Hey, this is John Ellis from Siemens Energy. Today we're here to talk to you about how to attract, develop, and retain an industrial cybersecurity workforce, and we're excited to present for ICS Village at DEF CON 29. I'm Julia Atkinson, and I'm an Industrial Cyber Alliances Program Manager over at Siemens Energy, and excited to talk to you all today.

So let's talk about the demand for ICS and OT cybersecurity experts in the field. Right now we're focusing on the energy space in particular. Demand for cybersecurity professionals is exploding, especially in the OT, or operational technology, specialty. In a recent study by (ISC)², the organization behind the CISSP, researchers found that there were 3.12 million open cybersecurity roles globally in 2020. In the same study, the organization found that 64 percent of companies report significant or slight shortages of skilled cyber labor, while 56 percent of companies report being extremely or moderately at risk due to the cyber workforce shortage. As it stands, about 90 percent of national ICS cybersecurity workforce needs went unmet in 2020, according to CyberSeek.org.

So what's driving demand for OT cybersecurity expertise, and why aren't more individuals moving to OT? First, the obvious answer: there were few OT cyber experts to begin with. OT cyber experts have traditionally come up through the ranks. These individuals typically have a mix of field experience and on-the-job training that has been difficult to replicate in academic settings. The lack of academic options across all geographies has also limited the growth of specialists in this field. At our last count, there were only five colleges that provided classes, not degrees, but just classes, in ICS security.
From a market perspective, there are several other drivers of increased demand and lagging supply of skilled staff, including increased regulation (including the probable use of compliance-driven cybersecurity investments in the coming years), workforce changes (including retirements), new market entrants (including a deeper OT cyber focus from large consulting companies), and of course a growing number of connected devices in the OT network.

In the next slide, we will discuss the typical skills found in successful OT cyber defenders and look at the ecosystem needed to support the development of the next generation of cyber defenders. So let's take a look at this through an ecosystem- and skills-based view. Traditionally, OT cybersecurity experts have had a mix of industrial knowledge relevant to the physical systems they're defending and cybersecurity knowledge, especially of the OT networks they're responsible for protecting. Individuals with this experience have also typically gained on-the-job experience and received mentorship from the resident experts within their organizations. Some have also gained outside academic training or attended boot camps focused on industrial cybersecurity topics and incident response.

In order to truly scale up the ability of industry and governments to respond to cyber threats, a new approach is needed, one that brings structure to training pathways and accelerates the development of a new group of industrial cyber defenders. The gradual development of expertise over a decade is simply too long to develop and sustain a stable OT cybersecurity talent and workforce pipeline for the industry. Instead, a successful approach would include the development of a program that considers the needs of the various stakeholders invested in industrial cybersecurity. To better understand the complex mix of needs in this ecosystem, let's take a look at the image on the right.
There are a few key groups, including diverse talent, academia, government, and industry. First off, let's talk about the talent themselves. A diverse talent pool really needs a program that they can join with friends, something that they can join as a cohort. It's more fun to join something with your friends, and it becomes more of a team sport. Also, individuals that go into these programs want job-relevant education. They don't want to take classes that they don't need, and they want to be able to use what they learn. They also want post-training placement, so they're looking for a job after the rotation program or after their education in this type of program. And finally, no one wants a boring job. So companies that are hiring apprentices or working through this type of model will need to develop programs that really fulfill the needs of an exciting role, provide mentorship, and allow individuals to learn on the job.

For academia, many colleges and universities are looking for assurance that the academic programs they develop are going to be in demand and that that demand will be sustained. They want to produce graduates that are attractive to employers, and they would also like to make sure that they avoid expensive investment and difficult internal politics. Academic partners also want to develop close relationships with the employers that they're working with.

From the industry view, it's all about low turnover, having employees with relevant and cross-trained skills for organizational resilience, and employees with a mix of technical and communication skills. So soft skills are absolutely relevant even in these OT cyber defender roles. Additionally, industry is looking for diverse talent to be able to fill these roles and actively respond to the threats from cyber attackers. And finally, employers want individuals that want to grow with the organization.
From the government view, there are a couple of factors that need to be taken into account as well. Governments are looking for a competitive workforce, they want secure infrastructure, and they want to develop a high-skill, high-pay tax base while growing the economy.

