SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS

Transcription

1 1 SECURE POWER SYSTEMS PROFESSIONALS (SPSP) PROJECT PHASE 3, FINAL REPORT: RECRUITING, SELECTING, AND DEVELOPING SECURE POWER SYSTEMS PROFESSIONALS

2 Synopsis SPSP Project Overview Phase I Summary Phase II Summary Phase III Overview and Deliverables Guides Job Profiles Behavioral Interview Guidelines Individual and Team Performance Guidelines Phase III Final Report SPSP Summary, Broader Impacts, Next Steps 2

3 UNCLASSIFIED Secure Power Systems Professional (SPSP) DOE Workforce study Purpose: Identify key job skills, education and certification(s) needed for hiring or retraining Power Systems Cybersecurity (SPSP) practitioners. Challenge: Lay the ground work for an SPSP certification. Technical Approach: Through SME interview and industry survey, develop a comprehensive set of job competencies needed for SPSPs to do their job effectively. Major Deliverables: Reports for Phase 1: Job Performance Model Phase 2: Gap/Overlap Analysis Phase 3: Workforce Development SPSP Recruitment Guide SPSP Career Development Guide UNCLASSIFIED U.S. Department of Energy has taken the initiative to establish a Power Systems Cybersecurity workforce project to identify and measure the identified job skills for the purpose of developing a certification. This work has partnered with DHS and others. Performers: PNNL Partners: NBISE, VivoWorks, PsyberAnalytix, Industry experts

4 Focusing on SPSP Talent Pillars of Secure Power Systems Key activities in developing and maintaining effective secure power systems environments Technology Bridging IT and OT Analyze Acquire Capabilities Integrate People as Assets Identify Organize Communicate Cybersecurity Capability Concepts Process Knowledge and Skills Evaluate Analyze Gaps Prioritize and Plan Implement 5 5 SPSP Project Overview

5 6 Interdisciplinary Nature of Secure Power System Professionals Hybrid Skill Set Diverse Work Environment 6 SPSP Project Overview

6 Talent Management Life Cycle 7 Elements of the SPSP Workforce Planning process as aligned with the Pillars of Strategic Human Resource Management (SHRM) Workforce Planning Budgeting Justifying and Budgeting Recruiting Recruiting Career Growth Developing Hiring Promoting Training & Developing Retaining Retaining Workforce Planning Retaining Training & Developing Hiring Promoting Justifying & Budgeting Recruiting Career Growth 7 SPSP Project Overview

7 Project Phasing 8 SPSP Project Overview

8 Project Overview and Outcomes 9 SPSP Project Overview

9 10 Phase I Phase I produced an exploratory job performance model (JPM) based on a factor analysis of responses to a Job Analysis Questionnaire (JAQ), culminating in the Smart Grid Cybersecurity Job Analysis Report. January August 2012

10 Phase I Performance Modeling Methodology Job and Task Definition 1. Content definition 2. Role definition 3. Mission definition 4. Task definition Job Audit Questionnaires 1. Assign tasks to goals 2. Rate importance of task by skill and role 3. Rate frequency of task execution Approval Event 1. Approve mission definition 2. Approve task definition 11

11 12 Phase I: Job Roles Iterative Definitions Using Performance Modeling Methodology 109 Vignettes 44 Job Roles 108 Goals 82 Responsibilities Job Performance Model: Methodology Job Performance Model: Job Roles 516 Job Tasks 12 SPSP Phase I Overview

12 Phase I: Resulting Job Roles 109 Vignettes Secure Power Incident Responder 44 Job Roles 108 Goals 82 Responsibilities Job Performance Model Methodology Secure Power Intrusion Analyst Secure Power Security Operator 516 Job Tasks Secure Power Systems Engineer 13 SPSP Phase I Overview

13 14 Phase II The second phase mapped key workforce frameworks to the major job responsibilities defined in Phase I. August June 2013

