This article is inspired by a recent article on the Computerworld site for Denmark, where one of the CISO’s for a big energy company lamented the lack of formal skills in the cybersecurity community on the security requirements for Operational Technology (OT) and Industrial Control Systems (ICS). This triggered light research from me on the options out there for relevant trainings and certifications. The importance of security skills within OT/ICS platforms have been detailed in other articles and podcasts here on Cybersecurity Magazine – articles and podcasts I recommend that you read/listen to, if you are interested in OT/ICS security as a career path.
We already know that there are innumerable options for an OT engineer to get up to speed on IT security, but how about the other way around? There are many products out there that promise to help securing OT/ICS infrastructures, but much to my dismay, the training options are far more limited compared to IT security.
Many of the OT/ICS vendors do have security trainings on their own technology platforms, but the more vendor neutral trainings are few and far between. Let’s first look at some of the vendor training options. This list is necessarily not complete, but I have included the biggest OT/ICS vendors out there in the below list:
- Siemens – Basics of cybersecurity in the factory automation
- ABB – Cyber Security Foundation Training
- Schneider Electric – Schneider Electric Cyber Academy
- Rockwell Automation – Cybersecurity Sessions
There are many more OT/ICS vendors out there, so it behooves us make sure that the OT/ICS vendor we are collaborating with has a security program and training in place for the staff managing and securing the infrastructure. If the OT/ICS vendor does not have security offerings for its products, that might be an argument against using this vendor. Does this mean that as cybersecurity specialists, we can just take some of these courses and get up to speed like that? Unfortunately, no. The technologies used in OT/ICS systems are unlike the ones we are used to in the IT world. For example, the communication protocols differ from the ones we are used to and may include:
- Modbus RTU
So, you should expect a steep learning curve if you background is strictly on the IT side of things. Configuring a firewall to look at Profinet, or Modbus traffic is easy with the modern firewall platforms but analyzing and interpreting the data returned from the firewall protecting an OT/ICS network will require deeper knowledge of the protocols and technologies in use.
What about certifications for OT/ICS security? As cyber professionals, we love certifications since formal university educations in cyber has only recently become an option for students. Are there any certifications in OT/ICS security to investigate out there? Luckily, yes! For many years, GIAC has been a trusted certification authority for various cybersecurity areas, such as pen testing, and OT/ICS certifications are also part of the portfolio:
- GICSP – Global Industrial Cyber Security Professional
- GCIP – GIAC Critical Infrastructure Protection
- GRID – GIAC Response and Industrial Defense
Each of the above certifications is aimed at different roles in OT/ICS security. GICSP is the overall security one, while GCIP and GRID are aimed at SOC and response personnel respectively. Fortunately, GIAC is not the only training provider out there in the OT/ICS area of security. ECCouncil, famous for their Certified Ethical Hacker (CEH) certification, has not a formal certification, but a more introduction type of course looking at the challenges around OT/ICS security:
- ICS/SCADA Cybersecurity
Given the reputation of the GIAC certifications, this might be a good course to start out with on your OT/ICS security journey, along with the courses that the various OT/ICS vendors offer specifically on their products.
As mentioned in the beginning of this article, there is a recognized need in the market for competencies on securing and managing the security of OT/ICS infrastructures. This need has been voiced for many years in multiple connections, not least within the EU community, where a study by ENISA, the EU cybersecurity agency, identified the need for certifications in OT/ICS security back in 2014.
Similar research has been done by NIST in the US, as well as many of the international vendor neutral organizations for cybersecurity professionals, like ICS2 and ISACA. The NEED for security skills on OT/ICs is out there, and with the growing number of intelligent components in OT/ICS infrastructures, this is not going to change any time soon. Just imagine that some units have begun to get 5G network access and can communicate via the mobile network.
Smart cities have been a buzzword for many politicians in the past few years, as a way of saving CO2 and ease the burden of transportation around the cities. Can you imagine the potential risk that these smart cities are going to face with connected sensors and controllers all communicating with one another via 5G? The need for OT/ICs security competencies will only increase over the next decade.
Tom Madsen has been active in the cybersecurity industry for more than 20 years. Tom graduated from the University of Aalborg and covered several technical roles in security during his professional career. He is certified as CISSP, CISA, CISM, CGEIT, CRISK, CCSP, CDSPE and CSSLP, and has published the book "The Art of War for Cybersecurity". He is currently writing a book 'Security Architecture - How & Why'.