The Global Industrial Control System Professional (GICSP) is a relatively new certification offered by the SANS...
Institute, initially announced on Sept. 12, 2013, with plans to begin offering the certification in November 2013. I had the opportunity to take the associated SANS training in March 2014, and took and passed the GICSP test in April 2014. In this tip, we'll look at what the certification covers, how to prepare for it and whether it has value to new and current ICS security professionals.
Within SANS is the Global Information Assurance Certification (GIAC) entity. GIAC is an affiliate of the SANS Institute and is a certification body featuring over 25 hands-on, technical certifications in information security. GIAC has certified over 51,000 IT security professionals since it was founded in 1999. The GIAC program is accredited under the IEC/ISO/ANSI 17024 quality standard for certifying bodies.
As noted in a SANS press release and as observed in the past 5+ years, there is increasing concern about industrial controls systems (ICS) cybersecurity. The crescendo of activity on ICS security began with recognition that the Stuxnet attack on the Iranian nuclear fuel processing facility in June 2010 was a cyberattack on an industrial control system that ultimately resulted in physical damage of the fuel processing centrifuges. Since then there have been ICS cyber events and many initiatives by government bodies -- such as the National Institute of Standards and Technology (NIST) and the government of Qatar -- to establish new and more detailed cybersecurity standards for ICS. Additionally, the International Society of Automation (ISA), in conjunction with the International Electrotechnical Commission, has been publishing standards for security of industrial controls. However, one key concern continues to be raised: There are not many qualified and experienced professionals in the industrial controls cybersecurity space. The GICSP is intended to help fill that gap.
In particular, there are many cybersecurity professionals with experience and certifications in Information Technology (IT), but there are not many who have experience and knowledge of cybersecurity of industrial control systems or operations technology (OT). Hence, SANS began moving ahead with GIAC to establish the GICSP.
GIAC and selected industry leaders in the OT environment -- led by Mr. Mike Assante, SANS ICS director and former North American Electric Corporation chief security officer -- established a panel of subject matter experts (SMEs) to identify the knowledge, skills and abilities necessary to be a successful cybersecurity professional in the OT space. The SME panel met in Houston in May 2013 to begin the process of developing the GICSP. A further outcome of the SME panel was to develop a Job Task Analysis survey that was sent to a broad array of critical infrastructure participants to ensure the GICSP certification aligned with job duties.
According to SANS and GIAC, the global industry experts involved in the GICSP initiative represented U.S. national and international companies including electric/gas utilities, industrial controls companies, major players in the energy consulting domain, large oil and gas companies and security consultants with expertise in ICS security. Of note, one of the SMEs on the panel has said that his employer -- a large global oil company -- will require GICSP certifications by those employees working on his company's industrial control systems.
About the GICSP
The GICSP certification entails a written, proctored exam of 115 multiple-choice questions. There is a time limit of three hours and the minimum passing score is 69%. The test is administered on a computer at an approved testing center and informs the candidate of their final score at the end of the test -- thank goodness!
The test itself is open-book; however, there are restrictions as to what references and resources can be brought to the test site due to the small table space allotted. For example, laptops and electronic devices such as PDAs, tablets, cell phones, etc. are prohibited in the test area.
The exam covers roughly 49 different exam certification objectives and outcome statements. The test is vendor-neutral and practitioner-focused and includes questions from both the OT and IT areas of expertise.
As an option, candidates may prepare for the GICSP exam by first taking the SANS Training Course: ICS410 - ICS/SCADA Security Essentials, which is offered by SANS globally multiple times a year.
The ICS410 course is offered in a classroom environment covering five days. The course syllabus is broken down as follows:
- Day 1 -- ICS overview
- Day 2 -- ICS attack surface
- Day 3 -- Defending ICS servers and workstations
- Day 4 -- Defending ICS networks and devices
- Day 5 -- ICS governance and resources
The course includes hands-on training on a laptop each candidate provides for the course. One excellent resource included in the course is the Samurai Project's Security Testing Framework for Utilities (SamuraiSTFU) which is a compilation of free and open source tools that can be used for cybersecurity testing of control systems. The SamuraiSTFU is used for many of the exercises in the course and offers some examples of where the cyber tools should and should not be used to test ICS and ascertain vulnerabilities.
The course is roughly $4,000+ USD and the GICSP test is an additional $599 USD.
