
Building an Organization to Support OT Cyber Security

Part 3: OT Security Team Skills: Reasons and Requirements
Table of Contents
Summary.......................................................................................................................................................... 3
Leveraging and Adapting Skills in a Converged Environment............................................................................. 4
Soft Skills.........................................................................................................................................................................4
Technical Skills.................................................................................................................................................................4
Considerations for a Role In a Converged OT/IT Environment.......................................................................................5
Skills Acquisition.............................................................................................................................................. 8
About the Operational Technology Cyber Security Alliance (OTCSA)................................................................. 8
Acknowledgements.......................................................................................................................................... 9
Use of information........................................................................................................................................... 9

Summary
OT operators are witnessing a convergence of legacy operational technology (OT) with either new or legacy
information technology (IT). This convergence is done to fulfill multiple business needs and has had the
unfortunate effect of exposing OT systems to cyber security threats that traditionally only affected IT systems.
With both systems integrated, they now equally share the risk of an incident.

As a result, cyber security roles traditionally reserved for IT are now required for hybrid IT/OT systems, networks,
and architectures. The same attacks that affect IT systems can now easily transfer to OT systems via shared
physical infrastructure (e.g. interconnected networks) and logical protocols (e.g. internet protocol or IP).

This whitepaper guides stakeholders and OT operators to understand how carrying soft skills and technical skills
into an IT/OT environment can achieve cyber security goals and develop a reliable framework.

Leveraging and Adapting Skills in a Converged Environment
The logical response to the increased attack surface area of IT/OT convergence is to leverage existing IT cyber
security skills in the converged environment. But this porting of IT cyber security skills to OT cyber security will
not be a strict one-to-one mapping. OT has distinct characteristics (e.g. physical safety), infrastructure (e.g.
SCADA), and protocols (e.g. Modbus) that will require cyber security practitioners to understand how these
OT-specific potential vulnerabilities can be exploited in a hybrid IT/OT ecosystem.

The OTCSA has reviewed the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce
Framework – published by the U.S. National Institute of Standards and Technology (NIST) as SP800-181 –
and identified where OT specialisms should be considered for application of the framework in a converged
environment. These observations should be easily adaptable to alternative skills frameworks if your
organization doesn't follow NICE[1].

SOFT SKILLS
Although technical skills often dominate a cyber security skills discussion, the OTCSA believes soft skills are
equally as important in a converged environment. NICE includes soft skills and defines them, in part, as the
ability to communicate with all levels of management. Within a converged environment, soft skills are essential
for effective communication between security and engineering teams.

NICE states that soft skill fundamentals incorporate interpersonal skills, approachability, and effective listening
skills. For this guideline, it can be assumed that this category of soft skill is a requirement at every level
discussed due to the extensive teamwork required for an effective cyber security program.

TECHNICAL SKILLS
The NICE framework divides cyber security skills into seven categories which each consist of several specialty
areas. These specialty areas are further subdivided into work roles and are identified by unique Work Role IDs.

[1] https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center
The following table contains a list of the NICE Work Roles where the OTCSA has identified important additional
considerations for the role to be suitable in a converged OT/IT environment.

CONSIDERATIONS FOR A ROLE IN A CONVERGED OT/IT ENVIRONMENT


Each entry below gives the NICE Reference (work role and Work Role ID), the Existing NICE Description, and the OT Considerations identified by the OTCSA.

Cyber Policy and Strategy Planner (OV-SPP-002)
  Existing NICE Description: Develops and maintains cyber security plans, strategy, and policy to support and align with organizational cyber security initiatives and regulatory compliance.
  OT Considerations: Required to align strategic business goals with a realistic cyber security policy to mitigate risk to an acceptable level. Must be able to accurately map OT-unique compliance requirements (e.g. the IEC 62443 series) to relevant cyber security capabilities.

Information Systems Security Manager (ISSM) (OV-MGT-001)
  Existing NICE Description: Responsible for the cyber security of a program, organization, system, or enclave.
  OT Considerations: A secure IT/OT environment must be created from available security controls without impacting business requirements. Responsible management oversight to integrate these requirements is fundamental to achieving this goal. The ISSM must understand architectural security limitations, data flows unique to OT environments, OT systems themselves, and common control system configurations.

Cyber Instructor (OV-TEA-002)
  Existing NICE Description: Develops and conducts training or education of personnel within the cyber IT/OT domain.
  OT Considerations: Workforce cyber security and awareness training is the core enabler of sound cyber security practices. IT/OT systems are designed to allow user interaction at some level, thereby making the user a threat vector. Informed, educated users are more likely to prevent incidents, recognize potential threats or actual incidents, and report accordingly. Given the diversity of core OT equipment, users should be made aware of the unique attack surface areas and threats specific to their OT operating environment.

Network Operations Specialist (OM-NET-001)
  Existing NICE Description: Plans, implements, and operates network services or systems, including hardware and virtual environments.
  OT Considerations: Proper maintenance and operation of network infrastructure is a fundamental of cyber security. Network misconfigurations significantly increase the attack surface area of vulnerable systems. Network operators must understand the unique network properties specific to OT-connected devices. Network operators must also understand the IT/OT interfaces to ensure proper configuration and operation.

System Administrator (OM-ADM-001)
  Existing NICE Description: Responsible for setting up and maintaining a system or specific components of a system. This includes installing, configuring, and updating hardware or software; establishing and managing user accounts; conducting backup and recovery tasks; implementing operational and technical security controls; and adhering to organizational policies and procedures.
  OT Considerations: Proper implementation, assessment, and enhancement of existing security controls, particularly in support of Identity and Access Management (IAM), will prevent unauthorized access to OT systems. The integration of IT IAM with OT IAM should be fully understood.

