Our electric grid is undergoing a major transformation, with $4.5 billion in Recovery Act funds being used to help catalyze the adoption of smart technologies and systems designed to increase the electric grid’s flexibility, reliability, efficiency, affordability, and resiliency. Grid resilience encompasses an all-hazard approach that involves protecting the energy infrastructure from threats, regardless of whether they are caused by natural disasters, deliberate attack, or are the result of human error.

The Energy Department has a long history of working closely with Federal partners, including the Department of Homeland Security, and private partners on cybersecurity of critical energy infrastructure. Earlier this week, the Department released new versions of the Cybersecurity Capability Maturity Model, which helps organizations assess their own cybersecurity capabilities and identify steps to help strengthen their defenses.

Having a strong, well-trained cybersecurity workforce is critical. I recently talked with Tim Conway, Technical Director at the SANS Institute, which provides information security training and security certification, about how organizations can address the challenges of strengthening their own cybersecurity workforces. 

Q: What has led to the large demand for cybersecurity professionals?
A:
The pipeline of people moving into the workforce who have the necessary knowledge, skills, and capabilities to perform the critical cybersecurity jobs, compared with the pipeline of people exiting those positions, is out of balance.  As the number of individuals exiting the workforce is increasing, the need for cybersecurity professionals across multiple sectors is growing.  There is also a growing need for cybersecurity awareness in positions that traditionally focused on engineering or field technical service, but now use a number of digital assets in ways that need to be protected.

Q: What skills and educational backgrounds are valuable in the cybersecurity industry?
A:
I had the opportunity to participate in a multi-phase initiative that was led by the Council on Cybersecurity (formerly the National Board of Information Security Examiners) and funded by the Energy Department. This initiative provided analysis to examine critical job roles and how they align with existing industry cybersecurity frameworks, certifications, and university degree programs.  This effort identified a number of gaps in available resources and provided a list of short-term and long-term recommendations for the energy sector to pursue.

After the analysis was performed, a number of universities began developing and expanding their curricula for control systems.  Also, cybersecurity training organizations, like the SANS Institute, have created industrial control system-focused training curriculums and certifications. 

Q: How can organizations identify qualified candidates? 
A: 
Organizations today focus on educational background, work experience, and interview performance, which are all essential components in candidate selection. However, the gap that remains is the candidate capability or “fit” issue.  Entities will continue to face challenges in assessing a candidate’s capability until a method of performing true job performance assessments exists.

Q: The cybersecurity field encompasses many interdependencies. How can this be addressed as organizations are looking for qualified candidates? 
A:
For organizations and hiring managers facing this question today, there is a benefit in building a hybrid team with diverse educational backgrounds, skills, and work experiences such as engineering, operations, information technology, and operations technology. Ensuring that everyone on the team has a foundational level of knowledge in operations, cybersecurity, and the technical roles performed by the team, such as vendor-specific certifications, is also valuable.

When looking for candidates, the key is for organizations to manage and leverage a portfolio of diverse backgrounds and skills in a way that complements the greater team they are trying to build. 

To learn more about national efforts to modernize and protect the electric grid, visit the Office of Electricity Delivery and Energy Reliability’s website.

Commitment to Protecting the Critical Energy Infrastructure

The Department’s priority is reflected in its investment in cybersecurity for energy delivery systems and energy reliability modernization, and its close collaboration with Federal, State and local governments, and industry. Examples include:

  • Under the National Response Framework, DOE is the lead for Emergency Support Function 12 – Energy.  As such, DOE is developing an effective, timely, and coordinated cyber incident management capability.   
  • DOE supports the research and development of numerous advanced technologies uniquely designed to protect the electric grid from cybersecurity threats, some of which are now commercially available and being used in the electric sector.
  • DOE partnered with the private sector to develop the Roadmap to Achieve Energy Delivery Systems Cybersecurity which outlines a strategic framework over the next decade to design, install, operate, and maintain a resilient energy delivery system capable of surviving a cyber incident while sustaining critical functions.
  • In September, DOE announced awards totaling approximately $30 million for the development of tools and technologies to enhance the cybersecurity of the nation’s energy delivery control systems for electricity, oil, and gas. 
  • DOE required all recipients of the $3.4 billion in American Recovery and Reinvestment Act Smart Grid Investment Grant (SGIG) funding to develop cybersecurity plans that explain how they would identify and mitigate risk, and how the processes in place would ensure a sufficient cyber posture. These investments in cybersecurity are expected to continue well beyond the life of the grants.