How to Better Train Your Automation Engineers on ISA/IEC 62443

The Colonial Pipeline attack exposed an ongoing problem facing the nation's critical infrastructure: A gap in the cybersecurity workforce. Future wars will no longer be traditional, and the country needs to be prepared on both the defensive and offensive sides, which starts by addressing this shortage. Our problem statement, then, becomes a lack of cybersecurity resources.

How is this Solution Getting Addressed?

Due to an increase in demand for cybersecurity services, several companies including government organizations and multinational companies that provide cybersecurity consulting and implementation services started hiring candidates, which resulted in a resource crunch and a need to increase budget for hiring. Companies that didn't get the right candidate started contracting services from these consulting companies.

There are many companies and organizations which are running their cybersecurity projects with the help of third-party consulting and service support. It has escalated the economic impact and data security impact on these companies.

How Can it be Resolved in a Better Way?

Every critical infrastructure industry, whether it is oil & gas, power utility, grid, food processing, manufacturing, etc., have adequate manpower for automation or engineering. They have shift engineers for operation, maintenance engineers for maintenance, and project engineers for ongoing or future projects.

The key is to train and upgrade, but how? They are already working, and cybersecurity is not their domain. ISA/IEC 62443 has provided a solution, and in this standard, there are seven functional requirements:

1. Identification and authentication
2. Use control
3. System integrity
4. Data confidentiality
5. Restricted data flow
6. Timely response to events
7. Resource availability

These seven areas are easy to train. These are technical controls, and our industrial engineers are very good at learning technical skills. If they are good at operating a complex system and monitoring critical parameters minute-by-minute to keep them within safe limits, we should trust them to take care of cybersecurity as well.

Benefits of Training Industrial Engineers for OT Cybersecurity

Often, organizations turn to informational technology (IT) teams for cybersecurity of operational technology (OT). However, there are many benefits to training industrial engineers for OT cybersecurity, including:

1. Upskilling existing resources
2. Keeping it closer to the production environment
3. Better emergency handling
4. Close cooperation among teams
5. Economic gains in terms of resource hiring

How to Train?

A trainer or online course is the first step to providing background knowledge hands-on, which, in my opinion, is the best way to learn anything. First, we need to figure out our environment and then depending on our security requirements, we can curate courses for engineers. We can start with basic technologies, such as:

1. Patch Management

Patch management is a subset of vulnerability management. We need to learn about solutions that we are using or that need to be implemented in our plant premises like Windows Server Update Services (WSUS) or any third-party application. There are many third-party solutions available for test purposes. Also, if we implement some agent-based solutions, then we will need to understand them from the original equipment manufacturer (OEM).

2. Backup and Restore Management

All supervisory control and data acquisition (SCADA) and distributed control systems (DCS) have built-in functionality for creating and saving backups. However, for cybersecurity, we need to go for a centralized solution with multiple copies at different locations. Therefore, there are commercially available, off-the-shelf solutions in the market which are approved by the majority of DCS/SCADA OEMs.

3. Endpoint Protection

This protection is the last line of defense in a cybersecurity scenario. What type of endpoint protection is authorized by OEM? We will need to investigate this and whether it is maintained well. Does a system have anti-virus, is fully updated, and has scheduled updates? These can be included in the operation logbook.

4. Network Security

Network security is the most feared term when it comes to cybersecurity, but it should not be. You do not need to master all the switches or firewalls to learn network security. You just need to understand the concepts and how they are installed and for what purpose. ISA/IEC 62443 starts with zoning and segmentation, and if you want to achieve a security level you can go with logical segmentation using VLANs; for higher security levels, go with physical segmentation using firewalls.

5. Log Management

Finally, for detection and response, we need log collection, analysis, and incident monitoring. Based on the types of devices, we need to see what type of logs it is generating. Almost all log management solutions have similar architecture; either they will install an agent of endpoints to collect logs, or they can get it via agentless methods.

Conclusion

By following this structured training approach, organizations can leverage their existing engineering workforce to handle OT cybersecurity effectively, reducing costs and improving security posture.