The North American Electric Reliability Corporation (NERC) recently posted a document confirming a cyber event that occurred on a western U.S. electrical grid in spring 2019, marking the first cyberattack on an American grid and, more importantly, striking a chord among operators. The case, which is ironically labeled a “lesson” by NERC, is a glaring demonstration of the cyber challenges faced not only by the energy sector, but also by the 15 other critical infrastructure sectors on which our way of life depends.

Cyber threats, however, are nothing new to the industry – three former secretaries of the Department of Homeland Security (DHS) recently stressed the increased risk of cyber threats to the US. In particular, Janet Napolitano pointed to critical infrastructure cyberattacks on our nation's systems and underscored the need to address the increasing threats before it’s too late.

Additionally, a recent study by the Ponemon Institute revealed that 90% of professionals in industrial control systems (ICS) and operational technology (OT) environments reported at least one negative impact of a cyberattack in the past two years. While the adversaries largely remain unknown, these attacks more than likely resulted from flawed IT/OT integration, the complexities of Supervisory Control and Data Acquisition (SCADA) systems, lack of asset visibility, and inadequate cyber policies, among other vulnerabilities.
One contributing factor, however, blatantly stands out from the rest: an understaffed and much too frequently under-skilled critical infrastructure cybersecurity workforce.

The CIP workforce challenge

Organizations across industry face the challenge of recruiting and retaining cybersecurity talent. Since 2015, the number of unfilled cybersecurity jobs has grown by more than 50%, and by 2021 the number of unfilled jobs is expected to reach upwards of 3.5 million, according to Cybersecurity Ventures. These numbers offer insight into an industry that is under pressure from both internal and external factors.

For critical infrastructure, the workforce shortage is even more threatening. The skills that a typical IT security professional acquires do not necessarily transfer to critical infrastructure that runs within ICS environments. Furthermore, ICS was originally designed to stand alone, but businesses’ needs have since forced ICS to become interconnected with external networks – a problem for a current operations workforce that is not made up of digital natives. There’s also the issue of attracting new talent, given the nuanced skills required for critical infrastructure protection (CIP) and the lure of high-paying Fortune 500 companies.

Current programs fall short of success

In the past,
evaluations have looked into cybersecurity workforce initiatives, specifically to see whether the programs are preparing students for the highly technical roles associated with infosec. As outlined by the Center for Strategic and International Studies (CSIS), these programs are failing. And even though CSIS did identify three programs that are working to establish “best practices,” they still have flaws.

One such flaw: the three programs are in fact designed for students looking to enter the cybersecurity industry. They provide no programs for veterans looking to improve their knowledge and skills, nor do they focus on critical infrastructure, offering instead a general application of cybersecurity. One program, as CSIS notes, has even come under criticism for “a lack of rigor in their programs.”

As for certifications that provide ICS testing, such as Global Industrial Cyber Security Professional (GICSP), there remains too much focus on teaching cybersecurity concepts and theories and too little on providing practical experiences that ultimately arm students with tangible skills to take into the workforce. Not only are many of these programs all but irrelevant to students’ needs within a CIP cyber environment, but many employers have expressed dissatisfaction with graduates lacking practical experience upon entering the workforce.

Evolving CIP Cyber Training

For critical
infrastructure protection, practical experience is invaluable. CIP cyber has specific nuances typically not found in enterprise cybersecurity, making the transition difficult for IT security professionals and students. For example, organizations that once depended on ICS as isolated networks have evolved to include modernized connections between their ICS and their business and external networks. This move to enhance productivity has unfortunately left critical infrastructure sectors exposed to external and internal threats.

As a result, to support critical infrastructure’s workforce needs, training must evolve to emphasize relevant technologies and processes as well as interoperability with existing IT security infrastructures, particularly access control.

To start, training should focus on the Purdue Enterprise Reference Architecture, or Purdue model, an industry-adopted reference model that shows the interconnections and interdependencies of all the main components of an industrial control system (ICS). Created in the 1990s, this model was originally used to develop enterprise architecture – today, it’s the backbone of interoperability.

In order to arm professionals with the tools to be successful in protecting against cyberattacks on critical infrastructure sectors, CIP cybersecurity training must include in-depth experience with the following Purdue model components:

Technologies
Deep content disarm and reconstruction (Deep CDR) technology breaks a file down and scrubs any malicious content from it. Training programs should highlight the practical reasons why, and the means by which, Deep CDR is used and needed throughout CIP in order to ensure that internal and external data threats are mitigated.

Multi-scanning technology also needs to be included in training programs so students can understand how advanced threat detection and protection through multiple scanning engines increase malware detection rates.

Processes

Transfer of data is a vulnerable point in critical infrastructure. Training should emphasize the steps and protocols for data exchange between segregated networks, specifically utilizing threat intelligence technology, proactive data loss prevention (DLP), file-based vulnerability technology and sandboxing.

Transfer of devices is another vulnerable point for CIP. Many businesses now rely on personal or remote devices for employees, allowing for productivity on the go, but at a cost. Training should focus on data protection technologies, such as anti-keylogger technology, and on endpoint technologies and processes, including malware detection, vulnerability assessment, compliance protocols and unwanted application removal.
To achieve mission-ready CIP cyber personnel now, training of aspiring and veteran industry professionals must evolve to include not only the much-needed practical skills, but also comprehension of the nuanced systems that make up the Purdue model. Simply put, if gaps in the cybersecurity workforce are not addressed soon, not only will critical infrastructure be hurt, but industries across the world will suffer the consequences. And next time, those consequences could be more than just a “low-impact” blind spot on the western U.S. power grid.