Introduction:
The industrial automation industry itself (manufacturers) and its clients is a substantial component in any nation, securing the infrastructure is an underserved category of cyber-security i.e. electronic security. The purpose of this report is to determine what the professional requirements are to succeed in this field. I intend to determine what salient professional knowledge is fundamental to this hybrid form of cyber security.
Since the 1980’s industrial automation in industries have only slowly evolved due to disparate protocols, stand-alone industrial machinery and a general sense of insulation from malicious cyber-attacks. Only in the past several years has such concerns reached the public through the distribution of the Stuxnet and Duqu malware. Due to the obscure nature of this area the human resources to secure industrial infrastructure is inadequate in comparison to general IT cyber-security awareness. The manufacturing industry is a slow moving body in technological terms. Companies make large investments in infrastructure and these investments take several years to amortize. Therefore, once the equipment is paid for other business areas require funding and working equipment is taken for granted. This model was functional before machinery was included in the factory network. Things have changed and ignoring legacy equipment and network configurations is no longer a safe plan for running a business. My organizational proposal is as follows: first an introduction to Information Technology (IT) and the necessity for securing data, second an introduction to Industrial Control Systems (ICS), third the combining of IT and ICS into a variation of conventional IT considerations, finally the future prospects for security personnel in this hybrid technology.
Up until roughly 2010, ICS and IT were two disparate technologies. Since then various interests in federal, state governments as well as private enterprise have recognized that the individual ICS and IT sandboxes must be either bridged, or better yet combined.As cyber warfare and industrial espionage cases threaten businesses proprietary information, product quality, and cutting edge research gains will be lost.The loss of income and product integrity by industry is prompting action. Capable individuals that can think and work in the context of ICS security will find employment and demand a better than average compensation. Some individuals will become the Red Adair of security firefighting.
Methods
My initial approach is to better familiarize myself with this topic and research relevant information. After compiling the material I intend to determine the following:
- What is the required knowledge of Industrial Control Systems (ICS) and Information Technology (IT)
- Determine the different skills that separate ICS from IT
- Do current industries need this skill set?
- ICS security trends that indicate the direction of the ICS security industry
Since this field is reasonably obscure to most readers, including myself, I will attempt to gather primary information from one individual who is an IT administrator at the BoeingCo. The bulk of my research will be secondary information from books, publications, industry periodical and whatever resources that I might find through CWU library searches. I have a kindle book, from Joseph Weiss, and hope to gain access to “Cybersecurity for Industrial Control Systems” by Tyson Macauly and “Robust Control System Networks” by Ralph Langner through library sources. Since the industrial electronic security is in the early stages there is relatively little information in book form. Other resources will include websites and white papers from automation solutions providers such as Rockwell Automation, Siemens, and General Electric. I have also found some reference material found on Ted talks at ted.com, aside from some of the follows on twitter.
My progress so far is an outline of an idea, selecting some of the web sources, looking into ordering some books through libraries, and compiling terms for searches. Chapter 7 is a good source for searching secondary sources. The following site http://mashable.com/2011/11/24/google-search-infographic/ has some suggestions on structuring a search. I am also searching for books on Amazon and checking reviews for different perspectives on my topic.
Qualifications
My qualifications include earning an Associate degree in Electronics and installing numerous sites with networked manufacturing equipment in the printing industry. In 2012, I earned an Associate degree in Network Technology and I am scheduled to graduate with a BAS in Information Technology Administration and Management at the end of winter quarter 2014. I have certificates in Desktop support and digital forensics. My current position as an electronics technician at the Boeing Co. provides for extensive experience with Fanuc and Siemens Process Logic Control (PLC) as well as Rockwell Automation technologies. I have practical experience integrating equipment into existing networks as well as configuring networks from the ground up. I have also attended several classes through the Boeing Co. for Security+, Certified Ethical Hacking (CEH) and Certified Information Systems Security Professional (CISSP). I became interested in digital forensics and security at Edmonds Community College, and, once I heard about the Stuxnet virus impact at a nuclear facility in Iran.
Statement of Benefits
The cost in this analysis and proposal is individual time, education and accumulated experience in the fields of energy, manufacturing, IT, ICS, field devices, etc. There is no formulaic outline of hitting the checkboxes but rather an amalgam of knowledge and experience in relative fields. Since the focus of this analysis is to determine personnel needs and what industry might be looking for in ICS cyber security. The costs of educating a workforce will be borne by the student/worker and employer to create a salient professional background.
I am certain that ICS and cyber security has a long future ahead as long as we have power, water, gas and manufacturing industries and hackers, rogue organizations and hostile foreign/domestic national interests. This is a service area that has been left unexploited and I hope to determine if it is due to complexity, or lack of popular interest. My aim is to share with a non-technical audience the considerations and importance of this technology in simplified layperson terms. My personal ambition is to learn more about the technology and to inform myself about the subject.
Figure-1 Project Schedule English310 Fall 2014
Conclusion
I hope to determine the professional knowledge base required for an IT engineer/technician supporting a portion of the network systems prevalent throughout industry. Industrial infrastructure is a considerable component in networks, of significant financial consequence to stakeholders and extends to our accustomed sources of power, water, consumable as well as industrial goods. My objective is to determine whether this area provides a viable career path for others and me. My status is completing the initial compilation of secondary resource material as a starting point. I am composing an email for the potential interviewee. I am also formulating a short 8 – 10 point questionnaire for the interviewee, which I will email prior to the interview.
Bibliography
David Kennedy, J. O., Kearns, D., & Aharoni, M. (2011). Metasploit The Penetration Tester's Guide. San Francisco: No Starch Press, Inc.
Metasploit is a general hacking resource text. The intended audiences are "White hat hackers" and professional penetration testers. Companies worldwide hire either internal testers or contract with outside vendors. The text compiles into one text many of the cyber security issues and exploitations. The authors provide a good process of approaching hacking and testing systems for penetration vulnerabilities.
Ronald L. Kruz, P. P. (2013). Industrial Automation and Control System Security Principles. Research Triangle Park, NC: International Society of Automation (ISA).
Stenerson, J. (2009). Programming ControlLogix(R) . Clifton Park, NY: Delmar Cengage Learning.
Stewart, J. M., Chapple, M., & Gibson, D. (2012). CISSP Certified Information Systems Security Professional Study Guide 6th Ed. Indianapolis: John Wiley & Sons, Inc.
Weiss, J. (2010). Protecting Industrial Control Systems from Electronic Threats . New York, NY: Protectin Momentum Press.
Joseph Weiss (JW) is referred to by Elinor Mills as a “Crusader for critical infrastructure security” , and has been vocal about the concerns that critical infrastructure security as well as industrial infrastructure electronic security. JW provides background information for readers new to this topic, describes Industrial Control Systems (ICS), covers the synthesis of IT and ICS and proposes a convergence of the two (so far) disparate disciplines. His book also looks at the status of professionals in this area of interest. The remainder of the text touches on tests of systems and lessons learned and looks at unintentional as well as intentional incidents and associated case histories.
Whitepapers. (2014, October 7). Retrieved from http://www.controlglobal.com/: http://www.controlglobal.com/whitepapers/
Control Global is a process automation centric website that provides a wide resource of industrial automation information. Aside from accessing information on this subject, I have to assume that various ICS related companies such as Rockwell Automation, Fanuc, Honeywell, Siemens and many more sponsor the site. Notwithstanding supplier advertising on this site, the site provides whitepapers on the subject and I will need to vet for consistency or pro/anti vendor slanting of white paper content.