There are frighteningly few cyber security experts with the right skills in the electricity industry, warns Michael John. While there is room for hope in the longer term, he outlines what can be done now to plug the gaps.
Michael John is Director at The European Network for Cyber Security (ENCS), a non-profit organisation.
By now, it should be clear to anyone paying attention that the energy industry needs serious cyber security. High-profile hacks in the news have brought the issue to the fore, but it just makes logical sense: our energy grids are critical infrastructure and increasingly digitally connected, making them cyber vulnerable. Utilities therefore need cyber security.
The problem is, there simply aren’t enough people with the right skills in the industry to keep our grids secure. This isn’t just one skills gap, but four compounding skills gaps that we need to address. Together, they add up to more of a chasm than a gap. What to do?
Gap one: not enough cyber security skills in energy
Electricity underpins nearly every aspect of modern life. That takes a lot of infrastructure and a big industry. By extension, that means a large cyber security requirement – one that will only get larger as the grid is digitised.
The problem is, there are frighteningly few cyber security experts with the right skills in the energy industry. This is for a number of reasons.
First, working in the industry requires a dual cyber security skill set: you have to understand both IT (information technology) and OT (operational technology). That means you need to understand not only the communications technology, but also the engineering equipment that produces and transmits the energy, as well as how these interact. That’s a niche skill set which not many people have.
Utilities also need to elevate and integrate cyber security’s position in the business. Cyber security is a business-level risk and a core strategic function – it needs to be present throughout the organisation, not isolated as a siloed function. Over the past few years, utilities have taken tangible steps to make this happen and it’s paying dividends. However, there’s still distance to go: increased investment and greater internal recognition may well attract more talent.
The energy sector is also viewed by many as a very conservative, traditional industry. Contrast that with the glamour of the techie start-up scene or the giants like Facebook or Google. If you’re a young cyber security expert with big ambitions, where do you apply?
Taken together, these factors begin to show why the energy industry might lose out on some talent. However, that wouldn’t be as much of an issue if there was a bigger pool of cyber security talent out there.
Gap two: not enough cyber security skills in total
The fact is that cyber security skills are at a premium. The International Information System Security Certification Consortium, (ISC)², predicts there will be nine million global public and private sector cyber security jobs by 2019, but only 4.5 million people qualified to do them.
That’s half. Half the people we need in the cyber security sector.
Partly, this will be down to the fact that it takes smart, talented people to keep us safe from cyber threats and hackers (because they are often smart, talented people themselves). Not just anyone can pick up a keyboard and become an expert.
But that can’t be the whole story. In fact, to fix this skills gap, we need to go one step back again to…
Gap three: not enough technically educated people
Across Europe and elsewhere, much has been made of the shortfall in the technically educated workforce. Not enough of our young people are opting for education and career paths in the science, technology, engineering and maths (STEM) fields.
This is important because those are the baseline skills and modes of thinking that are essential to success in the highly technical cyber security field. Success varies across Europe, but every country is waking up and realising we need a larger technically educated workforce across the board. For example, the European Commission estimates there will be 500,000 unfilled ICT vacancies in Europe by 2020.
Gap four: not enough cyber awareness
So, we don’t have enough cyber security experts in energy, which is difficult to fix because there aren’t enough cyber security experts to go around. That’s tricky to solve because we don’t have enough technically trained people to go into cyber security. The problem cascades from one level to another.
But, in the energy industry, these are compounded by a different skills gap: the one of cyber awareness. This is an organisational challenge to inculcate basic cyber security proficiency and awareness into employees and practices.
Cyber security can never be the sole responsibility of one person or department. Human error is still strongly linked to vulnerabilities and, more often than not, this is because non-security employees haven’t been trained to keep the utility secure.
Basic examples can include things like good password practice, or not leaving USB pen drives lying around (it happens). More advanced training could include how to spot phishing attacks and avoid them, or best practice around using home IT equipment on the company’s networks.
No amount of cyber security star talent will be enough if these open doors aren’t closed across the organisation.
Plugging the gaps
The scale of the problem shows this won’t be fixed overnight. But there’s room for hope in the longer term. Today’s workers in their thirties and early forties may or may not have had access to computers growing up. By contrast, recent graduates will have grown up online with a far more intimate understanding of IT and security. Tomorrow’s workforce goes even further – almost learning to navigate a tablet before they can walk!
But we can’t wait. So what can we do now?
First, we all need to do more to fix energy’s image problem. Not only is the picture of a stuffy old industry unhelpful, it’s untrue. Energy is undergoing an amazing revolution, transitioning to a cleaner and smarter grid. The mixture of IT and OT problems to solve should be catnip to a technological mind if we can only show how exciting it can be – and you can have far more impact keeping the lights on than keeping social media accounts safe.
We also need to work more closely with schools and universities to tempt young people onto the right career path – both for energy and cyber security more generally. At ENCS, we work closely with universities, running training days and internship programmes, but we need to be doing this right across the industry. Furthermore, we need to be inspiring young people earlier, going beyond the universities and into schools, increasing the uptake of STEM subjects in further education.
And we can’t forget that final skills gap – the one of awareness and basic capability across the organisation. The good news is these aren’t necessarily complex skills and can be taught to staff already in their roles. The bad news is that it takes a level of investment that not many utilities have been able to make so far.
There are no magic bullets. This will all require time and resources – possibly in significant amounts. However, a tipping point is imminent where inaction is far costlier than action – both in terms of the balance sheet, and its effect on Europe’s citizens. We are talking about critical infrastructure after all.