Whether they work in a water treatment plant or run the infrastructure for an energy company, network managers need training in the right skill sets to avoid cyber-attacks. Many options exist for technologists to address the cybersecurity skills gap in the Industrial Internet of Things (IIoT).
“There is no one-size-fits-all guideline for the skills and staff required to effectively and (equally important in the real world) efficiently secure an industrial system,” says John Pescatore, director of emerging security trends at the SANS Institute. “The overall maturity of IT operations and governance is a huge driver.”
Pescatore adds that “sloppy IT administration is the biggest driver behind most security incidents.”
Here are five tips on acquiring the skills needed in an IIoT environment:
1) Attend industry conferences
To gain knowledge in IIoT, attend training sessions in industrial control systems at the annual Black Hat conference, recommends Larry Trowell, director at penetration-testing company NetSPI. (Black Hat is owned by the same parent company as Network Computing.)
“It’s a two-day course and the best training I’ve seen for IIoT networks,” Trowell says. “It gives a basic overview and covers how to do passive analysis and wireless and software configurations.”
Become familiar with the operations technology (OT) mindset and architecture, advises Anand Oswal, senior vice president and general manager of network security at Palo Alto Networks. “The OT mindset is all around uptime, safety, and security, and we need to be familiar with that mindset.”
2) Learn how to communicate across IIoT systems and teams
Develop an understanding of the protocols that enable IIoT systems to communicate with each other, Oswal suggests. They include the data communications protocol Modbus, automation communication technology Process Field Bus (PROFIBUS), and OPC, an interoperability standard for secure and reliable data exchange in industrial automation. OPC stands for object linking and embedding (OLE) for process control.
Network managers should also learn Message Queuing Telemetry Transport (MQTT), which enables machine-to-machine (M2M) communication. It provides enhanced authentication with two-way identity confirmation.
“IT leaders who oversee OT systems, they don't understand the protocols and the controls within the factory production environments,” says Juliet Okafor, business information cybersecurity officer at cybersecurity firm RevolutionCyber. “It’s critical for IT leaders to get a better understanding of [remote telemetry units (RTUs)] and other kinds of OT-specific communications protocols.”
Meanwhile, an underrated skill set in IIoT entails communication between the IT and OT or IIoT teams, especially since OT teams can be fractured and decentralized, she says.
“Oftentimes they don't speak the same language, and so the ability to communicate across both groups is critical,” Okafor says.
“Over and over again, it becomes an issue of, if you're on one side of the environment, you need to have a cross-functional understanding of what the other side does so that you can properly secure it,” Okafor says.
3) Study risk assessments and compliance
Know how to conduct risk assessments specific to OT and IIoT, Oswal advises. That entails learning how to identify threats and vulnerabilities.
Also, learn about compliance regulations for IIoT, including the IIoT Safety and Security Protocol, a framework developed by networking experts at the World Economic Forum. The framework bolsters IIoT services using “active hardening processes that can be validated through proven penetration, configuration, and compliance techniques,” the organization states in a white paper.
In addition, the National Institute of Standards and Technology standard NIST 800-207 discusses the core points around zero trust that are relevant to IIoT. The concept involves using a least-privilege approach to verifying connected IIoT devices.
Also, take a look at the ISA 62443 framework from the International Society of Automation. It spells out the requirements and processes for using and maintaining industrial automation and control systems (IACS).
4) Pursue security certifications relevant to IIoT
Consider training certifications from organizations such as the SANS Institute. Pescatore notes that the institute offers six courses in OT/ICS. They include ICS410: ICS/SCADA Security Essentials and ICS515: ICS Visibility, Detection, and Response.
Meanwhile, the ISA Security Compliance Institute (ISCI) also offers certification programs in industrial automation and control technology, including the Component Security Assurance (CSA) Certification, IOT Component Security Assurance (ICSA), and System Security Assurance (SSA) Certification.
Okafor recommends certifications in Security+ and Networking+. Organizations such as CompTIA offer these programs.
She notes that the Global Information Assurance Certification (GIAC) offers industrial control system certifications.
5) Explore industry associations in IIoT
Pescatore also recommends pursuing training at the 27 formal Information Sharing and Analysis Centers (ISACs) organized around sectors such as water and oil and gas. ISACs are nonprofit organizations that enable the private and public sectors to share information on cyber threats to critical infrastructure.
“They’re great resources for guidelines and learning from more experienced security professionals in your sector,” Pescatore says.
He also suggests joining the Forum of Incident Response and Security Teams (FIRST). It has an industrial control systems (ICS) special interest group (SIG). The group explores best practices and the tools needed for incident response and securing critical infrastructure.