As operational technology (OT) becomes more and more digitized, the cyber threat landscape grows exponentially, leaving industry scrambling to find cybersecurity experts to protect their assets. John Ellis of Siemens Energy and Tim Conway of SANS Institute outline a new program designed to meet those workforce needs.
By Leane Clifton
It’s the old story of supply and demand. Critical infrastructure, oil, natural gas, energy, has traditionally relied on the experience of long-time operators who know their equipment, firewalled off, in a single location. That scenario has drastically changed in the last 20 years with entire supply chains becoming digitally connected and operated by single master control systems monitoring it all. Every connection has become a potential access point for cyberattacks. While cybersecurity is a growing field, academic education is not keeping up with industry needs, which require a more specialized skill set.
Tim Conway, Technical Director of ICS at SANS Institute, has been working in operational technology for decades and recalls: “We would constantly have job postings up, we just wouldn’t take them down – we were never fully staffed, and even if we were fully staffed, we still didn’t have adequate resources to do what we needed to do daily.” OT cybersecurity, like the operators of old, requires a familiarity with the equipment, hardware, and systems being monitored. “The combination of engineering, operations as well as technology and cybersecurity – it’s really unique to get people with those skill sets,” Conway says.
John Ellis, in charge of Strategic Digital Programs & Partnerships at Siemens Energy, agrees. “That’s what we’re hoping to alleviate with the Cybersecurity & Industrial Infrastructure Security Apprenticeship Program (CIISAp). On the demand side, we’re seeing explosive demand for this type of skill set. So, with this ecosystem we’re trying to build both ends of that.”
“It’s important that people in this space have the hands-on experience, understand what it is they’re protecting and defending and have a full appreciation of the operational environment.”Tim Conway, Technical Director of ICS at SANS Institute
An educational ecosystem for industry
CIISAp includes academic partners and industry partners, including Siemens Energy, as well as nonprofits, like ICS Village. Idaho State University, Capitol Technology University and SANS Institute will provide the classroom education while industry partners will provide on-site job rotations in a four-year paid training program. Conway states: “What we’re looking at is a field of study where there are jobs in the pipeline that absolutely need to be filled in the area of OT industrial control systems.”
Ellis highlights the work done by Idaho National Labs and their industrial cybersecurity program, or industrial control system community of practice, ICS COP. “This is a volunteer organization, which Siemens Energy joined, where individuals from many different organizations came together and said, ‘let’s build the standards, let’s talk about what a curriculum could look like’.” Siemens has experience developing apprenticeships with academic partners across other roles like electricians, welders, mechanics, and engineers. “We thought, if there’s a problem – well, we’ve got a playbook,” says Ellis. “We think we’re in a really good position to help lead this initiative as an industry player.” The reason for that is Siemens Energy is both an OEM, creating the machines that are at the core of this discussion, as well as a cybersecurity solutions and service provider.
Call for Industry Partners
The Cybersecurity & Industrial Infrastructure Security Apprenticeship Program (CIISAp) – Building the Next Generation of Industrial Cyber Defenders.
The interconnectedness of modern OT – bringing data from different parts of a plant together while sharing operational data in real time in order to make better business decisions on maintenance, emissions, and predictive outages – creates many opportunities for hackers. COVID has also given rise to more security problems with remote workers, which, as Conway states, “we would have never allowed certain job roles and tasks to be performed remotely in critical infrastructure environments prior to COVID, and the attack vectors have expanded in every area.” In addition, he says, “it becomes really important that people in this space have the hands-on experience; understand what it is they’re protecting and defending, and just have a full appreciation of that operational environment.”
Past initiatives focused on developing a skill set and then finding the job. The concept behind CIISAp is experiential learning. As Ellis puts it: “We want to be able to create opportunities for these individuals where they’re not only learning about the newest technologies, the way to use them, to connect them, to bring them to market, but also to give them experience in servicing these machines and working with customers.”
Learning on the job - no experience necessary
The four-year program is slated to begin in the fall of 2022 and applications will be accepted starting this summer. Individuals just entering the job market or changing their careers are welcome, also people with IT experience, but no OT experience with industrial control systems, including veterans with IT experience. The third group will be those with OT experience, but no cybersecurity or IT experience. “As we’re moving more towards regionalized distributed energy systems, we’re going to need more of these professionals that have that industrial asset experience, and then essentially add cybersecurity and IT networking skills on top,” says Ellis. Apprentices will focus on new skills, re-skills, and up-skilling, as well as receiving the professional certifications needed to advance in the industry.
