7 Powerful Cybersecurity Skills the Energy Sector Needs Most
While the debate rages on over an infrastructure bill aiming to shore up aging, ailing, and unsecured infrastructure, utility companies are looking for ways to stop the hemorrhaging now. Breaches like the Colonial Pipeline clearly demonstrate how cyberattacks are having widespread and real-world impacts on the industry.
“Even with significant funding, it will be a substantial undertaking to modernize and secure even just the electricity sector, let alone all of the utility sector,” says Tony Cole, CTO at Attivo Networks and a former executive at FireEye, McAfee, and Symantec.
The energy industry, specifically, is also battling on another critical front, says Paul DeCotis, senior director of energy and utilities at consultancy West Monroe.
“With increased threats to energy industry operations and assets, some with potentially very serious consequences, the industry is challenged to find security and privacy professionals and also challenged to retain the people they have as the war for talent continues,” he says.
Whether hiring new cybersecurity staff or upskilling those already on board, specific skills rank high on this industry’s most-wanted list. Those looking to join the fight might want to polish up or acquire some (or all) of these hottest skills on the market.
1. Working Knowledge of the Energy Industry
Securing environments in the energy sector requires a “significantly different skill set” than those used in other industries to secure email servers, file-sharing devices, and browsers, says Brian Romansky, chief innovation officer at Owl Cyber Defense. Industry CISOs are looking for people who possess an understanding of how the operations technology (OT) environments of plants, pipelines, substations, refineries, etc., work, he says. They’re also seeking to hire people with experience in securing digital controls systems, SCADA systems, and digital sensors/monitors and operational systems, such as pumps, valves, and actuators.
The ideal candidate “understands how industrial protocols like Modbus, OPC, DNP3, etc., work, the devices they support, what they need to connect to [and not connect to] – and the associated risks,” Romansky says.
2. Embedded Systems Skills
Ron Brash, director of cybersecurity insights at Verve Industrial, points to a huge and growing skills gap related to properly securing or assessing embedded systems.
“This is truly dangerous because the majority of systems in OT/ICS are embedded – not Windows or commodity equipment such as … routers,” he says. “And yet we keep deploying them knowing compensating controls are getting harder to apply with the advent of 5G, LTE, and IoT/IIoT that bypass traditional controls such as firewalls.”
Attacks on embedded systems in critical infrastructure are common but often kept out of the news. One example is the attack on the Oldsmar, Fla., water supply in which a hacker changed the settings on the system to “briefly increase the amount of sodium hydroxide, also known as lye, by a factor of more than 100,” according to Pinellas county sheriff Bob Gualtieri in a Tampa Bay Times news report.
“A plant operator was monitoring the system at about 8 a.m. Friday and noticed that someone briefly accessed it. He didn’t find this unusual, Gualtieri said, because his supervisor remotely accessed the system regularly,” according to the report.
3. Understanding of Data Flows
CISOs are also looking for cybersecurity professionals who understand the energy sector’s data and data flows, Romansky says. More specifically, they should:
- Understand the data that third parties require to fulfill support agreements, perform analytics, monitor duty cycles, etc., and have knowledge of historian industrial applications like OSIsoft and Aveva.
- Understand the data needs of external data consumers and securely provide the required operational data.
- Have military or government agency cybersecurity experience, as “they are trained in how to defend against nation-state attacks using a variety of technologies, including cross-domain solutions,” Romansky says.
4. Deep Familiarity of Critical Infrastructure Cybersecurity Regulations
Lila Kee, GlobalSign’s general manager for the Americas and a former board member of the North American Energy Standards Board, says a strong familiarity with federal, state, and foreign regulations and federal guidance – such as Presidential Policy Directive 21 and the National Infrastructure Protection Plan (NIPP) Energy Sector-Specific Plan from 2015 – affecting the energy sector is a strong plus given the industry’s many security and compliance requirements.
Another big advantage for security pros is the ability to implement a software bill of materials (SBOM) per President Biden’s Executive Order 14028, which essentially “prevents bad software from being installed, where it can carry out its intended harm,” she says.
Read the full article by Pam Baker on Dark Reading.
Free Active Directory Assessment
Get Visibility Into Privilege And Service Account Exposure
For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.
Try Our Endpoint Detection Net (EDN) for Free
FAST AND EASY
Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.
ADSecure 90-Day Free Trial
GET PROTECTION AGAINST UNAUTHORIZED ACCESS TO ACTIVE DIRECTORY
- Hide and deny access to AD objects
- Get alerted on unauthorized queries
- Attack details easily viewable in dashboard
- Your data remains on-premise