Building An Industrial Cybersecurity Workforce

Uploaded by

Godson Joseph
BUILDING AN INDUSTRIAL CYBERSECURITY WORKFORCE
A Manager’s Guide

INDUSTRIAL CYBERSECURITY AWAKENING
As smart devices and networks push deeper into power grids, oil refineries, and water treatment plants, we
must consciously prepare professionals to securely design, build, operate and maintain such infrastructures so
that they are prepared to protect and defend them.

This document, “A Manager’s Guide” is the first in a series of guidebooks dedicated to the important topic of
developing an industrial cybersecurity workforce. Other publications will include “A Human Resources Guide”
for Human Resource (HR) personnel seeking to ensure the effectiveness of industrial cybersecurity personnel,
and “A Career Development Guide” for individuals seeking to develop industrial cybersecurity competencies.

This guide will aid managers in answering four pivotal questions:


1. Are you ready to build an industrial cybersecurity team?
2. How do you structure your industrial cybersecurity team?
3. What does your industrial cybersecurity team need to know?
4. What does your industrial cybersecurity team need to do?

Building An Industrial Cybersecurity Workforce: A Manager’s Guide 2


ARE YOU READY TO BUILD AN INDUSTRIAL CYBERSECURITY TEAM?
Many managers fail to fully appreciate the intense cultural, managerial, and educational differences between
information technology (IT) systems and operational technology (OT) systems, which we call the IT-OT gap.

IT systems consist of desktops, laptops, web servers, communications networks, email, storage and backup
systems used to help humans make better decisions.

OT systems consist of programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA),
control logic, sensors and actuators that provide reliable electricity, consistent transportation, and safe
drinking water. Operational technology systems are the collection of technologies used to control and monitor
industrial operations used in electric power, oil & natural gas, water & wastewater, and manufacturing sectors.
These systems include:
• Industrial control systems (ICS)
• Supervisory control and data acquisition (SCADA)
• Programmable logic controllers (PLCs)
• Industrial control communications protocols, control logic, sensors and actuators.

Figure: Information Technology (IT) Versus Operation Technology (OT)

The table below shows some of the differing characteristics between information technology and operational
technology.

| | Information Technology | Operational Technology |
|---|---|---|
| Being controlled | Data | Physics |
| Measurement | Bits and bytes | Temperature, pressure, flow |
| Lifecycle | System lifecycle | Facility lifecycle |
| Consequences | Competitive disadvantage; embarrassment; financial loss | Product damage; loss of life; environmental release |
| Desired system characteristics | Confidentiality; integrity; availability | Safety; reliability; functionality |
| Educational background | Computer Science; Information Systems; Cybersecurity | On the job; Career & Technical Education; Electrical Engineering |
| Reporting chain | ISO; CISO; CIO | Shift Supervisor; Plant Manager; COO |
| Managerial accounting | Cost center | Profit center |



Corporate boards, executives and officers are awakening to the challenges of securing the operational
technology (OT) systems that run their factories, support local economies, and undergird modern societies.

Failure to appreciate the IT-OT gap can hamper effective and sustainable approaches to industrial
cybersecurity. The Industrial Cybersecurity Awakening Model describes the stages many organizations pass
through as their OT security efforts mature. The materials in this guide help shift management mentality
towards Stage 5.

Industrial Cybersecurity Awakening Model

| | STAGE 1 | STAGE 2 | STAGE 3 | STAGE 4 | STAGE 5 |
|---|---|---|---|---|---|
| | External consultants | Allocated budget | Appropriate technology | Industrial cybersecurity program | Industrial cybersecurity team |
| Management mentality | “Get someone in here before that happens again.” | “Here’s some money to go make us secure.” | “Technology will help IT security staff cover OT too.” | “Let’s do this right by following the guidance.” | “Let’s build a team to make this sustainable.” |
| | 6 months | 1 year | 2 years | 3 years | 4 years |



WHAT DOES YOUR INDUSTRIAL CYBERSECURITY TEAM NEED TO KNOW?
A group of 14 industrial cybersecurity subject matter experts representing 88 years of industrial experience,
32 years of cybersecurity experience, and 31 years of industrial cybersecurity experience convened by Idaho
National Laboratory (INL) and Idaho State University (ISU) identified six industrial cybersecurity knowledge
domains and associated content not normally covered in cybersecurity training and education.

