3 Challenges in Implementing ICS Cyber Security
These are the top three challenges companies face when implementing a cyber security program for their industrial control systems environment.
The shortage of people with the skills and knowledge of OT cyber security is a huge challenge for the cyber security industry. In many cases, we hear that it is not budget that holds organizations back, but the ability to find people to fill the slots they need to achieve the objectives they’ve set. One would think that the COVID-19 pandemic and ensuing economic crisis would have reduced the challenge, but it hasn’t.
According to Cyberseek.org, the database established by NIST’s National Initiative for Cybersecurity Education (NICE) to track the number of open cyber security jobs, the gap continues to widen even during the downturn. Some have argued that the challenge is not in skilled resources, but in the salaries organizations are willing to pay for the talent.
Certainly, higher wages could help reduce the gap over time as people shift from other careers into cyber security, but higher wages alone do not close skill and knowledge gaps. This talent shortage is even greater in OT security, where individuals must understand cyber security, as well as the impact on sensitive control systems.
So, where should an organization look to find this unique talent? How should it go about building the right skill set necessary to protect its control systems?
We begin with the question of “what skills are most needed?” As a cyber security industry we tend to focus on the more advanced and analytical skills and roles such as threat hunters, advanced data analysts, SOC analysts, and architects.
However, according to NIST’s Cyberseek database, approximately 60% of cyber security-related jobs are in operations and maintenance and secure provisioning – things like patch, account, admin, and configuration management. This group is approximately 300,000 of the ~500,000 cybersecurity jobs.
Successfully and safely executing these tasks requires an understanding of the operations processes, OEM architectures, and regulatory requirements. If one includes the foundational elements of “protect and defend,” which includes vulnerability management and Antivirus and whitelisting management, the “management” tasks reach over ¾ of all jobs.
So, as we think about closing the talent gap, it is these skills which should be top of mind. This is not to say the more “advanced” skills of threat hunting, etc. are not important. But the biggest gaps are in foundational “systems security management” tasks.
In OT, this talent gap is even more pronounced as many of the foundational elements of Systems Management are not followed today in OT. Conducting these activities on sensitive OT systems is potentially operationally risky.
We all have stories of IT patching systems and taking plants offline. In the pharmaceutical industry, any changes to the manufacturing process may require revalidation of systems, so it needs to be closely managed by engineering and quality teams.
It is not impossible for an IT person to learn these systems, nor will it be a breeze to teach I&C techs about Windows patching or appropriate secure configuration management. However, these management, operations and provisioning tasks do not require the same level of cyber security training as threat hunting or the evaluation of attacks, whereas trying to impart 25 years of industrial operations experience about how OEM systems are architected and how configurations are designed to an IT staff member through classroom training and some role-playing will be more difficult than we imagine.
For over 25 years, Verve has supported industrial customers in these types of OT systems management functions, leveraging the Verve Security Center to automate and reduce the necessary labor requirements. We have found that the best ways to find and develop this talent include:
Some have asked the question: "I have a corporate SOC, so should we rely on that group for security operations and analysis/alerting?" We absolutely believe in the importance of an aggregated view of threats across IT and OT.
However, once an alert is identified in OT, OT expertise is usually necessary. Based on statistics from a range of sources (Ponemon, FireEye, Advanced Threat Analytics, IDC, Bromium), there is a 50% chance that the alert is a false positive. We have many experiences where a corporate SOC has called a plant and raised a flag on an incident, which has required a local I&C tech to research the issue, only to find that an operational change the SOC was not aware of created a false alarm.
If the alert is in fact a true threat, the incident response to that threat will usually require local knowledge about what is happening in the plant at that moment, which processes can be stopped, and what risk to quality or production will result. While we would all like detailed incident response plans for every type of scenario, we also know they don't exist. Decisions and trade-offs are made in the moment. A local operations resource who also understands the needs of cyber security will be a key participant in this effort.
We cannot be narrow-focused in our search for cyber security talent. We absolutely need to recruit from the huge pool of IT talent and find ways to introduce them to the complexities of industrial operations. But, we also need to transform yesterday’s I&C techs and engineers into OT and OT cyber security talent.
Finally, we need to expand our ability to attract a new, younger generation into the industrial technology world. The debate of whether to start with IT or OT/Operations talent is a false dichotomy. We need them both – and we need to think about how we train and develop each group differently for the role that they will likely need to play.
And perhaps one resultant benefit of this approach is that we provide roles, jobs and futures for many of the communities that have been hardest hit by America’s industrial shift over the past thirty years. These communities have schools, resources, and a passion for manufacturing and industry.
If we develop the right approach to OT and OT security, we can develop tech jobs where we might least expect them, and sustain these communities in the future.