As of July 2014 approximately 150 individuals have successfully completed the requirements to obtain the GICSP certification. The list of current professionals is available for public viewing online. The certifications must be renewed every four years and details on the renewal requirements are listed here.
Preparing for the GICSP
As a GICSP certificate holder, I can offer some advice to those interested in obtaining the certification. First, taking the ICS410 course will give you a sense of the depth and breadth of the certificate, with opportunities to learn more in those areas in which you are less experienced or knowledgeable.
Secondly, GISCP hopefuls should begin preparing for the test as soon as they've completed the ICS410 course. This preparation includes the following.
- Because it is an open-book test, make your notes accessible, legible, highly organized and usable during the time constraints of the exam.
- Review and follow the GIAC Exam Preparation Guides offered by SANS. There is an excellent list of Frequently Asked Questions on the SANS site in this regard. Also, there is the GIAC Certification Program Candidate's Handbook to help with preparation.
- Develop an index of the training materials received in the course. An example screenshot of an index developed for the ICS410 course is shown below. It includes the topic, the day the topic was covered and the page numbers associated with that topic from the course materials handed out that day:
- If taking the ICS410 class, SANS offers two practice tests as part of the registration. Practice tests are also available for purchase from SANS even for those who haven't taken the course. Be sure to take advantage of these opportunities to test your knowledge and ascertain the areas to study. It may be practical to take the first practice exam about a month before the test date and the second exam a week before the test date. The results of both tests should guide your study efforts.
- Get familiar with the Certification Objectives. It may be helpful to prepare a notebook with one Certification Objective listed on a page of paper. Then review the Certification Objective and take notes on references, lessons learned, resources, etc. on the appropriate pages to help study for and learn the Certification Objectives. For instance, for the Control Objective: Access Management -- Access Control Models, be certain to capture resources for mandatory access controls and discretionary access controls to answer this objective. It may also be helpful to insert printouts of the Wikipedia write-up on the MAC/DAC topics as well as excerpts from the classic cybersecurity texts.
- Prepare a notebook to take to the actual exam. Perhaps build a large, 3-inch, three-ring binder including A-Z tabs. Inside each tab include reference material to be used during the test itself. Also have some very specific tabs for Ports, Automation Protocols, the Course Index and a Glossary. Overall, the notebook is an awesome resource not only for the test preparation but also for work in Industrial Controls Security consulting and writing.
- Also consider using a free online tool called Quizlet. Quizlet is a fantastic tool that essentially builds flash cards, quizzes and even learning "games" from the added content that parallels the information in the notebook mentioned above and is consistent with the Certification Objectives.
The GICSP is a fairly new certification offered by SANS/GIAC that is intended to fill the knowledge void relative to industrial controls security. It is a broad and interesting course of study and will certainly help the student and current security professional gain a better sense of the cyber and physical security issues in today's factory, refinery and utility operations. I'm confident that it will prove to be a valuable course of study for those focusing their careers on ICS security.
About the author:
Ernie Hayden is a highly experienced and seasoned technical consultant, author, speaker, strategist and thought-leader with extensive experience in the power utility industry, critical infrastructure protection/information security domain, industrial controls security, cybercrime and cyberwarfare areas. His primary emphasis is on project and business development involving cyber and physical security of industrial controls, smart grid, energy supply, and oil/gas/electric systems and facilities with special expertise on industrial controls and NERC Critical Infrastructure Protection (NERC CIP) standards. Hayden holds certifications as a Global Industrial Cyber Security Professional (GICSP), Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Hayden is an Executive Consultant at Securicon, LLC; has held roles as Global Managing Principal -- Critical Infrastructure/Industrial Controls Security at Verizon; and held information security officer/manager positions at the Port of Seattle, Group Health Cooperative (Seattle), ALSTOM ESCA and Seattle City Light. In 2012 Ernie was named a "Smart Grid Pioneer" by Smart Grid Today and published an article on Microgrid security in Jesse Berst's Smart Grid News. Ernie is a frequent author of blogs, opinion pieces and white papers. He has been cited in the Financial Times, Boston Globe, Energy Biz Magazine, and Puget Sound Business Journal. Many of his articles have been posted to such forums as Energy Central, Public Utility Fortnightly "SPARK,"and his own blog on Infrastructure Security.
Curious about other certifications? Mike Chapple explains COBIT in this article.
Why ISO 27001 may be another certification to consider for your enterprise.