Industrial and Cybersecurity Knowledge Domains

Industrial Knowledge
• Industrial operations
• Instrumentation and control
• Equipment
• Communications
• Safety
• Regulation

Cybersecurity Knowledge
• Data
• Software
• Component
• Connection
• System
• Human, organizational and societal

Industrial knowledge domain content:

Industrial operations and processes: industry sectors, professional roles and responsibilities in industrial
environments, engineering diagrams, process types, plant lifecycle.

Instrumentation and control: sensing elements, control devices, programmable control devices, control
paradigms, programming methods, process variables, data acquisition, supervisory control, alarms,
engineering laptops/workstations, data historians.

Equipment under control: motors/generators, pumps, valves, relays, generators, transformers, breakers,
variable frequency drives.

Industrial communications: reference architectures, industrial communications protocols, fieldbuses.

Safety: electrical safety, personal protective equipment, safety/hazards assessment, safety instrumented
systems, lock-out tag-out, safe work procedures, common failure modes for equipment under control.

Regulation and guidance: presidential/executive orders, NIST SP 800-82 R2, IEC 62443, NERC CIP.

Common weaknesses: indefensible architectures, unauthenticated protocols, unpatched and outdated
hardware/firmware/software, lack of training and awareness among ICS-related personnel, transient devices,
third-party access.

Defensive technologies and approaches: firewalls, data diodes, independent sensing and backhaul, ICS
network monitoring, cyber-informed engineering, cyber process hazards assessment, cyber-physical fail-safes,
awareness and training for ICS-related personnel.



HOW DO YOU STRUCTURE AN INDUSTRIAL CYBERSECURITY TEAM?
Managers seeking to build an industrial cybersecurity team may rely on human resource development
models (such as the one shown below) to plan to meet organizational needs. This guide was developed to adhere to the
following role-based workforce development structure. It presents the key role, position description, and tasks.

Figure: Role-based workforce development structure, from top to bottom: KEY ROLE; POSITION DESCRIPTION and TASKS; RESPONSIBILITY; SUBTASKS; KNOWLEDGE, SKILLS, ATTITUDES, BEHAVIORS.

The job role should be the primary component to organizing your workforce.

KEY ROLES OF THE TEAM

ENGINEER
Design safe and secure industrial systems.

ANALYST
Synthesize threat and vulnerability information.

MANAGER
Direct and oversee industrial cybersecurity program.

TECHNICIAN
Assure security and safety of ICS operations.

RESEARCHER
Identify new vulnerabilities to achieve kinetic consequences.



WHAT DOES YOUR INDUSTRIAL CYBERSECURITY TEAM NEED TO DO?
MANAGER
An Industrial Cybersecurity manager is responsible for directing and overseeing the work of industrial
cybersecurity for all phases of the plant, product and system lifecycles. The manager interfaces
continuously with operations, IT, and cybersecurity personnel.

MANAGER PRIMARY TASKS
• Prioritize efforts
• Understand requirements per effort
• Obtain and manage budget
• Build the team
• Run and improve the program.

Qualifications and Certifications
• Master of Business Administration
• Project Management
• Information systems security
• Licensed Professional Engineer
• Industrial cybersecurity.

HIRING GUIDANCE
Ideal candidate has project management experience in cybersecurity AND engineering.

One senior manager per strategic business unit.

Intimately familiar with industrial cybersecurity good practice guidance.

Comfortable in both corporate offices and industrial environments.

