The Colonial Pipeline attack exposed an ongoing problem facing the nation’s critical infrastructure: A gap in the cybersecurity workforce. Future wars will no longer be traditional, and the country needs to be prepared on both the defensive and offensive sides, which starts by addressing this shortage. Our problem statement, then, becomes a lack of cybersecurity resources.
How Is This Problem Being Addressed?
As demand for cybersecurity services increased, many organizations, including government bodies and the multinational firms that provide cybersecurity consulting and implementation services, began competing for the same candidates. The result was a resource crunch and larger hiring budgets. Companies that could not find the right candidate turned to contracting services from these consulting firms.
Many companies and organizations now run their cybersecurity projects with the help of third-party consulting and service support. This has increased both the economic impact and the data security impact on those companies.
How Can It Be Resolved in a Better Way?
Every critical infrastructure industry, whether oil and gas, power utilities, the grid, food processing, manufacturing, or others, already has adequate manpower for automation and engineering. It has shift engineers for operations, maintenance engineers for maintenance, and project engineers for ongoing or future projects.
The key is to train and upskill these engineers, but how? They are already fully occupied, and cybersecurity is not their domain. ISA/IEC 62443 provides a starting point: the standard defines seven functional requirements:
- Identification and authentication
- Use control
- System integrity
- Data confidentiality
- Restricted data flow
- Timely response to events
- Resource availability
These seven areas are straightforward to train for. They are technical controls, and industrial engineers are very good at learning technical skills. If they can operate a complex system and monitor critical parameters minute by minute to keep them within safe limits, we should trust them to take care of cybersecurity as well. Organizations often turn to information technology (IT) teams for the cybersecurity of operational technology (OT). However, training industrial engineers for OT cybersecurity has many benefits, including:
- Upskilling existing resources
- Keeping it closer to the production environment
- Better emergency handling
- Close cooperation among teams
- Economic gains in terms of resource hiring
How to Train?
A trainer or an online course is the first step and provides the background knowledge; hands-on practice, which in my opinion is the best way to learn anything, should follow. First, we need to understand our environment, and then, depending on our security requirements, we can curate courses for the engineers. We can start with basic technologies such as:
- Patch management: Patch management is a subset of vulnerability management. We need to learn about the solutions we already use, or that need to be implemented on the plant premises, such as Windows Server Update Services (WSUS) or a third-party application. Many third-party solutions are available for test purposes. Also, if we implement an agent-based solution, we will need to understand it from the original equipment manufacturer (OEM).
- Backup and restore management: All supervisory control and data acquisition (SCADA) and distributed control systems (DCS) have built-in functionality for creating and saving backups. For cybersecurity, however, we need a centralized solution with multiple copies at different locations. Commercially available, off-the-shelf solutions exist for this and are approved by the majority of DCS/SCADA OEMs. In industrial control system (ICS) environments we have virtual machines, Linux, Windows, and proprietary system software, so we need a solution that can support all of them. How do we build such a solution, and what other controls need to be in place to secure data in transit and data at rest? A mix of solutions can be combined with a common repository or storage.
- Endpoint protection: This is the last line of defense in a cybersecurity scenario. What type of endpoint protection is authorized by the OEM? We need to investigate this and whether it is maintained well. Does a system have anti-virus, is it fully updated, and are updates scheduled? These checks can be included in the operation logbook. What other endpoint protection is in place? Is there a host-based firewall or host-based intrusion detection, or do we have agents for log collection and backup? We need to learn about all the applications that are installed or will be installed.
- Network security: Network security is the most feared term in cybersecurity, but it should not be. You do not need to master every switch or firewall to learn network security. You only need to understand the concepts, how the devices are installed, and for what purpose. In network security, firewalls, routers, network-based intrusion detection systems (NIDS), encryption, segmentation, access controls, and similar measures are the solutions to keep in mind, and their implementation is not that complex. For example, ISA/IEC 62443 starts with zoning and segmentation: to reach a given security level you can use logical segmentation with a virtual local area network (VLAN), and for higher security levels you use physical segmentation, with firewalls or separate switches for different VLANs. If some engineers do not know what a VLAN is, they can learn by configuring a switch manually.
- Log management: Finally, for detection and response we need log collection, analysis, and incident monitoring. Based on the types of devices, we need to see what kind of logs they are generating. If a device is not generating any logs, configure it to do so (for example, enable syslog on network devices). Almost all log management solutions have a similar architecture: either they install an agent on the endpoints to collect logs, or they collect them through agentless methods. Once the log collector receives the logs, it performs basic analysis and forwards them to a log management or security information and event management (SIEM) solution, which correlates all the logs on a timeline and generates incidents where possible. Once an incident is reported, we handle it through a ticketing mechanism or an existing maintenance process.
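The collection, timeline correlation and incident generation described above, as an added Python example that is not part of the original article: it parses constructed syslog lines from a hypothetical plant firewall (fw-ot-01) and engineering workstation (eng-ws-02), orders them on a timeline, and raises incidents from two simple rules. The host names, addresses, year, window and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample syslog lines (BSD/RFC 3164 style) as a plant firewall and
# an engineering workstation might emit them; invented for this example.
SAMPLE_LOGS = """\
Mar 12 08:00:01 fw-ot-01 kernel: DENY src=10.20.5.17 dst=10.10.1.5 dpt=502
Mar 12 08:00:04 fw-ot-01 kernel: DENY src=10.20.5.17 dst=10.10.1.6 dpt=502
Mar 12 08:00:09 fw-ot-01 kernel: DENY src=10.20.5.17 dst=10.10.1.7 dpt=502
Mar 12 08:01:30 eng-ws-02 sshd: Failed password for operator from 10.20.5.17
Mar 12 08:01:33 eng-ws-02 sshd: Failed password for operator from 10.20.5.17
Mar 12 08:01:36 eng-ws-02 sshd: Failed password for operator from 10.20.5.17
Mar 12 08:02:10 eng-ws-02 sshd: Accepted password for operator from 10.20.5.17
Mar 12 09:15:00 fw-ot-01 kernel: DENY src=10.30.9.2 dst=10.10.1.5 dpt=502
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")
SRC_RE = re.compile(r"(?:src=|from )(\d+\.\d+\.\d+\.\d+)")
YEAR = 2024  # BSD syslog carries no year; assumed so the timeline can be ordered

def parse(text):
    # Normalise raw lines into events: timestamp, host, program, message, source IP.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # unparseable lines are skipped; a real collector should count them
            ts, host, prog, msg = m.groups()
            when = datetime.strptime(f"{YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")
            src = SRC_RE.search(msg)
            events.append({"ts": when, "host": host, "prog": prog, "msg": msg,
                           "src": src.group(1) if src else None})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=10), threshold=3):
    # Group events by source IP and apply two timeline rules; return incidents.
    by_src = defaultdict(list)
    for e in events:
        if e["src"]:
            by_src[e["src"]].append(e)
    incidents = []
    for src, evs in by_src.items():
        denies = [e for e in evs if "DENY" in e["msg"] and "dpt=502" in e["msg"]]
        # Rule 1: several blocked Modbus/TCP (port 502) attempts from one source inside the window
        if len(denies) >= threshold and denies[-1]["ts"] - denies[0]["ts"] <= window:
            incidents.append({"src": src, "severity": "medium", "title": "blocked Modbus/TCP probing"})
        # Rule 2: a successful login preceded by repeated failures from the same source
        for ok in (e for e in evs if "Accepted password" in e["msg"]):
            fails = [f for f in evs if "Failed password" in f["msg"] and ok["ts"] - window <= f["ts"] < ok["ts"]]
            if len(fails) >= threshold:
                incidents.append({"src": src, "severity": "high", "title": f"login on {ok['host']} after {len(fails)} failures"})
    return incidents
```

A real SIEM does the same grouping and windowing across many more sources; the single lone DENY from 10.30.9.2 shows why a threshold is needed before a ticket is raised.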
At this high level, basic controls training can be provided to all industrial engineers who require it, so that in an emergency they know what is expected of them and what needs to be done. Specialized training can also be provided to selected engineers so that a pool of skilled cybersecurity engineers can be developed over time. This process will take a while, but it is a long-term solution. There may be attrition in the short term, but these processes and the growth of a cyber-aware culture will compensate for that.