Systems Security Analyst (OM-ANA-001)
  Existing NICE Description: Responsible for the analysis and development of the integration, testing, operations, and maintenance of systems security.
  OT Considerations: Active, comprehensive integration, testing, operation, and maintenance of cyber security systems will enhance event prevention and detection. Prevention and detection tools unique to OT systems must be fully understood by the Systems Security Analyst to be effective.

Cyber Defense Analyst (PR-CDA-001)
  Existing NICE Description: Uses data collected from a variety of cyber defense tools (e.g. IDS alerts, firewalls, network traffic logs) to analyze events that occur within their environments for mitigating threats.
  OT Considerations: Detecting malicious activity and thoroughly understanding the nature of the exploit is a key enabler to stop further damage to OT systems. This analytical ability will also enable threat hunting. Unique OT protocols and devices that utilize specialized infrastructure must be understood to accurately recognize and analyze malicious activity.

Vulnerability Assessment Analyst (PR-VAM-001)
  Existing NICE Description: Performs assessments of systems and networks within the network environment or enclave and identifies where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. Measures the effectiveness of defense-in-depth architecture against known vulnerabilities.
  OT Considerations: Identifying systemic security issues based on devices and protocols native to the OT environment may help detect active exploits or prevent incidents. Vulnerability and penetration testing tools and techniques specific to the OT environment will be required to develop a complete assessment.

Cyber Defense Incident Responder (PR-CIR-001)
  Existing NICE Description: Investigates, analyzes, and responds to cyber incidents within the network environment or enclave.
  OT Considerations: Accurate analysis and associated response to a cyber security incident will help mitigate the negative effects on business operations. Response techniques applicable to the specific OT environment must be developed to be effective.

Cyber Defense Forensics Analyst (IN-FOR-002)
  Existing NICE Description: Analyzes digital evidence and investigates computer security incidents to derive useful information in support of system/network vulnerability mitigation.
  OT Considerations: A deep analysis of the root cause of a cyber security incident will enable immediate disruption of ongoing incidents while informing the design and implementation of future preventative tools and techniques. Special consideration should be given to the inherent lack of robustness in network and device logging and monitoring capabilities in OT environments.

Cyber Operational Planner
  Existing NICE Description: Develops detailed plans for the support of the applicable range of cyber operations through collaboration with other planners, operators, and analysts. Participates in targeting selection, validation, and synchronization, and enables integration during the execution of cyber actions.
  OT Considerations: An effective cyber security incident recovery plan (e.g. business continuity plan) requires the ability to understand complex threats, incidents, and effective recovery techniques. Significant ability to conduct cross-domain coordination with diverse groups such as technical operations, legal, and corporate communications is required. The planner must have a firm understanding of OT operational requirements and recovery capabilities.

Skills Acquisition
Due to high demand and relatively scarce resources, securing the necessary cyber security talent to fill IT and OT
security roles is challenging[2]. This issue is particularly relevant given the added complexity of unique IT/OT
hybrid environments.

To fill these critical roles, in-house development of necessary talent may be the most effective solution. The
development of talent should be accomplished via a systematic approach with clearly defined paths to achieve
the required skills and competencies.

Both OT and IT technical talent are potential candidate pools for conversion to cyber security.

Conclusion
Throughout this whitepaper, we have discussed the history of IT and OT, and four key governance steps to
implement your converged IT/OT vision. The OTCSA addresses cyber security concerns and aims to provide OT
operators and suppliers with resources and guidance to enable the OT digital workforce in a fast-evolving world.
This whitepaper is a component of a three-part series with additional information into building an organization
to support your OT cyber security and requirements of your security skills framework.

About the Operational Technology Cyber Security Alliance (OTCSA)
The Operational Technology Cyber Security Alliance (OTCSA) is a group of global industry-leading organizations
focused on providing operational technology (OT) operators with resources and guidance to mitigate their
cyber risk in an evolving world. Founded in 2019, OTCSA is the first group of its kind to architect a technical
and organizational framework, the who, what, and how for safe and secure OT. Membership is open to all OT
operators and IT/OT solution providers. Current members include Fortinet, ABB, Splunk, NCC Group, Qualys,
Microsoft, WESCO, Forescout, Wärtsilä, CyberOwl, SCADAfence, Blackberry Cylance, CheckPoint, and Mocana.

To learn more about the OTCSA or to become a member, visit https://otcsalliance.org.

[2] https://niccs.us-cert.gov/sites/default/files/documents/pdf/cybersecurity%20talent%20identification%20and%20assessment.pdf?trackDocs=cybersecurity talent identification and assessment.pdf
Acknowledgements
The following people served as contributors in the preparation of this document:

Name (Affiliation)
Antoine D'Haussy (Fortinet)
Bart de Wijs (ABB)
Chris Duffey (Splunk)
Damon Small (NCC Group)
Dharmesh Ghelani (Qualys)
Gunter Ollmann (Microsoft)
Jason Wolff (WESCO)
Luca Barba (Forescout)
Michelle Balderson (Fortinet)
Päivi Brunou (Wärtsilä)
Russell Kempley (CyberOwl)
Tom Thirer (SCADAfence)

Use of information
Copyright 2020 Operational Technology Cyber Security Alliance (OTCSA)

Redistribution and use of this document AS IS, without modification, is permitted provided that the following conditions
are met:

1. Redistributions of this work of authorship must retain the above copyright notice, this license and conditions, including
the disclaimer listed below.

2. The name(s) of the copyright holder, the Operational Technology Cyber Security Alliance (OTCSA), or any of its members
or contributors may not be used to endorse or promote any products or other offerings, without specific prior written
permission.

THIS DOCUMENT IS PROVIDED BY THE OTCSA, COPYRIGHT HOLDER(S) AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OTCSA, COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
USE OF THIS DOCUMENTATION, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