14 Phase II: Mapping Overview Job Roles Incident Response Specialist Intrusion Analyst 71 Job Responsibilities Mapping Exercises Phase II Certifications NICE Security Operations Specialist 11 Job Responsibility Areas ES-C2M2 Secure Power Systems Professional Training & Education Phase I 15 SPSP Phase II Overview

15 Target Workforce Program Emphasis 16 Colored cells = major area of emphasis Blank = not a major area of emphasis D = differing opinions about degree of emphasis 16 SPSP Phase II Overview

16 Job Role Coverage by Certification 17 Job Role CEH CISM CISSP GCIA GCIH SOC Cyber Secure Power Eng. 0.0% 11.1% 33.3% 0.0% 0.0% 0.0% Incident Response 0.0% 40.0% 20.0% 0.0% 90.0% 0.0% Intrusion Analysis 10.0% 30.0% 20.0% 10.0% 70.0% 0.0% Security Operations 0.0% 50.0% 37.5% 0.0% 18.8% 0.0% Multiple credentials are required for a comprehensive view of SPSP workforce competency. 17 SPSP Phase II Overview

17 Phase II: Summary Analysis 18 Competency Frameworks Certification and Credentialing Phase II Analysis Education and Training 18 SPSP Phase II Overview

18 19 Phase III This phase defined role-based behavioral assessment criteria that will be essential in the development of tools used in the selection of personnel for specific roles and provided quick guides for staff recruitment and development. June 2013 August 2014

19 Phase III Deliverables Immediately Useable by Industry 4 Job Profiles Recruiting/Development Guides Job Profile Tables Major Responsibilities 1 2 Cybersecurity Workforce Framework Tasks (NICE) Electricity Subsector-Capability Maturity Model (ES-C2M2) Certifications Individual/Team Guidelines 3 Behavioral Interview Guidelines 4 20 SPSP Phase III Overview

20 Guide Development Methodology Based on results of Phases I and II, and validated through three carefully designed reviews to yield feedback from diverse perspectives. Survey of Industry Advisory Panel of SMEs Survey of power industry Onsite deep dive interviews about use and effectiveness with stakeholders at a power entity Outcome: Recruitment of SPSPs Career Development of SPSPs Development Methodology 21 SPSP Phase III Overview

21 Recruitment Guide for HR, Recruiters, and Hiring Managers 22 Project overview describing four SPSP job roles: Power System Incident Response Power System Intrusion Analysis Power System Security Operations Secure Power Systems Professionals Lists qualifications, preferred skills, and desirable professional attributes of the ideal SPSP candidate 22 SPSP Phase III Overview

22 Guide for Developing SPSP Overview of emerging modern power systems Job functions of the SPSP Description of how to develop SPSPs How and where SPSP skills are acquired SPSP-centric certifications and education programs Overview of the SPSP project SPSP Phase III Overview

23 4 Job Profiles Creating Job Profiles Four Job Roles Four Job Profiles Phase I 4 Job Roles Tasks Responsibilities Responsibility Areas Major Responsibilities Cybersecurity Workforce Framework Tasks (NICE) Phase II Competency Frameworks NICE & ES-C2M2 Workforce Development Certifications & Courses Electricity Subsector-Capability Maturity Model (ES-C2M2) Certifications 24 SPSP Phase III Overview

24 Job Profile Excerpt: Major Responsibilities Secure Power Systems Engineer Major Responsibilities Assess and manage power systems risk. Identify and mitigate power systems vulnerabilities. Implement power systems security monitoring. Log power systems security incidents. 25 SPSP Phase III Overview

25 Job Profile Excerpt: NICE Tasks Secure Power Systems Engineer Cybersecurity Workforce Framework Tasks NICE Tasks Major Responsibility: Identify and mitigate power systems vulnerabilities. Assist in the construction of signatures that can be implemented on Computer Network Defense network tools in response to new or observed threats within the enterprise (Task ID: 427). Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources (Task ID: 433). Collect and analyze intrusion artifacts (e.g., source code, malware, and trojans) and use discovered data to enable mitigation of potential Computer Network Defense incidents within the enterprise (Task ID: 438). Conduct authorized penetration testing of enterprise network assets (Task ID 448). Seven more NICE Tasks for this Major Responsibility are found in the report. 26 SPSP Phase III Overview

