As organizations mature their operational technology (OT) security approach, they tend to move from a focus on technology to a focus on building a program to, finally, building a workforce that can run the program and operate the technology. This natural progression has been described as the “Industrial Cybersecurity Awakening Model” (Figure 1).
It can take four years—and sometimes much longer—to reach Stage 5 of the model where organizations intentionally develop an OT security team. The International Society of Automation Global Cybersecurity Alliance (ISA GCA) supported a three-year research project to create a consensus-based OT security body of knowledge and has released a 125-page document and other resources. “Curricular Guidance: Industrial Cybersecurity Knowledge” describes the stages of the model and helps ensure OT security leaders can work with education and training providers that follow a consensus-based OT security body of knowledge.
In the recent past, ransomware has been a significant driver in the awakening. Those who have been in touch with their local industries know that automotive manufacturers, salad processors and paper makers have suffered ransom demands that shut down process lines and resulted in a relatively rapid leap from Stage 1 to Stage 3. The aftermath of a breach generally leaves one or two individuals (often the electrical engineering professionals who have now been asked to pick up cybersecurity) asking for the resources required to move the “OT side of the house” to Stage 4.
The management of some organizations has contented itself with the belief that a technology investment alone will get the job done. Stage 3 is as far as they are willing to go. But other organizations, especially those with far-flung operations, are advancing to Stages 4 and 5.
At Stage 4, the IEC 62443 series of standards provides powerful concepts such as the industrial automation and control system (IACS) lifecycle, the IACS principal roles, system types and maturity levels that are key to building a good OT security program. IEC 62443-2-1 recognizes the need for cybersecurity training by including the following requirements:
Development of a cybersecurity training program
Providing cybersecurity procedure and facility training
Providing cybersecurity training for support personnel
Validating the cybersecurity training program
Revising the cybersecurity training over time
Maintaining employee cybersecurity training records (62443-2-1 Req. 4.3.2.4.1-4.3.2.6.4).
When organizations begin to grapple with these training requirements, they begin to recognize serious impediments, such as:
Lack of a widely recognized OT security body of knowledge
Lack of consensus-based OT security work roles
Lack of validated OT security competencies per work role
Lack of role-specific OT security training
No discussion of OT security competencies required of non-security personnel.
OT security leaders attempting to tackle this issue find a complex and often foreign world of workforce development literature and guidance.
A plethora of government agencies and professional training providers offer workforce development models. Within these models, definitions of key terms often conflict, and some terms have changed official definitions within the models over just a few years. It can be overwhelming to sort through.
With these challenges in mind, a working group composed of qualified representatives from industry, government and academia embarked on a three-year research project to review existing OT security workforce development guidance, and where lacking, establish a consensus-based foundation.
In 2019, the Idaho National Laboratory (INL) and Idaho State University (ISU) convened 15 qualified industrial cybersecurity professionals in ISU’s Simplot Decision Support Center, where they engaged in the bias-eliminating nominal group technique to identify five archetype industrial cybersecurity job roles, and initial knowledge categories not normally covered in traditional cybersecurity education.
The results of this effort were published in November 2021 as “Building an Industrial Cybersecurity Workforce: A Manager’s Guide,” which included job descriptions, key tasks and hiring advice. Recognizing that, despite its strengths, this document did not constitute a consensus-based body of knowledge for an emerging cybersecurity specialization, the INL, ISA Global Cybersecurity Alliance (ISAGCA), and ISU decided to validate, critique and expand the document by involving a broader group of qualified experts.
In spring 2022, the ISAGCA administered a survey to professionals with interest or experience in industrial cybersecurity. The survey included up to 363 input items and received inputs from 170 qualified respondents. The survey questions, responses, analysis and decisions are available for public review, examination and additional analysis on the