In last week’s blog, we walked through the various reasons why it’s important for critical infrastructure providers to develop and implement cybersecurity countermeasures tailored to the specific needs of physical and digital infrastructure.
Truth #5: Most critical infrastructure providers lack the tools, skills and mindset to deal with cyberattacks and APTs
Baking an appreciation for security into an organization’s employees is just as important as, if not more important than, baking security into the IT systems themselves. Unfortunately, critical infrastructure providers face difficult personnel-related challenges when it comes to cybersecurity. A key obstacle is that certification requirements for control systems engineers – providers’ front-line troops in cyber-related conflicts – put little or no emphasis on cybersecurity for critical infrastructure.
For example, the certification exam for a Control Systems Engineer (CSE) license from the International Society of Automation (ISA) devotes less than 10 percent – and possibly closer to just 1 or 2 percent – of its content to network security. The exam makes no mention at all of cybersecurity for critical infrastructure. Nor do the audit criteria for certification by the Control Systems Integrators Association (CSIA), even though those criteria do cover risk management and configuration management under CSIA’s Project Management and Supporting Activities responsibilities.
This blind spot makes it difficult for providers to become more proactive and informed in applying cybersecurity best practices. “Until critical infrastructure organizations see themselves as probable targets and gain an understanding of the threat actor capability to penetrate, avoid detection, and maintain a presence on their networks, they will not make the necessary investments in cybersecurity,” the ICS-CERT report concluded.
Fortunately, the critical infrastructure and IT communities as a whole have taken numerous steps to improve training and education about cybersecurity. ISA has created ISA99, its Industrial Automation and Control System Security Committee, which is developing a series of American National Standards Institute (ANSI) standards. Additionally, many colleges, universities and professional organizations and conferences have created training programs and certifications. These options and others offer critical infrastructure providers the chance to educate employees and enable them to pick the right partners, processes and technology for their particular needs.