I think there is a gap between existing HR/management hiring expectations and the thriving talent pool that is out there. If you have a job posting that asks for a college degree, five years of experience, multiple programming languages, professional certificates and a security clearance for a salary of $75k, you won’t get anyone. Some engineers are interested in security and IT. Some IT people are interested in engineering and process control. Many entry level people are brilliant and thirsty for more knowledge and just need to be paired with a senior to rocket their way up three levels in a year. Throw out the old hiring models, and the blinders will be lifted.

Under that mindset, we can best approach the other part of the answer to our question by recommending that industrial organizations strengthen their security posture as part of an ongoing process.

https://youtu.be/dlOqY1H6XTA

And like any process, ICS security has a beginning. Kristen Poulos, GM of Industrial at Tripwire, feels that this effort begins specifically when industrial organizations first discuss how to secure their industrial control systems:
First and foremost, organizations can (and should) be constantly talking about cybersecurity. Industry role models have already formed internal committees that regularly meet to discuss how they as an organization can become more cyber secure and how the threat landscape is evolving. It’s those discussions where other skills-gap-closing topics come to light, such as treating cybersecurity like a program (and not a project) and considering external resources like managed service providers to further close the gap.

The latter consideration is extremely important, notes Tripwire senior system engineer Nick Shaw, as some industrial organizations are bound by government mandates under which appropriate security measures help deter hefty fines. But regulations (or the lack thereof) don’t drastically affect how industrial entities can address their shortages. Shaw clarifies this point:
Either way, regulated or not, industrial organizations have two ways they could go about solving the skills gap: 1) hire talent and strategically develop a cybersecurity strategy/policy that aligns with best practices or 2) hire a reputable third party to augment their staff capabilities and provide managed services. Industrial organizations will need to identify and strategically align with good partners that have proven experience in the cybersecurity landscape. The right partner will go a long way to develop a comprehensive plan that builds up cybersecurity posture over time.

Shaw notes that this work won’t yield much benefit if directed at a single layer of the Purdue Enterprise Model. That’s why he feels it’s essential that industrial organizations address all levels if they are to be successful. In particular, partners should pay special attention to legacy industrial control systems, considering how sensitive these assets are to today’s IT security issues. With that said, industrial organizations need to be careful when selecting a digital security product. Galina Antova, co-founder of Claroty, recommends that these entities specifically look for a solution that’s capable of providing visibility into legacy OT networks, identifying ICS devices’ risk profiles and examining OT-specific network traffic:
Automated technology is a very key part of that answer since organizations require integrated cybersecurity posture across IT and OT networks, consolidated processes and teams. Therefore, new technologies that could provide the traditional cyber defense mechanisms but do so in the context of OT networks (which have different uptime/availability requirements) will help a lot with this growing gap.

Learn how Tripwire’s ICS security solutions can help in this regard.