workforce development for ics security agenda: cross cutting challenge … · 2012-12-17 ·...
Workforce Development for ICS Security
• Cross cutting challenge shared by asset owner & supplier
• Spans professional training to simple awareness
• No identified pipeline to recruit from and invest in
- Few educational programs in cyber or engineering
• ICS security & modernization efforts require:
- Integration of cyber security and engineering
Specific Challenges
• Definition of cyber functional roles
- Competency maps (task execution level)
• Identification of ICS engineering touch points
• Integration of skills through mission oriented teams
- Common/effective language
- Operations consideration of cyber into procedures
- Design & planning considering cyber
- Maximize constructive overlap
- Avoid competitive overlap
• Aging power infrastructure
• Difficulty scaling the cybersecurity workforce
• Retire crucial engineering & operations knowledge
• Including workforce measures into models
• Identified as a risk to reliability
Challenge facing the North American Power Grid: Vast and Ever Growing Cyber-Attack Surface
Electric Sector Challenges
• Smart Grid - emerging technologies
• Security Ops - poorly defined
• Skills and operational job roles - poorly defined
• Education and training - does not conform to OT/Smart Grid applications
• Methods for assessing OT competency - inadequate
• Limited experience applying cybersecurity practices to OT systems
Foundational support for Grid modernization
• Purpose: Develop a competency model
• Contributes to Department of Energy’s efforts to develop a competency model
• Explores assessment methods
• Identifies unique skill sets
• Provides foundation for ongoing efforts to transform and develop the workforce
• Who: Operational security teams
• How: Assessment of skills
• Verify: A measurement model for:
- Knowledge
- Skills
- Abilities
DOE Mandate: A Competency Model for Smart Grid Cybersecurity Specialists
Subject Matter Expert Panel and Advisory Group (Phase I)
Panel Officers
• Chair – Justin Searle, UtiliSec
• Vice Chair – Scott King, Sempra Energy
Advisory Group
• John Allen – IEIA Forum
• Joel Garmon – Former FPL
• Dr. Emannuel Hooper – Global Info Intel & Harvard Univ.
• Bill Hunteman – Former DoE
• Jamey Sample – PG&E
Panel Members
• Lee Aber - OPower
• Sandeep Agrawal - Neilsoft Limited
• Bora Akyol - PNNL
• Andres Andreu - NeuroFuzz, LLC
• Balusamy Arumugam - Infosys
• Chris Blask - AlienVault
• Andy Bochman - IBM
• Jason Christopher - FERC
• Art Conklin - University of Houston
• Benjamin Damm - Silver Springs Network
• Anthony David Scott - Accenture
• Steve Dougherty - IBM Global Technology Services
• Ido Dubrawsky - Itron
• Michael Echols - Salt River Project
• Dr. Barbara Endicott-Popovsky - University of Washington
• Cliff Eyre - PNNL
• Maria Hayden - Pentagon
• Charles Reilly – Southern California Edison
• Craig Rosen - PG&E
• Scott Saunders - SMUD
• Chris Sawall - Ameren
• Paul Skare - PNNL
• Clay Storey - Avista
• Dan Thanos - GE Digital Energy
• Kevin Tydings - SAIC
• Don Weber - InGuardians
• Mike Wenstrom - Mike Wenstrom Development Partners
• Nic Ziccardi - Network & Security Technologies
Panel Member Representation
Smart Grid Consultant
Government
Electric Utilities
Research Organizations
Electricity Industry Vendors
Smart Grid Cyber Security Specialist Certification
1. Job Definition and Competency Analysis
2. Aptitude Assessment
3. Instructional & Simulation Design
4. Proficiency and Performance Assessment
5. Professional Development Plans
6. Ongoing Performance Support & Simulation
[Panel headings: Challenge; Approach; Phase I Results; Work; Background; The Process]
NBISE facilitates SMEs in a three-step process:
- Phase 1: Job Definition
- Phase 2: Critical Incident Analysis
- Phase 3: Assessment Item Development
This suite of capabilities includes:
• Vignette driven elicitation
• Collaboration tools
• Performance measurement
• Task characterization
• Role identification
• 109 Initial cybersecurity “Vignettes” (attack/protect events)
• 13 Master Vignettes were condensed from initial vignettes
• 82 Job Responsibilities were defined and analyzed
• 44 Job Roles were identified; 3 selected for task analysis
• 147 Activities were defined
• 108 Job Goals were defined and classified
• 516 Job Tasks were defined and analyzed
• 9,374 JAQ task evaluations to date
The North American electric grid is challenged by a vast and ever-growing cyber-attack surface. This challenge is complicated by aging power infrastructure and the lack of a viable cybersecurity workforce. To begin addressing these challenges, the US DOE awarded a project to PNNL, in partnership with the NBISE, to develop a set of guidelines to enhance the development of the smart grid cybersecurity workforce and provide a foundation for future certifications. This is the first comprehensive analysis of Smart Grid cybersecurity tasks.
