
SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS


Academic year: 2021


(1)

SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS

(2)

Synopsis

SPSP Project Overview

Phase I Summary

Phase II Summary

Phase III Overview and Deliverables
• Guides
• Job Profiles
• Behavioral Interview Guidelines
• Individual and Team Performance Guidelines
• Phase III Final Report

SPSP Summary, Broader Impacts, Next Steps

(3)

UNCLASSIFIED


Secure Power Systems Professional (SPSP)

DOE Workforce study

Purpose: Identify key job skills, education and certification(s) needed for hiring or retraining Power Systems Cybersecurity (SPSP) practitioners.

Challenge: Lay the groundwork for an SPSP certification.

Technical Approach: Through SME interview and industry survey, develop a comprehensive set of job competencies needed for SPSPs to do their job effectively.

Major Deliverables: Reports for
• Phase 1: Job Performance Model
• Phase 2: Gap/Overlap Analysis
• Phase 3: Workforce Development

SPSP Recruitment Guide

SPSP Career Development Guide

Performers: PNNL

Partners: NBISE, VivoWorks, PsyberAnalytix, Industry experts

The U.S. Department of Energy has taken the initiative to establish a Power Systems Cybersecurity workforce project to identify and measure the relevant job skills for the purpose of developing a certification. This work is done in partnership with DHS and others.

(4)

Focusing on SPSP Talent

Pillars of Secure Power Systems

Key activities in developing and maintaining effective secure power systems environments

People as Assets
• Identify
• Organize
• Communicate

Process Knowledge and Skills
• Evaluate
• Analyze Gaps
• Prioritize and Plan
• Implement

Technology Bridging IT and OT
• Analyze
• Acquire Capabilities
• Integrate

Cybersecurity Capability Concepts

SPSP Project Overview

(5)

Interdisciplinary Nature of Secure Power System Professionals

Hybrid Skill Set

Diverse Work Environment

(6)

Talent Management Life Cycle

• Workforce Planning
• Justifying & Budgeting
• Recruiting
• Career Growth
• Hiring
• Promoting
• Training & Developing
• Retaining

SPSP Project Overview

Elements of the SPSP Workforce Planning process as aligned with the Pillars of Strategic Human Resource Management (SHRM)

Budgeting

• Justifying and Budgeting

Recruiting

• Recruiting Career Growth

Developing

• Hiring Promoting

• Training & Developing

Retaining

• Retaining

(7)


Project Phasing

(8)


Project Overview and Outcomes

(9)

Phase I

Phase I produced an exploratory job performance model (JPM) based on a factor analysis of responses to a Job Analysis Questionnaire (JAQ), culminating in the Smart Grid Cybersecurity Job Analysis Report.

January 2011 - August 2012

(10)

Phase I Performance Modeling Methodology

Approval Event
1. Approve mission definition
2. Approve task definition

Job and Task Definition
1. Content definition
2. Role definition
3. Mission definition
4. Task definition

Job Audit Questionnaires
1. Assign tasks to goals
2. Rate importance of task by skill and role
3. Rate frequency of task execution

(11)

Phase I: Job Roles

Iterative Definitions Using Performance Modeling Methodology

SPSP Phase I Overview

Job Performance Model: Methodology
• 109 Vignettes
• 44 Job Roles
• 108 Goals
• 82 Responsibilities
• 516 Job Tasks

Job Performance Model: Job Roles

(12)

Phase I: Resulting Job Roles

SPSP Phase I Overview

Job Performance Model Methodology
• 109 Vignettes
• 44 Job Roles
• 108 Goals
• 82 Responsibilities
• 516 Job Tasks

Secure Power Incident Responder

Secure Power Intrusion Analyst

Secure Power Security Operator

Secure Power Systems Engineer

(13)

Phase II

The second phase mapped key workforce frameworks to the major job responsibilities defined in Phase I.

