NESCO Town Hall Workforce Development Presentation

Moderated and Presented by Andy Bochman

Discussion Topic: Workforce Development in the ICS WorkPlace

Discussion Abstract: Ask anyone working in the field at an electric utility about cybersecurity and the conversation will inevitably turn to the shortage of qualified security staff with knowledge of our industry. The need to comply with NERC CIP standards, secure the rapidly proliferating smart grid technologies, and defend against the threat of cyber attacks targeting control systems makes the short supply of cybersecurity talent a critical issue.

Published in: Technology, Business
Transcript of "NESCO Town Hall Workforce Development Presentation"

Slide 1: Electric Sector Security Workforce Development. NESCO Town Hall, Denver, 2013. ab@bochmanadvisors.com, @andybochman

Slide 2: Scribe please

Slide 3: The Whole Workforce

Slide 4: The Quest. Sr. Mgt Sec Policy & Ops. Not to be confused with:

Slide 5: Aim High
• Many of the most critical security challenges are actively created by business initiatives and leaders who do not consider security
• So: business leaders should stop making decisions that make security harder
• Organizational acceptance of security values is greatly enhanced when senior management champions those values and shows willingness to support the appropriate actions, even when painful. See: UHCL - Cybersecurity for Decision Makers

Slide 6: Perception and a Prize for Utilities
• Utilities (could) control their cybersecurity destiny
• By demonstrating a more proactive approach to security, in ways regulators can understand, that positive shift in perception would give Congress, the Administration, and other oversight agencies the assurance they need to slow down on new rules
• Our workforce work can help

Slide 7: Agenda
1. Current State & Trajectory
2. Desired Future State
3. Candidate Next Steps
• Placeholder sub-bullets a through i

Slide 8: Obligatory Grim Beginning: Losses looming. Bad news ... or not. Let’s discuss.

Slide 9: There’s more bad news
The people that really understand policy generally do not understand control systems. The IT community, who develop cybersecurity solutions, generally don’t understand the unique issues associated with control systems. And the people that operate the control systems don’t understand security. Other than that, we’re fine!

Slide 10: Slade Responds
The number of talented individuals is not what is lacking; rather, the ability to discern, hire, and retain the available talent is what the workforce is missing. http://www.us-nesco.org/guest-blog/where-is-the-workforce-we-need/

Slide 11: Solution has arrived: New Bedtime Reading

Slide 12: NBISE Sees New World

Slide 13: Orgs promoting OT cyber WF Development
• NBISE
• SANS
• DoE
• ISC-ISAC
• Universities (let’s name some)
• Center of Energy Workforce Development
• More please

Slide 14: University Example

Slide 15: WPI’s Industry Education Initiative
• To reduce risk, ISO-NE and PJM asked WPI to deliver an industry-specific cybersecurity program in 2013
• Goal: Improve capabilities to prevent, detect, analyze and effectively respond to cyber

Slide 16: WPI Program Courses
• Computer Network Security (including NERC CIPs)
• Software Security
• Operational Risk Management
• Intrusion Detection (for OT)
• Forensics (for OT)
• Power Industry Case Studies
POC: Mike Ahern, mfahern@wpi.edu

Slide 17: DOE C2M2 and WF
The Workforce Management (WORKFORCE) domain comprises five objectives:
1. Assign Cybersecurity Responsibilities
2. Control the Workforce Lifecycle
3. Develop Cybersecurity Workforce
4. Increase Cybersecurity Awareness
5. Manage WORKFORCE Activities

Slide 18: C2M2 - What do you think? We can feed: ES and O&G C2M2 2.0

Slide 19: Free for All: Questions round
• What are the skills and new skills required to secure the Smart Grid?

Slide 20: Question
• Thinking about control room environments, what training programs are needed for
  • Utility security pros?
  • Engineers?
  • IT staff?

Slide 21: Question
• “Programs” that would “encourage” young people to pursue careers in electric sector cybersec?
  • PSAs?
  • Can we start with things that already exist?

Slide 22: Question
• How about security internships?
• How formal? A national program?

Slide 23: Question
• How about security awareness/behaviors in non-security people?
• What, at a minimum, do you want them to:
  • Know, do, not do?

Slide 24: Role of Execs & BoDs: CEO, CRO, CIO, CISO, others ...

Slide 25: The CEO. What’s the optimal mix of CEO skills & experience? (Pie chart with segments CyberSec, Tech, Business, Electric; values shown: 5%, 5%, 68%, 23%)

Slide 26: The CRO. What’s the optimal mix of CRO skills & experience? (Pie chart with segments CyberSec, Tech, Business, Electric; values shown: 10%, 10%, 40%, 40%)

Slide 27: The CIO. What’s the optimal mix of CIO skills & experience? (Pie chart with segments CyberSec, Tech, Business, Electric; 25% each)

Slide 28: The CSO. What’s the optimal mix of CSO skills & experience? (Pie chart with segments IT Sec, OT Sec, Business, Electric; 25% each)

Slide 29: Others? What’s the optimal mix of CXO/VPX skills & experience? (Pie chart with placeholder segments Skill A, Skill B, Skill C, Skill D; 25% each)

Slide 30: Question
• SUPPLIER FOCUSED: What knowledge and cybersec skills do engineers need for planning and designing industrial systems and the operational technologies necessary to support them? (NBISE/PNNL)

Slide 31: Question
• INTERPLAY BETWEEN SPECIALISTS: How do engineering job roles and cybersecurity roles engage to maximize constructive overlap and differences to address security for these systems? (NBISE/PNNL)

Slide 32: Question
• ASSESSMENT: How should we design and conduct tests to differentiate between simple understanding of concepts and skilled performance of actions that effectively resolve problems quickly and despite distractions or the stress surrounding an attack? (NBISE/PNNL)

Slide 33: Question
• CERTIFICATIONS: What is the best framework for general cybersecurity certifications that integrate both knowledge and experience?
• And do we need OT- or industry-specific certifications? (NBISE/PNNL)

Slide 34: Question
• COMMUNITY SUPPORT: How do we best support the certified cybersecurity professional and cyber-informed operations and engineering professionals?
  • Advanced problem-solving tools
  • Communities of practice
  • Canonical knowledge bases
  • Other performance support tools?
  • Prayer and positive thoughts?
(NBISE/PNNL)

Slide 35: Other Questions (or have you had enough?)

Slide 36: Thank You. ab@bochmanadvisors.com, @andybochman