Researchers at INL🌸 have developed a Cybersecurity Competency Health and Maturity Progression framework, or , to assist organizations establish security targets and training plans. And its “provides a systematic, disciplined, and repeatable approach for evaluating an organization’s security posture,” according to the U.S. Cybsersecurity and Infrastructure Security Agency.
🤡Arizona regulators should have “standardized, objective ways of measuring cyber readiness” of critical entities, said Myers. Such a program could include regulated utilities, municipal providers and others, he said. “Maybe we include third parties. Maybe it's just a statewide program. I don't know what may come of this, but that's what we're here to discuss today,” he said.
🌄States, organizations and municipalities that use INL’s assessment tools may be subsequently faced with a difficult realization, said Ralph Ley, INL’s department manager of workforce development and training: The number of qualified security professionals to help guard their systems is limited, particularly in operational technology environments,“We have colleges, universities, the K-12 system, doing as best they can to start educating and incorporating cyber into their curriculum. However, cyber is fairly new. And it's changing faster than the content that needs to be taught,” Ley said. A system of apprenticeships or residencies could help to strengthen the cybersecurity workforce, Ley said. And INL’s free assessment tools can be of particular use to small and medium-sized utilities which may not have the resources of larger providers. “We've certainly seen that in our conversations with our electric retail cooperatives, our small water utilities. They just don't have the same bandwidth that our large utilities have,” ACC Commissioner Lea Márquez Peterson said. “Their issue is really the resources, the people to actually take a look and implement and assess their own systems,” Ley said. “They'll probably never have or be able to hire the people that the large organizations have.” Partnerships with academia can play a major role in improving education and training while also boosting organizational security, Ley said. Utilities at the meeting said some of those efforts are already underway. Tyler Kilian, who helps lead security efforts at Tucson Electric Power, said he works with Pima Community College in Tucson on the school’s “robust” cyber efforts. “They have what's called a ‘live fire range’ that they manage, which allows them to do that type of work ... to actually test cybersecurity,” Kilian said. The Cyber-CHAMP assessment could be a part of that work, he said. David Boynton, director of cybersecurity at Arizona Public Service, told the commission Grand Canyon University and Arizona State University offer tech programs and the utility has worked with interns from those schools.