“You can only cover about 65% of the cybersecurity workforce demand with the existing workforce today. So we need to do something to address that gap. We need to either build that workforce or re-skill existing individuals that are looking to get into new fields. That’s the approach that we’re taking. So the need is there. We know that cyber risk is there. We know that adversaries are constantly re-skilling and skilling up as well. And we need to build a protective workforce around that.” – John Ellis

In this episode of Hack the Plant, we feature John Ellis, who heads up the Industrial Cyber Alliances at Siemens Energy. We discuss a new, industry-led apprenticeship program he runs which focuses on critical infrastructure protection, called CIISAp (short for: Cybersecurity & Industrial Infrastructure Security Apprenticeship Program).

ICS Village is one of the partners of this program, which is tackling the shortage of skilled employees in the critical infrastructure workforce.

How is the cohort designed? How can we encourage collaboration among tech companies, service companies, academia, and government to train the cyber workforce of the future?

Join us to learn more.

(Subscribe to Hack the Plant on Spotify or Apple, by RSS feed or search for it wherever you listen to podcasts.)

TRANSCRIPT

Joshua Corman: 

Our dependence on connected technology is growing faster than our ability to secure it, especially in areas affecting public safety and human life.

Bryson Bort: 

I’m Bryson Bort. And this is Hack the Plant. Electricity, finance, transportation, our water supply. We take these critical infrastructure systems for granted, but they’re all becoming increasingly dependent on the internet to function. Every day I ask and look for answers to the questions. Does our connectivity leave us more vulnerable to attacks by our enemies? I’m a senior fellow at the R Street Institute and the co-founder of the nonprofit ICS Village, educating people on critical infrastructure security with hands-on examples, not just nerd stuff. I founded GRIMM in 2013, a consultancy that works the front lines of these problems every day for clients all over the world.

[SPEAKER]: 

It’s playing out in Israel right now where hackers have been going after Israeli water systems. Again, not to steal information from them, to change the setting on the chemicals in Israeli water.

Bryson Bort: 

Each month, I’m going to walk you through my world of hackers, insiders, and government working on the front lines of cybersecurity and public safety to protect the systems you rely upon every day.

[SPEAKER]: 

If you think that the small town water authorities and the mom-and-pop-sized companies have better cybersecurity in the US than the Israelis do, I have really really bad news for you.

Bryson Bort: 

An attack on our critical infrastructure, the degradation to the point that they can no longer support us means that we go back to the stone age literally overnight.

[SPEAKER]: 

If we think the government’s going to solve it for us, we’re wrong. We have to help them.

Bryson Bort: 

This is not a podcast for the faint of heart. If you want to meet those protecting the world and what problems keep them up at night, then this is the podcast for you.

I’m Bryson Bort and this is Hack the Plant.

For today’s episode, I’m joined by John Ellis, who heads up Industrial Cyber Alliances at Siemens Energy.

We’re here today to talk about a new, industry-led apprenticeship program focusing on critical infrastructure protection called CIISAp (short for: Cybersecurity & Industrial Infrastructure Security Apprenticeship Program). ICS Village is one of the partners of this program.

Tom VanNorman, my co-founder with the ICS Village: “High-profile Industrial Control System security issues have grabbed headlines and sparked change throughout all industries. This apprenticeship program will provide our non-profit with another avenue to train and introduce people to Industrial Control Systems that are used within Critical Infrastructure and help close the gap on the shortage of skilled employees.”

This program puts employer and workforce needs at the forefront of the academic program design.

John Ellis:

There was a really great SANS survey that came out recently that said that 56% of industrial or OT asset owners are actually not able to complete industrial cyber projects because of a lack of human resources within the organization. And when we look at, for instance, the NIST’s CyberSeek website to see where there’re open roles and you do the math, you find that pretty quickly there’s, what is it? Something like 65% or something like that of the demand out there. You can only cover about 65% of the cybersecurity workforce demand with the existing workforce today.

