Tuesday, November 7, 2017

Resources to Learn About ICS Security

I had an interesting conversation with a colleague yesterday.  He called to ask for some advice on ways to advance his career in the industrial controls security space.  He held a Certified Information Systems Security Professional (CISSP) certificate and a Master's in Information Security.  However, he was frustrated in trying to determine ways to move ahead in ICS security.

As I considered his questions I realized that a person who can advance in the areas of industrial controls security is someone with factory or process plant experience, an understanding of basic controls theory, and a solid understanding of factory/process plant operations and maintenance.  These are fundamental to understanding the causes and effects of ICS security.

CLASSROOM / ONLINE TRAINING

Besides the “floor” experience, an individual interested in ICS security probably needs some formal training on the key aspects of ICS security you don’t learn when studying for your CISSP.  My recommendations include:

·    ICS-CERT Cyber Security Industrial Control Systems (210W):  This is a free course available on the ICS-CERT Virtual Learning Portal.  The training is all self-paced and requires between 10 and 15 hours to complete.  It is a great way to begin your ICS security knowledge journey.

·    SANS ICS 410: ICS/SCADA Security Essentials: If you take the course, you’ll essentially have the necessary training to pass the SANS GICSP – Global Industrial Cyber Security Professional certification.  The details on the 5-day class are located here.  Of note, you don’t need to take the course but can instead pay to take the test.

·    ISA Cybersecurity Training: The International Society of Automation (ISA) offers a series of four different classes covering ICS security.  These class titles include:
o    Industrial Networking and Security (TS12)
o    Introduction to Industrial Automation Security and the ANSI/ISA99 Standards (IC32C)
o    Using the ANSI/ISA99 Standard to Secure Your Control System (IC32)
o    Assessing the Cybersecurity of New or Existing IACS Systems (IC33)
o    IACS Cybersecurity Design & Implementation (IC34), and
o    IACS Cybersecurity Operations & Maintenance (IC37)
As I understand, each class has an associated certificate (not certification), which you can receive after you satisfactorily pass a written test.
Overall, the ISA training has come a long way and should help with understanding practical ICS security.
You can find out more information regarding the ISA classes here.

READING RECOMMENDATIONS

With regard to reading, I’d highly recommend the following documents to establish your baseline knowledge of ICS security.
  • Guide to Industrial Control Systems (ICS) Security, NIST SP 800-82 R2:  Even though this is issued by the National Institute of Standards and Technology (NIST) it is a decent “textbook” prepared to give the reader a comprehensive view of ICS and the security issues associated with “operational technology (OT).”  I’d recommend the student read this document before moving ahead to any of the training above.  By the way, this is free.
  • An Abbreviated History of Automation & Industrial Controls Systems and Cybersecurity, SANS:  This document is a high-level introduction to industrial controls, control theory, the history of industrial controls and a history of the security issues affecting ICS – including the infamous Stuxnet.  This information will be very helpful to the reader as they progress through the courses above and in their work.  Again, another resource available at no charge.
  • Industrial Network Security, by Eric D. Knapp and Joel Thomas Langill, Syngress Press:  Although a $40 investment, this book offers excellent information on ICS and ICS security you will not normally see in the resources above or in other books written on SCADA security.  Messrs. Knapp and Langill provide excellent, real-world perspective on ICS security.  So, if you’re serious about your ICS security training, I strongly recommend you get this book and read/study it.


I’ve been lucky in my past 45+ years of work where I’ve operated power plants, evaluated various factories, and had a chance to practice “practical ICS security.”  Fortunately, my background has given me the tools to advance in this area but I’ve also taken advantage of the resources above.

### END ###