Safeguarding digital frontiers in rapidly evolving industrial environments has become supremely crucial nowadays. Advances in interconnected ICS (industrial control systems) and OT (operational technology) systems make them more vulnerable to cyber attacks under increasingly complex circumstances nowadays. Shifting rapidly into industrial cybersecurity demands mastery of highly specialized technical skill sets. Basic expertise generally requires strong knowledge of network security systems and protocols, but industrial cybersecurity professionals must understand the physical process and focus on building cyber resilience.
Certifications like Global Industrial Cyber Security Professional (GICSP) and Certified Information Systems Security Professional (CISSP) supplement qualifications, enabling organizations to better deal with rising adversarial threats and attacks.
Industrial cybersecurity has numerous roles, including security analysts and penetration testers, operating in highly specialized environments. Each occupation plays a crucial role in safeguarding against nefarious cyber threats, and choosing the appropriate one perfectly aligns with distinct skills. IT specialists switching careers into industrial cybersecurity often find this move incredibly rewarding yet supremely challenging. Successful transition hinges on grasping operational nuances specific to ICS and adjusting rapidly in response to demanding security protocols.
Mentorship networks facilitate rapid knowledge gain for enhanced career advancement. Interacting with experts at conferences frequently updates individuals on current trends beneath looming cyber threats. ICS and OT system security holds significance due to escalating cyber threats against vital infrastructure like power plants. Specialists safeguard against vicious cyber threats like ransomware that severely disrupt operations, putting lives in peril suddenly. Specialized knowledge of ICS/OT environments and procedures requires an intricate understanding of security issues faced by legacy systems.
Delving into ICS/OT security realms requires solid IT security fundamentals with specialized expertise tailored for industrial environments. Some of the key skills that industrial cybersecurity professionals are expected to have include risk assessment, network segmentation, and OT-specific incident response. Professionals can choose to do certification courses to help improve their expertise in SCADA (supervisory control and data acquisition) security architecture under rigorous ISA/IEC 62443 training protocols. Also, IT security experts can use certifications like CISSP or CompTIA Security+ to fill any OT-specific knowledge gaps.
Career paths vary from ICS security analysts who are on the lookout for threats to OT security consultants who create secure systems. Roles typically entail penetration testers performing ethical hacking on ICS and Incident Responders handling OT breaches swiftly underwater. Participating in industry organizations such as ICS-ISAC and SANS ICS, apart from finding mentors, can accelerate professional development.
Industrial cybersecurity professionals must also attend conferences like DEF CON, ICS Village, or S4x and engage in online forums that offer insights into prospective threats and employment opportunities. Industrial cybersecurity offers remarkably fulfilling opportunities for safeguarding critical infrastructure installations interconnected through complex digital landscapes.
Clearly, the evolving nature of the industrial cybersecurity space demands dedication and perseverance from professionals. Experts must remain super vigilant and committed to staying ahead of adversarial attackers as technology rapidly advances. It entails staying abreast of cutting-edge technology advancements and security measures while pursuing continual learning experiences that bolster expertise. Professionals must adapt swiftly in industrial cybersecurity’s complex landscape, ensuring critical infrastructure protection from myriad cyber threats.
Defending digital frontier: ICS and OT security threats
Industrial Cyber reached out to experts to evaluate the key challenges and threats faced by industrial cybersecurity professionals in securing ICS and OT systems within today’s increasingly interconnected digital environment.
Tim Conway, technical director of ICS and SCADA programs at SANS, told Industrial Cyber that increased interconnectivity and interdependence add to the complexity of achieving appropriately balanced cybersecurity controls. “However, I believe the unique challenges facing practitioners in the ICS/OT domain is the need to understand how the digital elements are used within the engineered process.”
“The main challenge to securing most OT/ICS environments today is the lack of awareness and support,” Mike Holcomb, a cybersecurity fellow and ICS/OT cybersecurity global lead for Fluor, told Industrial Cyber. “Since the Colonial Pipeline incident (May 2021), the field has seen a significant increase in awareness around the need for OT security, but some environments are still just now realizing it is something that needs to be addressed.”
At the same time, Holcomb identified that most environments (simply based on their limited size) don’t have the resources (e.g., budget, people, time) to secure their OT networks.
M. Yousuf Faisal, founder at Securing Things Limited, said that the key challenges faced by ICS/OT environments include a shortage of talent pool readily available with a combined skill of expertise across OT process/industry-specific knowledge and the cybersecurity domain. Now, couple that with a highly fast-paced emerging technology use and ever-changing threat landscape, and there is a bigger problem to deal with.
