number of unfilled jobs is expected to reach upwards of 3.5 million, according to Cybersecurity Ventures. These numbers offer insight into an industry that is under pressure, both from internal and external factors.
For critical infrastructure, the workforce shortage is even more threatening. The skills that a typical IT security professional acquires do not necessarily transfer to critical infrastructure that runs within ICS environments. Furthermore, ICS was originally designed to stand alone, but now businesses’ needs have forced ICS to become interconnected with external networks – a problem for the current operations workforce, who are not digital natives. There’s also the issue of attracting new talent, given the nuanced skills required for critical infrastructure protection (CIP) and the lure of high-paying Fortune 500 companies.
Current programs fall short of success
In the past, evaluations have looked into cybersecurity workforce initiatives, specifically to see if the programs are preparing students for the highly technical roles associated with Infosec. As outlined by the Center for Strategic and International Studies (CSIS), these programs are failing. And even though CSIS did identify three programs that are working to establish “best practices,” they still have flaws.
One such flaw: the three programs are in fact designed for students looking to enter the cybersecurity industry. They offer nothing for veterans looking to improve their knowledge and skills, and they have no focus on critical infrastructure, only a general application of cybersecurity. One program, as CSIS notes, has even come under criticism for “a lack of rigor in their programs.”
As for certifications that provide ICS testing, such as Global Industrial Cyber Security Professional (GICSP), there remains too much focus on teaching cybersecurity concepts and theories and too little on providing practical experiences that ultimately arm students with tangible skills to take into the workforce. Not only are many of these programs all but irrelevant to the students’ needs within a CIP cyber environment, but many employers have expressed dissatisfaction with graduates who lack practical experience upon entering the workforce.
Evolving CIP Cyber Training
For critical infrastructure protection, practical experience is invaluable. CIP cyber has specific nuances typically not found in enterprise cybersecurity, making the transition for IT security professionals or students difficult. For example, once dependent upon ICS as isolated networks, organizations have evolved to include modernized connections between their ICS and business and external networks. This move to enhance productivity has unfortunately left critical infrastructure sectors exposed to external and internal threats.
As a result, to support critical infrastructure’s workforce needs, training must evolve to emphasize relevant technologies and processes as well as interoperability with existing IT security infrastructures, particularly access control.
To start, training should focus around the Purdue Enterprise Reference Architecture, or Purdue model, which is an industry-adopted reference model that shows the interconnections and interdependencies of all the main components of an industrial control system (ICS). Created in the 1990s, this model was originally used to develop enterprise architecture – today, it’s the backbone of interoperability.
In order to arm professionals with the tools to be successful in protecting against cyberattacks on critical infrastructure sectors, CIP cybersecurity training must include in-depth experience with the following Purdue model components:
- Deep content disarm and reconstruction (D-CDR) technology breaks a file down and scrubs any malicious threat. Training programs should highlight, in practical terms, why and how Deep CDR is used and needed throughout CIP in order to ensure that internal and external data threats are mitigated.
- Multi-scanning technology also needs to be included in training programs so students can understand how advanced threat detection and protection through multiple scanning engines increases malware detection rates.
- Transfer of data is a vulnerable point in critical infrastructure. Training should emphasize the steps and protocols for data exchange between segregated networks, specifically utilizing threat intelligence technology, proactive data loss prevention (DLP), file-based vulnerability assessment technology and sandboxing.
- Transfer of device is another vulnerable point for CIP. Many businesses now rely on personal or remote devices for employees, allowing for productivity on-the-go, but at a cost. Training should focus on data protection technologies, such as anti-keylogger technology, and endpoint technologies and processes, including malware detection, vulnerability assessment, compliance protocols and unwanted application removals.
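To make the Deep CDR and segregated-network data exchange items above concrete, here is an added example (not the article's own code and not any vendor's Deep CDR implementation) of the reconstruction idea in Python: a zip-based Office document is rebuilt from an allow-list of known-good parts, so macros, embedded objects and external links never cross the boundary into the operations network. The allow-list policy, the sample document and the regex-based handling of the package XML are assumptions made for illustration; a real CDR engine parses the object tree of each format rather than pattern-matching XML.

```python
"""Minimal content disarm and reconstruction (CDR) for a zip-based Office file.
Hypothetical allow-list policy for illustration, not a production CDR engine."""
import io
import re
import zipfile

# Parts that never survive reconstruction (policy assumed for this example).
DROP_PATTERNS = [re.compile(p) for p in (
    r"^word/vbaProject\.bin$", r"^word/vbaData\.xml$",
    r"^word/embeddings/", r"^word/activeX/")]
# Parts that are rebuilt into the output; anything not listed is dropped.
ALLOW_PATTERNS = [re.compile(p) for p in (
    r"^\[Content_Types\]\.xml$", r"^_rels/\.rels$", r"^docProps/(core|app)\.xml$",
    r"^word/(document|styles|settings|fontTable|numbering)\.xml$",
    r"^word/_rels/document\.xml\.rels$", r"^word/media/.*\.(png|jpe?g)$")]
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = ("application/vnd.openxmlformats-officedocument"
              ".wordprocessingml.document.main+xml")

def is_allowed(name):
    if any(p.search(name) for p in DROP_PATTERNS):
        return False
    return any(p.search(name) for p in ALLOW_PATTERNS)

def rels_base(rels_name):
    # "word/_rels/document.xml.rels" -> "word/", "_rels/.rels" -> ""
    return rels_name.split("_rels/")[0]

def scrub_rels(xml, base, dropped):
    """Remove relationships that point at a dropped part or outside the package."""
    def keep(m):
        rel = m.group(0)
        if 'TargetMode="External"' in rel:
            return ""
        tm = re.search(r'Target="([^"]+)"', rel)
        target = tm.group(1) if tm else ""
        resolved = target[1:] if target.startswith("/") else base + target
        return "" if resolved in dropped else rel
    return re.sub(r"<Relationship\b[^>]*/>", keep, xml)

def scrub_content_types(xml, dropped):
    """Drop Override entries for removed parts and demote a macro-enabled main part."""
    def keep(m):
        pm = re.search(r'PartName="/([^"]+)"', m.group(0))
        return "" if pm and pm.group(1) in dropped else m.group(0)
    return re.sub(r"<Override\b[^>]*/>", keep, xml).replace(MACRO_MAIN, PLAIN_MAIN)

def disarm(data):
    """Return (reconstructed zip bytes, list of dropped part names)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    names = src.namelist()
    dropped = [n for n in names if not is_allowed(n)]
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in names:
            if name in dropped:
                continue
            body = src.read(name)
            if name.endswith(".rels"):
                body = scrub_rels(body.decode(), rels_base(name), dropped).encode()
            elif name == "[Content_Types].xml":
                body = scrub_content_types(body.decode(), dropped).encode()
            dst.writestr(name, body)  # fresh entry: no stray data from the source zip
    return out.getvalue(), dropped

def build_sample_docm():
    """Constructed macro-enabled document for the demo (placeholder bytes, no real VBA)."""
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN}"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            '</Types>'),
        "_rels/.rels": ('<Relationships><Relationship Id="rId1" Type="officeDocument" '
                        'Target="word/document.xml"/></Relationships>'),
        "word/document.xml": "<w:document><w:body><w:p><w:t>hello</w:t></w:p></w:body></w:document>",
        "word/styles.xml": "<w:styles/>",
        "word/_rels/document.xml.rels": (
            '<Relationships><Relationship Id="rId1" Type="styles" Target="styles.xml"/>'
            '<Relationship Id="rId2" Type="vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId3" Type="hyperlink" Target="http://example.invalid/x" TargetMode="External"/>'
            '</Relationships>'),
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed placeholder",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

def demo():
    """Disarm the sample and return what a gateway operator would inspect."""
    clean, dropped = disarm(build_sample_docm())
    z = zipfile.ZipFile(io.BytesIO(clean))
    return {"names": z.namelist(), "dropped": dropped,
            "rels": z.read("word/_rels/document.xml.rels").decode(),
            "ctypes": z.read("[Content_Types].xml").decode()}

if __name__ == "__main__":
    print(demo())
```

The point a trainee should take from this is the direction of the logic: the gateway does not look for known-bad signatures (that is the multi-scanning layer), it rebuilds the document from parts it positively trusts, and everything else, including the relationship entries that would otherwise dangle or point outside the package, is discarded before the file is released to the segregated network.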
To achieve mission-ready CIP cyber personnel now, training of aspiring and veteran industry professionals must evolve to include not only the much-needed practical skills, but also the comprehension of the nuanced systems that make up the Purdue model. Simply put, if gaps in the cybersecurity workforce are not addressed soon, not only will critical infrastructure be hurt, but industries across the world will suffer the consequences. And next time, said consequences could be more than just a “low-impact” blind spot on the western U.S. power grid.