So we need to do something to address that gap. We need to either build that workforce or re-skill existing individuals that are looking to get into new fields. That’s the approach that we’re taking. So the need is there. We know that cyber risk is there. We know that adversaries are constantly re-skilling and skilling up as well. And we need to build a protective workforce around that.

Bryson Bort:

Join us as we discuss the design of the cohort, and how to better leverage collaboration among tech companies, service companies, academia, and government to train the cyber workforce of the future.

Bryson Bort:

If you could start off with an introduction, please?

John Ellis:

Okay. So my name’s John Ellis. I work at Siemens Energy and I head up our Industrial Cyber Alliances. So working between technology companies, service companies, academic partners, and really, trying to build the relationships that our company needs to be successful.

Bryson Bort:

So, John, you recently just led a big announcement for the Cybersecurity & Industrial Infrastructure Security Apprenticeship Program, CIISAp. Which, first question, is that supposed to be a playoff of CISA?

John Ellis:

Oh, of course. Right? It’s definitely a play off of CISA and very intentionally. We’re working in the same space and find a lot of shared topics there.

Bryson Bort:

So what is it?

John Ellis:

What this program is about is we’re trying to solve one of the really big issues right now in critical infrastructure protection. And that is, where do you find the resources to be able to really care after these resources, these assets out there? So how we formulated this is we thought really, a lot of the programs that exist today are either led by academia. They’re led by government. Where’s that industry voice? So we wanted to have an industry-led apprenticeship program that really brought together the skills that are needed directly in the workforce, but also tie that back to make sure that we’re creating academic programs that match employer needs such as Siemens Energy, and really putting that together into a cohesive program.

So, one of the things that we found when we’re thinking through this program is that a lot of individuals out there that know about OT or industrial cybersecurity, they typically have to take a really organic approach to it. Maybe they started off as a controls engineer, technician, and then moved into the cybersecurity space organically, from like a workplace project or something like that. We found that typically it takes about 10 to 12 years to develop the skillset needed to understand both the physical process and the cyber piece of it, and we wanted to find ways to really bring that number down and get a work-ready workforce focused on industrial cyber in a shorter amount of time. And Siemens Energy has a lot of experience building apprenticeship programs, worker student programs, internships. I myself have actually been in two of those programs. And we lean to that tool. We reach for that tool to help address this issue.

Bryson Bort:

What is the value of the industry voice? You mentioned that there are government programs out there, there are academic programs that are out there. So who cares if it’s industry driving one?

John Ellis:

Yeah, that’s a really great question. So I think where industry has a place in capturing that voice is that we’re working directly with the asset owners in many cases. We hear their needs. We know what types of solutions they’re looking for, services. And we as a company are often in need of similar services and skillsets and those types of things. So we are essentially the demand side of this education pipeline, and we feel that that’s a really great place to start when thinking about what the structure of academic programs look like, and even the structure of workforce development programs.

Bryson Bort:

You mentioned the multiple elements and probably more fundamentally the length of time it requires to become, I don’t know, I would say, expert but functionally competent in this area. Why is it that it’s so challenging here compared to traditional modes of the workforce in cybersecurity?

John Ellis:

Yeah, that’s a really great question. So one, I think is there are a lot of cybersecurity programs available today in academia. So there are a lot of cybersecurity programs, boot camps, things like that that one can go to to learn about cybersecurity. What we’ve found is that many of them end up on the IT side, right? Looking after apps, cell phones, laptops, that type of thing. There are far fewer programs. At our last count, less than 10 programs in the United States right now that actually teach about cybersecurity for industrial infrastructure. So really looking at PLCs and HMIs and all these industrial assets, these control systems that sit within our critical infrastructure. There are very few programs that train about how to protect them.

And then, to go on top of that, I think there’s a really important aspect about the viewpoint here. So in order to, or at least our position on what it takes to be a really great industrial cybersecurity defender, you need to have an understanding of the underlying physical process. So that’s either power generation, water filtration, manufacturing, any of those types of those sectors. You need to have an understanding of the physical process as well as the cyber side. And it’s just really tough to find learning opportunities where an individual can get both of those experiences, because you’re going to need to have physical access to these types of systems somewhere.

