Mounting need for ICS cybersecurity professionals to broaden training, break barriers, while closing skills gap

Technological advances in recent years have expanded networks in operational settings, leaving SCADA (supervisory control and data acquisition) systems and ICS (industrial control systems) more exposed and vulnerable to malicious attacks from hackers and state-sponsored cyber attackers. Frequent cybersecurity assaults can shut down industrial OT systems and threaten the safety of communities, personnel, and customers, which is particularly concerning and increases pressure on already strained ICS cybersecurity professionals.

Given the critical role played by ICS/SCADA systems, organizations must work with the industry to identify and tailor the ICS training needs of their cybersecurity professionals. Moreover, the sector should consider boosting the recruitment of teachers to broaden cyber education programs and give cybersecurity professionals greater possibilities to gain the requisite competencies.

Recent cybersecurity incidents prove once again that the industry must prioritize diversity and inclusion among cybersecurity professionals in the industrial space, and immediately carry out the initiatives needed to give them access to education and training, mentorship, and networking opportunities. These skills can help improve decision-making, enhance innovation, and build a more resilient and secure digital landscape. In addition, these cybersecurity professionals must be provided with opportunities for continuous learning and development.

The World Economic Forum (WEF) disclosed in its 2023 Outlook report that 10 percent of cyber leaders lack the critical people and skills needed to deal with a cyberattack, similar to last year’s figures. It also revealed that 13 percent of cyber leaders feel that they have critical gaps in skilled personnel. Additionally, 59 percent of business leaders and 64 percent of cyber leaders ranked talent recruitment and retention as a key challenge for managing cyber resilience, while less than half of respondents reported having the people and skills needed today to respond to cyberattacks. The level of shared understanding on this topic makes it more likely that steps can be taken to solve the challenge of creating and retaining cyber talent.

Industrial Cyber spoke with ICS cybersecurity professionals about the significant obstacles in the industrial cybersecurity space concerning training, education, and raising knowledge levels. They also examined various measures that can be adopted to alleviate these obstacles and make training more convenient and reachable.

Dean Parsons, CEO and principal consultant of ICS Defense Force and SANS instructor

“The main challenge for facilities and security teams is the misconception that IT security and ICS security are the same,” Dean Parsons, CEO and principal consultant of ICS Defense Force and SANS instructor, told Industrial Cyber. “Training for each discipline is not the same, either. The security controls, tools, support, system design, network architecture, incident response practices, threats, impacts, and recoveries from cyber incidents for each environment are very different.” 

Parsons added that this challenge can easily be overcome by engineering taking the lead in educating departments on the prioritization of safety and providing awareness of all the specific engineering systems, protocols, and processes that must be maintained and secured differently. “Leadership and technical teams must ensure they embrace the fact that IT security is not ICS security. Awareness on this topic must be a continued effort that leads to safety as the top priority.”

Joel Langill Founder & Managing Member - Industrial Control System Cyber Security Institute LLC

Joel Langill, founder and managing member at Industrial Control System Cyber Security Institute, told Industrial Cyber that the great challenge facing employers is the lack of cybersecurity training programs and curriculums that teach not only a solid foundation and basis of knowledge but also operational skills that focus on key objectives based on an employee’s position. “Someone that typically configures network equipment should not be expected to also be the one that assesses the security posture of the architecture, applies corporate risk management guidelines, and delivers remediation measures that reduce the risk to a tolerable level,” he added.

“The curriculum developed at the ICS Cyber Security Institute was operational task-driven, meaning that it was developed to teach a set of vital hands-on skills that can be used to identify, assess, secure and monitor cyber security risk of cyber-physical systems,” according to Langill. “It does not judge competence by successfully passing a certification examination, but rather by successfully demonstrating hands-on skills in realistic settings.”

Jonathon Gordon, directing analyst at Takepoint Research

The challenge of sourcing and retaining cybersecurity talent is one of the most pressing issues facing industrial enterprises today, Jonathon Gordon, directing analyst at Takepoint Research, told Industrial Cyber. “With a limited pool of experienced professionals, it can be difficult to fill key positions and maintain an effective security team. Asset owners and operators must invest in training programs, recruiting initiatives, and other strategies in order to attract the best cybersecurity talent and ensure their organization stays secure,” he added.

Auke Huistra, managing director at Applied Risk, a DNV company, identified three main challenges around ICS cybersecurity training. “The first one would be that the topic of industrial cybersecurity requires the involvement of different disciplines such as cyber security, operations technology, and information technology, which implies dealing with different objectives and bodies of knowledge.” 

