Dale Peterson on his Digital Bond website has a discussion on “Why Security Talent Capitalization Rate is Low”. Dale provides the following reasons:
- Security 101 is dull – All too many control systems are at the point where they need to get security patching, user management, anti-virus updates, firewall rulesets, hardened configurations, … under control. This is important, but not exciting work. A lot of the ‘excitement’ in the first couple of years with a new client is more related to the personal and personnel issues of getting understanding, buy-in and huge initial improvement in the security posture rather than any cool technical work. [Also seeing the process being controlled can be very cool] It is in years 3+ when the challenging and fun technical work gets started. We would have a tough time keeping our technical talent if we didn’t have longer term clients far along the security curve and research projects to go along with the assessment work.
- Security talent is not valued – Many of the skills that would make one talented in cyber security also can be applied to other control system endeavors. People will tend to focus on what is rewarded. There are exceptions with passionate people, but they are a happy exception.
- Little sense of community, peers, training – There are now a number of SCADA security 101 events, guideline documents, webcasts, etc. But the talent we need is going to become quickly past this and bored with it. It is still necessary because the majority has not grasped and implemented 101 level security. However I’m still surprised at how little advanced work is out in the public after ten years in the SCADA security world.
My thoughts are similar but with some important differences:
- Security 101 is dull - I helped start the EPRI ICS cyber security program in 2000. Ten years later, there is still a need to increase awareness and understanding of the unique issues surrounding ICS Security. Several months ago, Control Engineering had a survey on ICS cyber security. On December 22, 2009, Peter Welander published the results. It was entitled “Control system cyber security worries - What do process control system owners worry about?” According to Peter, “…It's clear from the results that many users have a realistic concept of the threats facing industrial control systems. Still, 23.6% of the respondents answered "no" to the question, "Does your organization believe there are threats and risks associated with your information control system that could affect your business?" The fact that so many don't believe there is a risk may, in some ways, be one of the biggest risks in itself.” Moreover, we are still learning as the Hatch nuclear plant incident demonstrated. Business IT systems and ICS are vastly different. Effectively securing ICSs requires ICS domain expertise to be an integral part of the solution. The only way to understand ICS security is to start at the beginning. And that means ICS Security 101. It may be dull to some, but it’s necessary. If done right, it would interest any ICS professional.
- Security talent is not valued - It should be, but in perspective. Cyber security is definitely one issue, but not the only one. Approximately five years ago, I came up with the Venn diagram identifying why there are so few ICS cyber security experts. Unfortunately, not much has changed including the lack of any credible certification for ICS cyber security. I still believe there are less than a few hundred ICS cyber security experts. Find talent that understands how to maintain and optimize ICSs in the face of intentional and unintentional threats - those talents will be valued.
- Little sense of community, peers, training – In the post Y2K timeframe, there was little understanding of ICS security. However, there was an accepted BUSINESS reason to secure the organization’s most important assets - their ICSs. At that time, ICS cyber security was still viewed as an ICS, not an IT issue. Following 9/11, everything changed. Securing ICSs became a NATIONAL SECURITY issue and generally was no longer viewed as a business issue. IT often took the lead since cyber security was under their purview. This IT-centric view permeated all of the cyber security conferences at the time which is why I started the ICS Cyber Security Conference in 2002 (I was at KEMA at the time).
- The ACS Control Systems Cyber Security Conference addresses an unmet need as there is still a significant part of industry that lacks an appreciation of what exactly is ICS (not just SCADA) cyber security, how is it different than IT, and what should be done to maintain the performance and safety of the ICS while electronically securing it (see Control Engineering note above). I have maintained the ACS Conference as an ICS reliability conference because we need to understand how intentional and unintentional ICS cyber problems occur (and sometimes recur). How can you solve a problem if you don’t know what the problem is? That is why I have people who have had their ICSs impacted by cyber speak which in turn helps generate interest and participation from key players in Washington and elsewhere. ICS security is a broad field and no one conference can do it justice. The S4 Conference focuses on the bits and bytes. The ICSJWG Conference has more of a government and vendor-focus. These are all valid aspects of the same issue.
- As for the comment about how little advanced work is out in the public, Dale is right in that industry has had a hard time implementing the security basics, let alone anything advanced. Recognizing that ICS reliability and safety must be maintained regardless of the threat, the advanced work should be implementing the appropriate level of security to complement work on optimizing ICS performance. There have already been too many cases where security tools (one can argue whether they were basic or advanced) have actually shut down ICSs. The advanced work of optimizing the union of ICS performance and cyber security is sorely needed but is still in its infancy.
Joe Weiss
