How to become an ICS/OT Cyber Security Engineer: The Trinity of ICS/OT Cyber Security
Rodrigo Augusto
Specialist ICS/OT Security Engineer | Network Architect Administrator | Author
As an ICS/OT Cybersecurity Engineer with 20+ years of experience in Industrial environments, process instrumentation, and control systems in industries such as Refineries, Petrochemicals, Power Plants, and Oil and Gas offshore platforms, I've come to realise that the unique challenges posed by ICS/OT cybersecurity require more than just a degree in IT or Control Systems.
I will explain why more than these degrees are needed and why a multidisciplinary approach is essential for success in this field.
ICS/OT environments are vastly different from traditional IT systems. They involve complex networks of interconnected devices, including programmable logic controllers (PLCs), sensors, actuators, and Human-Machine Interfaces (HMIs).
These systems control critical infrastructure such as power plants, manufacturing facilities, energy offshore platforms, and transportation networks.
As such, they have unique characteristics and challenges, such as Real-Time requirements, Legacy Systems, Physical Safety, and Complex Networks.
ICS/OT systems operate in real-time, requiring immediate response to control commands. Any delay or disruption can have severe consequences, including safety hazards and financial losses.
Many ICS/OT environments still rely on legacy systems that were not designed with cybersecurity in mind.
These systems often lack basic security features, making them vulnerable to attacks.
In ICS/OT, cybersecurity breaches can lead to physical harm or damage to equipment. Ensuring the safety and reliability of these systems is paramount.
ICS/OT networks are highly specialised and often involve a mix of proprietary protocols and communication standards. Understanding these networks requires specific expertise.
Why IT Degrees Fall Short
An IT degree typically focuses on information systems, software development, and network administration in corporate environments. While this knowledge is valuable, it does not fully address the unique challenges of ICS/OT cybersecurity.
Some of the reasons are a Lack of Industrial Context, a Different Threat Landscape, and Inadequate Protocol Knowledge.
IT curricula often do not cover the intricacies of industrial processes and control systems, leaving graduates without the necessary operational context.
IT systems primarily face threats like data breaches and malware, while ICS/OT systems must also contend with threats that can disrupt physical processes and cause safety hazards.
ICS/OT networks use specialised protocols (e.g., Modbus, DNP3, Profinet, OPC UA) not typically covered in IT programs, leaving graduates unprepared to secure these environments.
Why Control Systems Degrees Aren't Enough
A Control Systems degree provides valuable insights into the design and operation of industrial systems. However, a strong focus on cybersecurity is often missing. Some of the reasons are that cybersecurity isn't a core focus, exposure to cyber threats is limited, and integration is challenging.
Control Systems programs concentrate on system design, automation, and process optimisation, with limited emphasis on cybersecurity measures and threat mitigation.
Graduates may not be familiar with the tactics, techniques, and procedures (TTPs) used by cyber adversaries targeting ICS/OT systems.
Control Systems engineers may lack the knowledge to integrate cybersecurity effectively into existing systems, particularly when working with legacy infrastructure.
The Problem with Certifications
Certifications have long been touted as a way to validate one's skills and knowledge in a particular field. However, in ICS/OT cybersecurity, they often fail to deliver meaningful expertise and are more focused on profit than substance.
Many certifications are developed and marketed by organisations primarily focusing on revenue generation rather than genuine education.
As a result, the quality of the certification may not reflect the needs of the industry.
Certifications like Cisco's are popular but often concentrate on specific technologies.
In reality, industrial networks may utilise equipment from various vendors such as Hirschmann, Siemens, or Rockwell Automation.
Focusing solely on one brand's ecosystem can limit an engineer's ability to manage diverse networks effectively.
Certifications frequently emphasise theoretical knowledge over practical, hands-on experience.
In the dynamic field of ICS/OT cybersecurity, the ability to apply knowledge in real-world scenarios is crucial.
Many certifications adopt a broad-brush approach, failing to account for the unique characteristics and challenges of different industrial environments.
This can lead to a superficial understanding that does not translate into effective security strategies.
How Important Is a Multidisciplinary Approach
To excel in ICS/OT cybersecurity, professionals must bridge the gap between IT and control systems.
This requires a multidisciplinary approach that combines knowledge of industrial processes, control systems engineering, and cybersecurity principles. Here's why this approach is essential:
A multidisciplinary background provides a holistic understanding of the operational and security aspects of ICS/OT environments, enabling professionals to design robust security measures without compromising operational efficiency.
Professionals with diverse expertise can better assess risks and implement effective security strategies considering cyber and physical threats.
Adapting to new technologies and evolving threat landscapes is crucial in ICS/OT cybersecurity. A multidisciplinary approach fosters adaptability and innovation.
Effective cybersecurity requires collaboration between IT, control systems, and cybersecurity teams.
Professionals who understand all these domains can facilitate communication and cooperation among stakeholders.
Building a Strong Foundation
To succeed in ICS/OT cybersecurity, professionals must continually expand their knowledge and skills.
Build strong industrial network knowledge, since network security is the first and most crucial step from the FEED to the FAT.
Through conferences, webinars, and industry publications, stay updated on the latest trends, technologies, and threats in ICS/OT cybersecurity.
Gain practical experience by working with ICS/OT systems, participating in cybersecurity exercises, and collaborating with cross-functional teams.
Connect with professionals in the field to exchange knowledge and insights. Join industry groups, attend conferences, and participate in online forums.
Consider advanced and specialised training programs that focus on the skills you need to work on the trinity of ICS/OT cybersecurity.
Conclusion
In ICS/OT cybersecurity, more than an IT or Control Systems degree is required. The unique challenges posed by these environments require a multidisciplinary approach that combines expertise in industrial processes, control systems engineering, and cybersecurity.
While certifications are often viewed as a way to validate skills, they can sometimes be more about profit than proficiency.
To truly excel, professionals must focus on continuous learning, practical experience, and a holistic understanding of the complexities of ICS/OT environments.
Without this comprehensive knowledge and experience, one risks being perceived as just a "PC geek," lacking the depth and breadth required for effective cybersecurity in the industrial realm.
Aspiring Cybersecurity Professional | Strong Problem-Solving, Analytical Thinking & Exceptional Customer Service | Driven to Protect and Innovate in Cybersecurity | A+
2 months
Great article Rodrigo Augusto. This reading has given me some things to focus on. Thank you!!
Sales Representative at MSBU - IT Staffing & Recruiting
3 months
Really nice tips for career growth as a cybersecurity engineer
OT Industry Advisor | CTO | Chief Architect | MBA, MCIIS, GICSP
3 months
Good article. There's nothing that can beat having the opportunity to get into an ICS environment and having some curiosity about how systems interact with each other.
IT / OT SECURITY | IT POLICY & STANDARDS | CLOUD SECURITY | IT INFRA & OPERATIONS | CYBER LAW
3 months
Well said!