Compliance and audit experience desired.

Capable of keeping the big picture in mind while not afraid of technical details.



ENGINEER
The Industrial Cybersecurity engineer works within the engineering department to design and
create systems, processes and procedures that maintain the safety, reliability, controllability and
security of industrial systems in the face of intentional and incidental cyber events. Interfaces
with Chief Information Security Officer, plant managers and industrial cybersecurity technicians.

ENGINEER PRIMARY TASKS
• Direct creation of industrial systems inventory and model for cybersecurity purposes
• Design physical failsafes to counteract potential cybersabotage
• Advise development and operation of security operations center relative to the industrial environment
• Recommend security techniques, technologies, and approaches for adoption in industrial environment
• Create cybersecurity inspection and test procedures for industrial systems
• Review industrial system engineering plans and documentation for cybersecurity concerns
• Review proposed cybersecurity policies and procedures related to industrial environments; and equipment and software based on cybersecurity criteria
• Optimize industrial system designs for security effectiveness and efficiency.

Qualifications and Certifications
• Master of Science in Electrical, Mechanical, or Computer Engineering
• Licensed Professional Engineer
• Industrial automation
• Information systems security.

HIRING GUIDANCE
Most important role on the industrial cybersecurity team and may require skilled recruitment.

Requires 5 or more years of engineering experience in each of industrial automation, information technology, and cybersecurity.

Demonstrates expert-level familiarity with industrial safety and cybersecurity events including detailed root-cause analysis.

Has deep engineering experience and expertise, and is capable of considering the mindset of a well-resourced adversary.

Demonstrates proficiency in systems thinking and systems design, including production of policies, diagrams, drawings, and specifications.

For Team: One or two per facility or per type of facility.



TECHNICIAN
The Industrial Cybersecurity Technician works among plant operations personnel to assure
safety, reliability, functionality and cybersecurity of industrial control systems during installation,
monitoring, troubleshooting, and restoration of industrial process operations.

TECHNICIAN PRIMARY TASKS
• Maintains ICS device asset inventory for security purposes
• Reviews architecture of ICS networks
• Updates ICS software and firmware during stoppages
• Maintains backups of control software
• Maintains awareness of evolving threat environment
• Securely implements process control equipment.

Qualifications and Certifications
• Associate or Bachelor of Applied Science in Engineering Technology
• Control Systems Technician
• Industrial cybersecurity
• Basic networking
• Basic security.

HIRING GUIDANCE
Demonstrates fascination and enthusiasm for knowing how things work.

Demonstrates hands-on experience with industrial automation equipment.

Demonstrates proficiency in safe work procedures.

Provides technical experience and builds relationships that provide a fantastic foundation for all the other cybersecurity roles.

Possesses proficiency in IT and OT terminology and cultures to enable communications across the IT-OT gap.

Understands common security weaknesses in OT environments.

For Team: At least one per facility.



ANALYST
The Industrial Cybersecurity Analyst works among enterprise cybersecurity personnel to
contextualize and synthesize threats, vulnerabilities and consequences relevant to industrial
environments to provide strategic, tactical, and operational decision makers with perspective,
options, and recommendations. The analyst works with industrial operations personnel to gain
perspective and vet practicality of possible courses of action.

ANALYST PRIMARY TASKS
• Stays abreast of emerging developments relevant to industrial cybersecurity
• Dissects analytical requests
• Collects information
• Synthesizes information
• Analyzes threats, vulnerabilities and consequences pertinent to industrial environments
• Produces analytical products
• Proposes new work.

Qualifications and Certifications
• Bachelor of Science or Arts in various fields
• Coursework in intelligence and analysis
• Cybersecurity certifications
• Military intelligence training
• Data visualization.

HIRING GUIDANCE
Enjoys the professional writing process.

Reads insatiably.

Does not shy away from potentially controversial topics.

Presents compelling arguments in written and verbal form.

