Report: training, education needed to address industrial cybersecurity threat

January 30, 2019

Industries across the United States, as well as power plants and other critical infrastructure, face a burgeoning security risk as more and more IP-enabled devices and features are incorporated into their operations.

The emerging Industrial Internet of Things (IIoT) has proven attractive because of cost savings and gains in efficiency, but the trend also means that organizations need to factor in cybersecurity concerns in areas that may – in the past – have been off the radar for their IT and cybersecurity teams. The distinction between information technology (IT) and operational technology (OT) is becoming blurred, and organizations need to respond to this convergence, according to a major industry report released last year.

The report, commissioned by Parsons Corporation, suggests that engineers, technicians, and managers responsible for operational technology (OT) will need to collaborate more effectively with their counterparts in IT and cybersecurity – and build up their own skill sets through training.

In the past, cybersecurity personnel often focused on threats to IT rather than OT, viewing the latter as a closed system without a connection to the outside world – or exposure to hackers. The IIoT changes all that, however.

Today, “millions of connected industrial control systems (ICS), whether an older computer managing a smart HVAC system, or a state-of-the-art wireless meter helping control water flow in a nuclear plant, are the new target for cyber hackers,” Parsons notes in its report.

That means cybersecurity and IT experts need to work together with engineers to secure all the equipment and devices at a facility. But that’s not always happening, the report warns – indeed, the two sets of professionals aren’t always pedaling in the same direction. Findings from the survey “point to an alarming lack of collaboration between engineers, the OT environment experts, and IT experts who typically lead the cybersecurity function.”

“Coupled with dramatic increases in the number of connected devices being added to the OT environment, cybersecurity resilience is weakened by both process and technology hurdles,” Parsons found.

Indeed, 78% of operational technology personnel surveyed by the firm said they were not highly involved in cybersecurity planning for industrial control systems.

How should the problem best be addressed? Parsons offers a number of recommendations, including baking cybersecurity into the design and review process for new and upgraded OT systems, instead of relying on bolt-on solutions, as has often been the case in the past.

The report also stresses the need for training. Engineers who work with OT may be reluctant to take on cybersecurity issues – or collaborate with the IT team in addressing them – because they may not have skills in this area, or may view it as outside their professional scope. Through training and education, they can gain or strengthen their cybersecurity expertise.

“Critical infrastructure organizations must invest in training and education to increase the cybersecurity capabilities of OT engineers and professionals. Training will increase the effectiveness of OT/IT collaboration and help guarantee that OT gets a seat at the table with regard to cybersecurity planning and resource allocation,” the report found.

Are you an engineer or technology professional seeking to add cybersecurity to your skill set? Capitol Technology University now offers online, graduate-level degrees in critical infrastructure, with curriculum that incorporates cybersecurity as one of the major components. The online master’s program, for instance, includes courses in computer forensics and incident handling, malicious software, perimeter protection, and vulnerability mitigation. For more information, contact gradmit@captechu.edu or phone 1-800-950-1992.