Tim Conway points out that diversity is essential for cybersecurity. “This is something that we absolutely have to focus on and invest in to intentionally pursue diversity in this area of ICS and cybersecurity. Adversary groups are pursuing the right people with the right skills, and that’s absolutely what we should be doing from a defender perspective as well.” Ellis adds, “adversaries like to think in new ways to try to get into these sites. So, the broader and more diverse our thinking is, as well, the better we collectively become at defending.”
The first year will be customer site-based: doing installations, job shadowing, and actually seeing the machines in real life settings. “Wherever customers are, that’s where they’ll be,” Ellis says. “We travel all over the place, we’re a global company, we work in over 90 countries right now. So, these apprentices are going to get a whirlwind global experience.” Along with that experience there will be lab work at one or more of the educational partners facilities and online classroom work.
What will the ideal industrial cybersecurity defender look like? According to Ellis, it is someone who possesses IT cybersecurity skills, but is also knowledgeable in networking, understanding devices and protocols, and has an understanding of the physical process that underlies their work. “We really want them to be able to put their hands on, touch these physical machines, understand the process that they’re responsible for, but then also to understand the layers of digitalization that are on top – from protocols and networks all the way up to using the cybersecurity tools that are out there.”
Can you meet your cybersecurity needs?
A recent SANS survey amongst OT asset owners found that 56 percent of OT cybersecurity projects right now are actually unable to move forward because of lack of staff. The study also found that current estimates of available cybersecurity experts and trainees is only expected to meet 68 percent of the industry’s needs. Further complicating the issue is that 50 percent of the current OT workforce is set to retire in the next five to ten years, taking their knowledge and experience with them. CIISAp plans to bring people into ICS environments to learn specific systems. As Ellis explains, it’s about “exposing them to an industry and a community, and hopefully retaining them.”
More corporate partners and government agencies planning to participate in CIISAp will be announced shortly. “We also have an open call right now to anyone that’s interested in joining us in this initiative, that is an asset owner, a utility, a power company, or an oil and gas company,” says Ellis. “If any of these industries are interested in joining, we are very welcome to the idea and look forward to that collaboration.”
“We are in a really good position to help lead this initiative as an industry player, and the reason for that is we are both an OEM, so creating those machines that are really at the core of this discussion, as well as the fact that we’re a solutions and service provider.”John Ellis, Strategic Digital Programs & Partnerships at Siemens Energy
The rotational structure of the program is key to its success. Mentorship is built into the curriculum, allowing apprentices to work with knowledgeable professionals in a variety of roles. While they learn the cybersecurity protocols and specialties they will also get hands-on field, installation and maintenance experience on physical assets. Whether in power generation or on a pipeline, the goal is to create – and retain – the workforce industry needs. “It’s a model that’s worked for us, and we know from previous experiences with apprenticeships that retention rates are fantastic when you get paid,” Ellis says. “When you bring someone into the culture of your organization, and you help them to grow in that organization, you are providing people with the experiences and the skills they need to be successful in their jobs.”
Knowledge is power in cyberspace, too
When considering the cyber threat landscape, knowledge of a system is imperative to defending it against attack. Tim Conway explains: “Looking at a target environment from an adversary perspective, when they get into a target, it’s unique to them. They need to learn that environment to achieve the goals that they want to achieve.”
“For that reason the system defenders should know the environment better, should be able to detect adversary actions, and ultimately should have the upper hand. However as the world continues to have challenges with retirements, retention, and access to training programs then the world turns upside down and adversaries might be in the environment for 18 to 24 months and they may end up knowing it better than the operator,“ says Tim Conway. “So, growing people into the space and hoping they find a home is extremely important. Especially since many of the contracts that you see in the energy market are often running for multiple years and you need that day to-day working relationship between the customers and the supplier.”
Apprentices will receive a very competitive starting salary, which scales up through the four-year program. What differentiates CIISAp from other programs is that “we’re starting from a job and we’re going to place you into a program to develop the skills alongside your on-the-job training,” says Ellis. The goal is to start these two programs, one East Coast and one West Coast campus in North America this year and then expand globally. Ellis is confident: “It needs to be localized, it needs to have the context and understanding of how education systems work, and how they’re tied to the industrial sector, but the overall intention is, yes, to eventually take this model to the rest of the world.”
Leane Clifton is a New York based TV producer, author and documentary filmmaker, with a focus on society, health and technology.
“OT cybersecurity is a core business need for every energy company in this century. Business models now rely on digitized assets, and sophisticated attackers are constantly evolving new attacks. Defenses need to stay a step ahead. The main advantage defenders have is knowing their own systems – and that’s why a robust pipeline of cybersecurity talent with understanding of operating technologies is so important. Energy companies need people who can quickly trace anomalies and understand – will this break my turbine? What other systems will be affected? How do I block this threat going forward?”Leo Simonovich is the Vice President and Global Head, Industrial Cyber and Digital Security at Siemens Energy.