There will be nine million global public and private sector cybersecurity jobs by 2019, but only 4.5 million qualified to do them
By now, it should be clear to anyone paying attention that the energy industry needs serious cybersecurity. High profile hacks in the news have brought the issue to the fore, but it just makes logical sense: our energy grids are critical infrastructure and increasingly digitally connected, making them cyber vulnerable. Utilities, therefore, need cybersecurity.
The problem is, there simply aren’t enough people with the right skills in the industry to keep our grids secure. This isn’t just a skills gap, rather four compounding skills gaps that we need to address. Together, they add up to more of a chasm than a gap. What to do?
Gap one: not enough cybersecurity skills in energy
Electricity underpins nearly every aspect of modern life. That takes a lot of infrastructure and a big industry. By extension, that means a large cybersecurity requirement – one that will only get larger as the grid is digitised.
The problem is, there are frighteningly few cybersecurity experts with the right skills in the energy industry. This is for a number of reasons.
First, working in the industry requires a dual cybersecurity skill set: you have to understand both IT (information technology) and OT (operational technology). That means you need to understand not only the communications technology but also the engineering equipment that produces and transmits the energy, as well as how these interact. That’s a niche skillset which not many people have.
Utilities also need to elevate and integrate cyber security’s position in the business. Cybersecurity is a business-level risk and a core strategic function – it needs to be present throughout the organisation, not isolated as a siloed function. Over the past few years, utilities have taken tangible steps to make this happen and it’s paying dividends. However, there’s still distance to go: increased investment and greater internal recognition may well attract more talent.
The energy sector is also viewed by many as a very conservative, traditional industry. Contrast that with the glamour of the techie start-up scene or the giants like Facebook or Google. If you’re a young cybersecurity expert with big ambitions, where do you apply?
Taken together, these factors begin to show why the energy industry might lose out on some talent. However, that wouldn’t be as much of an issue if there was a bigger pool of cybersecurity talent out there.
Gap two: not enough cybersecurity skills in total
The fact is that cybersecurity skills are at a premium. The International Information System Security Certification Consortium, (ISC) predicts there will be nine million global public and private sector cybersecurity jobs by 2019, but only 4.5 million qualified to do them.
That’s half. Half the people we need in the cybersecurity sector.
Partly, this will be down to the fact that it takes smart, talented people to keep us safe from cyber threats and hackers (because they are often smart, talented people themselves). Not just anyone can pick up a keyboard and become an expert.
But that can’t be the whole story. In fact, to fix this skills gap, we need to go one step back again to…
Gap three: not enough technically educated people
Across Europe and elsewhere, much has been made of the shortfall in the technically educated workforce. Not enough of our young people are opting for education and career paths in the science, technology, engineering, and maths (STEM) fields.
This is important because those are the baseline skills and modes of thinking that are essential to success in the highly technical cyber-security field. Success varies across Europe, but every country is waking up and realising we need a greater technically educated workforce across the board. For example, the European Commission estimates there will be 500,000 unfilled ICT vacancies in Europe by 2020.
Gap four: not enough cyber awareness
So, we don’t have enough cybersecurity experts in energy, which is difficult to fix because there aren’t enough cybersecurity experts to go around. That’s tricky to solve because we don’t have enough technically trained people to go into cybersecurity. The problem cascades from one level to another.
But, in the energy industry, these are compounded by a different skills gap: the one of cyber awareness. This is an organisational challenge to inculcate basic cybersecurity proficiency and awareness into employees and practices.
Cybersecurity can never be the sole responsibility of one person or department. Human error is still strongly linked to vulnerabilities and, more often than not, this is because non-security employees haven’t been trained to keep the utility secure.
Basic examples can include things like good password practice, or not leaving USB pen drives lying around (it happens). More advanced training could include how to spot phishing attacks and avoid them, or best practice around using home IT equipment on the company’s networks.
No amount of cybersecurity star talent will be enough if these open doors aren’t closed across the organisation.
Plugging the gaps
The scale of the problem shows this won’t be fixed overnight. But there’s room for hope in the longer-term. Today’s workers in their thirties and early forties may or may not have had access to computers growing up. By contrast, recent graduates will have grown up online with a far more intimate understanding of IT and security. Tomorrow’s workforce goes even further – almost learning to navigate a tablet before they can walk!
But we can’t wait. So what can we do now?
