Does Critical Infrastructure Cybersecurity Training Need to Change?

Does Critical Infrastructure Cybersecurity Training Need to Change?

Catalina Joseph, Gov CIO Outlook | Tuesday, March 09, 2021

Cyber threats are not new to the industry. Cyber challenges are faced not only by the energy sector but also in fifteen other critical infrastructure sectors on which the way of life depends.

Fremont, CA: The three former secretaries of the Department of Homeland Security (DHS) recently stated about the increased risk of cyber threats in the US. Additionally, a recent study revealed that 90 percent of professionals in operational technology (OT) and industrial control systems (ICS) environments reported a minimum of one negative impact of a cyberattack in the past two years. While the adversaries remain unknown, these attacks have resulted from flawed IT/OT integration, Data Acquisition (SCADA) systems, the complexities of Supervisory Control's inadequate cyber policies, and lack of asset visibility other vulnerabilities. Top 10 Security Companies in Europe - 2020

The CIP Workforce Challenge

Organizations throughout the industry witness the challenges of recruiting and retaining cybersecurity talent. Thus, since 2015, the number of unfilled cybersecurity jobs has increased by more than 50 percent, and by the end of 2021, it is expected to reach upwards of 3.5 million. These numbers provide insight into an industry that is under high pressure from internal and external factors. As far as critical infrastructure is concerned, the workforce shortage is even more threatening. A typical IT security professional acquires skills that do not necessarily transfer to critical infrastructure that runs within ICS environments. However, ICS was initially designed to stand alone, but now the businesses' needs have forced ICS to interconnect with external networks.

Current Programs Fall Short of Success

Traditionally, evaluations have looked into cybersecurity workforce initiatives to supervise if the programs are preparing students for the highly technical roles associated. As stated by the Center for Strategic and International Studies (CSIS), these programs are failing. Although CSIS identified three programs that are working to establish best practices, they still have flaws. Most of these programs are irrelevant to the students' needs within a CIP cyber environment, but many employers have expressed dissatisfaction with graduates lacking practical experience upon entering the workforce.

Changing CIP Cyber Training

In the case of critical infrastructure protection, practical experience is invaluable. CIP cyber has specific nuances that is typically not found in enterprise cybersecurity, in making the change for IT security professionals, or students difficult. For instance, once dependent upon ICS as isolated networks, organizations have evolved to inculcate modernized connections between ICS and business and external networks. This enhanced productivity has left critical infrastructure sectors to be exposed to external and internal threats. Furthermore, in order to support critical infrastructure's workforce needs, training must evolve to emphasize on levant technologies and processes and also interoperability with the existing IT security infrastructures, particularly access control.

Weekly Brief

Read Also