Securing ICS’ future, today


Many parts of industries that make, move and power our world are now automated and controlled by connected technologies, yet owners and operators of these industrial systems aren’t always adequately equipped to combat today’s cybersecurity risks. While newcomers to the workforce often carry very useful, contemporary digital skills, when they join others who are well-established in a job, they quickly find unique challenges that make it difficult to keep pace with the rate of technological change.  This leads to an ever-moving cybersecurity skills gap to which a workforce must continually adapt.  Doug Wylie, director of SANS Institute’s Industrials & Infrastructure Practice, believes that organisations need to invest in security skills to safeguard their own systems, not only for the present, but also for the future.

Earlier this year, attackers targeted the computer networks of several US companies operating nuclear power plants. Although spokespeople claimed the vital operational systems were not compromised, it still serves as a sombre reminder that businesses need to invest in security personnel, on top of upskilling and training their existing workforce in how to best avoid becoming the victim of a damaging cyber-attack.

Businesses have been upgrading their IT and operating systems, actively investing to embrace the Internet of Things (IoT). Digital convergence now largely bridges the divides between the enterprise, production environment, and company supply chain; however, many companies are failing to tackle basic human factors that are crucial to addressing security risks. Investments that businesses make to educate personnel about security risks and threats, best practice protocols, and how employees affect a company’s security posture truly do matter in helping to ensure safe, reliable and productive operations.

Although technological and connectivity developments have driven productivity through the roof, along with increasing efficiency and growing revenues, a substantial amount of risk has also emerged. The shift to cloud-based IT solutions, introducing more connected devices, and a newfound reliance on digital technology for operations and processes have all left many systems vulnerable to attack, through a multitude of end-points never before seen. When criminal hackers breach IT systems in the business sectors, sensitive data is often compromised and the impacts of an attack can affect revenues. But if this happens to a power plant, transportation system or a host of other critical infrastructures, the disruption and damage can be far more severe and far reaching.

Corporate cyber security breaches have been well documented in recent years, hitting organisations of all sizes across almost every sector. However, securing Industrial Control Systems (ICS) is a potentially more worrying battleground. In industries such as electricity, oil and gas, transportation, water and many others where ICS is employed, our reliance on automation technologies continues to expand.  Industry interrelations now move us towards the broad-scale control of our environment, including inside our homes, our cars and buildings, public infrastructures, and the cities and even countrysides where we live.  Regrettably, many benefits from automation and connectivity are counteracted by risks.  Needless to say, meaningful action is needed now to ensure the systems we rely upon are protected and managed throughout their expected lives.


A recent SANS Institute report that focused on securing Industrial Control Systems found that budgets for training and certification of staff responsible for the implementation and maintenance of ICS have fallen considerably from 2016 to 2017 (34 per cent to 26 per cent respectively). Despite a rise in cyberattacks, prominent media coverage, and highly-publicised ransomware incidents increasing 300 per cent since 2015, budgets are being cut when it comes to organically fostering the training of security staff with skills necessary to plan, protect and respond to unrelenting cyber threats.

Turning a blind eye to the importance of training will only serve to increase the skills gap we are already seeing. In a recent study conducted by McAfee, 82 per cent of IT decision makers reported a shortage of cybersecurity skills within their own companies. A further 71 per cent admitted that a shortage of skills does measurable and direct damage to their businesses. 

Although gaps and perceived weaknesses in IT systems can be to blame for cyber breaches, people pose a far greater risk. Recent studies show that 90 per cent of cyberattacks are caused by either malicious behaviour, or just plain human error. Some instances will be due to deliberate activity by staff members. But a great many incursions will be accidental, caused by employees who haven’t received appropriate training, or who lack knowledge of how to configure, operate and maintain IT systems in a secure manner. This could even be simply spotting that there is an issue in any given system—and keep in mind, these statistics represent the current state of the Information Technology (IT) realm where consequences and impacts are digital, not physical as they so often are with Operational Technology (OT).

Simply put, cybersecurity education programmes provide the best return on investment. If training and certification budgets are reduced, the rise in threats like ransomware, the expanding number of attack vectors and overall threat levels all become far greater, inadequately addressed problems. Education is the best way to combat this. As we all know, attacks take place in industry on a daily basis. Education needs to take priority before putting more technologies in place and it is an essential component to every rational risk management decision.

By funnelling technology funds into sustainable education programmes, and bringing in external parties to share their security expertise, businesses will be able to help ensure their employees are equipped with the right knowledge, skills and abilities to mitigate risks and impacts from cyberattacks. These investments can also pay out dividends through the knowledge-sharing they encourage.  This helps a company culture mature over time to plug the skills gaps that we are facing, allowing companies to focus primary energy towards profitable results, not response and recovery.

The foundations for the future are here

It may seem all doom and gloom, but the situation is not all negative. SANS’ ICS research reported that employees are giving time to securing industrial control systems. Larger organisations are spending more than three-quarters of their total cybersecurity practice allocation purely on ICS security. In contrast, moderately sized organisations are spending anywhere between 10 and 25 per cent of their time overall, and the smallest organisations polled won out selecting the “more than 76 per cent” category. The problem, as we see, is not that ICS security is falling by the wayside, but that the internal skills gap and sometimes spotty investments in industry-relevant cybersecurity education are aggravating the issue for organisations.

This gap appears to show that for many businesses, there is a shortage of those with specialist skills who are solely devoted to ICS security. The SANS ICS report revealed that most respondents had to balance their own ICS security duties with a great deal of secondary responsibilities. Companies are not upskilling their staff to become dedicated security professionals. Instead, roles are being split between security and other duties and conflicting priorities continue to emerge, both of which allow cracks to appear that negatively affect a company and those who rely on its products and services.

Informing change from the outside

Closing the skills gap isn’t purely about hiring new staff or investing in growing one’s own talent pool. Organisations should also look to bring in external advice on best practices to secure existing systems, especially for tasks such as security analysis and assessment services.  This is invaluable since these trained, often certified and accredited security practitioners can provide unvarnished evaluations while also offsetting workforce skills shortages.  They can help underscore particular areas where cybersecurity educational investments make the most fiscal sense and offer a return on investment.

Although many organisations embrace new technology on a regular basis, a workforce that isn’t consistently trained in how to safeguard and securely operate and maintain today’s converged IT/OT systems will likely bring more harm than benefit from these investments. The security skills gap will only begin to close when companies take a rational approach to complementing technology investments with cybersecurity education.  When combined, these build an educated, informed, and well-equipped personnel base that grows its skill sets over time and better safeguards the future, today.

Doug Wylie, Director of Industrials and Infrastructure Portfolio, SANS Institute