Hard Truth: Most critical infrastructure providers lack the tools, skills and mindset to deal with cyber attacks and APTs.
Baking in an appreciation for security among organizations' employees is just as important, if not more so, than baking security into IT systems themselves. Unfortunately, critical infrastructure providers face difficult personnel-related challenges when it comes to cybersecurity. A key obstacle is that certification requirements for control systems engineers – providers' front-line troops in cyber-related conflicts – put little or no emphasis on cybersecurity for critical infrastructure.
For example, the certification exam to get a Control Systems Engineer (CSE) license from the International Society of Automation (ISA) devotes less than 10 percent – and possibly closer to just one or two percent – of its content to network security. The test makes no mention at all of cybersecurity for critical infrastructure. Neither do the audit criteria for certification by the Control Systems Integrators Association (CSIA), which do include risk management and configuration management as part of CSIA's project management and supporting activities responsibilities.