The rise of the internet of things (IoT) and other Industry 4.0 technologies have led to blurring lines between IT and operational technology (OT), and cyber-physical systems come with unique security considerations.
In light of these differences, securing OT systems often requires an unusual combination of skills and experience. Ongoing workforce challenges may further complicate the issue, but it is possible to work past these barriers.
Cybersecurity talent gaps affect virtually every industry. However, the demand is higher in heavy industries than in work environments mainly dealing with IT infrastructure. In sectors like construction and manufacturing, between 91% and 94% of organizations report having security skills gaps.
This demand can be challenging to fill because OT cybersecurity looks different from IT-focused security. While employees may acquire experience in securing Windows or Mac environments fairly easily, fewer people are knowledgeable about industrial control systems and their underlying frameworks. The software is often specialized and the hardware is fundamentally different. It is critical to ensure the safety and continuity of essential functions in OT environments, so the same steps in cybersecurity don’t always apply.
Many OT systems also use legacy software incompatible with modern security software. Safety concerns or other operational issues may prevent OT cybersecurity specialists from upgrading or using some protections that are common in IT today, requiring a different approach.
Finally, the sheer volume of attacks compounds these other challenges. Manufacturing accounts for 25.7% of all cyberattacks, making it the most-targeted sector. Energy falls in fourth place. Such a considerable amount of incidents may leave already-strained security workforces with even greater workloads.
Something must change to address the OT cybersecurity skills gap. Thankfully, businesses have options. Here are five strategies to begin developing a skilled workforce to meet this growing need.
First, companies should consider how they can foster necessary skills instead of searching for workers who already possess them. The Bureau of Labor Statistics expects there to be 17,300 open roles in cybersecurity in the U.S. each year over the coming decade. Amid such a massive shortage, the broader labor market is too competitive for businesses to fulfill every position with an external hire, so they must turn inward.
Any technical skill is teachable. Consequently, organizations can gain much from finding adaptable employees with relevant soft skills already on their payroll. Offering training courses and certificate programs to these workers to equip them to serve OT security needs may fill the gap faster than external hires can.
Companies can lean further into this strategy by emphasizing ongoing learning opportunities. Many employees already want to gain new knowledge and skills — studies find that career development options lead to decreased turnover, especially among younger workers. Given this demand, encouraging staff to undergo OT security training can fulfill two demands simultaneously.
These programs can either pair employees with existing OT cybersecurity professionals in a mentorship or provide access to external educational resources. In either case, businesses can use them to incentivize veteran staff members and new hires. Training people to acquire new skills allows HR teams to hire recruits without all the necessary experience, as they’ll gain it on the job.
Another way to foster OT cybersecurity talent is to combine training programs for IT and OT professionals. Hybrid approaches can yield impressive results, as some goals are more closely aligned than they initially seem. In the same way that manufacturers have saved 32,000 USD a month and improved safety through a single material handling change, combining IT and OT training can benefit both sides.
IT employees must learn how industrial control systems work to protect them effectively. OT specialists have that knowledge but may lack understanding about general IT cybersecurity threats and best practices. By combining teams during training, each side can help the other learn what they need, leading to a stronger overall OT cybersecurity workforce.
As businesses revamp their cybersecurity training workflows, they should consider partnering with third-party education providers. Many colleges, professional development organizations and online learning platforms now offer courses in OT security as the demand for such skills has grown. Companies shouldn’t overlook that opportunity.
The simplest way to approach such partnerships is to cover employees’ educational costs if they take these courses.
Finally, organizations can reduce the pressure on their cybersecurity workforce by automating certain repetitive IT tasks. Today’s software solutions can automate data management — which 52% of IT teams say they spend too much time on — and more. Taking advantage of these programs gives a smaller workforce time to upskill and accomplish mission-critical work.
Of course, human experts must always have the final say in sensitive matters. However, IT automation can reduce the burden on IT staff so they can spend additional time deepening their understanding of complex OT environments without external help, which may be difficult to acquire.
The OT cybersecurity talent gap is too big and too threatening to ignore. While filling it may not be easy, it’s not impossible. Businesses should consider how they can implement these five strategies today to equip their workforce for the needs of tomorrow.
Interested in reading more articles like this? Subscribe to the ISAGCA blog and receive weekly emails with links to thought leadership, research and other insights from the OT cybersecurity community.