He added that the lack of resources that have a complete understanding of the end-to-end OT operations lifecycle due to a siloed working environment. He also cited undefined shared responsibility and lack of understanding in terms of relationship to safety, availability, and reliability needs.
Noting that threats vary by industry, with some having unique exposures and scale, Faisal said the common ones are protection of legacy systems (mostly designed for functional or safety perspective); lack of network segmentation, network traffic control, and visibility in terms of assets, data flow, activities, threats and vulnerabilities; insecure remote access practices, lack of access control separation between IT and OT; and other challenges include but not limited to, uncontrolled use of transient devices, like lack of configuration.
Skills and certifications to launch industrial cybersecurity career
The executives highlight typical entry points into an industrial cybersecurity career and backgrounds that are most common (e.g., IT, engineering, or operations). They also detail specific certifications or training programs that are highly valued in the industrial cybersecurity field.
“Each of us has our own story on what brought us into this field and why we stay in it,” Conway said. “I have worked with some amazing system operators who were zoology majors, control technicians who were mechanics, and some of the most impactful leaders in this community who came from political science backgrounds.
Conway thinks the “biggest mistake we can make is to insist that everyone needs to follow the same path or learn the same way.”
He noted that there are so many focus areas across the ICS/OT cybersecurity world now that he believes there is a role for everyone and that all can equally teach and learn from one another. “Find a great organization with a great leader and don’t look back.”
Holcomb identified that IT cybersecurity and OT roles (e.g., engineering, automation, maintenance) are the two main entry points into OT cybersecurity.
He added, “While we previously saw an even split between IT cybersecurity and OT people come into the field, we now see proportionately more IT cybersecurity professionals moving into OT cybersecurity.”
“The two main certification programs which exist today are the ones from ISA and SANS,” according to Holcomb. “The ISA training, provided across four courses and exams, results in those that complete the program receiving the unfortunately named ‘ISA/IEC 62443 Cybersecurity Expert’ certification. SANS offers three classes with certifications including the GRID course from Rob Lee. GRID is the most valued from an OT cybersecurity perspective as it teaches students practical steps on how to defend OT networks unlike any other course.”
Faisal detailed two types of roles that are most seen transitioning into industrial cybersecurity. These include people with an IT security background working in an industrial environment who have been given or expected to support OT security for the industrial operations and automation professionals who learn and transition to take ownership of security activities. Others are fresh graduates and/or people from other industries.
“There are several options available for getting trained/certified now (both free and commercial) to get trained – unlikely a few years ago,” he added. “One aspect that may be overlooked is a number of non-security trainings that could eventually help one getting better at OT security and that is on – how industrial processes, systems and components works.”
Career path diversity of industrial cybersecurity professionals
The executives describe the diverse roles of industrial cybersecurity professionals, such as OT security analysts, ICS security engineers, and industrial cybersecurity consultants, and clarify how their responsibilities vary.
“In my experience, this community has gone through decades of dynamic changes to job roles and scope with ever-expanding responsibilities, meanwhile maintaining very loosely aligned job titles,” Conway said. “In addition, I think the degree of severity in my previous statements is more intense for small entities with little resources and more focused and possibly restrictively defined in silo’s for the extremely large organizations. Meaning an ICS security engineer for a small entity may have an accurate job description of – design, monitor, defend, and recover all of the things that make the things work.”
He added that while the same job title at a large organization may perform a very specific task that is essential to a broader program but have little exposure to other elements of the program. “I think titles are hard and I think they always will be in this community.”
Holcomb notes that job titles in the OT/ICS cybersecurity world aren’t as defined as in other fields, such as IT, so each can mean something different depending on the environment.
“Generally speaking, an OT security analyst role is a general catch-all for someone responsible for any number of OT security tasks, from performing network security monitoring of an OT network to performing OT vulnerability management,” he added. “An ICS security engineer could be seen as a more senior level role for someone with years of experience, including hands-on OT experience in designing and operating control system networks, that is responsible for the design and implementation of a secure OT network.”
Holcomb pointed out that an OT cybersecurity consultant, as a ‘jack of all trades’ could be asked to provide advisory services in the areas in which these roles work.
“OT/Industrial cybersecurity encompasses various specialized roles with distinct responsibilities, reflecting the complexity of protecting OT environments. Role structures vary significantly based on organization structure, size, geography of operations, etc.,” Faisal said.
“For SMBs, professionals typically carry multiple hats in terms of R&Rs, e.g., enterprise CISOs are required to take CISO responsibility for OT environments as well,” he added. “For larger enterprise industrial organizations, often have dedicated teams with specialized roles and may create full-fledged joint cybersecurity governance steering committees comprised of both factory automation, risk management and IT personnel, with the automation group taking the lead with a dedicated OT CISO as well, in addition to IT CISO.”