And fortunately, we’re in that space. We’re an OEM. We work with a lot of our partners to develop new solutions and services that are very specific to this market. And then, we’re also a cybersecurity provider. But in this podcast, I also want to really note that we’re not alone in this initiative. We knew from the start that we wanted to build an ecosystem and that this was more of an industry-wide lift all boats type of play. And that’s why we started with an ecosystem, but wanted to start from the position of an industry-led ecosystem.

Bryson Bort:

So why now for the program?

John Ellis:

Yeah, that’s a really great question. Looking at some of the surveys that have been going around recently I think really points to the problem why we need a program like this now. And there was a really great SANS survey that came out recently that said that 56% of industrial or OT asset owners are actually not able to complete industrial cyber projects because of a lack of human resources within the organization. And when we look at, for instance, the NIST’s CyberSeek website to see where there’re open roles and you do the math, you find that pretty quickly there’s, what is it? Something like 65% or something like that of the demand out there. You can only cover about 65% of the cybersecurity workforce demand with the existing workforce today.

So we need to do something to address that gap. We need to either build that workforce or re-skill existing individuals that are looking to get into new fields. That’s the approach that we’re taking. So the need is there. We know that cyber risk is there. We know that adversaries are constantly re-skilling and skilling up as well. And we need to build a protective workforce around that.

Bryson Bort:

What are the expectations for the program and when does it start?

John Ellis:

The expectation is that we’re going to aim for the academic year of 22-23. So starting in the late fall of 2022. That’s when we’re looking to start this. In terms of the expectations, we’re really looking for three different groups of people or maybe more that will be part of this program.

In the first group, it’s for only those individuals that don’t have cybersecurity experience or industrial controls experience. So this is someone that’s just entering the workforce or perhaps is changing industries entirely and sees an opportunity for themselves. And another group that we’re looking at and really want to serve with a program like this are those that have industrial controls experience but no cyber experience.

So, thinking about those that have industrial controls technician experience, maybe they’ve worked on types of technology that are transitioning out right now in the energy transition, or even looking at another group that has the cybersecurity experience but no industrial controls experience. So thinking cyber operators, those in IT cyber that are looking to upskill or reskill into the industrial space. So those are the populations that we’re trying to help with this program or really to reach with this program.

And the structure of it, the way that we’re looking at this is we think that you really need to have more of a rotational experience. So experiential learning is at the core of this, and we want participants, apprentices in this program to get hands-on experience with real assets out in the field, touching these control systems, knowing how to set them up, knowing how to configure them, knowing how to service them, all that hands-on physical equipment side of this.

And then on the other side of that, we want to be able to provide the back office, software-driven, threat-hunting working off of a playbook, those types of experiences as well. So we’re combining this program into four rotations that’ll also include a two-year part-time degree that’s earned along the way. And then also building in opportunities to gain industry-recognized certifications, licenses, but importantly, community is part of this.

Bryson Bort:

How are you looking at community with this program?

John Ellis:

I’m glad you asked. So we were pretty fortunate when we started thinking about this program. We actually partnered up with Johns Hopkins Carey Business School and they have a design thinking class. And we put the question towards that class, how should we be rethinking the design of apprenticeship programs in 2021 is when we asked the question. And what we heard back was that we needed to be more flexible in the approach, being able to reach individuals that have family at home, looking beyond the traditional apprenticeship model. So that’s one of the things that we built into this. So how we built that in is looking at remote options, flexibility and learning, and really pairing that up with company policies as well that allow for some flexibility. So that was really one of the central things.

The other thing that we learned from surveys and just going out there and asking questions, meeting real apprentices that exist today and saying, what works for you, what doesn’t. What we also heard is that joining up with a buddy was really important to a lot of people. So they want to be able to, just like the military, join with a friend or joining a cohort. And then you get that community experience. You can learn from each other, as well as just taking the classes. And in cybersecurity, I think there’s really an important space for that type of community approach because when everyone’s working from similar playbooks, you can respond to distributed events, which pop up in the industrial sector a little bit more commonly.

