ICS cybersecurity training can help fight off adversarial attacks in evolving threat landscape


The continuous onslaught of ransomware attacks, hardware vulnerabilities, and supply chain intrusions, along with the new dimension of cyber-warfare, has led to the need for stronger security measures and greater operational resilience across the industrial control systems (ICS) and critical infrastructure sectors. One way to deal with the evolving cybersecurity landscape is to develop and strengthen the skills of the cybersecurity workforce by conducting ICS cybersecurity training courses at varying skill levels, so that practitioners are better equipped to defend both ICS and critical infrastructure assets.

ICS cybersecurity training is available through courses and training programs offered by various agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the SANS Institute, and the ISA (International Society of Automation). Legislative measures have also been introduced, such as the ‘Industrial Control Systems Cybersecurity Training Act,’ which seeks to amend the Homeland Security Act of 2002 to authorize CISA to establish an ICS cybersecurity training initiative. Another instance is the bipartisan ‘Supply Chain Security Training Act,’ which would create a supply chain security training program for federal officials.

The fundamental purpose behind ICS cybersecurity training is to create an ecosystem that delivers relevant training and skills to protect critical infrastructure sectors, such as power grids and water treatment facilities, from cybersecurity threats and attacks. Building sustainable operational resilience that addresses systemic weaknesses, including training on the newer methodologies and techniques adopted by adversaries and nation-state attackers, will help asset owners and operators better withstand adversarial attacks. Cybersecurity skills cannot be built overnight; they must constantly be worked upon and updated over time, with appropriate exposure and relevant experience.

The CISA supports cyber preparedness and resilience improvements through ICS-focused cyber exercise design, development, and execution. The security agency offers a range of exercise types, from tabletop discussions to full-scale national-level exercises, ICS training capabilities that include ICS security fundamentals, and advanced online and in-classroom training available for learners. It also offers regional courses and workshops and a recurring five-day, hands-on advanced training event.

Additionally, the educational programs administered through the CISA would work towards keeping businesses running and infrastructure safe against foreign cyber threats. It would also expand access to ICS education and training to women and underrepresented populations across different American regions. Cybersecurity training helps develop critical competencies when facing possible security issues while also improving employees’ ability to recognize and respond to potential cyber threats. 

The ISA offers comprehensive industrial cybersecurity certificate programming and aligned training courses. These programs cover the lifecycle of industrial automation and control system (IACS) assessment, design, implementation, operations, and maintenance. Each certificate program and training course is based on the ISA/IEC 62443 consensus-based series of automation cybersecurity standards. 

The SANS Institute also conducts ICS cybersecurity training courses. In addition, it runs multiple programs to draw more talent into the cybersecurity field and empower those people with the hands-on cybersecurity skills and knowledge needed to enter the workforce and accomplish relevant tasks.

The legislative push of the ICS Cybersecurity Training bill would authorize CISA to carry out training to develop and strengthen the skills of the cybersecurity workforce related to securing ICS. By allowing CISA to carry out such training, the availability of upskilled and reskilled employees would enable employers to improve their operational cybersecurity. The bill would also work toward educating information technology (IT) professionals across the nation on how best to protect against attacks on computer networks and control systems.

Industrial Cyber reached out to experts in the ICS cybersecurity training field to bring reactions to the legislation, including the effect of such legislative measures on strengthening the cybersecurity posture prevalent in the critical infrastructure sector.

“Unfortunately, very little,” Clint Bodungen, founder, president and CEO at ThreatGEN, told Industrial Cyber. “CISA already offers free industrial cybersecurity training. While this does offer an alternative to paid (and often expensive) training for organizations that can’t afford it, it lacks the capacity to train enough operators, asset owners, and stakeholders to make a real difference,” he added.

Clint Bodungen, founder, president, and CEO at ThreatGEN

Bodungen further pointed out that class sizes are limited, there is always a waiting list, and the number of scheduled classes is sparse. “What else is this directive supposed to provide that isn’t already in place? If it’s more funding, I doubt it’s enough funding to increase the class sizes and frequency to make much of a difference,” he added. 

