Help Wanted: Why Young Professionals Should Consider a Career in Critical Infrastructure Security
Security Technology, August 2021
The COVID-19 pandemic highlighted the necessity of critical infrastructure, with everything from the supply chain to healthcare systems put at risk at different points over the past year-and-a-half.
Alarmingly, there has been a measurable increase in the number of cyber and information security attacks on critical infrastructure over this same period. These attacks are prompting organizations to shore up their defenses, and due to a cybersecurity skills shortage, now is an excellent time for young professionals to consider working in cyber and information security within critical infrastructure sectors.
“Sixty-five percent of organizations report a shortage of cybersecurity staff” and “a lack of skilled/experienced personnel is the top job concern among respondents,” according to the 2019 Cybersecurity Workforce Study conducted by ISC².
The sixteen sectors designated as critical under the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are varied, and there is a growing need within each of them for eager young professionals to pursue positions that will also help them future-proof their careers. The following four sectors weathered attacks during the pandemic and could be ideal starting points for future career development.
Financial Services Sector
The Financial Services Sector includes global corporations and entities that do everything from printing currency to digitizing finance. These efforts bring products and lines of business into the purview of cyber adversaries. Malware and ransomware, as with most sectors, are the most pressing threats. Indeed, commercial and state-owned banks, credit unions, insurance companies and global financial technology firms must contend with these threats on a daily basis. While the financial sector can—and should—be seen as a hard target, this doesn’t deter organized crime and nation-state attackers from targeting the Financial Services Sector.
Throughout the pandemic, professionals in the Financial Services Sector observed a significant increase in cyber activity focused on targeted intrusion via social engineering, and on July 10, 2020, the SEC (U.S. Securities and Exchange Commission) issued a warning about a rise in ransomware attacks on U.S. financial firms. Much of this activity related to the new normal of remote work and COVID-19-related programs, and it provided opportunities for threat actors to use campaigns and scams to conduct fraud, a trend which is ongoing.
Healthcare and Public Health Sector
Working in the healthcare and public health industry is rewarding. People join to help others and to support healthcare professionals who provide medicine and rehabilitate patients. The pandemic continues to put a great amount of pressure on healthcare entities in particular. For healthcare organizations to provide care, their technology infrastructure must be supported.
The healthcare and public health sector has been increasingly targeted by cyber criminals, and the sector remains vulnerable. On 27 September 2020, a massive ransomware attack struck healthcare giant Universal Health Services (UHS), which has hundreds of facilities across the United States and the United Kingdom. Thankfully, UHS was able to respond effectively, following policies and procedures and ensuring no lives were lost—but not every health system is so lucky.
The sector struggles to defend itself against attacks because it still uses many legacy systems, such as legacy database systems, which are not compatible with security protections or can’t be upgraded because they are critical to the organization. Healthcare organizations’ priority is to save lives, and legacy systems often stay in place long after it is prudent from a security standpoint.
Due to the rising number of attacks, this sector has a significant need for young professionals with competencies in both new and legacy systems. It’s also very rewarding to use your security competencies to contribute to saving lives.
Energy Sector
The Energy Sector supports all other critical infrastructure sectors, providing energy via oil, gas, and electricity. As in other sectors, cyber threats such as ransomware and malware can spell disaster due to the energy sector’s reliance on connected technologies: networked computer systems manage energy production, distribution, and monitoring.
On 9 May 2021, ransomware attackers successfully breached the corporate network of Colonial Pipeline (a U.S. fuel pipeline operator that supplies nearly half of the U.S. East Coast). In response, and to ensure the integrity of its operational networks, Colonial Pipeline chose to shut down its operations. This led to panic buying and fuel shortages in the Southeastern United States.
Further, Colonial Pipeline suffered reputational damage and shares of its stock fell. This event also affected aviation transport fares in the region. Finally, this led Colonial Pipeline to pay a ransom worth $5 million in cryptocurrency to the threat actors.
To minimize the effect of cyberattacks in this sector, providers require up-to-date backup systems, strategic investments in cybersecurity controls, intelligence gathering on potential threat actors, industrywide collaboration on sharing of intelligence data, and deployment of trained cybersecurity professionals (an area most young professionals should consider) to monitor these networks and control centers.
Water and Wastewater Sector
Finally, the Water and Wastewater Sector is another sector where a successful attack could result in direct loss of life. In February 2021, a hacker attempted to increase the amount of sodium hydroxide in the water supply at a water treatment facility near Tampa, Florida. If successful, this attack would have put the lives of everyone in the served municipality at risk. Thankfully, an alert worker intervened to stop the attack.
The Water and Wastewater Sector is likely to be an overlooked sector for young professionals to consider. Specialization in water-related utilities could help a young professional become an expert with dual expertise. Young professionals can point to the above attack during their interviews; the need for skilled professionals in this sector, as in the above sectors, is without question.
If considering a security career in the Water and Wastewater sector surprised you, it may be worth scanning the CISA list of critical infrastructure sectors to see if any other sectors also come as a surprise. You may already work in a critical sector or may be considering companies that fall within one or more sectors.
Cyber and information security threats to the critical infrastructure sectors discussed above remain serious and common, and every sector of critical infrastructure will need skilled young professionals to help protect against these types of attacks. Each one of the critical infrastructure sectors has a common goal: to provide services which are needed for a functioning society, or for the health and safety of the population.
As young professionals begin their careers or consider a transition, looking to critical infrastructure is a prudent choice. Young professionals can have an impact within these important organizations and can help guide them through these increasingly treacherous times. As long as we live in a connected world, pursuing work in the security of critical infrastructure entities will be an excellent career path for young professionals.
Young Professionals who are interested in getting involved can join ASIS’ Young Professional Community, which hosts regular meetings and events. ASIS also maintains a discussion board on their website. Both groups require membership to ASIS.
Erwin van de Weerd, CPO, is the area security manager Benelux for SAP, and vice-chair of the ASIS International Young Professionals Community. Additionally, he is part of the Benelux Chapter as Young Professionals Liaison. Erwin is a Young Professional Ambassador and strives to assist other young professionals with their journey.
Bryan Roberts, CPP, M.ISRM, SAS-AP, SRMP-C, is the lead, security operations and intelligence for Notore Chemicals Industries PLC. He is the current ASIS International Port Harcourt Chapter chair, a member of the ASIS International YP Community Engagement Steering Committee, and former vice-chair of the ASIS International YP Council, Membership Engagement Committee. Bryan was a 2021 Nigeria OSPA finalist in the best In-House Security Manager category, and 2020 Nigeria OSPA finalist in the best Young Professional category.
Justin Laden has a master’s degree in Computer Science specializing in security from Boston University, and a law degree from the University of Texas, Austin. He consults on a variety of security-related topics for Wetware Security. Justin is a member of the ASIS International Young Professionals Community and a steering committee member for the content development group.
Neil Parker works at Mastercard Int. leading the Business Security Enablement team supporting operations, network, and employee experience across the globe. His primary objective is to promote and evangelize a risk culture and security awareness for all teams supporting Mastercard's technology. Neil is a current member and chairman of the ASIS International Young Professionals Community.