He added that OT cybersecurity professionals will come from different backgrounds: automation professionals, IT professionals, and cybersecurity professionals. Based on their background, individual training and development needs will be identified to develop a seasoned OT cybersecurity professional.

Auke Huistra, managing director at Applied Risk, a DNV company

The second challenge Huistra identified is that different target groups need different approaches. “We often distinguish managers, engineers, and operators. The engineers maintain the OT networks and systems, and the operators only work on the systems as users. The last group is by far the biggest. Main focus for that target group should be on basic behavior. So making clear what is expected of them. Engineers, of course, will need more in-depth training and understanding of the technical aspects of OT cybersecurity,” he added.

The third challenge is that a lot of the actual work in industrial automation environments is carried out by suppliers and third parties, according to Huistra. “It is really important to ensure that these people also have enough knowledge and experience to maintain the right level of cybersecurity in the OT domain. This needs to be embedded in the contracts that are in place and also checked on a regular basis.”

The industrial cybersecurity sector faces an acute shortage of cybersecurity professionals and trained manpower. The executives addressed the measures the industry must adopt to simplify ICS cybersecurity training and make it more affordable and accessible to everyone.

“For the protection of our critical infrastructure, which is actively targeted, ICS training is obtainable and required to protect such critical and specialized systems,” Parsons said. “Boards are asking the right questions. Mature leaders for ICS facilities already know and understand the safety and business risks associated with ICS cyber security. That is, untreated risks to control systems have consequences that could lead to serious brand tarnish, massive financial loss, impacts on the environment, and even personal injury or death.” 

Parsons adds that it is just a matter of ensuring those risks are represented in an organization’s risk register. “It’s a matter of risk management, a focus on ICS risk mitigation, and an allocated budget. Industrial control system cyber defense is totally doable! And according to the most recent statistics, facilities are maturing in a positive direction in many areas for appropriate and responsible ICS defense.”

“The root cause of this shortage is the lack of people that have the ‘desire’ to learn and grow in a new and exciting field,” Langill said. “After more than 15 years of direct training experience, the vast majority of individuals who take a course lack the motivation to learn new skills on their own and at their own expense. They rather want someone to tell them everything they need to know and then just regurgitate what they heard without applying knowledge and intelligence to adapt to new situations,” he added.

Gordon highlighted that regular training for both new and veteran staff is key to reducing risk and improving the cybersecurity posture. “Working with the most experienced and knowledgeable people can be invaluable for training purposes. On-the-job experience is irreplaceable in terms of learning tips, tricks, and best practices from those that have literally been in the trenches securing industrial environments for years,” he added.

“Having these experts share their experiences and knowledge, and providing the opportunity to shadow them, either in person or virtually, will provide immense value to both the team and the organization,” according to Gordon. “Knowledge retention is a major challenge in our field and is not something that can be easily addressed. Unfortunately, we don’t all have the luxury of being a ‘Padawan’ to our own ‘Industrial Cyber-Jedi Master.’”

Huistra said that it is not a simple task and will require a lot of cooperation from different stakeholders across the industry, government, and academia. “Already in 2014, ENISA released a study on ‘Certification of Cyber Security skills of ICS/SCADA professionals’ describing some of the challenges in this field. Having a description of the knowledge, skills, and abilities of industrial cybersecurity roles, that are recognized by the industry and leave room for sector specifics would be a good start. This will also allow for the further development of generic and freely available training, but also a basis for more specific training that will need to be created for sectors and companies,” he added.

Last October, the U.S. administration through the Office of the National Cyber Director (ONCD) called for insights and expertise on the cyber workforce, training, and education. When it came to the areas of training, education, and awareness, the agency said, ‘enable learners to overcome cost and other barriers to an education and training in cyber and related fields.’ 

Addressing these elements, Parsons said, “I think it’s important to look internally first. To offer job shadowing opportunities to internal teams. To realize that ICS is the business and internally blend both engineering and IT security skillsets with a focus on safety and specific security controls for ICS. For example, having IT security incident responders and ICS engineering members shadow each other for 3-4 months is a great start and very cost-effective.”

Additionally, a large body of tools, white papers, cheat sheets, posters, webcasts, blogs, and guidance by ICS security experts is available at no cost, Parsons said. “For example, the SANS ICS Team releases new and updated resources to the community to further protect critical infrastructure,” he added.

Langill said, “No. This is a terrible statement and why on average, 80-90% of those attempting to enter the field, will not succeed. To succeed you need two attributes – ‘capability’ to learn, and ‘desire’ to grow.”