What is a Vignette?
A collection of:
• a critical incident title or description
• when the incident occurs (frequency and/or action sequence)
• what happens during the incident (problem or situation)
• who is involved (entities or roles)
• where the incident might happen, now or in the future (systems or setting)
Further definition of a vignette might include:
• why it is important (severity or priority of response)
• how the critical incident is addressed (method or tools that might be used)
Elicitation Tools and Methods
Sample SGC Critical-Differentiation Matrix
(Axes: Task Criticality, Task Differentiation)
Quadrant 4: Differentiating
- 9627: Implement vulnerability mitigations in accordance with the plan to include patches or additional security controls.
- 9625: Assess the risk ratings of the vulnerability based on the technical information and how the technology is deployed and the importance of the systems.
- 9129: Review known intrusion Tactics, Techniques, and Procedures and observables to assist in profiling log events and capture event information that may relate to known signatures.
Quadrant 2: Esoteric
- 9421: Verify Network Time Protocol server is using Universal Time Code format to avoid time zone issues.
- 9397: Develop a schedule for testing elements of the incident response plan and organizations involved in the process.
- 9307: Collect issues to identify trends with particular vendors or manufacturers.
Quadrant 3: Fundamental
- 9878: Minimize spread of the incident by ensuring contaminated systems cannot communicate to systems outside of the network boundary.
- 9117: Identify and filter-out false positives; if determined to be an incident, assign to incident handler.
- 9701: Monitor all systems that were suspected or confirmed as being compromised during an intrusion/incident.
Quadrant 1: Inhibiting
- 9858: Review best practices and standards documentation to determine appropriate configuration settings.
- 9848: Develop a process by which staff must acknowledge they have read and understand all applicable policies and procedures.
- 9141: Analyze market options for Security Event and Information Management tools.
Key Findings & Implications
The Smart Grid field is an emerging field, and its processes and procedures are yet to be defined and documented. It is clear that, due to the lack of Smart Grid specific tools, cybersecurity practitioners are in the process of applying traditional practices to the Smart Grid environment.
Vignettes are an essential tool for competency modeling.
Smart Grid cybersecurity education and training should focus on methods and behaviors.
Emphasized the value of simulation-based practice to develop skill.
Need for better understanding of the interrelationship of job roles in team performance during incident response.
Job roles: Incident Response Specialist; Intrusion Analyst; Security Operations Specialist
71 Job Responsibilities developed in SGC Phase I
11 Job Responsibility Areas
Mapping Exercises*: Certifications; NICE; Training & Education; ES-C2M2
*Mapping exercises will help provide understanding of how certifications, NICE framework, ES-C2M2 framework, and training & education program topics align with the job responsibilities identified in SGC Phase I.
Phase II effort
ICS Security Workforce Resources
• ICS JWG – Workforce Development WG
• DOE project for the electricity sector
• Training not targeted by audience (clumped by domain)
• Little alignment with job performance (info domains)
• Virtually no overlap for available certification domains
• Coordination is important