We have a great challenge with the gap in cybersecurity jobs in general, with estimates ranging from 2.72 million to 3.5 million job openings in 2021. However, the gap in very specialized Operational Technology (OT) cybersecurity is even greater since IT has a decades-long head start in building expertise and, therefore, a larger talent pool. According to a global survey of IT and OT security professionals conducted by Pollfish in September 2021, 90% of respondents say they are looking to hire more industrial cybersecurity professionals and roughly the same number (88%) say it has been difficult to find enough candidates with the skills and experience required to properly manage an OT network’s cybersecurity.
There are no easy solutions to close the OT cybersecurity talent gap, but here are few ideas to help you get started:
1. Cross-train your IT security staff. If you’re having challenges hiring for OT cybersecurity positions, run a hands-on training for some of your IT staff so that they can spend time shadowing OT engineers and operators. OT systems do have very different specifications, however given their long lifecycles, most of them are dated. Therefore, experienced IT staff should be pleasantly surprised to find they are familiar with many of the underlying technologies.
From there, IT staff will need to grasp the different requirements of those systems and networks, and there is no better way than with practice. This includes understanding what it takes to patch a programmable logic controller (PLC), how to implement a maintenance window, and how to plan for all the safety measures that need to be in place as you update and maintain OT systems and networks. The benefit of this approach is that your IT staff is already familiar with the company and its processes and likely know where to seek the knowledge needed. When you’re having challenges with recruitment, this might be a more time-efficient and cost-effective way to jump-start your OT security program. Not to mention that it offers the additional benefit of creating bridges between your IT and OT teams that will pay dividends down the road.
2. Engage with educational institutions. Look into the new OT cybersecurity programs being offered by different educational institutions. There aren’t enough programs yet, but many are starting to get created across colleges and universities. Idaho State University offers a two-year program in which graduates earn an AAS in Industrial Cybersecurity Engineering Technology, Wilmington University offers a Graduate Certificate in Supervisory Control and Data Acquisition (SCADA) Cybersecurity, and other schools offer individual OT security courses as part of degrees in cybersecurity. Contributing to the curriculum, establishing a scholarship program, and offering internships are great ways to attract talent when students graduate.
3. Consider the role of government initiatives. At the government level, Singapore recently made huge progress towards this challenge and can serve as a role model. In October 2021, the Cyber Security Agency of Singapore (CSA) launched the Operational Technology Cybersecurity Competency Framework (OTCCF) with support from private sector entities, to provide the foundation to attract and develop talent for the country’s OT cybersecurity sector. While CSA has offered courses on OT cybersecurity for several years, the increased connectivity between IT and OT systems is driving greater demand for job roles requiring competencies in both IT and OT, so OT engineers need deeper technical training. Not only does the OTCCF map the job roles, technical skills, and core competencies that are in need, it also captures the possible career pathways, showing the options for vertical and lateral progression.
With heightened attention from the Cybersecurity and Infrastructure Security Agency (CISA) and the White House on OT systems and their importance given geopolitical tensions, a similar initiative from the U.S. federal government would help catalyze this fairly new domain. Although CISA does offer some training, a more broad-based approach that encourages public-private collaboration would not only fuel the demand side, but also the supply side as it could provide educators and trainers with much needed best practices and requirements for well-rounded OT cybersecurity education programs.
4. Lean into technology to help. Assets in industrial environments are hard to detect, hard to manage, and even harder to secure—particularly in our expanding universe of connected equipment and devices. Technology is making huge strides towards interpreting the obscurity of OT network all the way out to the Extended Internet of Things (XIoT) which includes your OT environment, Industrial IoT devices (IIoT), Internet of Medical Things (IoMT), and enterprise IoT.
Agentless solutions that are purpose built for asset visibility help identify vulnerabilities and suspicious behavior across the XIoT and provide the foundation for continuous threat monitoring to detect and track threats that cross the IT/OT boundary. Such solutions can be implemented quickly, integrate equally well with OT and IT systems and workflows, and allow IT and OT teams to look at OT environments together. Working from the same set of information, these teams can take specific steps to start minimizing risk and strengthening security in weeks, not months.
We have to tackle the OT cybersecurity gap across multiple fronts—academia, government, as well as within our own organizations. Applying our expertise and institutional knowledge alongside technology advancements, we can accelerate progress to protect critical OT environments that threat actors are now targeting, while building an increasingly robust OT cybersecurity workforce.