In my last post I introduced Malcolm Gladwell’s Capitalization of Talent concept and concluded that the capitalization rate of SCADA security talent in the control system community rate is low. Here are some reasons why in no particular order:
- Security 101 is dull – All too many control systems are at the point where they need to get security patching, user management, anti-virus updates, firewall rulesets, hardened configurations, … under control. This is important, but not exciting work. A lot of the ‘excitement’ in the first couple of years with a new client is more related to the personal and personnel issues of getting understanding, buy-in and huge initial improvement in the security posture rather than any cool technical work. [Also seeing the process being controlled can be very cool] It is in years 3+ when the challenging and fun technical work gets started. We would have a tough time keeping our technical talent if we didn’t have longer term clients far along the security curve and research projects to go along with the assessment work.
- Security talent is not valued – Many of the skills that would make one talented in cyber security also can be applied to other control system endeavors. People will tend to focus on what is rewarded. There are exceptions with passionate people, but they are a happy exception.
- Little sense of community, peers, training – There are now a number of SCADA security 101 events, guideline documents, webcasts, etc. But the talent we need is going to become quickly past this and bored with it. It is still necessary because the majority has not grasped and implemented 101 level security. However I’m still surprised at how little advanced work is out in the public after ten years in the SCADA security world. It is why we started our SCADA Security Scientific Symposium [S4]. If you are potential talent in an asset owner or vendor, you are going to have to be a trailblazer because there are not the groups discussing advanced topics that you can learn from and work with . . . yet.
I will say that there are huge opportunities for interesting and important security work in control systems. We have a surplus of interesting and practical research work we want to do as a consulting and research practice. If I was working for an owner/operator I’d really be focusing on highly customized anomaly detection, forensics, and more granular and stronger authentication.