Proposed Federal Law Would Boost Security Training for Utilities, Critical Infrastructure Operators

Legislation aims to bolster cyber defenses, but operators should still act now to strengthen security skills

Congress wants to require organizations deemed critical infrastructure to have a cybersecurity awareness training program. And it’s pushing through legislation that would provide such training for free.

More specifically, the Industrial Control Systems Cybersecurity Training Act requires the Cybersecurity and Infrastructure Security Agency – better known as CISA – to provide cybersecurity workers with no-cost training on best practices for securing industrial control systems.

It also calls for CISA to provide both virtual and in-person training, with courses targeted to workers at various skill levels.

These programs would be available to security workers in government entities as well as the private sector.

This new training initiative would supplement a raft of existing training programs already offered by CISA.

The government’s goal here is to ensure security professionals know about emerging threats and how they can most effectively mitigate them – an essential skill in a world where adversarial tactics and techniques are constantly evolving.

Indeed, the bill’s sponsor – U.S. Rep. Eric Swalwell, a California Democrat serving on both the House Select Committee on Intelligence and the House Homeland Security Committee – introduced the bill in May in response to the increasing number of cyberthreats coming out of Russia, saying that the country “must be cognizant of cyberwarfare from state-sponsored actors.”

He noted that this legislation “would help train our information technology professionals in the federal government, national laboratories, and private sector to better defend against damaging foreign attacks.”

Members of both parties agreed: The House on June 21 passed the bill with strong bipartisan support, sending it to the Senate for its approval.

This training initiative has Strive’s vote of confidence, too, as we have long believed that a well-trained, well-informed cybersecurity workforce is essential to protecting both operational technology (OT) and information technology (IT).

And we expect this bill to be enacted into law – as it should be.

Our country needs more training to counter the growing number and sophistication of attacks coming at us here in the United States and at the critical infrastructure sector in particular.

We also recognize that this training could help address some of the challenges that organizations face on the talent front.

First, there’s a lack of cybersecurity professionals in general. A report from the International Information System Security Certification Consortium, or (ISC)², puts the number of unfilled cybersecurity jobs at 377,000 in the United States alone. (It’s about 2.7 million globally.)

The nonprofit Cyberseek puts the number of unfilled U.S. cybersecurity positions even higher, at 714,548 as of mid-August.

At the same time, many of the existing cybersecurity professionals lack some of the essential skills needed to be most effective in their roles – a lack that’s particularly acute in the area of OT cybersecurity, where practitioners must have an understanding of both IT and OT systems as well as the policies, procedures and tools that can protect them.

Consider the findings from The 2022 State of Operational Technology report, which surveyed 3,500 OT security professionals across the globe and found that 69% believe the lack of OT security staff “is diminishing the effectiveness of their organization’s OT security.”

The ICS training act, if passed by the Senate and then signed into law by President Biden, could help alleviate some of those dire findings.

That said, we see no need for critical infrastructure owners and operators to wait for Congress to finalize this act.

Upskilling your existing staff and providing ongoing training to your team is one of the most effective investments you can make – and it’s one you should be making now.

Your security pros already know your environment and have a good handle on the components that present the highest risks and, thus, need the highest levels of protection. So give them the additional skills they need to perform at their best.

As mentioned above, CISA already offers numerous free training programs, including both independent study and instructor-led courses, tailored for critical infrastructure owners and operators. That’s in addition to the training programs offered by multiple other sources, including (ISC)² and SANS as well as colleges and universities.

At the same time, critical infrastructure owners and operators should review the cybersecurity awareness training program for their overall workforce to ensure it’s comprehensive and up-to-date.

It’s worth the effort.

According to the World Economic Forum’s Global Risks Report 2022, 95% of cybersecurity issues can be traced to human error. And the 2022 State of Operational Technology report found that 79% of survey respondents think human error poses the greatest risk for compromise to OT systems.

With figures like that, it’s easy to demonstrate why solid cybersecurity training programs for both security pros and general staff pay off. We see it. The U.S. House of Representatives sees it. And you should know, too, that an investment in security training delivers real returns by decreasing your risk and strengthening your security posture.

So, if and when the ICS security training act becomes law, take advantage of the free courses. But don’t feel you should wait for it. Training and upskilling should be an ongoing activity, and you should be doing it now.

Looking for more information?

Our Cybersecurity & Compliance solutions ensure that your business is protected and secured from cyber threats whenever, wherever. Minimize your exposure to cyberattacks and regulatory fines without impacting your business operations – Strive can help.
