Many organizations are still struggling to fill out their digital security workforces. This task isn’t getting any easier with time, either.
In a Tripwire-commissioned survey of 336 IT security professionals, four-fifths of respondents told Dimensional Research that they feel it’s gotten more difficult to hire skilled personnel since 2017. That’s a problem considering the fact that 85 percent of survey participants said their organization’s security teams are understaffed, with nearly half (47 percent) of respondents blaming these shortages on the skills gap.
The persistence of this skills gap is especially concerning for industrial organizations.
Unlike in other sectors, industrial entities need to protect both IT and OT environments against digital threats. And as these two environments continue to converge, it’s all the more imperative that industrial organizations have the resources to defend against IT security issues that seek to disrupt their OT assets. Depending on the threat level, such issues can undermine the functionality of the industrial organization as a whole and in the process threaten public safety.
These pressures lead us to the following question: with an increasingly pervasive skills-gap in industrial cybersecurity, how should industrial organizations strengthen their security posture?
Part of the answer might come from reconceptualizing the skills gap overall. Patrick Miller, Managing Partner of Archer Energy Solutions, is a firm advocate of this idea, as he hasn’t found evidence of a skills gap. Instead, he’s found indicators of something else going on:
I think there is a gap between existing HR/management hiring expectations and the thriving talent pool that is out there. If you have a job posting that asks for a college degree, five years of experience, multiple programming languages, professional certificates and a security clearance for a salary of $75k, you won’t get anyone. Some engineers are interested in security and IT. Some IT people are interested in engineering and process control. Many entry level people are brilliant and thirsty for more knowledge and just need to be paired with a senior to rocket their way up three levels in a year. Throw out the old hiring models, and the blinders will be lifted.
Under that mindset, we can best approach the other part of the answer to our question by recommending that industrial organizations strengthen their security posture as part of an ongoing process.
And like any process, ICS security has a beginning. Kristen Poulos, GM of Industrial at Tripwire, feels that this effort begins specifically when industrial organizations first discuss how to secure their industrial control systems:
First and foremost, organizations can (and should) be constantly talking about cybersecurity. Industry role models have already formed internal committees that regularly meet to discuss how they as an organization can become more cyber secure and how the threat landscape is evolving. It’s those discussions where other skills-gap-closing topics come to light, such as treating cybersecurity like a program (& not a project) and considering external resources like managed service providers to further close the gap.
The latter consideration is extremely important, notes Tripwire senior system engineer Nick Shaw, as some industrial organizations are bound by government mandates under which appropriate security measures help deter hefty fines. But regulations (or the lack thereof) don’t drastically affect how industrial entities can address their shortages. Shaw clarifies this point:
Either way, regulated or not, industrial organizations have two ways they could go about solving the skills gap: 1) hire talent and strategically develop a cybersecurity strategy/policy that aligns with best practices or 2) hire a reputable third party to augment their staff capabilities and provide managed services. Industrial organizations will need to identify and strategically align with good partners that have proven experience in the cybersecurity landscape. The right partner will go a long way to develop a comprehensive plan that builds up cybersecurity posture over time.
Shaw notes how this work won’t yield much benefit if directed at a single layer of the Purdue Enterprise Model. That’s why he feels it’s essential that industrial organizations address all levels if they are to be successful. In particular, partners should pay special attention to legacy industrial control systems considering how sensitive these assets are to today’s IT security issues.
With that said, industrial organizations need to be careful when selecting a digital security product. Galina Antova, co-founder of Claroty, recommended that these entities specifically look for a solution that’s capable of providing visibility into legacy OT networks, identifying ICS devices’ risk profiles and examining OT-specific network traffic:
Automated technology is a very key part of that answer since organizations require integrated cybersecurity posture across IT and OT networks, consolidated processes and teams. Therefore, new technologies that could provide the traditional cyber defense mechanisms but do so in the context of OT networks (which have different uptime/availability requirements) will help a lot with this growing gap.
Learn how Tripwire’s ICS security solutions can help in this regard.