While the debate rages on over an infrastructure bill aiming to shore up aging, ailing, and unsecured infrastructure, utility companies are looking for ways to stop the hemorrhaging now. Breaches like the one at Colonial Pipeline clearly demonstrate how cyberattacks are having widespread and real-world impacts on the industry.
"Even with significant funding, it will be a substantial undertaking to modernize and secure even just the electricity sector, let alone all of the utility sector," says Tony Cole, CTO at Attivo Networks and a former executive at FireEye, McAfee, and Symantec.
The energy industry, specifically, is also battling on another critical front, says Paul DeCotis, senior director of energy and utilities at consultancy West Monroe.
"With increased threats to energy industry operations and assets, some with potentially very serious consequences, the industry is challenged to find security and privacy professionals and also challenged to retain the people they have as the war for talent continues," he says.
Whether hiring new cybersecurity staff or upskilling those already on board, specific skills rank high on this industry's most-wanted list. Those looking to join the fight might want to polish up or acquire some (or all) of these hottest skills on the market.
1. Working Knowledge of the Energy Industry
Securing environments in the energy sector requires a "significantly different skill set" than those used in other industries to secure email servers, file-sharing devices, and browsers, says Brian Romansky, chief innovation officer at Owl Cyber Defense. Industry CISOs are looking for people who possess an understanding of how the operational technology (OT) environments of plants, pipelines, substations, refineries, etc., work, he says. They're also seeking to hire people with experience in securing digital control systems, SCADA systems, and digital sensors/monitors and operational systems, such as pumps, valves, and actuators.
The ideal candidate "understands how industrial protocols like Modbus, OPC, DNP3, etc., work, the devices they support, what they need to connect to [and not connect to] – and the associated risks," Romansky says.
2. Embedded Systems Skills
Ron Brash, director of cybersecurity insights at Verve Industrial, points to a huge and growing skills gap related to properly securing or assessing embedded systems.
"This is truly dangerous because the majority of systems in OT/ICS are embedded – not Windows or commodity equipment such as … routers," he says. "And yet we keep deploying them knowing compensating controls are getting harder to apply with the advent of 5G, LTE, and IoT/IIoT that bypass traditional controls such as firewalls."
Attacks on embedded systems in critical infrastructure are common but often kept out of the news. One example is the attack on the Oldsmar, Fla., water supply in which a hacker changed the settings on the system to "briefly increase the amount of sodium hydroxide, also known as lye, by a factor of more than 100," according to Pinellas County Sheriff Bob Gualtieri in a Tampa Bay Times news report.
"A plant operator was monitoring the system at about 8 a.m. Friday and noticed that someone briefly accessed it. He didn't find this unusual, Gualtieri said, because his supervisor remotely accessed the system regularly," according to the report.
3. Understanding of Data Flows
CISOs are also looking for cybersecurity professionals who understand the energy sector's data and data flows, Romansky says. More specifically, they should:
- Understand the data that third parties require to fulfill support agreements, perform analytics, monitor duty cycles, etc., and have knowledge of historian industrial applications like OSIsoft and Aveva.
- Understand the data needs of external data consumers and securely provide the required operational data.
- Have military or government agency cybersecurity experience, as "they are trained in how to defend against nation-state attacks using a variety of technologies, including cross-domain solutions," Romansky says.
4. Deep Familiarity With Critical Infrastructure Cybersecurity Regulations
Lila Kee, GlobalSign's general manager for the Americas and a former board member of the North American Energy Standards Board, says a strong familiarity with federal, state, and foreign regulations and federal guidance – such as Presidential Policy Directive 21 and the National Infrastructure Protection Plan (NIPP) Energy Sector-Specific Plan from 2015 – affecting the energy sector is a strong plus given the industry's many security and compliance requirements.
Another big advantage for security pros is the ability to implement a software bill of materials (SBOM) per President Biden’s Executive Order 14028, which essentially "prevents bad software from being installed, where it can carry out its intended harm," she says.
5. The Ability to Work Backward
Security experts expect a marked rise in infrastructure crises and continued disruptions, "whether they are caused by severe weather such as the Texas freeze or a cyberattack like that on the Colonial Pipeline," says Dustin Radtke, chief technology officer for OnSolve.
So it's imperative, he says, that security pros in the energy industry are "well-versed in the specific risks posed to their organizations. [By] understanding the most vulnerable areas of the organization or the areas that would be most impacted during a crisis, [security teams can then] work backward to refine the threats they are monitoring and how they are doing so."
This type of "informed, purposeful input allows for more actionable and relevant output" in terms of risk intelligence and crisis management, Radtke adds.
6. Updated Tech Skills
Of course, the industry is also turning to technologies, particularly those fueled by artificial intelligence, to fill the staffing gaps. Those technologies, in turn, require security teams to understand how to use them properly.
According to Shawn Wallace, vice president of energy at IronNet Cybersecurity, there is similar demand for tech know-how in deploying behavioral detection technology. Real-time collective defense is another must.
"Collective defense allows security teams across a sector to work together and collaborate in real time," he says. "This speeds up time to detection while making better use of existing resources, thus allowing companies to increase their defensive posture more quickly."
7. Strong Project Management and 'Old Tech' Skills
The energy industry tends to run on antiquated, legacy systems, such as operating systems that are no longer supported by their manufacturers. Security professionals with the skills to secure legacy tech while also championing more secure upgrades are in hot demand.
"Given the amount of legacy hardware and software in use at many of these companies, they must look for security personnel with strong project management and leadership skills with a forward-looking vision to drive new initiatives," says Morten Brøgger, CEO at Wire, a secure messaging platform. "There is no shortage of tools available in the market, but they need strong leaders to make proper use of them."
If you don't have all or even many of the hottest sought-after skills in this sector, fear not. With so much at stake, energy companies may be willing to bring your existing skills up to speed.
Dr. Jo Webber, formerly CEO of cybersecurity company Spirion and of Emerson's Energy Solutions International, a software provider for many of the world's major pipeline operators, notes the seriousness of the new frontline, even as it resembles the old one.
"Once a former Secretary of Energy to the US government asked me if there was a way to detect a person getting close to a pipeline," she says. "We were thinking terrorists with bombs at that time. But the Russian attack on the Colonial Pipeline is the same kind of threat. There are a handful of major pipelines crossing the country and taking gas from Texas to the Northeast. If those major trunk lines go down in the middle of winter, it could be catastrophic."