August 2012 - June 2013

(14)

Phase II: Mapping Overview

SPSP Phase II Overview

Job Roles
• Incident Response Specialist
• Intrusion Analyst
• Security Operations Specialist
• Secure Power Systems Professional

71 Job Responsibilities

11 Job Responsibility Areas

Phase I

Mapping Exercises

Phase II
• Certifications
• NICE
• ES-C2M2
• Training & Education

(15)

Target Workforce Program Emphasis

Colored cells = major area of emphasis

Blank = not a major area of emphasis

D = differing opinions about degree of emphasis

(16)

Job Role Coverage by Certification

Job Role                 CEH    CISM   CISSP  GCIA   GCIH   SOC
Cyber Secure Power Eng.  0.0%   11.1%  33.3%  0.0%   0.0%   0.0%
Incident Response        0.0%   40.0%  20.0%  0.0%   90.0%  0.0%
Intrusion Analysis       10.0%  30.0%  20.0%  10.0%  70.0%  0.0%
Security Operations      0.0%   50.0%  37.5%  0.0%   18.8%  0.0%

Multiple credentials are required for a comprehensive view of SPSP workforce competency.

(17)

Phase II: Summary Analysis

Phase II Analysis
• Competency Frameworks
• Certification and Credentialing
• Education and Training

SPSP Phase II Overview

(18)

Phase III

This phase defined role-based behavioral assessment criteria that will be essential in the development of tools used in the selection of personnel for specific roles and provided quick guides for staff recruitment and development.

June 2013 – August 2014

(19)

Phase III Deliverables

Immediately Useable by Industry

1. Job Profile Tables
2. Behavioral Interview Guidelines
3. Individual/Team Guidelines
4. Recruiting/Development Guides

SPSP Phase III Overview

4 Job Profiles
• Major Responsibilities
• Cybersecurity Workforce Framework Tasks (NICE)
• Electricity Subsector-Capability Maturity Model (ES-C2M2)
• Certifications

Behavioral Interview Guidelines

(20)

Guide Development Methodology

Survey of Industry Advisory Panel of SMEs

Survey of power industry

Onsite “deep dive” interviews about use and effectiveness with stakeholders at a power entity

Outcome:

Recruitment of SPSPs

Career Development of SPSPs

Development Methodology

SPSP Phase III Overview

Based on results of Phases I and II, and validated through three carefully designed reviews to yield feedback from diverse

(21)

Recruitment Guide for HR, Recruiters, and Hiring Managers

Project overview describing four SPSP job roles:
• Power System Incident Response
• Power System Intrusion Analysis
• Power System Security Operations
• Secure Power Systems Professionals

Lists qualifications, preferred skills, and desirable professional attributes of the ideal SPSP candidate

(22)

Guide for Developing SPSP

• Overview of emerging modern power systems
• Job functions of the SPSP
• Description of how to develop SPSPs
• How and where SPSP skills are acquired
• SPSP-centric certifications and education programs
• Overview of the SPSP project

(23)

Four Job Roles Four Job Profiles

Phase I
• 4 Job Roles
• Tasks
• Responsibilities
• Responsibility Areas

Phase II
• Competency Frameworks
• NICE & ES-C2M2
• Workforce Development
• Certifications & Courses

4 Job Profiles
• Major Responsibilities
• Cybersecurity Workforce Framework Tasks (NICE)
• Electricity Subsector-Capability Maturity Model (ES-C2M2)
• Certifications

SPSP Phase III Overview

(24)


Job Profile Excerpt:

Major Responsibilities

Secure Power Systems Engineer

Major Responsibilities

Assess and manage power systems risk.

Identify and mitigate power systems vulnerabilities.

Implement power systems security monitoring.

Log power systems security incidents.

(25)


Major Responsibility: Identify and mitigate power systems vulnerabilities.

Assist in the construction of signatures that can be implemented on Computer Network Defense network tools in response to new or observed threats within the enterprise (Task ID: 427).

Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources (Task ID: 433).

Collect and analyze intrusion artifacts (e.g., source code, malware, and trojans) and use discovered data to enable mitigation of potential Computer Network Defense incidents within the enterprise (Task ID: 438).

