The European Union Agency for Network and Information Security (ENISA) has published a new study on the challenges of developing certification schemes for cybersecurity professionals in the field of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA).
ICS/SCADA systems are increasingly targeted by malicious actors. A perfect example is the BlackEnergy2 threat group that has targeted numerous organizations in the energy sector. The group has been spotted attempting to deliver malware in ICS environments by leveraging vulnerabilities in Siemens products.
ENISA has pointed out that securing ICS/SCADA systems requires knowledge of operational technology (OT), information technology (IT), and cyber security. What makes this task even more challenging is the fact that industrial systems are used in a wide range of sectors, such as energy, automation, oil and gas, chemical, manufacturing, and pharmaceutical. While all of these sectors use similar physical systems, there are significant differences in their processes and operational procedures.
Avoiding commercial interests that can impact credibility, obtaining support from stakeholders, ensuring that future certifications will be improved compared to existing ones, and exploring the professional roles of ICS/SCADA experts are also on the list of challenges identified in the report.
ENISA has identified several certification schemes specific to ICS/SCADA cybersecurity, such as the International Society of Automation’s ISA 99/IEC 62443 Cyber Security Certificate Program, the SANS Global Industrial Cyber Security Professional certification (GICSP), and the Certified ICS/SCADA Security Architect (CSSA) certification from the Information Assurance Certification Review Board.
Current certifications have a theoretical approach and the EU agency believes a practical aspect should be included in future programs. However, including a practical component can be challenging because ICS operations usually need to be executed continuously, which makes it difficult to put knowledge into practice on production systems.
There is currently only a limited offer of ICS/SCADA cybersecurity training programs. The list of organizations that provide such courses includes ICS-CERT, CCI-ES, ECNS, Firebrand, InfoSecure, TSTC, Deloitte, and SCADAHacker.
A survey conducted by ENISA has revealed that only 55% of ICS/SCADA experts are aware of existing certification schemes. While three quarters of respondents are considering getting certified, only one third of them have obtained or are in the process of obtaining a cybersecurity certificate.
Interviewed experts believe existing certifications should be used as a foundation for building comprehensive European certification schemes.
ENISA has provided a series of recommendations for the public and private sectors in the EU regarding the development of future ICS/SCADA cybersecurity certifications. The recommendations include creating a steering committee to evaluate the criteria for reviewing and assessing current and future certifications, developing simulation environments for practical training, and creating a framework to define the main features and contents of future schemes.
“ICS/SCADA cyber security is at the core of many industrial processes and a growing field which will present commercial and industrial opportunities. Specialised schemes certifying the skills of cyber security experts working on ICS/SCADA would be advantageous to industry sectors and sub-sectors, and important in ensuring the level of cyber security across Europe,” noted Prof. Udo Helmbrecht, the executive director of ENISA.