One of the more persistent challenges associated with addressing industrial automation systems cybersecurity is the shortage of people with appropriate skills and experience. It is generally accepted that the shortage of cybersecurity talent has led to it becoming one of the fastest growing fields for job opportunities. This challenge is not unique to industrial cybersecurity. The problem is much larger, applying to all aspects of information security.
While important aspects of industrial cybersecurity are unique to the domain, many of the fundamentals are similar or identical to those associated with general-purpose information systems security. Any efforts to address the broader skill shortage will have some positive impact on industrial automation.
The National Institute of Standards and Technology (NIST) announced one such effort on November 2, 2016 at the NICE Conference and Expo in Kansas City. The NICE Cybersecurity Workforce Framework (NCWF) is a tool to help employers more effectively identify, recruit, develop, and maintain cybersecurity talent. It provides a common language to describe cybersecurity work regardless of organizational structures or job titles.
Organizations can use the framework to organize roles and responsibilities through the following components:
- Categories – A high-level grouping of common cybersecurity functions.
- Specialty Areas – Distinct areas of cybersecurity work.
- Work Roles – The most detailed groupings of IT, cybersecurity, or cyber-related work, which include specific knowledge, skills, and abilities required to perform a set of tasks.
- Tasks – Specific work activities that could be assigned to a professional working in one of the NCWF’s Work Roles.
- Knowledge, Skills, and Abilities (KSAs) – Attributes required to perform tasks, generally demonstrated through relevant experience or performance-based education and training.
The first of these components defines seven high-level categories that group the work and workers that share common functions, as shown in this figure:
These categories are in turn made up of more than 30 specialty areas such as “Incident Response” and “Legal Advice and Advocacy.” Some specialty areas map to a single work role and others are contained in more than one work role.
Although this framework does not specifically address industrial systems cybersecurity, it is still a useful tool for those securing these systems. The categories, specialty areas, and roles identified are relevant to effective security, regardless of the scope of application. Consistent definitions in these areas will be helpful in constructing a comprehensive cybersecurity program that addresses all systems in a consistent manner. Common concepts and terms are essential for defining and sharing information in a consistent and descriptive way. Organizations can use the NCWF as a building block to develop training, development, and staffing programs.
NIST Special Publication 800-181 provides a detailed description of the framework. This draft is now available for public review and comment, with a response deadline of January 6, 2017. Feedback can be sent via email to firstname.lastname@example.org. The authors are particularly interested in suggestions for new tasks and KSAs, to help ensure the final version fully addresses cybersecurity workforce needs.
About ARC Advisory Group (www.arcweb.com): Founded in 1986, ARC Advisory Group is a Boston-based leading technology research and advisory firm for industry and infrastructure.
About the Author:
Contributing Consultant, ARC Advisory Group
Eric provides advisory and consulting services to ARC analysts and clients in all aspects of operations and project management. Eric has over 35 years of experience in the development, delivery, management, and support of operations information technology solutions in the process industries.