One of the topics we tackled in a panel at the Asia ICS Cyber Security Conference last week in Singapore was how best to grow the Operations Technology (OT) Security workforce. Early in his conference introduction Dan Ehrenreich showed a diagram similar to above with a small population in the intersection of the IT / IT Security and Operations skill sets.
In a way this is an extension of the classic IT or Operations discussion. If you want to grow an OT and OT Security team, is it more productive to teach IT and IT Security people about Operations and Automation? Or is it more productive to teach people in Operations the required IT and IT security skills?
First, let’s not be absolute. Both approaches can work with the right individuals, and if you are developing an OT / OT Security team of any size you will want a mix of backgrounds. That said, which approach is likely to be more successful?
I faced this challenge for over a decade when I was growing an ICS (or OT) Cybersecurity Consulting Practice. Based on that experience, I’m convinced that there is a much greater chances of success recruiting from one side than the other, and it comes down to the most basic risk equation.
Risk = Consequence x Likelihood
If you need someone to reduce the likelihood of compromise, which is the case for most OT security hires today, then you will have a much greater chance of succeeding if you hire someone with an IT security background. Why?
1. The most important reason is an IT security professional wants to work on securing applications, computers, devices, and networks; wants to work in information security. Many of the best candidates for OT Security from the Operations side studied hard to be engineers or to understand the process that is being controlled and monitored. Yes, they are smart and can learn quickly what is necessary do a great job in OT security, perhaps even better than someone coming from IT security. However most often they didn’t study or desire to do this work.
2. We found we could quickly train an IT security professional to be very useful in securing OT. We could pair them with someone who understood OT and OT security well, a seasoned pro, and the IT security professional could be of use from day one. After a few engagements to learn the culture, the language, the different types of risks, what not to do, not to feign process expertise, and how to communicate effectively with Operations, they were settled into the OT Security intersected set.
3. The skill set required to secure OT is much more IT than Operations. The person from Operations will either have been self taught IT skills, and we saw this in many brilliant engineers who just learned whatever was required to solve problems in the system, or will need to study to gain IT and IT security knowledge. This trend to OT incorporating more of IT continues to grow. For example, installing and maintaining a virtual environment is quickly becoming a must have OT skill.
Now when you look at the oft neglected Consequence side of the risk equation, someone from Operations is typically far superior. It is going to be very expensive, if even possible, to teach an IT security professional the engineering and process knowledge to make judgements about consequence reduction. IT security people can be helpful in asking “what if” questions regarding the loss of integrity or availability of a cyber asset, but the same people that performed the safety and protection studies are the one’s to answer the what if questions.
Looking into the future, the IT / OT debate will fade away. I’d argue it is already over. IT won; it just hasn’t been realized or accepted yet by many organizations. Now that executive management is becoming aware of the cyber risk related to their ICS. They expect their CIO and CISO to manage this risk like they do any other cyber components in the company. There will be specialized IT teams to deal with OT, just like there are specialized teams for ERP, data centers and other high value and specialized cyber assets.
The more interesting intersection will be where the engineers who know consequence reduction meet the IT/OT security professionals who know likelihood reduction to come up with the effective risk mitigation and management.