Sean Plankey, principal deputy assistant secretary for Cybersecurity, Energy Security, and Emergency Response (CESER) at the Department of Energy (DoE), today outlined solutions to cybersecurity skills gaps in the industrial controls sector as security for that sector continues to change from older “manual-mode” methods to more modern technologies.
Speaking at the RSA Public Sector Day event at this week’s RSA Conference in San Francisco, Plankey explained his focus on leading security research and development activities for DoE national laboratories. Those efforts, he said, aim to answer “how do we invest” for better security solutions, “then try to transfer those promising R&D products to the private sector” for further development.
He said the field of industrial controls security is in something of a generational flux given the historical reliance of the sector on manual controls for systems, and the ongoing drive to upgrade those to modern-day tech standards.
“That old manual-mode technology has changed” in many industries that formerly relied on it, he said. Increasingly, he asked, “can you really go to manual mode” for security in energy facilities, adding, “the answer is no.”
“There is no manual mode … those controls don’t exist anymore,” Plankey said.
In the case of younger security employees, “we aren’t even learning the old interfaces” for security controls, and at the same time, “the older generation is not learning the new technology,” he said. “This is a human capital management issue … We have to figure out a way to close that skills gap.”
“It’s not up to the schools” alone to close that gap, he said. Rather, he indicated that innovative programming by the Federal government can help address the problem.
One way that DoE is doing that is by holding “Cyber Force” events at universities located near DoE national labs in which students – assisted by experts from the labs and the private sector – attempt to defend energy and water facilities under hypothetical cyber attacks. Grading the students on their performance in the exercises helps to identify promising candidates for hire into government cybersecurity positions.
“We need to talk to you – the private sector – to see how you can hire from that pipeline” as well, he said, adding, “We are going to be doing something with that this year.”
Another example is a program for “consequence-driven” cybersecurity engineering training run by the DoE’s Idaho National Laboratory that focuses training on how nation-state attackers view targets they want to exploit, and in particular how they pay attention to exploiting “the supply chain of people” that defend targets.
“That, for me as an intelligence official, is a game-changer,” he said. He said that program is on budget to train more than 2,000 people across the U.S. this year.