Working in critical infrastructure? Boost your effectiveness with these cybersecurity certifications

Hybrid warfare between nation-states is imperilling critical infrastructure around the world, both physically and electronically. Since the start of the Ukraine-Russia conflict, hybrid cyber/physical attacks on satellite and communications, energy, transportation, water, and other critical sectors have spread across Europe and beyond.

Chinese perpetrators are actively infiltrating telecommunications networks in the US and abroad, according to the FBI. Germany has also implicated China in the cutting of undersea cables in the Baltic Sea.

Meanwhile, denial-of-service attacks in the form of ransomware (often funded by nation-states and criminal gangs) continue to wreak havoc in the healthcare, energy, transportation, and manufacturing sectors, the FBI also reports.

With attacks against critical infrastructure on the rise, cybersecurity specialists are needed now more than ever. Yet, when it comes to specialized cybersecurity-specific certifications for each of the 16 designated critical infrastructure sectors, only a few exist.

“Today, we don’t have enough sector-specific training out there, but that’s changing,” says Rob T. Lee, chief of research and head of faculty at cybersecurity training firm SANS Institute. “These employers are now evaluating whether someone qualifies to engage in ITOS and OT systems in critical infrastructure, especially those directly connected to the internet.”

New courses and certifications take years to develop. However, SANS and other training firms have set up cybersecurity certifications in the catch-all categories of industrial control systems (ICS) and critical infrastructure protection, which apply to numerous sectors and the roles within them.

Many get layered cybersecurity certifications

Most organizations with critical infrastructure roles have historically relied on basic certifications that demonstrate proficiency in cybersecurity concepts, processes, or role specialization such as incident response or SOC analyst.

“When taking a look at any certifications, especially in critical infrastructure, a lot of IT folks get transferred over from other departments, and then they’re given an additional duty of security,” Lee says. “For these folks, any general foundational IT security certification will do.”

But now with ICS and critical infrastructure certifications widely available, organizations working in or supporting these critical infrastructure sectors are asking for ICS certifications, such as GICSP Global Industrial Cybersecurity Professional, and/or critical infrastructure certifications, such as CCICE Certified Critical Infrastructure Security Expert. Today, these two types of certifications apply to most critical infrastructure sectors, particularly in manufacturing, energy, nuclear, water, chemical, commercial facilities, food and agriculture, and the defense industrial base.

Augmented knowledge, such as standards and compliance requirements specific to the industry, also helps. Examples include a medical systems hire with basic knowledge of HIPAA, a financial sector candidate versed in PCI DSS, or a telecommunications sector candidate who understands applicable Telecommunications Industry Association standards.

While ICS and critical infrastructure certifications apply to most critical infrastructure sectors, some sector-specific certifications also exist. For example, healthcare employers may also require an HCISPP Healthcare Information Security and Privacy Practitioner. In the public sector, the CPSCP Certified Public Sector Continuity Professional would apply. In some cases, when healthcare is part of the government, both may apply.

Putting it all together, take the energy sector, for example. Start with foundational cybersecurity certifications, such as CompTIA Security+ or SANS GFACT. Layer on an ICS certification and add in NERC CP3 (National Energy Reliability Council Certified Compliance Professional) certification, which builds relevant knowledge of NERC Reliability Standards.

Sector by sector critical infrastructure certifications

The Cybersecurity and Infrastructure Security Agency (CISA), under the Department of Homeland Security, has identified 16 designated critical infrastructure sectors and provides resources to manage risk and train or educate workers. In alphabetical order, these include:

Chemical Sector

Commercial Facilities Sector

Communications Sector

Critical Manufacturing Sector

Dams Sector

Defense Industrial Base Sector

Emergency Services Sector

Energy Sector

Financial Services Sector

Food and Agriculture Sector

Government Services and Facilities Sector

Healthcare and Public Health Sector

Information Technology Sector

Nuclear Reactors, Materials, and Waste Sector

Transportation Systems Sector

Water and Wastewater Sector

Foundational cybersecurity certifications

Keep in mind that foundational certifications for entry-level security administration and response proficiency usually call for the fewest prerequisites, while certifications in management, compliance, audit and other higher-level job functions require more prerequisites such as proficiency and experience, other courses and certifications, and/or a college degree.

Below, we list certifications in order of beginner/entry-level to management, noting that many more certifications for specific job roles (admin, responder, SOC analyst, etc.) are also available, but they are too numerous to list here.