So we’re really trying to build in that community aspect that individuals can learn off of each other and react together. And that supports some of the model that we’re seeing even at the state level now about how to develop fusion centers or joint responses, collective action against cyber attacks, building common playbooks for everyone to work off of. And that was another approach that we came from.

Bryson Bort:

So that brings out the skeptic in me. It sounds good to have somebody sign up with a buddy, but how do you actually, I mean, beyond encourage it, how does that actually come to bear?

John Ellis:

Yes, that’s a really good question. So there are a lot of approaches to building apprenticeship programs and to building workforce programs. The model that quite often is used is to simply train then try to find the jobs. And that’s, in our view, we want to actually start in a little bit different position. So in this type of program, we’re asking that employers help those or really create positions that start roughly at the same time as when the academic training happens.

So this means that individuals are going to be able to start class, start working at the same time. So there’s a little bit of a built-in community there already, because you’re hired in as a cohort, you have the same classmates. They might even work at a different company but you’re going to have the same classmates, you’re going to have others within your same company that you’re hired as part of, they’re going to be provided with a mentor, as well as part of the apprenticeship concept. And then importantly, I think this is really where the ecosystem part of this comes in.

Right from the beginning, we wanted to not just say, “This is just industry and just academia.” We wanted to really look at who were leaders in this space. So Bryson, from our work with ICS Village, we knew that ICS Village was a leading voice in education for industrial controls and has a great community around it. So we looked for those types of partnerships and that type of voice to work with because we want to get that message out and we also want to welcome other companies in to collaborate with us and help develop this workforce for everyone.

Bryson Bort:

Where did the mentors come from?

John Ellis:

Yeah, so we’re very fortunate at Siemens Energy because we’re an OEM. We service this equipment. We also provide cybersecurity solutions and services. So we have a lot of in-house mentors, but we are also looking beyond our own organization to try to find additional mentors. The expectation though for the apprenticeship program, this is more of a requirement of registered apprenticeship programs, is that each apprentice must be partnered with a mentor. So we’re asking companies that do want to step up and join this initiative, that they also start thinking about who their mentors, who their digital champions are, who their cybersecurity leaders are in their organizations to be able to support this type of program.

Bryson Bort:

That’s a really good segue to who are the partners that are currently in the program and how can our listeners support or engage with this?

John Ellis:

Yeah. So I’m really glad you asked that question. So there are two universities that we’re working with. And one, I think many will be familiar with, Idaho State University, who works very closely with Idaho National Labs on industrial cybersecurity, and is currently leading the ICSCOP or Community of Practice. That was one of the first partners that we contacted about this. We’re also working with Capitol Technology University, which has fantastic programs at undergrad, master’s, graduate level, also on critical infrastructure.

And then we’re also working with ICS Village, which I mentioned earlier, the Regional Economic Development for Eastern Idaho or REDI, MISI Academy and SANS Institute.

We’re actively looking for additional academic partners, nonprofits, workforce development organizations and additional employers as well. And the easiest way to reach out is you can email me. It’s just [email protected] and that’s the best way to get started. We’re building up the team now and we’re looking to make some announcements over the next short months and they’re actively looking for employers.

Bryson Bort:

Looking beyond the United States, are there opportunities with our allies or with other international countries?

John Ellis:

Absolutely. So this program right now, we’re starting in the United States and focusing on the 10 CISA regions. That’s the starting point for this, but what we’re really developing here is a framework that we think can be shared and used to help build up a localized workforce that is focused on industrial cybersecurity. And there’s some considerations in there. So we’ve done a lot of work recently to try to figure out what this program will look like, what are the core requirements.

One of the things I would say is that if others are looking to build a similar ecosystem or would like to do it with us, we are looking for academic institutions, and we’ve found that those that have a computer science department, a mechanical engineering department, and an electrical engineering department typically have the right skillset to at least get started in this process and develop a program.

