It’s not news that industrial companies are struggling to plug the OT/ICS cybersecurity skills shortage.
Earlier this year American software company Symantec released the results of a survey of 3000 chief information security officers and security decision makers. According to the report, 37 percent of cybersecurity professionals say they are unable to handle their current workload and 44 percent of respondents say their team lacks the necessary skill-set to combat cyber threats.
Similarly, in January, American software company Tripwire released the results of its Cybersecurity Skills Gap Survey 2019. According to the report, 80 percent of respondents said finding security skills had become harder in 2018 than it was in 2017. Additionally, 47 percent said they were already experiencing a cybersecurity skills gap.
At the ICS Cyber Security Conference in Atlanta this month, there was a great deal of passionate discussion about how to fill the OT/ICS cybersecurity skills gap.
Some say it makes more sense to take OT and automation engineers and educate them about cybersecurity. Others say it would be wise to take cybersecurity folks out of their air-conditioned offices and get them out into the field. The consensus was that both of these strategies have seen success and failure, and in order to see more successful outcomes, candidates need to have passion and a sense of mission.
Does this sound like you? The OT/ICS cybersecurity skills shortage has led to an increase in the number of job openings in this field. We looked at some of the current open positions for OT/ICS managers to put together a composite of what hiring managers are looking for. Read on if you’re looking to make a move.
Understanding of ICS and SCADA fundamentals
At the basic level, hiring managers are looking for candidates with an understanding of ICS architecture and components. This includes ICS design and security considerations, knowledge of IT and OT security best practices, and an understanding of the protocols used in ICS environments. Candidates should also understand how to prepare, review, and maintain documents and policies governing security operations for ICS equipment and networks.
Experience with specific ICS systems and industry practices
Some hiring managers are looking for candidates with specific experience related to designing, maintaining and supporting ICS network infrastructure, including industrial wireless networking.
Specific qualifications include knowledge of IEC 62443/ISA 99, ISO 27001, NIST SP 800-82, and CPNI Good Practice. Managers also want candidates with experience supporting PLC, DCS, SIS, HMI or SCADA systems. Additionally, candidates should have experience supporting and troubleshooting industrial protocols such as OPC, Modbus TCP, HART, and Foundation Fieldbus.
In addition to an understanding of and experience with both basic and specific ICS/OT cybersecurity, candidates should be prepared to perform a number of responsibilities. These include cyber security engineering analyses, needs assessments, requirements identification and management, and alternatives analyses.
In many cases professionals will be responsible for advising on cybersecurity designs, implementation, vulnerability identification, and mitigation techniques and procedures. Professionals will also likely be tasked with securing critical infrastructure systems against current and emerging threats through the use of the latest technologies in order to provide advanced strategies, mitigation techniques, and cybersecurity system design concepts.
In order to ensure candidates are able to meet the demands of these positions, hiring managers are seeking professionals with specific cyber security certifications. These include CCNA, CCNP, GICSP, GRID, GCIH, CNSS 4016 Risk Analysis, IAT LEVEL III Professional Certification, and more.