“While I applaud the efforts of CISA, there just isn’t much more they can do alone that they aren’t already trying to do, even with funding,” Bodungen said. “This bill is nothing more than an ill-informed politician trying to solve a problem we have been trying to solve for decades, but not doing anything different,” he added.

“People, the human factor, were always the weakest link in cybersecurity,” Jalal Bouhdada, founder and CEO at Applied Risk, told Industrial Cyber. “This Act will certainly boost the skills and knowledge of professionals responsible for CIs. In addition, this initiative could be a great opportunity to enhance the cybersecurity of a lot of organizations and address the increased shortage in skills that industry is suffering,” he added.

Jalal Bouhdada, founder and CEO at Applied Risk

The ICS Cybersecurity Training bill calls for virtual and in-person training and courses provided at no cost to participants. It also covers training and courses available at different skill levels, including introductory-level courses. Furthermore, it also delivers training and courses that cover cyber defense strategies for ICS, including understanding the unique cyber threats facing ICS and the mitigation of security vulnerabilities in ICS technology, with appropriate consideration regarding the availability of training and courses in different regions across the U.S.

The legislation also called for collaboration with the national laboratories of the Department of Energy and consultation with Sector Risk Management Agencies (SRMA). Furthermore, it also called for consultation with private sector entities with relevant expertise, such as vendors of ICS technologies.

Assessing how achievable it is for the critical infrastructure sector to meet the requirements of the ICS Cybersecurity Training bill in the prevailing threat landscape, further weakened by cyber warfare and geopolitical issues, Bodungen said that “from what I can tell (and I have only read what is available so far, which doesn’t seem to be much), there are no requirements for operators and asset owners. The requirements are for CISA and the government. They are also very broad and ambiguous,” he added.

On the surface, “they can superficially meet the requirements as outlined very easily because there aren’t any details, and they already have existing training,” Bodungen said. “Technically, they could just expand on what they have and call it a ‘success.’ However, to create real success and make a real difference in the actual ‘spirit’ of the bill is another story,” he added.

“All of the recent ‘gestures’ by Congress to bolster industrial cybersecurity have been nothing more than theater,” Bodungen said. “None of these acts, bills, standards, regulations, etc., are going to do in 90 days, 100 days, or a year what we have all as an industry been working on doing for decades. We are making progress but no amount of government laws and regulations (or even funding) is going to speed up the process. The real change and progress have to come from the community and the industry, not the government,” he added. 

Bouhdada said that all these drivers are relevant and, of course, the challenge will be in execution, as training and education should be a continuous process while the threat landscape is changing rapidly. “Of course, availability of budget and resources are key elements that need to be addressed to meet these requirements,” he added.

Evaluating if the initiatives such as the ICS Cybersecurity Training bill can keep pace with the quickly evolving threat landscape, including the ransomware groups, Bodungen said, “no training can, and I don’t think that is the purpose of the bill. It takes a significant amount of effort and resources to create a course (or even just update a course) with accurate and valuable information, develop content, quality test it, and present it properly,” he added. 

The threat landscape moves much quicker than anyone can develop a proper course, or even a poor-quality course, Bodungen said. “Training isn’t meant to keep pace with the latest threats. Training is meant to provide people with the knowledge, skills, and resources to know how to keep up with the threat landscape themselves. So I guess the answer is… directly, no. Indirectly, yes, to a point, but not alone in most cases. No single source of training is going to provide anyone with everything they need. It takes a village, a community, and an industry… all working together,” he added.

“Training should always be part of the defense strategy, especially when it comes to ICS cybersecurity. Industry requires well-trained and qualified professionals who will be able to deal with the evolving threat landscape,” Bouhdada said. He added that this should go beyond security awareness and focus on incident response, offensive capabilities, and hands-on experience.

Working out if the ICS Cybersecurity Training bill suffers from any shortcomings, Bouhdada said that overall, this is a positive initiative as long as it can focus on the long term and go beyond the compliance requirements. “It should be inclusive to focus on the whole community (not only system owners/operators) but also suppliers and system integrators. Like any new bill, only time can show if there are any gaps or shortcomings,” he concluded.
