How to Better Train Your Automation Engineers on ISA/IEC 62443 – International Society of Automation

The Colonial Pipeline attack exposed an ongoing problem facing the nation's critical infrastructure: a gap in the cybersecurity workforce. Future wars will no longer be traditional, and the country needs to be prepared on both the defensive and offensive sides, which starts by addressing this shortage. Our problem statement, then, becomes a lack of cybersecurity resources.

Due to an increase in demand for cybersecurity services, several companies, including government organizations and multinational companies that provide cybersecurity consulting and implementation services, started hiring candidates, which resulted in a resource crunch and a need to increase budget for hiring. Companies that didn't get the right candidate started contracting services from these consulting companies.

Many companies and organizations are running their cybersecurity projects with the help of third-party consulting and service support. This has escalated the economic impact and data security impact on these companies.

Every critical infrastructure industry, whether it is oil & gas, power utility, grid, food processing, manufacturing, etc., has adequate manpower for automation or engineering. They have shift engineers for operation, maintenance engineers for maintenance, and project engineers for ongoing or future projects.

The key is to train and upgrade, but how? They are already working, and cybersecurity is not their domain. ISA/IEC 62443 has provided a solution, and in this standard, there are seven functional requirements:

These seven areas are easy to train. These are technical controls, and our industrial engineers are very good at learning technical skills. If they are good at operating a complex system and monitoring critical parameters minute-by-minute to keep them within safe limits, we should trust them to take care of cybersecurity as well. Often, organizations turn to information technology (IT) teams for cybersecurity of operational technology (OT). However, there are many benefits to training industrial engineers for OT cybersecurity, including:

A trainer or online course is the first step to providing background knowledge hands-on, which, in my opinion, is the best way to learn anything. First, we need to figure out our environment, and then, depending on our security requirements, we can curate courses for engineers. We can start with basic technologies, such as:

As a very high-level explanation of solutions, basic controls training can be provided to all industrial engineers that require it, so that in case of emergencies they know what is expected of them and what needs to be done. Specialized training can also be provided to engineers so that a resource pool of skilled cybersecurity engineers can be further developed. This process will take some time, but this is a long-term solution. Attrition might be there in the short term, but these processes and an increased development of a cyber-aware culture will compensate for that.
