Blog del CCI

Monday, 25 November 2013

IACS Workforce Development: An internal framework and external certification (Auke Huistra, ERNCIP)

In a video message specially recorded for the thematic area IACS and Smart grids of the ERNCIP (European Reference Network for Critical Infrastructure Protection) program and TNO, European Commission Vice President Neelie Kroes stated:

“ICT and the Internet are essential to our economic growth. But people won't use what they don’t trust. The more we rely on networks, the more we rely on them to be secure. This calls for two things in particular.
First, our digital networks and systems are secure, resilient and trustworthy. That is the aim of the European Cyber Security Strategy which we launched in February.
Second, we need our people to have digital skills. There is a great demand for those skills, but the market is lagging behind. That is why I set up the Grand coalition for Digital Jobs. This multi-stakeholder partnership will help us close the gap, cut unemployment and boost competitiveness.
Bringing these two together, I see a growing demand for cyber security skills. In the ICT sector in general, and for Industrial ICT in particular. Especially to ensure critical infrastructures like energy, water and transport keep running.
That’s why I support this framework for developing the workforce in Industrial IT Security. It will form a solid base, not just for companies involved in critical infrastructure, but also for their suppliers and the government, helping them train and certify the skilled people that we need to safeguard our digital economy.”

Recent incidents have shown that Industrial Control Systems can be vulnerable to cyber attacks, which may lead to disruptions of physical systems and networks. An integrated approach covering People, Process and Technology is needed:
  1. Technology: Secure components and systems: hardware and software.
  2. Process: Certification of organisations and suppliers according to ISO-standards.
  3. People: Change the basic behaviours of all the people who interact with the IACS, and develop a skilled and well-trained IACS Security Workforce to build and sustain the level of IACS Security needed to keep operations safe, secure and resilient.


The human aspect of securing IACS should be one of the top priorities to safeguard our critical infrastructures. A joint approach is needed here between asset owners, vendors, contractors, researchers and governments, since only a strong supply chain will make the difference. We need managers at all levels setting the stage and taking the lead. They need to appoint well-trained people with operational responsibility for industrial cyber security issues on sites and projects.

If we look at the workforce accountable and responsible for security in the IACS domain, we need to distinguish several groups, from the workplace to executive management:
  1. The people who work in industrial environments and interact with the industrial and automation control systems and networks. They need to know what to do and also what not to do. For this group, therefore, the focus will be on Behaviours.
  2. Professionals with specific roles in industrial cyber security. They need a rigorous training programme that focuses on Aptitude. There should be no question as to whether they possess the knowledge, the proficiency and the right set of skills associated with their job roles. These industrial cyber security professionals need a hybrid set of skills and experience in ICT, Cyber Security and Engineering, as well as a sound knowledge of industry, company and professional standards.
  3. People in all management positions, up to the highest levels. They are accountable for keeping the risk As Low As Reasonably Possible and need to understand the potential impact of cyber-security-related incidents on the safety, security and reliability of the operations.

Industry-wide certification

The focus of the Thematic Group (TG) on IACS and Smart Grids has been on defining the competences, qualifications and experience needed by the group of Industrial Cyber Security Professionals. The ERNCIP TG has created a high-level profile for these professionals, describing the hybrid skill-set needed, the competencies, and the proficiency levels for these competencies. This has been the basis for a worldwide industry consortium to create an open body of knowledge describing the hybrid skill-set that industrial cyber security professionals need. An industry certification called Global Industrial Cyber Security Professional (GICSP) has been built on top of this Body of Knowledge and was released in November 2013 by GIAC (Global Information Assurance Certification).

The GICSP is the newest certification in the GIAC family and focuses on the foundational knowledge of securing critical infrastructure assets. The GICSP bridges IT, engineering and cyber security to achieve security for industrial control systems from design through retirement. This vendor-neutral, practitioner-focused industrial control system certification is a collaborative effort between GIAC and representatives from a global industry consortium involving organizations that design, deploy, operate and/or maintain industrial automation and control system infrastructure. GICSP will assess a base level of knowledge and understanding across a diverse set of professionals who engineer or support control systems and share responsibility for the security of these environments. The GICSP certification is an important step in gaining recognition for this specific field of expertise and in growing a pool of professionals who can fill the IACS security positions in critical infrastructures and beyond. It is foreseeable that new, more specific certifications will be built on top of this foundational GICSP certification. Multiple training providers from across the world, including in Europe, have created training programs to prepare these professionals for this certification.


Companies that adopt the IACS Security Workforce Development Framework have to take certain steps to implement it in their own specific business environment. First of all, they have to map the hybrid skill-set onto their own internal Competence Management System. When the relevant competences are identified, a job competence profile (JCP) can be built describing the expected proficiency levels for all of these competences per job group level. This is needed to create a career path in the company in the IACS security domain.

This job competence profile is the basis for further steps and implementation in the businesses. Based on the JCP, a set of follow-up activities can be carried out:
  • Creation of an internal and external training and certification curriculum
  • Creation of IACS Security related job descriptions
  • Mapping of the job positions to the JCP
  • Assessment and development of the existing workforce (companies’ own staff and contractors)
  • Development of a hiring and sourcing strategy for IACS Security related positions together with internal HR and procurement as well as with external sourcing companies
  • Implementation in the business
    • Create an IACS Security Workforce Development Policy Document for every business unit, describing:
      • IACS Security Strategy
      • Governance model
      • Roles & Responsibilities
      • Organizational Chart
      • Job Positions
      • JCP Mapping
    • Assess people
    • Do a gap-analysis
    • Create individual development plans
    • Create a training plan at the level of the organizational entity
    • Repeat and audit this cycle every year


I recommend that every organization follow the high-level implementation path described above and embrace the industry certification to create a baseline for the knowledge that IACS Security professionals should have before they enter this field. Companies in the critical infrastructures especially should develop an IACS Security Workforce Development policy in which they describe the governance, the roles & responsibilities, the job positions and the way the company develops and sustains the professional expertise of its IACS Security Community of Practice, internally as well as externally. In this policy document the companies should describe what their hiring and sourcing strategy looks like.

It is time to take IACS Security seriously and start developing your workforce.

Auke Huistra
Project manager National Roadmap to Secure Process Control Systems and
Lead Workforce Development Thematic Group IACS and Smart Grids ERNCIP (Joint Research Center project)