“Many generic cybersecurity training programs prioritize certifications over actual skills, however, ICS/OT training often focuses more on practical hands-on experience with ‘industrial’ lab-based activities,” according to Gordon. “There is no shortcut to acquiring the necessary skills and approach; something that industrial enterprises and course promoters need to bear in mind.”

Huistra highlighted the free training available in the market, such as the DHS training and a variety of courses on free online training platforms, but said the most effective training is focused on the situation within the organization itself. “As an example, having generic awareness training is a good start, but if the bridge can be made towards the company-specific situation, the message becomes much stronger. These company-specific adjustments to training modules are something that requires effort and will come with a cost. But also with a reward,” he added.

Based on their experience, the experts assessed how frequently OT and industrial cybersecurity teams should undertake training and skills upgrades to effectively mitigate evolving threats.

Learning in IT or ICS cybersecurity is constant, Parsons said. “A constant undertaking and understanding of how threats change, technology trends influence facilities and engineering process improvements, and how to best manage evolving threats. ICS defenders must always be looking to improve by setting realistic goals based on their ICS Security Program’s current and target maturity and their infrastructure’s role,” he added.

Langill said that to be a worthy ‘OT’ or ‘industrial’ security practitioner, “you MUST have operational experience. This means working in the field, learning about the technologies and how they are used in real-life situations, and where the cyber-physical risk lies within not the ‘system’ but rather the ‘facilities’ and how it impacts the objectives of the manufacturing environment.” 

He added that power generation is different from oil refining, which is different from pharmaceutical packaging. “You need experience in order to add value to the end-user and how to apply what is usually very different security parameters to different industry sectors and sub-sectors,” he said.

“Getting the best training requires not only time but also financial resources. The quality of training will depend on the educational institution and its faculty,” Gordon said. “While some relevant courses are being offered at the university level, many opt for private ‘technology institutes.’ The best courses tend to be led by ‘working professionals’ masters of OT/ICS rather than full-time academics,” he added.

The specific training should be embedded in an overall workforce development plan, that is based on the knowledge, skills, and abilities that are needed for the identified roles in the organization, Huistra said. “Based on a gap analysis the need for training, additional on-the-job work experience, and certifications will need to be identified. Next to that, the specialists will need to have time allocated to follow the latest threat trends, techniques out there, and evaluate potential impact on the organization,” he added. 

Because the ICS cybersecurity workforce plays a critical role and every member must be kept up to date with the latest trends and techniques, the experts estimated the appropriate amount of training time and resources to allocate on a continual basis. They also weighed in on whether organizations can set aside such time and resources for these cybersecurity professionals as part of the organizational structure.

“Given the threat landscape, it is not only possible but required to set aside dedicated time for ICS security discussions and continual learning for all involved in the planning, design, deployment, maintenance, and safe operation of control systems,” Parsons said. “To start, a healthy and obtainable way to improve the ICS security culture is through expanding upon traditional IT security awareness with specific ICS security topics such as but not limited to; how ICS security supports safety and reliability, differences between IT and ICS security controls, ICS attack history, ICS attack surfaces, ICS network defense through network visibility, ICS risk-based vulnerability management, secure remote access and ICS specific incident response steps.” 

Parsons added that these sessions could be more regular, such as monthly, rather than once a year during cyber security awareness month. “Whereas a full technical training course could be annually or every two years. ICS defenders will also do well to consume and action sector-specific ICS threat intelligence to proactively keep abreast of the current threats and ensure time for active ICS defense and strategic mobility,” he pointed out.

Langill said that there is no straight answer to this. “I never stop learning. I never stop exploring, I never stop playing with technologies covering both offensive and defensive cyber options. I spend my money on lab equipment and physical systems that reflect what is really in use in the real world and do not depend solely on free or open-sourced solutions,” he added.

“Two of the major issues I see today with regard to training in the field are availability and cost. High-quality training is often limited by location and is prohibitively expensive,” according to Gordon. “Some of the top-training institutions price their courses way above what individuals can afford, preferring to focus on the top end of the market only.”

Gordon added that the industry desperately needs to figure out a way to democratize industrial cybersecurity training – to lower the cost of, and increase accessibility to quality training. “Until this happens, the market will remain concerned about the lack of talented people,” he added. 

“It is impossible to train every member of the OT cybersecurity staff up to every existing and emerging threat vector out there, since they will be spread across different domains, like networks, operating systems, control systems and not to forget the human factor,” according to Huistra. “Within a team of specialists, there will need to be focus areas to cover the entire scope. Of course, it will always take balancing between training needs and the available budget. This should be a risk-driven business decision.”

For smaller organizations, it won’t be possible to cover all areas themselves, so they should seek assistance from third parties for support and guidance, Huistra concluded.
