This post is authored by Peggie Koon, president of ISA 2014.
In my column in last month’s issue of ISA Insights, I mentioned five game-changing themes ISA leaders adopted as high-level directional strategic goals for the Society. Those goals originated from a discussion of trends impacting ISA’s future. In many cases ISA staff and volunteers who are subject matter experts (SME's) in these areas are already engaged in efforts to achieve these goals. In the months to come, future articles will focus on the game-changing themes or trends on the list that are already taking shape at ISA. Here’s the list of 10 trends leaders identified that will have a significant impact on the future of ISA.
Although cybersecurity is not at the top of the list above, it’s a trend that is "top of mind” for many ISA leaders, staff, and volunteer SME's. And it is particularly important to me personally, not just because it’s a hot topic and because of its importance to our national security, but because I just happen to live near Fort Gordon, Georgia, which has just been named the new home of Army Cyber Command or (ARCYBER) – “the lead for Army missions, actions, and functions related to cyberspace, serving as the single point of contact for reporting and assessing Army cyberspace incidents, event and operations and for synchronizing and integrating Army responses.”
This week I had the privilege of hearing Lt. General Edward C. Cardon, Commanding General US Army Cyber Command, speak to community and business leaders to explain what this relocation will mean to us as individuals – to our roads and infrastructure, our communities, our school system (which must respond by increasing the emphasis on STEM), our labor and workforce development efforts (so we can provide the tools and training to help civilians in our community take advantage of the new cyber jobs that will come with the relocation), and more.
General Cardon said Fort Gordon’s growth will not only include ARCYBER but also the Cyber Missions Unit, the Cyber Center for Excellence, NSA Georgia, and the Signal Command. General Cardon also said 30 percent of the cyber workforce will be civilian. This means that cyber organizations (both government and private industry) must be able to hire and recruit the right workforce. He also talked about the “other” side of cyber – the phenomenal global growth of Internet, mobile, cloud, and wireless and the impact new, fast-growing, smaller disruptive technologies like WhatsApp and Glimmerglass are having on our world. General Cardon challenged our community to take advantage of our brand and to create an environment – to become that place where cyber professionals and companies want to be. I left the meeting acutely aware of the opportunities ARCYBER will bring to our community. And community and business leaders affirmed their commitment to embrace and take advantage of the opportunity.
General Cardon said when he was given the assignment his first response was that there were many others in Army intelligence who could lead the effort. But his Commander said he was bringing him in to “operationalize” cyber – to organize and execute the initiative in time and space. His speech was not so much about cyber but about the cyber opportunity for our community and what we must do to take advantage of it.
As I reflect on his speech, I can immediately draw parallels to the opportunity cyber presents ISA if we, too, are able to “operationalize” our efforts to respond. For ISA, cyber brings opportunities for growth in support of control system cybersecurity, workforce development, and STEM.
One of the high-level goals ISA leaders identified for 2014 and beyond is being the global authority for industrial control system cybersecurity. When we talk about cyber threats, the natural tendency for all of us – including our government – has been to think of identity theft and other cyber attacks affecting traditional information technology (IT) systems – and not cyber threats to operational technology (OT) systems affecting our nation’s critical infrastructure (e.g. systems that control the operations of our manufacturing plants, chemical plants, water/utilities, power, etc.). But over the past year ISA has worked diligently to raise awareness of the control system challenge of cyber in OT. Thanks to the Automation Federation and the tireless efforts and commitment of Mike Marlowe, Leo Staples, Eric Cosman, Steve Huffman, Steve Mustard, Johan Nye, Pat Gouhin, and numerous other members of ISA staff, volunteer leaders, and SME's, the Society has taken a leadership role as it relates to OT cybersecurity, specifically for industrial control systems – not just in the US but around the world.
Steve Mustard, a cybersecurity SME and member of ISA, wrote a very informative article entitled, “The NIST Cybersecurity Framework: Improving critical infrastructure protection.” Steve is engaged with the White House and NIST (National Institute of Standards & Technology) to help raise industry awareness of the need to adopt the framework for our nation’s critical infrastructure. In his article, Steve cites that President Obama, in his Executive Order, defines critical infrastructure as: “Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
For a complete list of ISA’s cybersecurity products and services as well as details on President Obama’s Executive Order, ISA’s engagement with NIST, and upcoming cybersecurity events and meetings, information on FIRST, and more, go to www.isa.org.
ISA99/IEC 62443 is a recognized standard for the NIST cybersecurity framework for critical infrastructure protection against cybersecurity threats. However, in his article, Steve shares that “despite the availability of standards, it is clear that many organizations are not applying them to the degree required.” The article clearly explains the state of cybersecurity, the cybersecurity framework development process, and what organizations should be doing. According to Steve, next steps include: “At the completion of the workshop phase of development, the Automation Federation and its member organizations will work with the White House and NIST on a series of tabletop exercises and seminars across the country to brief industry sectors about the importance of adopting the NIST Cybersecurity Framework. In addition, the Automation Federation’s cybersecurity subject-matter experts will continue to be engaged in the cybersecurity framework development process.”
ISA and the Automation Federation are integrally involved in this effort. Is ISA positioned to fully take advantage of the cybersecurity opportunity? What are ISA’s next steps? Are we “operationalized” enough to change the current standard or to develop new standards as cybersecurity threats evolve?
An important component of the Automation Federation’s cybersecurity initiative is the building of a trained workforce in automation and control. The Automation Federation is reaching out to community colleges through its partnership with the American Association of Community Colleges to create the US Automation Community College Consortium and to develop new automation curriculum.
ISA has also developed a new certificate program, the ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate, “to help professionals involved in information technology and control systems security improve their understanding of ISA99/IEC 62443 principles and acquire a command of industrial cybersecurity terminology.” ISA is already engaged with Cleveland Community College to develop industrial operations and cybersecurity training programs in support of these workforce readiness initiatives. Can this be replicated at other technical institutions in the US around the globe? Is ISA “operationalized” to change the current training programs as cybersecurity threats and opportunities evolve?
Another high-level goal identified for 2014 and beyond is cradle-to-grave advocacy of automation as a career. This goal includes increasing engagement in STEM initiatives. An increased emphasis on STEM is critical to our nation’s ability to embrace the cyber opportunity – not just to respond to cybersecurity threats but to continually take advantage of the phenomenal growth of opportunities in cyber so that our workforce of the future – the students of today – are able to live and thrive in a cyber-enabled world. ISA is already engaged with the Automation Federation in FIRST® (For Inspiration and Recognition of Science and Technology). But what else might we do?
So what does this mean for ISA, for YOU, and for me? These trends confirm that ISA has several tremendous opportunities for our future – cybersecurity is just one of them. You and I can help ISA “operationalize” cybersecurity – to organize the time and efforts of staff and volunteers and to determine ways to optimally utilize our resources – people, products, and services – so we can take advantage of the opportunity. We must also be willing to change so we are agile and we can innovate as the cybersecurity landscape evolves and changes.
Finally, we must exude the “magic” that General Cardon said he finds in every successful organization. These organizations have people who want to contribute, who want to come to work, who have a positive attitude, and who are able to pump energy into the organization.
Because of all of YOU, ISA already has the “magic”! The ISA brand is already recognized around the globe. Our challenge then is to take advantage of our brand and to create an environment – so that ISA becomes the place where cybersecurity professionals and companies want to be.
So what are we waiting for? Let’s DO this!
About the Author
A version of this article also has been published in ISA Insights.