Attacks against industrial control systems (ICS) are on the rise. In its 2020 X-Force Threat Intelligence Report, for instance, IBM found that digital attacks targeting organizations’ ICS had increased by more than 2,000% between 2019 and 2018. Most of those attacks involved the exploitation of vulnerabilities affecting supervisory control and data acquisition (SCADA) and other ICS hardware components as well as brute-force login attacks. IBM X-Force also documented the release of 200 ICS-related vulnerabilities in 2019, leading the research team to forecast that digital threats confronting organizations’ ICS would continue to increase in 2020.
Acknowledging these threats, organizations are looking to protect their ICS using a nuanced approach. Many are specifically encouraging their ICS security professionals to hone their skills and training using respected technical resource providers in the field. These providers can also help IT cybersecurity personnel learn about industrial environments and how best to implement cyber controls relative to uptime and safety of their organizations’ industrial process.
Towards that end, here are eight providers that ICS professionals can use to train and continuously educate their teams to defend their organizations’ ICS.
1. Global Information Assurance Certification (GIAC)
Among the State of Security’s 11 respected providers of IT security training, the Global Information Assurance Certification (GIAC) offers more than 30 certifications to aspiring security professionals. Personnel working in industrial security should consider achieving three certifications in particular. The first certification, Global Industrial Cyber Security Professional (GICSP), is a vendor-neutral program that teaches enrollees how to balance IT, engineering and digital security to protect industrial control systems. The second accreditation, Response and Industrial Defense (GRID), teaches participants how to take an Active Defense approach towards securing an ICS network. Finally, ICS professionals can aspire to achieve Critical Infrastructure Protection certification to bolster their understanding and implementation of NERC-defined terms and CIP standards.
2. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)
Created by the U.S. Department of Defense (DoD), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) partners with law enforcement, governments of all levels and industry actors to reduce digital risks facing all critical infrastructure sectors. It helps all these actors remain aware of the latest threats by publishing advisories, alerts, security awareness reports and other publications. For ongoing digital defense learning, ICS-CERT also provides hands-on and web-based training as well as works with ICS subject matter experts to make recommended security practices and standards and recommendations available.
3. Industrial Control System Information Sharing and Analysis Center (ICS-ISAC)
The Industrial Control System Information Sharing and Analysis Center (ICS-ISAC) is a non-profit organization whose mission is to “provide members and associated sectors practical information regarding the cybersecurity of their facilities.” Members of the Center enjoy access to real-time intelligence feeds that they can use to stay on top of the latest ICS security threats, a secure membership portal from which they can coordinate their defensive measures and access to webinar events, a regular conference and regular briefings on evolving threats. They can also review additional information provided by dozens of separate knowledge centers.
4. International Society of Automation (ISA)
A part of the Automation Federation, the International Society of Automation (ISA) is a non-profit organization that caters to tens of thousands of industrial security professionals and to other automation personnel worldwide. In cooperation with the American National Standards Institute, ISA has developed various standards specifying fundamental ICS terms and concepts, ICS security system requirements and security levels (IEC 62443) and steps needed to create an ICS security program. It promotes security awareness of these standards via workforce development and training programs as well as professional certificate tracks. Additional industrial security system resources provided by ISA can be found here.
5. National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States government that advances measurement science, standards and technology. The laboratory is responsible for developing the Guide to Industrial Control Systems (ICS) Security – NIST Special Publication 800-82 (PDF), a special publication which has gone through two revisions as of this writing. The document provides guidance on how professionals can secure ICS networks consisting of SCADA systems, distributed control systems (DCS) and other control system configurations like programmable logic controllers (PLC) while they continue to observe each system’s performance, reliability and safety requirements.
6. The SANS Institute
Another one of the State of Security’s 11 respected IT security training providers, the SANS Institute offers training in the classroom from a SANS-certified instructor, in a self-paced program that is conducted online or in a mentored setting. Industrial security professionals can complete several courses with SANS to advance their careers, including two in partnership with GIAC to obtain GICSP and GRID certification. They can also deepen their knowledge on their own time via perusing SANS’ library of analyst surveys, whitepapers and use cases as well as by following the training provider’s industrial control systems security blog.
SCADAhacker.com provides professional services designed to help personnel in critical infrastructure sectors to secure their industrial control systems. Founded by Joel Langill, director of critical infrastructure and SCADA representative for the Cyber Security Forum Initiative (CSFI), the ICS security resource center offers training through its online university. Its “Understanding, Assessing and Securing Industrial Control Systems” course, for example, provides students with the knowledge to achieve GICSP certification through GIAC. SCADAhacker.com is comprehensive in its library of ICS security vulnerabilities, whitepapers, standards and events. Security professionals can also make use of the organization’s toolsets, receive its newsletter and read its blog.
8. Information Assurance Certification Review Board
The Information Assurance Certification Review Board (IACRB) is a not-for-profit legal entity that says its sole purpose is to certify infosec professionals. For instance, industrial security personnel can work to become a Certified SCADA Security Architect. This program teaches individuals how to develop a SCADA security policy, how to implement SCADA security best practices as well as how to implement user authentication and authorization to their industrial control systems. Those who pass the exam, a two-hour test consisting of randomly selected questions, will also emerge with a firm understanding of how to conduct vulnerability assessments in industrial environments and protect SCADA systems against digital attacks.
Two More for the Road…
Once ICS professionals have referred to the trusted technical providers discussed above, they might want to consider investing in industrial cybersecurity solutions like those offered by Tripwire and its parent company Belden to gain visibility, implement protective control and perform continuous monitoring to protect against cyber events that negatively affect safety, productivity and quality.