26 Job Profile Excerpt: ES-C2M2 Secure Power Systems Engineer ES-C2M2 Objectives to Determine Maturity Level Major Responsibility: Identify and mitigate power systems vulnerabilities. Identify and respond to threats. (4.3.4 Threat and Vulnerability Management) Reduce cybersecurity vulnerabilities. (4.3.4 Threat and Vulnerability Management) 27 SPSP Phase III Overview

27 Job Profile Excerpt: Certifications Secure Power Systems Engineer Certifications Major Responsibility: Identify and mitigate power systems vulnerabilities. Attack Techniques Discovery: CEH, GCIH, GPEN, GCIH, GWAP, Security + Penetration Testing: CEH, GPEN, GWAPT Industrial Control Cybersecurity: GICSP 28 SPSP Phase III Overview

28 Individual/Team Guidelines Goal: Analyze log files for signs of an attack or compromise. Responsibility: Ensure that incident response and recovery procedures are tested regularly. 29 SPSP Phase III Overview Appendix F

29 Behavioral Interview Guidelines Structure gap analyses of critical and fundamental employee knowledge skills and abilities. Support individual and team development plans. Help human resources understand the quality/ capabilities of employees & candidates. Immediately useable by hiring manager for skill selection. 30 SPSP Phase III Overview Appendix E

30 SPSP Summary, Implications, and Broader Impact 31

31 Key Accomplishment: SPSP products promote the defensibility of Fair Employment Practices through rigor and process: Process follows standards established by the United States Equal Opportunity Employment Commission (EEOC) and the American National Standards Institute (ANSI). Research indicates following these guidelines improves the legal defensibility of human resource practices. 32 SPSP Project Summary 32

32 SPSP Project Impacts and Outreach Influenced the new GICSP certification offered by SANS, the Global Industrial Cybersecurity Professional Project presented at National Defense University workshop Influenced assessment and assessment-driven learning approach adopted by DISA Mapping methodology used to analyze alignment of NICE Framework KSAs to CAE knowledge units Used by the National Cyber League to examine game balance 33 SPSP Project Summary

33 SME Panel & Advisory Group Members Panel Officers Chair - Tim Conway, SANS, NiSource (Phases 2, 3) Vice Chair - Karl Perman, NATF (Phase 2) Chair - Justin Searle, UtiliSec (Phase 1) Vice Chair - Scott King, Sempra Energy (Phase 1) Panel Member Representation Smart Grid Consultant (29%) Government (3%) Electric Utilities (32%) Research Organizations (11%) Electricity Industry Vendors (25%) 34

34 SPSP Panel is made up of: SPSP Project Summary

35 SPSP Next Steps 36 Gain Awareness Drive Programmatic Change Educate Leadership Assess Workforce

36 Recommendations for Next Steps Validate Selection Instrument Develop Self-Efficacy Instrument Create and Deploy Query Engine and Customized Reporting Design and Deploy Learning Platform Design Convert behavioral guidelines into a selection instrument and interview questions by Job Role Pilot Administer assessment to whole staff of 3 5 utilities Deploy Develop the Virtual Assessment Center 37 Enhance and Maintain Collect and analyze data to evaluate Virtual Assessment Center

37 SPSP Products Immediately Useable by Industry Job Profiles Secure Power Incident Responder Secure Power Intrusion Analyst Secure Power Security Operator Secure Power Systems Engineer Guides Behavioral Interview Guidelines Individual/ Team Guidelines Final report and SPSP products can be found at:

38 Points of Contact Tim Conway, SPSP Panel Chair Lori Ross O Neil, SPSP Project Manager lro@pnnl.gov