
Alignment and Gaps in Workforce Development Programs for Phase 2 of the PDF

182 Pages·2013·5.19 MB·English

Preview Alignment and Gaps in Workforce Development Programs for Phase 2 of the

PNNL-22653

Prepared for the U.S. Department of Energy under Contract DE-AC05-76RL01830

Developing Secure Power Systems Professional Competence: Alignment and Gaps in Workforce Development Programs for Phase 2 of the Secure Power Systems Professional project

LR O’Neil; TJ Vanderhorst, Jr; MJ Assante; J Januszewski, III; DH Tobey; R Leo; TJ Conway; K Perman

Contributors: SGC Panel Members

August 2013

Prepared by: Pacific Northwest National Laboratory and NBISE Secure Power Systems Professional Project Team

A summary version of this report titled: Developing Secure Power Systems Professional Competence: Alignment and Gaps in Workforce Development Programs—Summary Report for Phase 2 of the Secure Power Systems Professional project August 2013, document clearance number PNNL-22641 is available from [email protected] or www.nbise.org.

Summary

The U.S. Department of Energy has recognized that the electric power industry needs workforce development resources that can aid in the accelerating need for Secure Power Systems Professionals, while at the same time identifying capabilities and competencies to protect and enable the modernized grid currently being built. In the spring of 2011 a project was initiated by Pacific Northwest National Laboratory with the National Board of Information Security Examiners for the U.S. Department of Energy to identify those capabilities and competencies along with assessing the need and qualifications for a certification program for Secure Power Systems Professionals.

The first phase of this three-phase project was to identify operational security functions for day-to-day power systems operations (but not development, engineering, and architecture), and power system environments. The project examined the technical, problem-solving, social and analytical skills identified by stakeholders as used by existing power systems cybersecurity staff in the daily execution of their responsibilities resulting in a comprehensive Job Performance Model (JPM) for Smart Grid (O’Neil et al. 2012).

The second phase of the project applied the JPM to ascertain the alignment and gaps among existing workforce development programs. The JPM from Phase 1 included 82 job responsibilities; 71 of these responsibilities were assigned by the Smart Grid Cybersecurity Subject Matter Expert panel to 11 job responsibility areas. These responsibility areas became the basis for studying the gaps and overlaps between four cybersecurity workforce development programs:

1. the National Initiative for Cybersecurity Education National Cybersecurity Workforce Framework (NICE 2012);
2. the Energy Systems Cybersecurity Capability Maturity Model (DOE 2013a);
3. power systems cybersecurity education courses; and
4. cybersecurity certifications (Figure S.1).

The Subject Matter Expert panel’s findings were validated through a public survey: both the panel’s findings and the survey identified responsibility areas lacking sufficient coverage in the currently available workforce programs.

Figure S.1. Mapping Job Responsibilities and Workforce Development Resources

The analysis of certifications yielded nine vendor-neutral certifications that panel members indicated were valuable for determining job competence (Figure S.2). The results indicate that no single certification exists for a Secure Power Systems Professional. A combination of certifications has value in determining a base level of competence or for enhancing an existing employee’s knowledge base.
For example, someone with a North American Electric Reliability Corporation System Operator Certification could expand their cybersecurity knowledge and verify it by obtaining a cybersecurity centric certification such as one listed in Figure S.2. Rather than trying to force existing certifications to meet the needs of the modern power grid, it is the recommendation of the panel to develop a Secure Power Systems specific certification.

Certification | Organization
Certified Information Systems Security Professional (CISSP) | (ISC)2
System Operator Certification (SOC) | NERC
Certified Ethical Hacker (CEH) | EC-Council
Certified Information Security Auditor (CISA) | ISACA
Certified Information Security Manager (CISM) | ISACA
Certified in Risk and Information Systems Control (CRISC) | ISACA
Certified Incident Handler (GCIH) | GIAC
Certified Intrusion Analyst (GCIA) | GIAC
Penetration Tester (GPEN) | GIAC
Web Application Penetration Tester (GWAPT) | GIAC

Figure S.2. Valuable Vendor-Neutral Certifications

The results also identified that there were very few educational offerings with a focus on cybersecurity for power systems. We did find special courses and seminars, usually within Computer Science or Electronics departments or offered by organizations such as SANS (http://www.sans.org/) or ISA (Internal Security Associates), but not any courses related to cybersecurity in power engineering programs as part of a college or vocational program to graduate work-ready employees. Cybersecurity of power systems education needs to be available to college students now so that they are ready to defend and protect the modern power grid when they graduate and enter the workforce.

“I believe these results confirm a common belief within [power and utility] entities that; traditional IT roles are fairly well defined with credentials and available credentials, while Operations Technology roles do not have a well-defined alignment to existing [cybersecurity] programs.” - Tim Conway, Panel Chair

There are several useful conclusions that can be implemented by stakeholders immediately:

1. Entities can use the job roles identified as having a strong alignment with applicable certifications to adjust job postings or staff development programs to align with identified job roles.
2. For the areas where strong alignment with an existing certification does not exist, entities can first adjust job descriptions and career paths to remove credential requirements that do not align with job-identified roles.
3. Organizations can begin developing or working with partners to utilize existing or develop new training programs that best fill the identified gaps.

It is recommended that work continue to validate the predictive accuracy of the JPM developed in Phase I of this project and to apply the validated model to accredit workforce programs based on job role(s), responsibility areas and expertise levels at which they are targeted. We also recommend the development of self-assessment tools to help organizations determine whether they have a holistic approach to workforce development and if they don’t, how to implement one. Panel members have indicated that a certification would be well received and a smart community investment.

The continued implementation of digital technology into every aspect of power systems helps us reach the goal of a fully integrated power system without boundaries—from end to end, generation to distribution. It is incumbent on power system stakeholders to lead the effort to redefine critical power system job functions and expand those job functions to develop a workforce that can tackle the cybersecurity challenges of the country’s new edgeless power system.

Acronyms and Abbreviations

CATF: Cyber Attack Task Force
CEH: Certified Ethical Hacker
CISSP: Certified Information Systems Security Professional
CISM: Certified Information Security Manager
CSIS: Center for Strategic and International Studies
EC-Council: International Council of Electronic Commerce Consultants
ES-C2M2: Energy Systems Cybersecurity Capability Maturity Model
GIAC: Global Information Assurance Certification
GCIA: GIAC Certified Intrusion Analyst
ICS: industrial control systems
(ISC)2: International Information Systems Security Certification Consortium, Inc.
IT: information technology
JPM: Job Performance Model
NBISE: National Board of Information Security Examiners
NERC: North American Electric Reliability Corporation
NICE: National Initiative for Cybersecurity Education
OT: operational technology
PNNL: Pacific Northwest National Laboratory
RaCS: Review and Comment System
SCADA: supervisory control and data acquisition
SGC: Smart Grid Cybersecurity
SME: subject matter expert
SOC: System Operator Certification
TTP: tactics, techniques, and procedures

Description:
Certified in Risk and Information Systems Control (CRISC). ISACA .. perform cybersecurity functions and to assess the need to develop a set of guidelines for a certification program for .. of agreement for activities involving the assignment of items within a single category, e.g., certification do