workforce development for ics security agenda: cross cutting challenge … · 2012-12-17 ·...


Upload: dangmien

Post on 18-Jul-2018


Workforce Development for ICS Security

Agenda:

Item 1

Item 2

etc...

1

• Cross cutting challenge shared by asset owner & supplier

• Spans professional training to simple awareness

• No identified pipeline to recruit from and invest in

- Few educational programs in cyber or engineering

• ICS security & modernization efforts require:

- Integration of cyber security and engineering

Specific Challenges


• Definition of cyber functional roles

- Competency maps (task execution level)

• Identification of ICS engineering touch points

• Integration of skills through mission oriented teams

- Common/effective language

- Operations consideration of cyber into procedures

- Design & planning considering cyber

- Maximize constructive overlap

- Avoid competitive overlap

• Aging power infrastructure

• Difficulty scaling the cybersecurity workforce

• Retire crucial engineering & operations knowledge

• Including workforce measures into models

• Identified as a risk to reliability

Challenge facing the North American Power Grid: Vast and Ever Growing Cyber-Attack Surface

Electric Sector Challenges

• Smart Grid - emerging technologies

• Security Ops - poorly defined

• Skills and operational job roles - poorly defined

• Education and training - does not conform to OT/Smart Grid applications

• Methods for assessing OT competency - inadequate

• Limited experience applying cybersecurity practices to OT systems

Foundational support for Grid modernization

• Purpose: Develop a competency model

• Contributes to Department of Energy’s efforts to develop a competency model

• Explores assessment methods

• Identifies unique skill sets

• Provides foundation for ongoing efforts to transform and develop the workforce

• Who: Operational security teams

• How: Assessment of skills

• Verify: A measurement model for:

- Knowledge

- Skills

- Abilities

DOE Mandate: A Competency Model for Smart Grid Cybersecurity Specialists

SGC Panel Workflow

Subject Matter Expert Panel and Advisory Group (Phase I)

Panel Officers

• Chair - Justin Searle, UtiliSec

• Vice Chair - Scott King, Sempra Energy

Advisory Group

• John Allen - IEIA Forum

• Joel Garmon - Former FPL

• Dr. Emannuel Hooper - Global Info Intel & Harvard Univ.

• Bill Hunteman - Former DoE

• Jamey Sample - PG&E

Panel Members

• Lee Aber - OPower

• Sandeep Agrawal - Neilsoft Limited

• Bora Akyol - PNNL

• Andres Andreu - NeuroFuzz, LLC

• Balusamy Arumugam - Infosys

• Chris Blask - AlienVault

• Andy Bochman - IBM

• Jason Christopher - FERC

• Art Conklin - University of Houston

• Benjamin Damm - Silver Springs Network

• Anthony David Scott - Accenture

• Steve Dougherty - IBM Global Technology Services

• Ido Dubrawsky - Itron

• Michael Echols - Salt River Project

• Dr. Barbara Endicott-Popovsky - University of Washington

• Cliff Eyre - PNNL

• Maria Hayden - Pentagon

• Charles Reilly – Southern California Edison

• Craig Rosen - PG&E

• Scott Saunders - SMUD

• Chris Sawall - Ameren

• Paul Skare - PNNL

• Clay Storey - Avista

• Dan Thanos - GE Digital Energy

• Kevin Tydings - SAIC

• Don Weber - InGuardians

• Mike Wenstrom - Mike Wenstrom Development Partners

• Nic Ziccardi - Network & Security Technologies

Panel Member Representation

Smart Grid Consultant

Government

Electric Utilities

Research Organizations

Electricity Industry Vendors

Smart Grid Cyber Security Specialist Certification

1. Job Definition and Competency Analysis

2. Aptitude Assessment

3. Instructional & Simulation Design

4. Proficiency and Performance Assessment

5. Professional Development Plans

6. Ongoing Performance Support & Simulation

Challenge: Approach:

Phase I Results: Work:

Background: The Process:

NBISE facilitates SMEs in a three-step process:

