NESCO Town Hall Workforce Development Presentation

Electric Sector Security Workforce Development, NESCO Town Hall, Denver, 2013. [email protected] @andybochman

Description

Moderated and Presented by Andy Bochman. Discussion Topic: Workforce Development in the ICS Workplace. Discussion Abstract: Ask anyone working in the field at an electric utility about cybersecurity and the conversation will inevitably turn to the shortage of qualified security staff with knowledge of our industry. The need to comply with NERC CIP standards, secure the rapidly proliferating smart grid technologies, and defend against the threat of cyber attacks targeting control systems makes the short supply of cybersecurity talent a critical issue.

Transcript of NESCO Town Hall Workforce Development Presentation

1. Electric Sector Security Workforce Development. NESCO Town Hall, Denver, 2013. [email protected] @andybochman

2. Scribe please

3. The Whole Workforce

4. The Quest: Sr. Mgt, Sec Policy & Ops. Not to be confused with:

5. Aim High: Many of the most critical security challenges are actively created by business initiatives and leaders who do not consider security. So: business leaders should stop making decisions that make security harder. Organizational acceptance of security values is greatly enhanced when senior management champions those values and shows willingness to support the appropriate actions, even when painful. See: UHCL - Cybersecurity for Decision Makers

6. Perception and a Prize for Utilities: Utilities (could) control their cybersecurity destiny. By demonstrating a more proactive approach to security, in ways regulators can understand, that positive shift in perception would give Congress, the Administration, and other oversight agencies the assurance they need to slow down on new rules. Our workforce work can help.

7. Agenda: 1. Current State & Trajectory; 2. Desired Future State; 3. Candidate Next Steps

8. Obligatory Grim Beginning: Losses looming. Bad news ... or not. Let's discuss.

9. There's more bad news: "The people that really understand policy generally do not understand control systems. The IT community, who develop cybersecurity solutions, generally don't understand the unique issues associated with control systems. And the people that operate the control systems don't understand security. Other than that, we're fine!"

10. Slade Responds: "The number of talented individuals is not what is lacking; rather, the ability to discern, hire, and retain the available talent is what the workforce is missing." http://www.us-nesco.org/guest-blog/where-is-the-workforce-we-need/

11. Solution has arrived: New Bedtime Reading

12. NBISE Sees New World

13. Orgs promoting OT cyber WF Development: NBISE; SANS; DoE; ISC-ISAC; Universities (let's name some); Center of Energy Workforce Development; More please

14. University Example

15. WPI's Industry Education Initiative: To reduce risk, ISO-NE and PJM asked WPI to deliver an industry-specific cybersecurity program in 2013. Goal: Improve capabilities to prevent, detect, analyze and effectively respond to cyber

16. WPI Program Courses: Computer Network Security (including NERC CIPs); Software Security; Operational Risk Management; Intrusion Detection (for OT); Forensics (for OT); Power Industry Case Studies. POC: Mike Ahern [email protected]

17. DOE C2M2 and WF: The Workforce Management (WORKFORCE) domain comprises five objectives: 1. Assign Cybersecurity Responsibilities; 2. Control the Workforce Lifecycle; 3. Develop Cybersecurity Workforce; 4. Increase Cybersecurity Awareness; 5. Manage WORKFORCE Activities

18. C2M2 - What do you think? We can feed: ES and O&G C2M2 2.0

19. Free for All: Questions round. What are the skills and new skills required to secure the Smart Grid?

20. Question: Thinking about control room environments, what training programs are needed for utility security pros? Engineers? IT staff?

21. Question: Programs that would encourage young people to pursue careers in electric sector cybersec? PSAs? Can we start with things that already exist?

22. Question: How about security internships? How formal? A national program?

23. Question: How about security awareness/behaviors in non-security people? What, at a minimum, do you want them to: know, do, not do?

24. Role of Execs & BoDs: CEO, CRO, CIO, CISO, others ...

25. The CEO: What's the optimal mix of CEO skills & experience? (Pie chart with segments labelled CyberSec, Tech, Business, Electric; values shown: 5%, 5%, 68%, 23%)

26. The CRO: What's the optimal mix of CRO skills & experience? (Pie chart with segments labelled CyberSec, Tech, Business, Electric; values shown: 10%, 10%, 40%, 40%)

27. The CIO: What's the optimal mix of CIO skills & experience? (Pie chart with segments labelled CyberSec, Tech, Business, Electric; 25% each)

28. The CSO: What's the optimal mix of CSO skills & experience? (Pie chart with segments labelled IT Sec, OT Sec, Business, Electric; 25% each)

29. Others? What's the optimal mix of CXO/VPX skills & experience? (Pie chart placeholder with segments labelled Skill A, Skill B, Skill C, Skill D; 25% each)

30. Question, SUPPLIER FOCUSED: What knowledge and cybersec skills do engineers need for planning and designing industrial systems and the operational technologies necessary to support them? NBISE/PNNL

31. Question, INTERPLAY BETWEEN SPECIALISTS: How do engineering job roles and cybersecurity roles engage to maximize constructive overlap and differences to address security for these systems? NBISE/PNNL

32. Question, ASSESSMENT: How should we design and conduct tests to differentiate between simple understanding of concepts and skilled performance of actions that effectively resolve problems quickly and despite distractions or the stress surrounding an attack? NBISE/PNNL

33. Question, CERTIFICATIONS: What is the best framework for general cybersecurity certifications that integrate both knowledge and experience? And do we need OT- or industry-specific certifications? NBISE/PNNL

34. Question, COMMUNITY SUPPORT: How do we best support the certified cybersecurity professional and cyber-informed operations and engineering professionals? Advanced problem-solving tools; Communities of practice; Canonical knowledge bases; Other performance support tools? Prayer and positive thoughts? NBISE/PNNL

35. Other Questions (or have you had enough?)

36. Thank You. [email protected] @andybochman