NESCO Town Hall Workforce Development Presentation

Moderated and Presented by Andy Bochman

Discussion Topic: Workforce Development in the ICS WorkPlace

Discussion Abstract: Ask anyone working in the field at an electric utility about cybersecurity and the conversation will inevitably turn to the shortage of qualified security staff with knowledge of our industry. The need to comply with NERC CIP standards, secure the rapidly proliferating smart grid technologies, and defend against the threat of cyber attacks targeting control systems makes the short supply of cybersecurity talent a critical issue.

Published in: Technology, Business

  1. Electric Sector Security Workforce Development. NESCO Town Hall, Denver, 2013. ab@bochmanadvisors.com, @andybochman
  2. Scribe please
  3. The Whole Workforce
  4. The Quest: Sr. Mgt, Sec Policy & Ops. Not to be confused with:
  5. Aim High
     • Many of the most critical security challenges are actively created by business initiatives and leaders who do not consider security
     • So: business leaders should stop making decisions that make security harder
     • Organizational acceptance of security values is greatly enhanced when senior management champions those values and shows willingness to support the appropriate actions, even when painful. See: UHCL - Cybersecurity for Decision Makers
  6. Perception and a Prize for Utilities
     • Utilities (could) control their cybersecurity destiny
     • By demonstrating a more proactive approach to security, in ways regulators can understand, that positive shift in perception would give Congress, the Administration, and other oversight agencies the assurance they need to slow down on new rules
     • Our workforce work can help
  7. Agenda
     1. Current State & Trajectory
     2. Desired Future State
     3. Candidate Next Steps
     (The lettered sub-bullets a–i on this slide carry no text.)
  8. Obligatory Grim Beginning: Losses looming. Bad news ... or not. Let's discuss.
  9. There's more bad news: "The people that really understand policy generally do not understand control systems. The IT community, who develop cybersecurity solutions, generally don't understand the unique issues associated with control systems. And the people that operate the control systems don't understand security." Other than that, we're fine!
  10. Slade Responds: "The number of talented individuals is not what is lacking; rather, the ability to discern, hire, and retain the available talent is what the workforce is missing." http://www.us-nesco.org/guest-blog/where-is-the-workforce-we-need/
  11. Solution has arrived: New Bedtime Reading
  12. NBISE Sees New World
  13. Orgs promoting OT cyber WF Development
     • NBISE
     • SANS
     • DoE
     • ISC-ISAC
     • Universities (let's name some)
     • Center of Energy Workforce Development
     • More please
  14. University Example
  15. WPI's Industry Education Initiative
     • To reduce risk, ISO-NE and PJM asked WPI to deliver an industry-specific cybersecurity program in 2013
     • Goal: Improve capabilities to prevent, detect, analyze and effectively respond to cyber
  16. WPI Program Courses
     • Computer Network Security (including NERC CIPs)
     • Software Security
     • Operational Risk Management
     • Intrusion Detection (for OT)
     • Forensics (for OT)
     • Power Industry Case Studies
     POC: Mike Ahern, mfahern@wpi.edu
  17. DOE C2M2 and WF. The Workforce Management (WORKFORCE) domain comprises five objectives:
     1. Assign Cybersecurity Responsibilities
     2. Control the Workforce Lifecycle
     3. Develop Cybersecurity Workforce
     4. Increase Cybersecurity Awareness
     5. Manage WORKFORCE Activities
  18. C2M2 - What do you think? We can feed: ES and O&G C2M2 2.0
  19. Free for All: Questions round
     • What are the skills and new skills required to secure the Smart Grid?
  20. Question
     • Thinking about control room environments, what training programs are needed for:
       • Utility security pros?
       • Engineers?
       • IT staff?
  21. Question
     • "Programs" that would "encourage" young people to pursue careers in electric sector cybersec?
     • PSAs?
     • Can we start with things that already exist?
  22. Question
     • How about security internships?
     • How formal? A national program?
  23. Question
     • How about security awareness/behaviors in non-security people?
     • What, at a minimum, do you want them to: know, do, not do?
  24. Role of Execs & BoDs: CEO, CRO, CIO, CISO, others ...
  25. The CEO. What's the optimal mix of CEO skills & experience? (pie chart; categories CyberSec, Tech, Business, Electric; segments 5%, 5%, 68%, 23%)
  26. The CRO. What's the optimal mix of CRO skills & experience? (pie chart; categories CyberSec, Tech, Business, Electric; segments 10%, 10%, 40%, 40%)
  27. The CIO. What's the optimal mix of CIO skills & experience? (pie chart; categories CyberSec, Tech, Business, Electric; 25% each)
  28. The CSO. What's the optimal mix of CSO skills & experience? (pie chart; categories IT Sec, OT Sec, Business, Electric; 25% each)
  29. Others? What's the optimal mix of CXO/VPX skills & experience? (pie chart; categories Skill A, Skill B, Skill C, Skill D; 25% each)
  30. Question
     • SUPPLIER FOCUSED: What knowledge and cybersec skills do engineers need for planning and designing industrial systems and the operational technologies necessary to support them? (NBISE/PNNL)
  31. Question
     • INTERPLAY BETWEEN SPECIALISTS: How do engineering job roles and cybersecurity roles engage to maximize constructive overlap and differences to address security for these systems? (NBISE/PNNL)
  32. Question
     • ASSESSMENT: How should we design and conduct tests to differentiate between simple understanding of concepts and skilled performance of actions that effectively resolve problems quickly and despite distractions or the stress surrounding an attack? (NBISE/PNNL)
  33. Question
     • CERTIFICATIONS: What is the best framework for general cybersecurity certifications that integrate both knowledge and experience?
     • And do we need OT- or industry-specific certifications? (NBISE/PNNL)
  34. Question
     • COMMUNITY SUPPORT: How do we best support the certified cybersecurity professional and cyber-informed operations and engineering professionals?
       • Advanced problem-solving tools
       • Communities of practice
       • Canonical knowledge bases
       • Other performance support tools?
       • Prayer and positive thoughts?
     (NBISE/PNNL)
  35. Other Questions (or have you had enough?)
  36. Thank You. ab@bochmanadvisors.com, @andybochman