Cybersecurity is a critical topic for industrial control systems that will continue to accelerate in importance over the coming years. Personnel working with industrial control systems everywhere in the world will be expected to possess a general awareness of cybersecurity topics. There are a variety of cybersecurity courses and certifications that provide cybersecurity training. Available courses can be broken into categories:
- Training courses that provide an overview of cybersecurity concepts. These courses are typically provided by industry organizations and professional training enterprises. Examples include courses provide by ISA or the SANS Institute.
- Training courses that provide details on product capabilities and configuration techniques for specific products. An example would be a multi-day course that provides details on how to configure a specific firewall product. These courses are typically provided by product vendors.
Personnel will require a mixture of courses from the two training categories to properly design and implement security solutions. Many end users, machine builders, and system integrators are actively defining cybersecurity training programs. Industrial vendors can assist their customers by creating cybersecurity training/certification programs. In this blog we will discuss how these programs can be structured to deliver maximum value to personnel. Three key principles include the creation of a tiered program, the utilization of both internal and external training courses, and the use to testing to certify knowledge.
The first important implementation principle is the creation of a tiered training offer. A tiered offer should define the target audience for each training tier. It should also clearly define the training hours and expenses associated with each tier, helping customers to properly budget for cybersecurity training. An initial tier could be designed to offer an overview of industry cybersecurity, including concepts like standards, networking basics, defence in depth principles, security features, security appliances, infection vectors, best practices, and risk analysis. The initial tier would be of value to both management and technical personnel.
A secondary tier would build on the knowledge imparted from the courses specified in the first tier. The second tier would provide detailed technical training on products. These courses would consist of both classroom and lab based exercises. The second tier of courses would target individuals who would design and manage industrial networks.
A third tier would require completion of the first 2 tiers, and would add advanced training. This tier would be targeted to a small handful of people responsible for Cybersecurity at a corporation or customer facility. Examples of content would include conducting a security assessment, developing a security acceptance test plan, and identifying gaps in existing security policies and procedures.
Utilization of Both Internal and External Training
The curriculum should consist of a mix of webinars, e-learning, classes, and hands-on labs. Courses could be offered by both product vendors and recognized industry organizations. Internally generated courses would provide an overview of cybersecurity concepts, and define security features/configuration details of vendor products. Externally provided courses would provide details on more generic industry practices, like how to conduct a vulnerability assessment. External course selections would be provided by reputable training organizations, and would be vetted in advance by the vendors. Examples of external course could include SANS SEC401, ISA IC32, or ICS Cybersecurity 301 provided by the Department of Homeland Security (DHS). Internal courses could be provided at no cost, external courses could be provided at a discount based on arraignments between the vendors and the selected training organizations.
Testing to Certify Knowledge
A third key principle of a certification program is testing to certify that content was learned. At the conclusion of each training course, a test should be administered to insure that attendees actively learned the material. Having tests typically causes attendees to study material again before taking the test. Many external training courses have tests proctored by third party testing companies. Participants must present proof that they have passed requisite testing in order to receive credit for courses.
Vendors who create a cybersecurity certification program will help customers, machine builders, and system integrators who seek to build cybersecurity expertise. Vendors can take guess work out of the process by researching and selecting best in class training programs. An example of such a program was created by Schneider Electric for its System Integrator Alliance Partners in early 2017. The cybersecurity track is part of Schneider Electric’s Certified Expert Program.