- Phase 1: Job Definition

- Phase 2: Critical Incident Analysis

- Phase 3: Assessment Item Development

This suite of capabilities includes:

• Vignette driven elicitation

• Collaboration tools

• Performance measurement

• Task characterization

• Role identification

• 109 Initial cybersecurity “Vignettes” (attack/protect events)

• 13 Master Vignettes were condensed from initial vignettes

• 82 Job Responsibilities were defined and analyzed

• 44 Job Roles were identified; 3 selected for task analysis

• 147 Activities were defined

• 108 Job Goals were defined and classified

• 516 Job Tasks were defined and analyzed

• 9,374 JAQ task evaluations to date

The North American electric grid is challenged by a vast and ever-growing cyber-attack surface. This challenge is complicated by aging power infrastructure and the lack of a viable cybersecurity workforce. To begin addressing these challenges, US DOE awarded a project to PNNL in partnership with the NBISE to develop a set of guidelines to enhance the development of the smart grid cyber security workforce and provide a foundation for future certifications. This is the first comprehensive analysis of Smart Grid cybersecurity tasks.

What is a Vignette?

A collection of:

• a critical incident title or description

• when the incident occurs (frequency and/or action sequence)

• what happens during the incident (problem or situation)

• who is involved (entities or roles)

• where the incident might happen, now or in the future (systems or setting)

Further definition of a vignette might include:

• why it is important (severity or priority of response)

• how the critical incident is addressed (method or tools that might be used)

Elicitation Tools and Methods

Example JAQ survey questions

SGC JAQ Survey Initiative

Sample SGC Critical-Differentiation Matrix

Axes: Task Criticality, Task Differentiation

Quadrant 4: Differentiating

9627: Implement vulnerability mitigations in accordance with the plan to include patches or additional security controls.

9625: Assess the risk ratings of the vulnerability based on the technical information and how the technology is deployed and the importance of the systems.

9129: Review known intrusion Tactics, Techniques, and Procedures and observables to assist in profiling log events and capture event information that may relate to known signatures.

Quadrant 2: Esoteric

9421: Verify Network Time Protocol server is using Universal Time Code format to avoid time zone issues.

9397: Develop a schedule for testing elements of the incident response plan and organizations involved in the process.

9307: Collect issues to identify trends with particular vendors or manufacturers.

Quadrant 3: Fundamental

9878: Minimize spread of the incident by ensuring contaminated systems cannot communicate to systems outside of the network boundary.

9117: Identify and filter-out false positives; if determined to be an incident, assign to incident handler.

9701: Monitor all systems that were suspected or confirmed as being compromised during an intrusion/incident.

Quadrant 1: Inhibiting

9858: Review best practices and standards documentation to determine appropriate configuration settings.

9848: Develop a process by which staff must acknowledge they have read and understand all applicable policies and procedures.

9141: Analyze market options for Security Event and Information Management tools.

Key Findings & Implications

The Smart Grid field is emerging, and its processes and procedures are yet to be defined and documented. Because smart grid specific tools are lacking, cybersecurity practitioners are in the process of applying traditional practices to the Smart Grid environment.

Vignettes are an essential tool for competency modeling.

Smart Grid cybersecurity education and training should focus on methods and behaviors.

Emphasized the value of simulation-based practice to develop skill.

Need for better understanding of the interrelationship of job roles in team performance during incident response.

Incident Response Specialist

Intrusion Analyst

Security Operations Specialist

71 Job Responsibilities

Developed in SGC Phase I

11 Job Responsibility Areas

Certifications, NICE, Training & Education, ES-C2M2

Mapping Exercises*

*Mapping exercises will help provide understanding of how certifications, NICE framework, ES-C2M2 framework, and training & education program topics align with the job responsibilities identified in SGC Phase I.

Phase II effort

ICS Security Workforce Resources


• ICS JWG – Workforce Development WG

• DOE project for the electricity sector

• Training not targeted by audience (clumped by domain)

• Little alignment with job performance (info domains)

• Virtually no overlap for available certification domains

• Coordination is important