Blog del CCI

lunes, 25 de noviembre de 2013

IACS Workforce Development: An internal framework and external certification (Auke Huistra, ERNCIP)

In a video message specially recorded for the thematic area IACS and Smart grids of the ERNCIP (European Reference Network for Critical Infrastructure Protection) program and TNO, European Commission Vice President Neelie Kroes stated:

“ICT and the Internet are essential to our economic growth. But people won't use what they don’t trust. The more we rely on networks, the more we rely on them to be secure. This calls for two things in particular.
First, our digital networks and systems are secure, resilient and trustworthy. That is the aim of the European Cyber Security Strategy which we launched in February.
Second, we need our people to have digital skills. There is a great demand for those skills, but the market is lagging behind. That is why I set up the Grand coalition for Digital Jobs. This multi-stakeholder partnership will help us close the gap, cut unemployment and boost competitiveness.
Bringing these two together, I see a growing demand for cyber security skills. In the ICT sector in general, and for Industrial ICT in particular. Especially to ensure critical infrastructures like energy, water and transport keep running.
That’s why I support this framework for developing the workforce in Industrial IT Security. It will form a solid base, not just for companies involved in critical infrastructure, but also for their suppliers and the government, helping them train and certify the skilled people that we need to safeguard our digital economy.”
Recent incidents have shown that Industrial Control Systems can be vulnerable to cyber attacks, which may lead to disruptions of physical systems and networks. An integrated approach covering People, Process and Technology is needed.
  1. Technology: Secure components and systems: hardware and software.
  2. Process: Certification of organisations and suppliers according to ISO-standards.
  3. People: Change basic behaviours of all the people that have interaction with the IACS and develop a skilled and well trained IACS Security Workforce to develop and sustain the level of IACS Security needed to keep operation safe, secure and resilient.

People

The human aspect of securing IACS should be one of the top priorities to safeguard our critical infrastructures. A joint approach is needed here between asset owners, vendors, contractors, researchers and governments, since only a strong supply chain will make the difference. We need managers on all levels setting the stage and taking the lead. They need to appoint well-trained people with the operational responsibility for industrial cyber security issues on sites and projects. 

If we look at the workforce accountable and responsible for security in the IACS domain we need to differentiate in several groups from workplace to the executive management:
  1. The people who work in industrial environments and interact with the industrial and automation control systems and networks. They need to now what to do and also what not to do. For this group, therefore, the focus will be on Behaviours.  
  2. Professionals with specific roles in industrial cyber security. They need a rigorous training programme that focuses on Aptitude. There should be no question as to whether they possess the knowledge, the proficiency and the right set of skills, associated with their job roles. These industrial cyber security professionals need a hybrid set of skills and experience in ICT, Cyber Security and Engineering, as well as a sound knowledge of industry, company and professional standards.
  3. People in all management positions, up to the highest levels. They are accountable for keeping the risk As Low As Reasonably Possible and need to understand potential impact of cyber security related incidents on the safety, security and reliability of the operations. 

Industry wide certification 

The focus of the TG on IACS and Smart Grids has been on defining the competences, qualifications and experience needed by the group of Industrial Cyber Security Professionals. The ERNCIP TG has created a high-level profile for these professionals, describing the hybrid skill-set needed, the competencies as well as the proficiency levels on these competencies. This has been the basis for a worldwide industry consortium to create a open body of knowledge describing the hybrid skill-set that industrial cyber security professionals need.  An industry certification called Global Industrial Cyber Security Professional (GICSP) has been built on top of this Body of Knowledge and has been released in November 2013 by GIAC (Global Information Assurance Certification). 

The GICSP is the newest certification in the GIAC family and focuses on the foundational knowledge of securing critical infrastructure assets. The GICSP bridges together IT, engineering and cyber security to achieve security for industrial control systems from design through retirement. This vendor-neutral, practitioner focused industrial control system certification is a collaborative effort between GIAC and representatives from a global industry consortium involving organizations that design, deploy, operate and/or maintain industrial automation and control system infrastructure. GICSP will assess a base level of knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments. The GICSP certification is an important step in getting recognition of this specific field of expertise and grow a pool of professionals that can fill in the IACS security positions in critical infrastructures and beyond. Foreseeable is that new, more specific certifications, will be build on top of this foundational GICSP certification. Multiple training providers from across the world and also in Europe have created training programs to prepare these professionals for this certification.

Implementation

Companies that adopt the IACS Security Workforce Development Framework have to take certain steps to implement it in their own specific business environment. First of all they have to map the hybrid skill-set on their own internal Competence Management System. When the relevant competences are identified, a job competence profile (JCP) can be built describing the expected proficiency levels on all of these competences per job group level. This is needed to create a career path in the company in the IACS security domain. 