For asset owners, Faisal said that besides CISOs with OT experience, other typical roles are OT security architects, OT security advisors/consultants, OT security practitioners, OT GRC, OT security analyst/specialist, OT security engineers, OT security system admins, OT network security specialist, OT security pen-testers and OT incident responders.
For service providers (managed or Sis), he mentioned OT field CISOs, OT security advisors/consultants, OT security architects, and other similar roles as highlighted for asset owners above are available. “These roles are either consultative, strategy, discovery/assessment or design/architecture focused, and or specialized for Security operations (OT SecOps). There are several government-level competence frameworks available from the US, EU, SG, and other cybersecurity agencies that one can refer to understand the environments better.”
Bridging gap as IT professionals transition to industrial cybersecurity
The executives focus on professionals with an IT cybersecurity background to address the need for additional skills and knowledge to transition into industrial cybersecurity professionals. Furthermore, they explore how professionals can stay updated with the latest threats, tools, and best practices in this rapidly evolving field.
Conway said that identifying where each person excels, contributes, and has a desire to pursue development interests are extremely important factors in navigating someone through various stages of their work. “This is definitely a field where you need to enjoy being a continuous learner, if you do not have a strong desire for learning new things or if you feel like you are an SME in all things ICS and your knowledge cup is already full with little to gain from other perspectives; then I think you may not find much joy working in this field, you may be successful but not love it.”
He added that for those who are looking to learn and grow, there are so many people and resources across the community that can provide a path – formal training, webcasts, whitepapers, conferences, summits, free resources, and plenty of opportunities to challenge everyone to give back.
“For those with an IT cybersecurity background, the ability to think like an engineer and understand how control systems engineering works is absolutely required to succeed in industrial cybersecurity,” Holcomb said. “While there are many similarities between IT and OT cybersecurity, it is vital to understand where both are different and HOW they are different. This is necessary to ensure safety in our environments and continued operations. Unfortunately, the OT/ICS community and associated resources for staying current are limited, which is one of the reasons I post on LinkedIn and YouTube.”
He added that there are some great resources to keep current, such as the various ISACs, including Dragos’ own OT-CERT for environments with limited resources and Dan Ricci’s ICS Advisory Project. “Podcasts are another way that everyone can learn about different aspects of OT/ICS cybersecurity from other practitioners.”
“It starts with learning the fundamentals of OT environments, understanding the industrial automation stack (Cloud, ERP, MES, SCADA/DCS, HMI, PLC, Edge, Sensors) and physical equipment and OT processes and then build on the OT security concepts while understanding the difference in terms of principles of security for OT vs. IT Security,” Faisal said. “Make your automation expert in the OT department a friend to learn on things work on plant floor. YouTube university, attending webinars, ICS/OT focused conferences, and free and paid training and certifications (online and in-person) are a definite must in the process. Best bet is to learn by doing whether in a lab environment and or while on the job.”
He noted staying updated on the latest trends in OT security through continuous learning. This can be achieved by exploring published content with a specialized focus on OT security available on social platforms, subscribing to newsletters, attending conferences, and engaging in professional networking.
Power of mentorship and networking in industrial cybersecurity
The executives examine key milestones and career development trajectories for industrial cybersecurity professionals. They also investigate how mentorship, networking, and participation in professional organizations can play a pivotal role in advancing careers within this specialized field.
“I think they are the most important tools we have,” Conway said. “Training and the ability to pass on lessons learned and sharing of experiences all help to make us stronger as practitioners. How do we do each of those things with certainty and measured outcomes is a tougher question to answer, but we are ferociously trying.”
Holcomb pointed out that the progression path in OT cybersecurity can look very similar to that of IT cybersecurity. “For the first few years, an individual would be considered entry-level as they begin to gain not only OT cybersecurity knowledge but experience working in an industrial setting. After a few years, team members are considered more senior members as they continue to increase their knowledge and skillsets. After a few more years, individuals tend to become much more specialized in the field or move into a management role.”
He added that networking, mentors, and participating in professional organizations can help individuals grow in every aspect of their career. “While there is a flood of resources in IT cybersecurity, limited resources in OT cybersecurity make these resources exponentially more valuable and critical to someone’s individual growth and success.”
“Joining professional bodies, industry associations, standards committees, network with peer and senior professionals, influencers, identifying mentors and following latest trends in the market, will surely put you on a path to advancing your skills and boosting career opportunities,” according to Faisal. “Organisations and individuals alike now need strong mentorship programs to facilitate knowledge transfers of technical and leadership skills to tackle OT security challenges and threats.”
