There’s an important new cyber security certification coming to market at the end of November. I recently talked to Mike Assante of SANS Institute and Scott Cassity of Global Information Assurance Certification (GIAC) to get the details because I think there will be tremendous interest worldwide in this certification and the associated training.
The credential is the Global Industrial Cyber Security Professional Certification (GICSP), and it will be issued by GIAC. It focuses on the foundational knowledge that professionals securing critical infrastructure assets should know. The GICSP has been developed for engineers, control system support and security professionals who work in environments addressed by commonly accepted standards related to control system and automation security, including ISA/IEC 62443 and NERC CIP.
I talked to Mike and Scott about how this certification came about and what it means to the industrial world.
Linda: Why do we need yet another cyber security certification? How is the GICSP different from existing security certifications?
Scott Cassity: We [GIAC] were approached by several people in the industry that were looking for a solution in the industrial control system (ICS) critical infrastructure space. Their needs are distinctly different from typical corporate business needs because industrial controls run different operating systems and use different protocols than what is used in business. Most of the existing security certifications are aimed at working with the business environment.
Linda: Who is the target audience for this certification?
Mike Assante: That’s a good question because what makes industrial cyber security unique is that it requires a blended set of experience and competencies. In order to secure a control system, you are looking at a myriad of stakeholders and many different people who are involved in that task. It includes engineers who actually operate the plant; process control engineers who manage and configure the control system; and SCADA support people and cyber security folks to be able to integrate and blend together. One of the key objectives of this certification is to provide a strong foundation and bridge so that engineers and cyber security professionals can actually work together and blend their competencies to be able to secure a control system. So to answer your question about who this credential is for, it’s for process control engineers, field engineers and cyber security professionals who all have the ability to affect the security of or improve the security of a control system.
Linda: Are industrial control systems fairly standard from one facility to another, say from a petrochemical plant to a pipeline? Are there diverse vendors involved and is this certification vendor neutral?
Scott Cassity: The GICSP certification is vendor neutral but it’s important to understand that control systems share common attributes. What differs is how these systems are applied in different industries and for what purpose. For example, there are control systems that help monitor and control the flow of electricity across the power grid. These are called power SCADA systems. There are other control systems that are focused on very specific and discrete tasks, so there is some variance in the combination of the technologies and the size of the system. You have to recognize that there are some differences. However, we do believe that there is a common body of knowledge that is a foundation for somebody to understand the security of those systems and the challenges those systems have, and to be able to work on the systems.
Linda: What approach have you taken to develop this certification?
Scott Cassity: I think our approach to building this certification has been unique but very beneficial. We built an industry consortium that included some players from utilities, the oil and gas industry, and vendors from the critical infrastructure space like Siemens, ABB, Emerson, Schneider Electric and folks like that. We followed the GIAC process on the development of a new certification. We are in the process of a beta run of the examination during the month of October, and once we go through our standard process, we plan on delivering live exams at the end of November.
Mike Assante: I like to use the word collaboration rather than consortium. What’s really exciting about the collaboration is that it involves users of control systems such as large critical infrastructure providers, and it involves the ICS suppliers – vendors who design industrial control systems for use by the marketplace – and our group includes implementers and integrators that put the technology together for the end-user. You have all of the various stakeholders involved and agreeing that this is a big challenge for all of them and that they want to demonstrate and achieve progress. They all came together for the governance of the collaboration and what we’re trying to achieve. Given the scope of it, all the way down to the subject matter experts – people who’ve worked with these systems for years, people who secure control systems, people who implement control systems – it was really a great community effort and it demonstrates the commitment that the critical infrastructure providers have in trying to secure these important systems.
Linda: Give us some information about the training course.
Mike Assante: SANS has developed a course called ICS410 ICS/SCADA Security Essentials. It is a 5 day course focusing on hands-on technical skills that the students need, so it has a lot of labs. It also has lots of the prerequisite knowledge that you need in order to understand what the security challenges are; what the different types of control systems are; the different types of technologies and how they are applied in different industries; what the architectures look like; where the attack surfaces are; where they are vulnerable based on these different architectures; the strategies to try to defend the systems; how to deal with the myriad security challenges coming from applications that are unique to control systems and the operating systems that are not unique that they rely upon; the industrial protocols used for networking and communicating to the devices in the field; how to deal with firmware driven devices like controllers. On one of the last days we talk about the resources available to help you perform your security functions, like how to do incident response for control systems.
The course is really meant to provide the foundational landscape of all of the security essentials for control systems. It has been designed for a broad audience. Cyber security professionals who have never worked with control systems get a very strong appreciation for what they are and how they differ from IT systems. An engineer is able to sit in that class and understand what the security challenges are and how to think about cyber security and what cyber security means to an engineer. So the course is really designed to have both those two audiences as students. There is a lot of value in having an environment where both engineers and cyber security people can sit down and learn together and conduct labs together. This is part of the breakthrough function. They learn how to interface with each other and understand what each party brings to the table to secure these systems.
Linda: What else is important for security professionals to know about the new Global Industrial Cyber Security Professional Certification?
Scott Cassity: Judging from the level of participation of the industry members of our consortium, I think there will be a big demand for this certification. We’ve had interest from government agencies as well, including the Department of Energy, the Department of Homeland Security, and the European Commission’s Joint Research Center. This is truly a global certification with application all over the world.
Our objective is to submit this certification to ANSI and we hope to get it approved under the ANSI 17024 standard once we get enough history with the exam. Our goal is to submit this in about a year, which is about what it takes to obtain enough data for the submission process. We developed the certification with those standards in mind.
For more information visit http://www.giac.org/certification/global-industrial-cyber-security-professional-gicsp.