This job competence profile is the basis for further steps and implementation in the businesses. Based on the JCP a set of follow up activities can be done:
  • Creation of an in- and external training and certification curriculum
  • Creation of IACS Security related job descriptions
  • Mapping of the job positions to the JCP
  • Assessment and development of the existing workforce (companies’ own staff and contractors)
  • Development of a hiring and sourcing strategy for IACS Security related positions together with internal HR and procurement as well with external sourcing companies. 
  • Implementation in the business
    • Create for every business unit an IACS Security Workforce Development Policy Document describing
      • IACS Security Strategy
      • Governance model
      • Roles & Responsibilities
      • Organizational Chart
      • Job Positions
      • JCP Mapping
    • Assess people
    • Do a gap-analysis
    • Create individual development plans
    • Create an training plan on the level of the organizational entity
    • Repeat and Audit this cycle every year

Recommendations

I recommend every organization to follow the high-level implementation path described above and embrace the industry certification to create a baseline for the knowledge that IACS Security professionals should have before they enter this field. Especially companies in the critical infrastructures should develop a IACS Security Workforce Development policy in which they describe the governance, the roles & responsibilities, the job positions and the way the company develops and sustains the professional expertise of their IACS Security Community of Practice, internally as well as externally. In this policy document the companies should describe how their hiring and sourcing strategy looks like. 

It is time to take IACS Security seriously and start developing your workforce.

Auke Huistra (aukehuistra@suver.org) 
Project manager National Roadmap to Secure Process Control Systems and
Lead Workforce Development Thematic Group IACS and Smart Grids ERNCIP (Joint Research Center project)

miércoles, 13 de noviembre de 2013

ISA Automation Week at Nashville, Tennessee, USA: “Safety, the other face of the industrial cyber security coin” (Ayman AL-Issa)

“Safety, People, Business, and Technology in the world of automation, they are all connected”, this was the logo for the automation week 2013 held at Nashville, Tennessee, USA.  The conference covered several tracks that addressed the challenges that the world is facing to improve and revolutionize in the IACS “industrial automation and control systems” arena.

Industrial network cyber security was one of the main tracks and topics that was discussed during the conference, and took a lot of importance as it was transparently clear that industrial cyber security is moving very slow compared to the increase and sophistication of industrial cyber threats.  This was clear in the speech of Major General Robert Wheeler, Deputy Chief Information Officer C4 & IIC where he referred to that as ‘Speed of Change’, without which our nation would not be able to stay ahead.

Industrial cyber security is not only seen today as a concern on a virus spread or malfunction of a system, but it is the means to protect human lives, environments and the critical infrastructures themselves.  It is indeed true that cyber security in the industrial network is an inherent part of safety in these environments.

There is no doubt that industrial security measures are always behind the emerging cyber risks, and the bad guys are still and will continue to be ahead, so knowing about what is happening in the industrial network is an essential part of securing such network and systems.

Eric Knapp of Wurldtech and North America Chief Technical Advisor in CCI, one of the world top experts in the industrial cyber security and the author of the two books “Industrial Network Security” and “Applied Cyber Security and the Smart Grid” said in his interesting presentation about “If your network was under attack today, would you be able to till?” that providing visibility into industrial control systems is an important approach towards securing these control systems.  He also mentioned that these networks get hacked once the developers start modifying these control systems to fit their environment.  I do put my hand with Eric and I emphasize that it shall be clear to everyone in this field that these networks are not ideal - as many think - due to the major changes that are done to these networks at  the implementation phases and when integrating automation systems DCS, ESD, F&G and many other utilities with each other.

Industrial cyber security expert Eric Byers who received ISA award and was officially recognized for his “leadership in developing numerous innovations, industry standards, and best practices in industrial cyber security” talked about the importance of segmenting the industrial networks by industrial security systems and how that would help in protecting these networks and narrowing the spread of infections to smaller parts of the plants rather than having larger parts of the plants affected by such infections.  Eric also mentioned that Air gaps do not exist at any system that needs any kind of update during the lifetime of the industrial control system, and little of these systems need no updates.

I emphasized in the conference on the need for industrial cyber security by design and the need for adopting and implementing an industrial defense-in-depth model to protect the modern industrial systems.  Doing this at the design phase is much easier and less complicated that doing it as a make up at the end of implementing the IACS.

I also discussed the importance of thinking about “how the plant cyber security solution can be implemented/supported/operated during the plant long-life span “20 to 30 years or more”.  For that it is apparently important to realize that the only way for enabling this support is to have long-term partnerships between the automation and cyber security vendors to reduce the chances of system conflicts and to have an “automation/cyber security” joint-testing environment for the cyber security updates prior to releasing them by cyber security vendors.  Plant floor is never the right place for testing the continuous cyber security updates.

Lots of very interesting presentations were delivered during the conference days, and many exiting cyber security discussion took place.  It was an admirable gathering of the industrial cyber security gurus in a step to bring industrial cyber security forward.

It worth mentioning that another ISA conference will be held on December this year at Dammam, Saudia Arabia trusting that these conferences will shed more light on the importance of development, improvement, and security within the industrial automation and control systems.

Ayman AL-Issa
Digital Oil Fields Cyber Security Advisor
ADMA OPCO