Organizations are increasingly preoccupied with strengthening the digital security of their industrial control systems (ICS). They no doubt heard FireEye reveal that it had detected a second intrusion by the same actor behind Triton malware at a second critical infrastructure organization. More recently, they likely heard confirmation of a digital attack that struck the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India back in September.
In response to these as well as many other cyber incidents, organizations are looking to protect their operational technology (OT) environments using a nuanced approach. Doing nothing is no longer an option. One way that organizations can better protect their ICS is by encouraging their industrial cybersecurity professionals to hone their skills and training using respected technical resource providers in the field. These providers can also help IT cybersecurity personnel learn about industrial environments and how best to implement cyber controls relative to uptime and safety of the industrial process.
Towards that end, here are eight providers that ICS professionals should use to train and continuously educate their teams to defend their organizations’ ICS.
1. Global Information Assurance Certification (GIAC)
Among the State of Security’s 11 respected providers of IT security training, the Global Information Assurance Certification (GIAC) offers more than 30 certifications to aspiring security professionals. Personnel working in industrial security should consider achieving three certifications in particular. The first certification, Global Industrial Cyber Security Professional (GICSP), is a vendor-neutral program that teaches enrollees how to balance IT, engineering and digital security to protect industrial control systems. The second accreditation, Response and Industrial Defense (GRID), teaches participants how to take an Active Defense approach towards securing an ICS network. Finally, ICS professionals can aspire to achieve Critical Infrastructure Protection certification to bolster their understanding and implementation of NERC-defined terms and CIP standards.
2. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Created by the U.S. Department of Defense (DoD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) partners with law enforcement, governments of all levels and industry actors to reduce digital risks facing all critical infrastructure sectors. It helps all these actors remain aware of the latest threats by publishing advisories, alerts, security awareness reports and other publications. For ongoing digital defense learning, ICS-CERT also provides hands-on and web-based training, and it works with ICS subject matter experts to make recommended security practices as well as standards and recommendations available.
3. Industrial Control System Information Sharing and Analysis Center (ICS-ISAC)
The Industrial Control System Information Sharing and Analysis Center (ICS-ISAC) is a non-profit organization whose mission is to “provide members and associated sectors practical information regarding the cybersecurity of their facilities.” Members of the Center enjoy access to real-time intelligence feeds that they can use to stay on top of the latest digital security threats confronting their industrial control systems; a secure membership portal from which they can coordinate their defensive measures; and webinar events, a regular conference and regular briefings on evolving threats. They can also review additional information provided by dozens of separate knowledge centers.
4. International Society of Automation (ISA)
A part of the Automation Federation, the International Society of Automation (ISA) is a non-profit organization that caters to tens of thousands of industrial security professionals and other automation personnel worldwide. In cooperation with the American National Standards Institute, ISA has developed various standards specifying fundamental ICS terms and concepts, ICS security system requirements and security levels (IEC 62443) and steps needed to create an ICS security program. It promotes security awareness of these standards via workforce development and training programs as well as professional certificate tracks. Additional industrial security system resources provided by ISA can be found here.
5. National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States government that advances measurement science, standards and technology. The laboratory is responsible for developing the Guide to Industrial Control Systems (ICS) Security – NIST Special Publication 800-82 (PDF), a special publication which has gone through two revisions as of this writing. The document provides guidance on how professionals can secure ICS networks consisting of supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS) and other control system configurations like programmable logic controllers (PLC) while observing each system’s performance, reliability and safety requirements.
6. The SANS Institute
Another one of the State of Security’s 11 respected IT security training providers, the SANS Institute offers training in the classroom from a SANS-certified instructor, in a self-paced program that is conducted online or in a mentored setting. Industrial security professionals can complete several courses with SANS to advance their careers, including two in partnership with GIAC to obtain GICSP and GRID certification. They can also deepen their knowledge on their own time by perusing SANS’ library of analyst surveys, whitepapers and use cases as well as following its industrial control systems security blog.
7. SCADAhacker.com
SCADAhacker.com provides professional services designed to help personnel in critical infrastructure sectors secure their industrial control systems. Founded by Joel Langill, director of critical infrastructure and SCADA representative for the Cyber Security Forum Initiative (CSFI), the ICS security resource center offers training through its online university. Its “Understanding, Assessing and Securing Industrial Control Systems” course, for example, provides students with the necessary knowledge to achieve GICSP certification through GIAC. SCADAhacker.com is comprehensive in its library of ICS security vulnerabilities, whitepapers, standards, and events. Security professionals can also make use of its toolsets, receive its newsletter and read its blog.
8. Information Assurance Certification Review Board
The Information Assurance Certification Review Board (IACRB) is a not-for-profit legal entity that says its sole purpose is to certify infosec professionals. For instance, industrial security personnel can work to become a Certified SCADA Security Architect. This program teaches individuals how to develop a SCADA security policy, how to implement SCADA security best practices as well as how to implement user authentication and authorization for their industrial control systems. Those who pass the exam, a two-hour test consisting of randomly selected questions, will also emerge with a firm understanding of how to conduct vulnerability assessments in industrial environments and protect SCADA systems against digital attacks.
Two More for the Road…
Once ICS professionals have referred to the trusted technical providers discussed above, they might want to consider industrial cybersecurity solutions like those offered by Tripwire and its parent company Belden to gain visibility, implement protective controls, and perform continuous monitoring to protect against cyber events negatively impacting safety, productivity, and quality.