In the next slide, we'll talk about a framework based on the apprenticeship model that considers the ecosystem needs while also developing a structured and accelerated approach to attracting, developing, and retaining an industrial cybersecurity workforce. So, putting together the needs of the various ecosystem stakeholders, we feel that an apprenticeship model is one of the best ways to develop the industrial cybersecurity workforce of the future. A well-designed program provides the opportunity for participants to learn in the classroom as well as from their employers, mentors, and community.

When designing this framework, we first looked at the needs for in-class training. What we found is that the ideal program combines a mix of mechanical, electrical, and computer engineering with a heaping dose of cybersecurity topics. The specific makeup of the program should mirror, or provide flexibility to align the learning outcomes to, the specific types of systems that the participant is likely to encounter in their day job. Anyone that has undertaken a project like this in the past will know that designing an academic program like this is hard, and challenges can arise from getting different departments such as engineering and computer science to talk to each other, among other issues. A basic understanding of ICS/OT industrial cybersecurity can be delivered as part of a two-year academic program stretched over four years as part of the apprenticeship program. Education is paid for by the employer in this model. Next, let's look at the on-the-job training part of the program.
Participants in an apprenticeship program enjoy the opportunity to earn a progressive paycheck that grows as they learn through the duration of the program. Typically, on-the-job training provided through an apprenticeship program includes access to a mentor and rotations through three to four roles. For industrial cybersecurity here at Siemens, we recommend the first rotation include industrial control system installation and upgrade experience, followed by back-office rotations in analysis, threat intelligence parsing, and threat hunting.

Apprenticeship programs should also have defined milestones along the way. These could include the completion of certain training activities, skills trained, practiced, and measured, or rotations completed. There's a lot of opportunity to gamify the process as well, with challenge coins or anything else. As with many targets, they should be specific, measurable, attainable, and realistic. The time boxing is up to you in your design.

Finally, the apprenticeship program should focus on building up a community and culture. Apprentices are employees from the start and should be included in the team, part of team activities, and supported by the group in general while learning and beyond. Community and culture are also important to make sure that apprentices are learning a shared vocabulary, working from similar playbooks, and ultimately able to work as a team to respond to cyber threats. This includes getting familiar with the organization's policies, procedures, and guidelines, and being well trained on these ahead of the end of their rotational program.

In the next section, we'll cover some of the benefits of apprenticeships and walk through some of the outcomes from similar programs in the past. So why should employers choose an apprenticeship model versus any other workforce development model? Well, research shows that for every dollar invested, no other workforce training method is as impactful as apprenticeship.
Applying this model to cybersecurity allows companies to leverage a proven model with decades of success in professions like carpentry. Employers can build a new talent pool by tapping into diverse networks of early-career professionals as well as career switchers. And once this talent pool is built, apprentices are also much more likely to stay with the company versus new hires off the street. Apprentices develop a deep understanding of the company through rotation and mentorship, and their retention rate is over 90% one year after graduation. Additionally, according to many case studies, apprentices also have higher productivity and capacity than new hires. Though creating an entire program from scratch could seem daunting for any company, a consortium apprenticeship model, where multiple companies band together to pool demand, would allow for shared costs on things like program design, training equipment, and hiring outreach. Overall, the investment is well worth it. Without a stable pipeline of cyber experts to fill the rising number of open cyber positions, companies are not going to be able to grow and to meet rising demand.

Speaking of funding, on the next slide I'll get into some funding opportunities that are available to companies. Many states already have incentives in place to help companies stand up apprenticeship programs. Things like tuition reimbursement may be available for a portion of tuition, as well as various state and federal tax incentives. Additionally, when it comes to justifying the investment internally, statistics show that the return on investment for every $1 spent on an apprentice is nearly $1.46. This is more than any other workforce training program. The internal rate of return versus a direct hire is nearly 8% higher. The initial investment in education and on-the-job training pays off, as I mentioned previously, in retention.
So even after three years, not just one, but three years after graduation, nearly 90% of apprentices are still with the hiring company.

So what's next if you're looking to put together an apprenticeship program? We can move to the next slide. We believe that the whole industry benefits from building up the ICS/OT cyber talent pipeline. As we know, many of these job positions are just sitting open right now. Therefore, we're opening this program up and looking to share best practices with other ICS and OT cyber companies. If you're interested in learning more, please feel free to contact either John or myself for more information. Looking forward to continuing the conversation with all of you. Thanks for coming to our session. Thank you.