Written by Dan Verton
It’s no secret that the nation suffers from a critical shortage of skilled cybersecurity professionals. From the Defense Department to the Fortune 500, the demand for educated and experienced cybersecurity pros has never been greater.
But the demand and the shortfall may be larger than anybody ever imagined if you consider the size and scope of the nation’s critical infrastructure. There are more than 300,000 manufacturing plants in the U.S., 50,000 water utilities, thousands of electric utilities, 200 natural gas utilities controlling 2.4 million miles of distribution pipes, 28,000 food processing plants, 100 urban rail systems and 140,000 miles of freight rail tracks — and that’s just a small portion of the nation’s critical infrastructure.
All of these infrastructure sectors are powered by computers and networks known as industrial control systems, which require unique skills and knowledge to keep secure. But training and educating enough cybersecurity professionals to protect such a massive network of systems may prove impossible.
The size and scale of the nation’s critical infrastructure require “hundreds of thousands” of people to manage, operate and secure, said Chris Blask, chairman of the Industrial Control System Information Sharing and Analysis Center, during a webcast June 25 that explored the ability of the U.S. education system to produce enough cybersecurity workers to protect the nation.
“We have to have enough people who understand these issues. Just having enough people to do the work is potentially an unsolvable problem,” Blask said.
The nation remains virtually incapacitated by a shortage of highly qualified graduates with degrees in science, technology, engineering and mathematics, and by a large percentage of high school students who are not prepared for college-level STEM programs.
In 2013, only 44 percent of high school graduates were deemed ready for college-level math, according to the National Math and Science Initiative. In addition, NMSI studies show 38 percent of U.S. college students who study a STEM discipline do not graduate with a STEM degree.
But those statistics tell only part of the story. When it comes to critical infrastructure and securing industrial control systems, the workforce challenges get worse.
“We have a gap of understanding,” Blask said. “We still have this operational technologies versus informational technologies gap. There are those who know mechanical engineering and physical engineering and we have those who know IT. The former tend to be later in their careers and the latter tend to be earlier in their careers.”
Part of the answer to the problem can be found in machine-to-machine information sharing that can cut down on the number of cybersecurity professionals needed. The ICS ISAC this week deployed a server for this purpose under a program code-named Project Avalanche. It is the 26th such server deployed around the world to date.
“You can think of it as an Apache Web server for information sharing,” Blask said. “We will see thousands, tens of thousands, even millions of these over the next…seven years,” he said.
But Blask acknowledged that while such automation will improve operational knowledge sharing, qualified people are still needed to act on the information.
Educators point to a growing number of college and university programs as evidence that the education system is responding to the need, but they acknowledge that the jury is still out on whether the gap can be closed.
“We’ve raised the bar. We have those things [necessary to provide education and training],” Art Conklin, associate professor at the College of Technology at the University of Houston, said. “Now it’s a matter of throughput, the number of students and students coming ready to learn.”
But when it comes to scaling the education pipeline to the workforce challenges of critical infrastructure protection, more focused training is needed, Conklin said. There are 186 colleges currently participating in the Centers of Excellence program run by the NSA and Department of Homeland Security.
“I think we have enough schools,” Conklin said. “The question is what areas are they going to specialize in, and do we have enough [students studying] industrial control systems?”
Greg White, associate professor of computer science at the University of Texas at San Antonio, agreed the education system as a whole has responded to the need. Today “you see a boatload” of academic programs and centers of excellence for cybersecurity education, White said, adding that there are more than 150 two- and four-year colleges with cybersecurity programs.
“In terms of raising the bar, that’s a good sign. That’s a significant sign that we are taking security a little bit more seriously,” White said. “At the same time, however, when you try to figure out what should be in a cybersecurity program, there isn’t necessarily a good consensus.”
Infrastructure security and industrial control systems security “is not as ingrained into our security curriculum as maybe it ought to be,” he said.
But when it comes to college graduates, there’s still a question of numbers and quality.
“We don’t really have a good feel for what the numbers are,” White said. “How many security specialists do we need in one area versus this other area? It’s a big problem. And at some level, everybody needs to be involved.”
Students, however, vote with their feet, Conklin said. “My program is the size that it is because that’s how many students sign up for it. And there’s not a lot of stellar candidates,” Conklin said.
Surprisingly, cybersecurity is not yet a field people view as one they just have to get into, he said. And that raises an interesting and provocative question in Conklin’s mind: “Are we getting the best and the brightest?”