Securing an ICS differs from securing a corporate IT environment. Finding talented people with the right skill set to create and implement a security concept for an ICS will become very difficult as the demand for such professionals increases rapidly.
What kind of people and skills are we talking about, and why are they such a rare species?
Everyone who works in the IT security industry knows how difficult it is to find and retain skilled professionals. This is due to the specialized knowledge required to secure today's IT environments and, thanks to all the media and C-level attention lately, the increasing demand for IT security professionals. Here we are talking about traditional corporate IT security: concepts, challenges and problems that have been well known for the last ~25 years. If you think these people are hard to find, imagine the following:
You want to secure an environment where you ...
- Mainly deal with legacy systems
- Are not allowed to patch regularly (or at all?)
- Do not necessarily communicate via TCP/IP
- Talk to operators who don't understand what you are saying (engineers vs. IT staff)
- Can't use traditional vulnerability scanners: even a single ICMP packet may bring down a system or a network
- Have system life-cycles of 20+ years
- Face many other kinds of challenges which your corporate IT (security) life has not prepared you for
Coming back to the graphic above, we are basically looking for someone who knows IT systems, knows the inner workings of security (defense in depth, other concepts, methodologies, products ...) and has an understanding of the ICS world. We are looking for a subset (ICS professional) of a subset (security professional) of a set (IT professional), at a time when all industries in every country are trying to secure their critical infrastructure (read: ICS environments). We're looking for the tiny red star in the intersection of all three skill circles.
Trying to cut corners does not help here. We have all heard occasional stories of infosec professionals who tried applying their traditional corporate IT methodologies in the ICS world. One example is a penetration test against ICS infrastructure that brought down half of a company's production network because no thought was given to ICS-specific challenges (slowing down the tools, conducting architecture reviews beforehand ...). I can't stress enough how important the ICS knowledge is. It boils down to the ability to understand the needs, language and challenges ICS engineers face daily. Engineers want to get things done. They want things to run (availability, availability!) and they don't like interference. Understanding this mindset is key to securing ICS environments.
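The two bullet points above about fragile devices and the penetration test that took down production both point at the same practical lesson: in an ICS network you learn what is there by listening, not by probing, and you want to notice quickly when somebody does start probing. The following Python script is an added example written for this post, not code from the original author; it assumes flow records in a simple constructed text format (timestamp, source, destination, protocol, destination port) and uses the commonly assigned default ports for a few ICS protocols (Modbus/TCP 502, Siemens S7 on ISO-TSAP 102, DNP3 20000, EtherNet/IP 44818, BACnet/IP 47808). It builds a passive asset inventory from observed traffic only, then flags any source that, within a short window, sweeps several ICS hosts or pokes many services on one of them, which is exactly the kind of activity the story above describes.

```python
"""Passive ICS asset discovery and scan detection from flow records.

Added example for illustration (not from the original post). Assumes a
constructed flow-record format and the usual default ports for a handful
of ICS protocols; adjust ICS_PORTS to your own environment.
"""
from collections import defaultdict

# (transport protocol, destination port) -> protocol name.
# These are the commonly used default ports; sites may differ.
ICS_PORTS = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 102): "S7comm (ISO-TSAP)",
    ("tcp", 20000): "DNP3",
    ("tcp", 44818): "EtherNet/IP",
    ("udp", 47808): "BACnet/IP",
}

# Constructed sample flow records: "<epoch> <src> <dst> <proto> <dport>".
# Lines 1-4 are normal HMI/engineering traffic; the 10.9.9.9 lines mimic a
# host doing an ICMP sweep followed by a service probe of one PLC.
SAMPLE_FLOWS = """\
1000 10.1.1.10 10.1.2.5 tcp 502
1001 10.1.1.10 10.1.2.6 tcp 502
1002 10.1.1.11 10.1.2.7 tcp 102
1003 10.1.1.12 10.1.2.8 udp 47808
1010 10.9.9.9 10.1.2.5 icmp 0
1010 10.9.9.9 10.1.2.6 icmp 0
1010 10.9.9.9 10.1.2.7 icmp 0
1011 10.9.9.9 10.1.2.8 icmp 0
1011 10.9.9.9 10.1.2.9 icmp 0
1011 10.9.9.9 10.1.2.5 tcp 22
1012 10.9.9.9 10.1.2.5 tcp 80
1012 10.9.9.9 10.1.2.5 tcp 443
"""


def parse_flows(text):
    """Parse the constructed flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def passive_inventory(flows):
    """Map each destination host to the ICS protocols it was seen serving.

    Derived purely from observed traffic, so nothing is ever sent to the
    devices; this is the ICS-safe alternative to an active scanner."""
    inventory = defaultdict(set)
    for f in flows:
        name = ICS_PORTS.get((f["proto"], f["dport"]))
        if name:
            inventory[f["dst"]].add(name)
    return {host: sorted(protos) for host, protos in inventory.items()}


def detect_scanners(flows, ics_hosts, window=10, min_targets=3, min_ports=3):
    """Flag sources that sweep many ICS hosts or many services on one host.

    Flows are bucketed per (source, time window). A bucket raises an alert
    when it reaches at least `min_targets` distinct ICS hosts, or touches at
    least `min_ports` distinct (proto, port) pairs on a single ICS host."""
    buckets = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f["dst"] not in ics_hosts:
            continue
        key = (f["src"], f["ts"] // window)
        buckets[key][f["dst"]].add((f["proto"], f["dport"]))

    alerts = []
    for (src, bucket), targets in sorted(buckets.items()):
        reasons = []
        if len(targets) >= min_targets:
            reasons.append(f"reached {len(targets)} ICS hosts")
        max_ports = max(len(p) for p in targets.values())
        if max_ports >= min_ports:
            reasons.append(f"probed {max_ports} distinct services on one host")
        if reasons:
            alerts.append({"src": src, "window_start": bucket * window,
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    inventory = passive_inventory(flows)
    for host, protos in sorted(inventory.items()):
        print(f"{host}: {', '.join(protos)}")
    for alert in detect_scanners(flows, set(inventory)):
        print(f"ALERT {alert['src']} @ {alert['window_start']}: "
              f"{'; '.join(alert['reasons'])}")
```

On the constructed input the inventory lists four ICS hosts and a single alert is raised for 10.9.9.9, while the engineering workstations that legitimately poll two PLCs stay below the thresholds. The thresholds and window are deliberately parameters: on a real plant network they have to be tuned against the normal polling pattern of the HMIs and historians, which is itself something you only learn by talking to the engineers.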
What can be done about this?
Let your people talk to each other! How do you handle ICS security in your company? Is there a cross-functional role responsible for IT security in your ICS environment? Does your IT security staff know the characteristics and special features of your ICS environment (e.g. the bullet points above)? Have your security people ever talked to some of your ICS engineers? I've seen companies where none of this has happened. You don't need to immediately look for an expensive ICS cybersecurity consultant; getting your already skilled staff to talk to each other is a first step in the right direction. Adding professional training on top of this might be another good idea. Fortunately, the market for ICS-specific IT security training is growing quickly.