An undeniable shortage of qualified industrial control system (ICS) cybersecurity professionals — individuals trained to defend the nation’s energy infrastructure from hackers — should cause the Department of Energy serious concern, Sen. Bill Cassidy, R-La., told Assistant Energy Secretary Patricia Hoffman during a Senate Energy and Natural Resources subcommittee hearing.
“The number of ICS professionals is severely limited, maybe 500 to 1,000 worldwide, and we need tens of thousands. And that begs the question: what are we doing to address the shortage, which is exponential? What are we doing to address this critical shortfall?” Cassidy said, referencing a conversation with personnel from the Cyber Innovation Center, a non-profit, Louisiana-based research institute.
Reg Harnish, the CEO of New York-based cybersecurity consultancy GreyCastle Security, wrote in an email: “Finding cybersecurity experts is difficult no matter what industry you’re in, partly because it is an ultra-competitive market and partly because there are so few of them. [But] for those entities trying to defend industrial control systems it is even more difficult.”
Arkansas Electric Cooperative Corporation CEO Duane Highley, who also testified before the committee on Tuesday, responded to Cassidy by acknowledging that the U.S. is experiencing a deficit.
“Certainly, the demand for these technically skilled folk causes us a lot of the time to go outside the country to get those people … We just don’t produce enough in house to make it happen,” said Highley.
“I think it’s something to watch but we don’t believe it is insurmountable,” he concluded.
Hoffman countered Cassidy, explaining that the DOE is already working with both the University of Arkansas and the University of Illinois to develop engineering curricula that combine energy infrastructure engineering with cybersecurity studies, so that the next class of security specialists can support the energy sector.
She also pointed to several threat-intelligence sharing partnerships between private-sector competitors and the federal government, which are also used to prepare existing in-house security teams to stop attackers from disrupting, for example, the electrical grid.
“It seems as though you’re not doing that much on manpower or womenpower training though,” Cassidy said to Hoffman, “And I say that because even if you have two universities with engineering programs — and even if they are big engineering programs — it is still relatively small.”
He added, “If I am being told we have between 500 to 1,000 people and we need tens of thousands, it seems like … just, doesn’t anyone else see a problem of manpower here?”
A recent Kaspersky Lab report highlights the immature state of ICS security: nearly 60,000 systems in the U.S. were reachable from the public internet and indexed by Shodan, a search engine that catalogs internet-connected devices by scanning them and recording the services they expose (being indexed means a system is reachable and enumerable by anyone, not necessarily that it is exploitable). A total of 189 security vulnerabilities in ICS products were reported in 2015, according to the report, up slightly from the year before, and publicly available exploits existed for more than 20 of them.
In an email, a department spokesperson responded to Cassidy’s criticism: the “DOE, in partnership with the Department of Homeland Security, and the energy sector, supports university collaborations that engage 16 universities [in total] with the primary focus on research and development.”
“Both undergraduate and graduate students participate in research to develop innovative cybersecurity technologies that will transition to the energy sector to reduce the risk of energy disruption resulting from a cyber incident,” the spokesperson said.
Other known cybersecurity programs created by the DOE include a public repository of basic cybersecurity information and educational resources called the Cybersecurity Awareness & Training Warehouse, and a Cybersecurity Awareness & Training program designed to train department employees.