CompTIA Security+ baseline skills to perform core security functions

GFACT GIAC foundational cybersecurity technologies

CISSP Certified Information Systems Security Professional

ISC2 ISSEP Information Systems Security Engineering Professional

Various certifications for functional roles within cybersecurity and risk management, such as Certified SOC Analyst, CISA Certified Information Systems Auditor, various GIAC certifications, GGRC Governance, Risk and Compliance Certification, etc.

CISM Certified Information Security Manager

CompTIA SecurityX (expert)

CCSO Certified Chief Security Officer

General critical infrastructure certifications

For many sectors, ICS and critical infrastructure certifications generally apply, including:

CCICE Certified Critical Infrastructure Security Expert

GICSP Global Industrial Cybersecurity Professional

CCIPS Certified Critical Infrastructure Protection Specialist

GCIP, SANS GIAC Critical Infrastructure Protection

ISA 62443 International Society of Automation cybersecurity certificate program

ISO 28000 Supply Chain Security Certifications

Disaster Recovery Institute (various certs)

While not certificates per se, CISA shares critical infrastructure security, awareness, and resilience training courses that also apply across multiple sectors.

Sector-specific cybersecurity certifications

CISA also shares training and education resources to augment any certifications or lack thereof, specifically for the:

Chemical Sector

Commercial Facilities Sector

Dams Sector

Emergency Services Sector

Nuclear Reactors, Materials, and Waste Sector

Additionally, some specialized cybersecurity certifications specific to government, defense, emergency services, manufacturing, energy, healthcare and IT can also apply to a subset of industries within those sectors.

For example, cybersecurity professionals working in organizations that service government and defense agencies should also consider the FISMA CFCP Certified FISMA Compliance Professional, which applies specifically to federal sectors and those servicing federal sectors, including the defense industrial base, government services and facilities, nuclear reactor/waste and public healthcare.

To work in the Defense Industrial Base, cybersecurity pros will also benefit from various certifications designed to meet DoD 8570/8140.

Additionally, CPSCP Certified Public Sector Continuity Professional applies to most public sector agencies, healthcare included.

Below, we break down these and other sector-specific certifications, some of which we combine with applicable subsets of related sectors.

Emergency Services:

FEMA EMI Courses

ISO 22320 Homeland Security (Specific to Emergency Services)

CHSM Certified Homeland Security Manager

Critical Manufacturing, Nuclear/Waste, Water and Energy:

ICS-CERT Industrial Control System certification through CISA

ISA 62443 cybersecurity certificate for ICS (Industrial Control Systems)

CAP Certified Automation Specialist

CCST Certified Control Systems Technician

GICSP Global Industrial Cyber Security Professional

ISO 28000 Cert for manufacturing supply chain

ISA 62443 Industrial Automated Control Systems (IACS)

CCIPS Certified Critical Infrastructure Protection Specialist

GCIP GIAC Critical Infrastructure Protection (GCIP) practitioner certification for NERC CIP (National Energy Reliability Council Critical Infrastructure Protection)

FEMA EMI Courses

Financial Services: 

AICPA SOC for Cybersecurity Certificate (accounting and finance)

BCPA Basel II Compliance certification

PCIP PCI SSC Payment Card Industry Professional

CISA Certified Information System Auditor

GGRC Governance, Risk and Compliance

Healthcare and Public Health: 

HCISPP Healthcare Information Security and Privacy Practitioner (sunsets in 2026, ISC2 update course not yet available)

AHPCP Associated Healthcare Provider Continuity Professional or CPSCP Certified Public Sector Continuity Professional  

CHPA Certified Healthcare Protection Administrator

CHP Certified HIPAA Professional

Information Technology: 

CEH Certified Ethical Hacker

COBIT 5 IT Governance Framework

COBIT 5 Assessor

Certifications may be the ultimate goal for onboarding cybersecurity skills into critical infrastructure sectors, but foundational cybersecurity training often makes a difference in keeping a utility up and running even in times of hybrid warfare, Lee contends.

“We’ve run programs, including mass training for Ukrainians who work in their infrastructure, and we focused more on basic hygiene than getting a specific certification,” Lee explains. “We’re doing mass training to make a difference, and Ukraine is staving off many cyber infrastructure attacks. This shows how basic foundational cybersecurity training makes a difference across the critical infrastructure.”