First, we all need to do more to fix energy’s image problem. Not only is the picture of a stuffy old industry unhelpful, it’s untrue. Energy is undergoing an amazing revolution, transitioning to a cleaner and smarter grid. The mixture of IT and OT problems to solve should be catnip to a technological mind if we can only show how exciting it can be – and you can have far more impact keeping the lights on than keeping social media accounts safe.
We also need to work more closely with schools and universities to tempt young people onto the right career path – both for energy and cyber security more generally. At ENCS, we work closely with universities, running training days and internship programmes, but we need to be doing this right across the industry. Furthermore, we need to be inspiring young people earlier, going beyond the universities and into schools, increasing the uptake of STEM subjects in further education.
And we can’t forget that final skills-gap – the one of awareness and basic capability across the organisation. The good news is these aren’t necessarily complex skills and can be taught to staff already in their roles. The bad news is that it takes a level of investment that not many utilities have been able to make so far.
There are no magic bullets. This will all require time and resources – possibly in significant amounts. However, a tipping point is imminent where inaction is far costlier than action – both in terms of the balance sheet, and its effect on Europe’s citizens. We are talking about critical infrastructure after all.
Michael John is the Director of Consulting Services at the European Network for Cyber Security (ENCS). With his work at ENCS, Michael is fully committed to enhancing the utilities’ security and privacy landscape. Michael is leading several projects for ENCS in the domain of Smart Metering, Electric Vehicle, and Distribution Automation security.
Prior to this role at ENCS, Michael worked at Elster, a leading Smart Meter manufacturer, where he was responsible for ensuring Elster’s Smart Metering applications are secure by design and fully compliant with the latest EU standards.
If you enjoyed this, you may wish to view the following:
Students will have hands-on training with real-world software and hardware to design and manage self-healing power grids
In praise of Lego
The great thing about FIRST Lego League is that it engages girls
Smart students and smart thinking
A cloud-connected sensor system that can warn homeowners of a gas leak was among the smart solutions prototyped
|www.smartcitiesworld.net||JSESSIONID||To keep track of user sessions on the site and identify your user session.|
|www.smartcitiesworld.net||AFFINO_x||If we are hosting your sites this option is ticked. Each user profile has a number replacing x|
|www.smartcitiesworld.net||RVP||As a guest user we store the last 10 products you viewed|
|accounts_tab_active||Store the state of the Affino accounts tab (open or closed)|
|contacts_tab_active||Store the state of the Affino contacts tab (open or closed)|
|Affino_Control||Stores the layout of the Affino control panel (left or right)|
|Affino_BrowserMode||Set your browser to iPad and you'll be able to see what that user sees|
|LiveEditSwitch||Affino functionality remembers your settings if live edit switch is on/off|
|Affino_ControlWideScreen||Affino functionality remembers your settings if you selected this option|
|NewID||Cross domain check|
|Affino_CartID||Holds the users shopping cart ID|
|smartcitiesworld.net||km_ai||Is used on affino.com but is not in standard Affino. If your site uses Kissmetrics you'll need to include these.|
|www.smartcitiesworld.net||PRECACHE||Serve a cached version of the website to users to improve the performance of the site|
|facebook.com||__utma, __utmb, __utmc, __utmv, __utmz||These are used for facebook integration. Some Affino sites use single sign on (SSO). This service provides users with the option to sign in using their Facebook login. If they chose to do so Facebook cookies are set.
Further information on Facebook's Data Use policy is available at www.facebook.com/about/privacy
|player.vimeo.com||c_user, datr, act, locale, lu, p, presence, s, xs||When users view a web page on your site with an embedded Vimeo video, Vimeo creates these cookies|
|www.linkedin.com||X-LI-IDC||These are used for LinkedIn integration. Some Affino sites use single sign on (SSO). This service provides users with the option sign in using their LinkedIn login. If they chose to do so LinkedIn cookies are set.|
|linkedin.com||__qca, __utma, __utmb, __utmc, __utmv, __utmz, _lipt, bcookie, lang, lw|
|doubleclick.net||id||This is a Google tracking cookie for advertising purposes|
|soundcloud.com||__utma||Soundcloud can be used to share music and audio files. They use google analytics to capture visitor information|
|youtube.com||PREF||When you view a web page on your site with an embedded YouTube video, YouTube creates these cookies|
|imrworldwide.com||IMRID||These are cookies from an internet media and market research company Red Sheriff|
|quantserve.com||mc||This is an advertising cookie from Qantcast|
|scorecardresearch.com||UID||These are market research cookies|