The impact of lacking deep industrial cybersecurity skills at your plant goes well beyond the obvious risk of heightening vulnerability to damages from cyberattacks. The more you can dissect and address interrelated skill shortages challenges, the better you can overcome them to run a safe operation – digitally and physically. Articulating the impact can also help better manage budgets, hiring, interdepartmental coordination, and other key activities that make for successful production, day in and day out.
At its most superficial level, missing cybersecurity skills means security is always lagging behind on the to-do list. If your plant is like most, the range of required tasks already is far and wide for personnel, and unlike safety, security is not always top of mind for those operational experts. On the other hand, if you have certified information systems security professionals (CISSPs) or other certified security professionals on your team, chances are the software patching will get done on time and nobody will be allowed to walk right up to an engineering workstation with an unchecked USB device (Stuxnet, anyone?). Trained cybersecurity personnel are the first to think differently about how and why your operations are running. They are also the first to act when it comes to security concerns.
As you scope core work needed across your organization, include cybersecurity tasks so that you quickly make clear what is lost when you’re missing the right people. Find out who in your organization, if anyone, has a cybersecurity skill set/perspective and at the very least can review plans to offer feedback. Often, a trained cybersecurity resource can identify key gaps immediately, such as noticing that your network assets are not segmented based on their criticality to operating the plant (they are often organized purely by physical location or functionality). As you plan for the year ahead, map out what resources you need and formally request them – corporate boards today are far more savvy about the dangers of exploitable software and the ruthlessness of ransomware. With luck, you’ll find common ground to “do the right thing.” If you don’t, documenting your request will help build the case should, unfortunately, a malware infiltration occur. A plant’s inability to perform basic industrial cybersecurity work is the most obvious outcome of a cyber skills shortage, but now is a good time to get ahead of it.
OT cybersecurity affects physical equipment
The next layer many companies don’t realize is that even having cybersecurity experts is not enough if you’re running any type of process control network. Building cars, creating paper products, and mixing chemicals all require interactions with equipment in ways that IT security professionals do not naturally live and breathe in office environments. Even cybersecurity standards require a deep understanding of how your complete set of IT systems and OT equipment work together.
As one example, the Center for Internet Security (CIS) standard that is commonly used to benchmark system hardening cannot be applied “as is” into your plant’s process control network. Even if you have common off the shelf (COTS) servers, software systems behave differently depending on how they are configured and integrated with other systems in your industrial control system environment. Turning a feature on or off or changing default settings on a router or switch can inadvertently create dangerous vulnerabilities. Personnel skilled in OT environments will carefully review IT-driven recommendations evaluating and adjusting them one by one based on a variety of operational inputs. As you consider your plant’s needs, look for opportunities to introduce operations staff to cybersecurity training or IT staff to learning the ins and outs of OT’s security impact. Cross-breeding these two can help build cybersecurity resilience across the organization.
IT security needs visibility, enforcement, reporting
For the chief information security officers and IT security teams at your organization, if you don’t have the skills mentioned above at the plant level, it becomes more difficult to standardize the organization’s security posture. Similarly, it becomes far more complicated to gain business benefits such as large equipment procurement discounts or efficiencies created through automation and standardization. A lack of skills to identify, detect, and perform all of the other NIST-recommended cybersecurity steps will leave IT blind to issues across operational assets. Even if policies call for regular patching, IT personnel can’t simply push or apply these patches on machines critical to production. This will put your greater organization at risk – teams don’t know what they don’t know.
On the flip side, if you can introduce industrial cybersecurity software at your plant, the metrics and monitoring that these system deliver can increase visibility for you and for your corporate IT team. More-advanced solutions include simplified instructions and interfaces that prescribe exactly what to do when alerts occur or thresholds are met. This means that even non-cyber personnel can find and download the latest patch, if not deploy it.
Similarly, you can work around your skills gap by streamlining how, where, and by whom reporting will be performed. Enterprise-wide software can share all or some of the collected data, and tools often allow for offline processing for threat analytics or other specialist activities. Other tools help reduce the number of unauthorized remote users trying to access your process control network. These solutions can help OT and IT teams work together to identify what activities are authorized by whom and when, enabling a far larger pool of external experts to help remotely.
Of course, any of these skill sets can be onboarded rapidly through managed service contracts that deliver the monitoring and reporting as a service, as well as a wide range of industrial cybersecurity services. Some offer on-site personnel who can sit side-by-side with your team. This has the added benefit of knowledge transfer and the ability for supporting personnel to learn more deeply the intricacies of a plant’s operation. Trusting partners to perform security work also ensures a level of consistency, competency, and accountability that is uncomfortable to demand of employees who are also tasked with fixing broken equipment and supporting sudden top-down management requests.
Another way to manage through your skill-set gaps is to leverage vendor facilities, such as centers of excellence or solution centers. Consulting staff often are available at such centers and can be engaged for various lengths of time or at various stages of an initiative. Typically, you can share your configuration data and replicate your environment in these centers, letting the experts there explain potential security issues and how to address them. Back at your site, the same experts can perform assessments, design networks that are more resilient to attacks, and implement technology upgrades that eliminate particular risks.
With many companies recognizing the criticality of industrial cybersecurity measures, you have timing on your side to identify your needs and propose ways to get ahead of them. Nothing is worse than explaining to leadership teams why basic security work was never performed, especially while in the middle of a plant outage caused by the latest cyberattack. Understand the impact of the skills shortage and do your best to take proactive measures.