A new certification designed to advance industrial cyber security will launch in November. The cross-discipline certification focuses on the foundational knowledge that professionals responsible for securing critical infrastructure assets should know.
I live in Houston, the fourth largest city in the United States. On the southeastern outskirts of metropolitan Houston are the vast industrial complexes of some of the world’s largest petrochemical plants. When viewed at night, these brightly lit complexes look like massive cities unto themselves — and in a way, that’s what they are.
After 9/11, there was great concern about the physical security of these plants. Could they be vulnerable to terrorism attacks from air, land or sea? While physical security is always a concern, I’m sure an equal worry today is cyber security. Could a state-sponsored terrorist group send commands to the industrial control systems in those plants to disable or otherwise disrupt normal operations? In the wake of the success of the STUXNET worm that was used to attack industrial systems in 2010, the answer to my latter question is a definitive yes.
It is that concern that brought an industry consortium together to address the need for improved cyber security for industrial systems. The result is a new certification from the Global Information Assurance Certification (GIAC). The Global Industrial Cyber Security Professional Certification (GICSP) focuses on the foundational knowledge that professionals securing critical infrastructure assets should know. The exam for the certification is in beta test and is expected to be live by the end of November 2013.
The genesis came from members of industry who approached GIAC and the SANS Institute for help in putting together a certification. GIAC started by building the consortium that included players from utilities and from the oil and gas industry, among others. Also participating are vendors in the industrial control space: Siemens, ABB, Emerson, Schneider Electric and others. This team of collaborators was instrumental in defining the foundational knowledge and competencies that a certification candidate must possess.
What makes industrial cyber security unique is it requires a blended set of experience and competencies. In order to secure a control system, a myriad of stakeholders and many different people are involved in the process. It includes engineers who actually operate the plant, process control engineers who manage and configure the control system, and SCADA support people and cyber security professionals who have specialty expertise. The members of this diverse team must be able to integrate and blend together for the good of the whole.
So one of the key objectives of this certification is to provide a strong foundation and bridge so engineers and cyber security professionals can work together, blending their competencies to be able to secure a control system. The audience for this certification includes process control engineers, field engineers and cyber security professionals that will have the ability to affect or improve the security of a control system.
In support of the certification, the SANS Institute has a five-day training course called ICS410 ICS/SCADA Security Essentials. The course is really meant to provide the foundational landscape of the security essentials for control systems. It has been designed for a broad audience. Cyber security professionals who have never worked with control systems get a strong appreciation for what they are and how they differ from IT systems. An engineer is able to sit in the class and understand what the security challenges are, how to think about cyber security and what cyber security means to them as an engineer.
The course has been designed to serve both of these audiences because there is a lot of value in having an environment where both engineers and cyber security people sit down and learn together and conduct labs together. This is part of the breakthrough function of the GICSP certification — that team members learn how to interface with each other and understand what each party brings to the table to secure these systems.
Specifically, the training course includes much of the prerequisite knowledge that someone needs in order to understand what the security challenges of an industrial environment are:
- What the different types of control systems are
- The different types of technologies and how they are applied in different industries
- What the architectures look like
- Where the attack surfaces are
- Where they are vulnerable based on these different architectures
- The strategies to try to defend the systems
- How to deal with the myriad security challenges coming from applications that are unique to control systems and the operating systems that are not unique that they rely upon
- The industrial protocols used for networking and communicating to the devices in the field
- How to deal with firmware driven devices like controllers
On one of the last days, the instructor covers the resources available to help perform the security functions and how to do incident response for control systems.
As is common with certifications, training is optional but strongly recommended.
It’s important to note that the Global Industrial Cyber Security Professional Certification is built to be a vendor-neutral, protocol agnostic global certification. In time, GIAC intends to submit the certification to ANSI and get it approved under the ANSI ISO/IEC 17024 standard.
GIAC expects strong demand for this certification based on the fact that industry players asked to have it developed. There is a clear need to increase the cross-discipline knowledge and communication capabilities among industrial control security teams. This is one case where it really does take a cohesive team to protect industrial plants and critical infrastructure such as utilities, transportation, pipelines and other facilities.
Linda Musthaler is a Principal Analyst with Essential Solutions Corp. which researches the practical value of information technology and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.