Conduct authorized penetration testing of enterprise network assets (Task ID: 448).

…Seven more NICE Tasks for this Major Responsibility are found in the report.

Cybersecurity Workforce Framework Tasks NICE Tasks

SPSP Phase III Overview

Job Profile Excerpt: NICE Tasks

(26)

Major Responsibility: Identify and mitigate power systems vulnerabilities.

Identify and respond to threats. (4.3.4 Threat and Vulnerability Management)

Reduce cybersecurity vulnerabilities. (4.3.4 Threat and Vulnerability Management)

ES-C2M2 Objectives to Determine Maturity Level

SPSP Phase III Overview

Job Profile Excerpt: ES-C2M2

(27)

Major Responsibility: Identify and mitigate power systems vulnerabilities.

Attack Techniques – Discovery: CEH, GCIH, GPEN, GCIH, GWAPT, Security+

Penetration Testing: CEH, GPEN, GWAPT

Industrial Control Cybersecurity: GICSP

Certifications

SPSP Phase III Overview

Job Profile Excerpt: Certifications

(28)


Individual/Team Guidelines

Goal: Analyze log files for signs of an attack or compromise.

Responsibility: Ensure that incident response and recovery procedures are tested regularly.

(29)

Behavioral Interview Guidelines

Structure gap analyses of critical and fundamental employee knowledge, skills, and abilities.

Support individual and team development plans.

Help human resources understand the quality/capabilities of employees & candidates.

SPSP Phase III Overview – Appendix E

(30)

SPSP Summary, Implications, and Broader Impact

(31)

Key Accomplishment:

SPSP products promote the defensibility of Fair Employment Practices through rigor and process:

Process follows standards established by the United States Equal Opportunity Employment Commission (EEOC) and the American National Standards Institute (ANSI).

Research indicates following these guidelines improves the legal defensibility of human resource practices.

(32)

SPSP Project Impacts and Outreach

Influenced the new Global Industrial Cybersecurity Professional (GICSP) certification offered by SANS

Project presented at National Defense University workshop

Influenced assessment and assessment-driven learning approach adopted by DISA

Mapping methodology used to analyze alignment of NICE Framework KSAs to CAE knowledge units

Used by the National Cyber League to examine game balance

(33)


SME Panel & Advisory Group Members

Panel Officers

Chair - Tim Conway, SANS, NiSource (Phases 2, 3)

Vice Chair - Karl Perman, NATF (Phase 2)

Chair - Justin Searle, UtiliSec (Phase 1)

Vice Chair - Scott King, Sempra Energy (Phase 1)

Panel Member Representation

• Smart Grid Consultant (29%)
• Government (3%)
• Electric Utilities (32%)
• Research Organizations (11%)
• Electricity Industry Vendors (25%)

(34)

SPSP Panel is made up of:

(35)

SPSP Next Steps

• Assess Workforce
• Educate Leadership
• Gain Awareness
• Drive Programmatic Change

(36)


Recommendations for Next Steps

Validate Selection Instrument

Develop Self-Efficacy Instrument

Create and Deploy Query Engine and Customized Reporting

Design and Deploy Learning Platform

Design: Convert behavioral guidelines into a selection instrument and interview questions by Job Role

Pilot: Administer assessment to whole staff of 3−5 utilities

Deploy: Develop the Virtual Assessment Center

Enhance and Maintain: Collect and analyze data to evaluate Virtual Assessment Center

(37)

SPSP Products

Immediately Useable by Industry

Secure Power Incident Responder

Secure Power Intrusion Analyst

Secure Power Security Operator

Secure Power Systems Engineer

Guides

Behavioral Interview Guidelines

Individual/Team Guidelines

Job Profiles

Final report and SPSP products can be found at:

(38)

Points of Contact

Tim Conway, SPSP Panel Chair [email protected]

Lori Ross O’Neil, SPSP Project Manager [email protected]