There’s also some really fantastic publicly available tools to even get entire curricula related to industrial cybersecurity so that we’ve got some really great resources there. And if I were to say what’s in the kit to get started, you need to find a good academic partner, local employers, and then also organizations that can help you connect with potential apprentices. So workforce development organizations, government-led initiatives to improve cyber skillsets, those types of things.

Bryson Bort:

All right. Thinking more broadly, if you could wave a magic air-gapped wand, what is one thing you would change?

John Ellis:

One of the things that I’m really happy to see actually, so somebody already waved this wand and I’ll say a lot of the CISA leadership I’ve been seeing has been waving this wand, looking closer at public-private partnerships to address cybersecurity needs has been really, really great. And I’m liking the sector level approach because it captures the nuance in each of the sectors, but it’s also capturing the industry voice and other interested organizations. I’m happy that somebody waved that wand recently. That would’ve been my ask a year ago perhaps, but I guess I need to come up with another one that’s like fully my own, right?

Bryson Bort:

You can double down on what’s happening. I will certainly note that. There’s been a lot of talk around what you just said but full implementation, I think we’re still ways away from it making everybody happy.

John Ellis:

And I agree. Yeah. I think as we get away from executive orders and get more tactical, that’s going to be a really interesting process. And I think it’s going to be pretty exciting to see those changes. In terms of this apprenticeship or in terms of these types of programs, one of the biggest gaps that I see that I would like to wave a wand for would be to create funding opportunities for universities to expand their cybersecurity education more into the industrial space because the investment looks a little bit different.

So I went to a cybersecurity master’s program at Penn State and it was great. I got my student discount for Nessus and a couple other tools, right. Wireshark and the like, and it was great. And I learned a lot of really important stuff, but I did not get experience with some of the industrial control systems or those more kind of physical assets that need to be touched to learn that industry. So I think that there’s a gap in funding to develop the types of laboratory experiences that we need to develop an industrial cybersecurity workforce.

Bryson Bort:

All right, there you go. And I was just thinking of the metric to how we know that government-private-public partnership is working will be that we will no longer say we need to do information sharing after the next breach.

John Ellis:

Yes.

Bryson Bort:

All right. You’ve waved your magic wand. Now, look into your crystal ball, five-year prediction, one good thing and one bad thing that you think will happen.

John Ellis:

Okay. Five years from now. So actually one thing I’ve been watching pretty closely is topics around software bill of materials. And that is something I think that we’re going to start seeing more nutritional label type of things on our software. That could be one of the good things. Maybe another topic that is interesting to me is a lot of the work that’s been done to secure supply chains and really thinking through that recently. That’s another one that I would add on my exciting or good things in five years is just continued progress on secure supply chains.

I do think that in five years, we’re also going to see a little bit better cross sector organization around cybersecurity topics and the type of support that really builds up that public-private partnership aspect of it. Information sharing, right. But also tool sharing and developing playbooks that can work across sectors or central organizations that are really developing that type of concept. That’s something I think we’ll see in the next five years, for sure.

On the downside, maybe a little bit of a generic remark here but I think that at the same time that we are upskilling and building our defense, adversaries are also upskilling and learning just as hard. So I think that this is a continuing process of learning and developing tools and creating the learning opportunities and experiences that are needed to maintain and build a world class cyber defense workforce. It’s an ongoing exercise. And I think that we need to approach it really with an agile eye of continuing to look to what’s next, making sure that we’re using the best technology, making sure that we’re adjusting our process and guidelines on the newest information and really working together as an industry to address some of those needs.

We are looking for employers, I will say, we are looking for employers that are interested in joining and we’re hoping to get a second cohort launched by April. So that’s the deadline that we’re looking to is to really have a second cohort leading employers and industrial cyber across all the industrial sectors reach out. And let’s talk. We’ve got a great framework. We want to work with you. We’ve got ideas to share and we want to hear yours too.

Bryson Bort:

All right. Thank you.

John Ellis:

Thank you.