Has developed deep expertise in various subject areas.

Works well with other analytical thinkers, and appreciates constructive critique.

Never completely satisfied with work product.

Quickly and accurately describes the threat environment pertinent to a given organization.



RESEARCHER
The Industrial Cybersecurity Researcher works to increase detailed knowledge about ways an
industrial cyber-physical system may be compromised, and advance novel ways they may be
protected. The researcher employs specific tools and techniques suited to their assignment,
and often works alone, but engages expert-level resources as necessary. Reports must meet
standards for clarity of technical content.

RESEARCHER PRIMARY TASKS
• Describes and characterizes systems
• Designs and conducts tests
• Discovers vulnerabilities
• Develops adversarial perspective
• Recommends mitigations
• Documents and reports findings.

Qualifications and Certifications
• Bachelor or Master of Science in computer science
• Technical track presentations at security conferences
• Publicly referenced vulnerability disclosures
• Authored security-related tools.

HIRING GUIDANCE
Thrives when working with technology.

Must be capable of explaining and defending their findings.

May enjoy technology interaction outside of work hours.

Shares findings and techniques with other researchers.



INDUSTRIAL CYBERSECURITY WORKFORCE METHODOLOGY
To create this document, INL collaborated with ISU and La Trobe University in a two-phase project.

In Phase I, INL sent 14 subject matter experts to Idaho State University’s Simplot Decision Support Center (SDSC) with the objective of creating a framework for developing industrial cybersecurity training and education standards. The SDSC is an in-person electronic meeting room designed to implement the nominal group technique for decision making – the same facility and technique that the federal government used repeatedly between 1987 and 2005 to create the first federal cybersecurity training and education standards (NSTISS/CNSS Instructions 4011-4016).

For Phase II, INL identified 10 additional collaborators (two per role) with significant experience in each role. The collaborators described tasks each role performs relevant to industrial cybersecurity. The task statements were then consolidated into the primary task lists provided in this document.

LIMITATIONS
In applying the archetype roles and tasks described herein, organizations should consider them notionally prescriptive rather than specifically prescriptive.

FUTURE WORK
Identifying the unique knowledge and job roles required of industrial cybersecurity professionals represents a significant step towards developing a capable workforce. The subject collaborators have noted that there is an ongoing need to establish a repository of knowledge, skills, attitudes, and behaviors on which diverse groups can rely to create training and education standards, personalized training plans, intervention methods, and training content. Their intentions are to use surveys, interviews, and field observations to expand, further validate, and refine the results.

Future deliverables include a Human Resources Guide and a Career Development Guide for Industrial Cybersecurity.

REFERENCES
S. McBride, J. Slay “Towards Standards-Based Industrial Control Systems Security Education in The United States” (2020). https://industrialcyberforce.org/wp-content/uploads/2020/07/Towards-Standards-based-ICS-Security-Education-in-the-United-States.pdf

S. McBride, J. Slay “Criteria for International ICS Security Education Standards” (2020). https://industrialcyberforce.org/wp-content/uploads/2020/07/Criteria-for-International-ICS-Security-Education-Standards.pdf

S. McBride, C. Schou, J. Frost, J. Slay “An Initial Industrial Cybersecurity Workforce Development Framework” (2020). https://industrialcyberforce.org/wp-content/uploads/2020/08/An-Initial-Industrial-Cybersecurity-Workforce-Development-Framework.pdf

S. McBride, J. Slay, C. Schou “A Security Workforce to Bridge the IT-OT Gap” (2020). https://industrialcyberforce.org/wp-content/uploads/2020/08/A-Security-Workforce-to-Bridge-the-IT-OT-Gap.pdf

For more information, visit:
INL’s National and Homeland Security’s Training and Workforce Development Center at https://inl.gov/critical-infrastructure-protection-training/

Idaho State University College of Technology at https://www.isu.edu/industrialcybersecurity/
