Who will save our cities, plants and water from cyber attack?
Finding the fighters who will guard our infrastructure from malicious hackers.
Could donuts save the U.S. electric grid? The sugary pastries are one step in cybersecurity professional Chris Sistrunk’s plan to lure people into helping save the machines that move our world—smart cities, factories, energy plants and more—from cyber attack.
“The world is dependent upon ICS [industrial control systems] and critical infrastructure,” Sistrunk said. “If the critical infrastructure is not secured and defended, attackers will have an advantage.”
Sistrunk, who works for Mandiant, a FireEye company, estimates the number of ICS security professionals worldwide at just 1,000—not enough to keep attackers from doing serious damage.
“We may not know the true cost of an ICS attack until after it happens,” he said.
The donuts are not for the new recruits. Instead, Sistrunk encourages people currently working in IT [information technology] security—189,000, according to a LinkedIn study, he said—to use treats to ply crucial knowledge from the people currently working on critical infrastructure, so they can learn how to defend the systems.
“Engineers and operators love donuts and food in general,” Sistrunk said. “If you really want to get good, bring kolache [fruit pastries] or chicken biscuits.”
Already under attack
The “donut attack,” as some jokingly call Sistrunk’s strategy, could be your entry into the world of critical infrastructure. But hackers—both black hat and white hat—are already there.
Reports show that hackers have been able to change the chemical levels in your drinking water, let loose thousands of gallons of sewage into a park and hotel, derail trams in Poland, injuring 12 people, damage a blast furnace at a steel mill in Germany, mess with air conditioning in homes and buildings, cause problems at nuclear power plants, target machines in factories, change traffic lights to cause massive backups and more.
One of the most recent cases is the cyber attack on power companies in Ukraine in December, shutting off electricity to more than 200,000 customers for hours.
Systems and equipment that were once only the domain of engineers and operators are now computer-connected, some ripe for the plucking by criminals and spies.
Where are the cyber troops?
There will be a need for 6 million cybersecurity workers worldwide by 2019, predicted Symantec CEO Michael Brown in Forbes last year, but a quarter of those jobs—1.5 million positions—will go unfilled.
In the U.S., more than 200,000 cybersecurity openings are waiting for someone to fill the job, according to Stanford’s Peninsula Press. There may be as many as 10,000 unfilled cybersecurity openings for the federal government. People are applying for those positions, but many are falling short, the “State of Cybersecurity: Implications for 2015” study found, with as few as 25% of applicants qualified to do the job.
There is a shortage of “cyber ninjas” in general, but industrial control system defenders are even harder to find.
One problem—the work isn’t easy.
“It’s hard enough to get green—as in inexperienced—folks interested in IT or ICS engineering,” said Travis Smith with Tripwire. “Both fields are extremely complex and require years of training to become even a novice.”
“Once one becomes a master of their domain, there has been little incentive for a professional on either side of the fence to start back from the beginning to learn each other’s world. This is why you have seen a small amount of ICS security professionals,” he said.
Attacks bring change
The attacks show the vulnerability of our systems, but may also lead to an increase in the number of cyber defenders.
“With the high profile ICS attacks, such as the Ukrainian attack in late 2015, you are beginning to see more people getting interested,” said Smith.
“Unfortunately, it takes events such as these to get people interested in the complex problems not only facing our industries, but also our everyday lives,” he said.
The next wave
The next protector of our smart cities and factories may be sitting at a desk in a high school classroom.
Can teens be distracted from Snapchat and Instagram long enough to learn to save the world?
Yes, says Marc Blackmer, who developed a cybersecurity event called 1NTERRUPT for high school kids that focuses on critical infrastructure security.
“My belief is that the more they are exposed to the ICS world, they will be more interested in ICS cybersecurity than ‘standard’ cybersecurity,” said Blackmer. “ICS have a tangible, physical effect, so they represent more than just text on a monitor.”
1INTERRUPT’s “treasure hunt” took place on a fake industrial network, complete with “traffic lights”—real spotlights in red, yellow and green—and a “water treatment facility” made from two jars and a small pump. Bad guys hacked the system and shut down the water treatment facility, and the kids had to become cyber detectives and turn it back on.
“When young people can see a physical result from something they do in the cyber world, it’s very exciting,” said Blackmer.
“They are armed with the basic skills and tools to complete their mission, but they are mainly required to rely on their deductive reasoning skills and their ability to think creatively,” he said. “By way of doing this, they become exposed to the ICS concepts that will serve them later as they build their skills, and hopefully join us in the field.”
Not enough students?
Those teens may go on to study cybersecurity in college.
But schools with cybersecurity programs only turn out about 10,000 graduates per year, said Wayne Machuca, who teaches at the Oregon Center for Cyber Security at Mt. Hood Community College in Gresham, Ore.
And those graduates may not be what companies are looking for, he said.
“I believe that the industry as a whole seeks security professionals with advanced credentials such as a Bachelor’s degree or better coupled with several years of direct experience. Or an experienced engineer with security training,” Machuca said. “And honestly, I agree—if there were any available.”
“What we are seeing happening right now, and across all industries, including private, small and medium-sized businesses, plus government, as well as critical infrastructure, is that there is a demand for security professionals such that academia can in no way keep up,” he said.
“This means that positions are not being filled and the organizations remain vulnerable,” he added.
Bridge the gap?
Companies and agencies may not be able to pay the salaries needed for the cybersecurity workers they want. And even if they did, would there be enough experienced cybersecurity workers to fill the role.
“There are not enough people with a ‘BS and 5’ [Bachelor of Science degree and five years’ experience] who are willing to work for sub-$100k,” said Machuca. “And if you did happen to find one, you probably don’t want them working for you in the first place!”
“However, the AAS [Associate of Applied Science, a two-year degree] candidate with cybersecurity training would fill that spot without problem, AND be willing to do whatever it takes to grow into the position,” he said.
More than kolache
Sistrunk is trying to show current cybersecurity professionals how to break into ICS cybersecurity, and not just with donuts and fruit pastries.
He gave a talk at the 2016 RSA security conference in March, encouraging people currently in the ICS world to add another layer to their worldview. Engineers, technicians and operators who understand ICS need to become familiar with security, he said, and IT security professionals who understand computers need to learn about ICS.
He joked that an ICS pinup calendar could drum up more interest, adding, “I think ICS is becoming more ‘sexy,’ but we have a way to go.”
But at the heart of the matter is a serious concern—who will protect the machines that bring you water, generate your power, keep your car moving, and run your life behind the scenes?
“I don’t think that 0.05% [percentage of cybersecurity professionals who work on ICS] is enough to protect critical infrastructure,” said Sistrunk. “Security breaches are inevitable. It’s a matter of ‘when,’ not ‘if.’”