{"id":1013,"date":"2024-12-02T06:00:00","date_gmt":"2024-12-02T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1013"},"modified":"2024-12-02T06:00:00","modified_gmt":"2024-12-02T06:00:00","slug":"working-in-critical-infrastructure-boost-your-effectiveness-with-these-cybersecurity-certifications","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1013","title":{"rendered":"Working in critical infrastructure? Boost your effectiveness with these cybersecurity certifications"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Hybrid warfare between nation-states is imperilling critical infrastructure around the world, both physically and electronically. Since the start of the Ukraine-Russia conflict, hybrid cyber\/physical attacks on satellite and communications, energy, transportation, water, and other critical sectors have spread across Europe and beyond.<\/p>\n

Chinese perpetrators are actively infiltrating telecommunications networks<\/a> in the US and abroad, according to the FBI<\/a>. Germany has also implicated China in the cutting of undersea cables<\/a> in the Baltic Sea.<\/p>\n

Meanwhile, denial-of-service attacks in the form of ransomware (often funded by nation-states and criminal gangs) also continue to wreak havoc in healthcare, energy, transportation, and manufacturing sectors, the FBI also reports<\/a>.<\/p>\n

With attacks against critical infrastructure on the rise, cybersecurity specialists are needed now more than ever. Yet, when it comes to specialized cybersecurity-specific certifications for each of the 16 designated critical infrastructure<\/a>\u00a0sectors, only a few exist.<\/p>\n

\u201cToday, we don\u2019t have enough sector-specific training out there, but that\u2019s changing,\u201d says Rob T. Lee, chief of research and head of faculty at SANS Institute cybersecurity training firm. \u201cThese employers are now evaluating whether someone qualifies to engage in ITOS and OT systems in critical infrastructure, especially those directly connected to the internet.\u201d<\/p>\n

New courses and certifications take years to develop, however, SANS and other training firms have set up cybersecurity certifications in the catch-all categories of industrial control systems (ICS) and in critical infrastructure protection that apply to numerous sectors and the roles within them.<\/p>\n

Many get layered cybersecurity certifications<\/h2>\n

Most organizations with critical infrastructure roles have historically relied on basic certifications that demonstrate proficiency in cybersecurity concepts, processes, or role specialization such as incident response or SOC analyst.<\/p>\n

\u201cWhen taking a look at any certifications, especially in critical infrastructure, a lot of IT folks get transferred over from other departments, and then they\u2019re given an additional duty of security,\u201d Lee says. \u201cFor these folks, any general foundational IT security certification will do<\/a>,\u201d Lee says.<\/p>\n

But now with ICS and critical infrastructure certifications widely available, organizations working in or supporting these critical infrastructure sectors are asking for ICS certifications, such as GICSP<\/a> Global Industrial Cybersecurity Professional, and\/or critical infrastructure certifications, such as CCICE<\/a> Certified Critical Infrastructure Security Expert. Today, these two types of certifications apply to most critical infrastructure sectors, particularly in manufacturing, energy, nuclear, water, chemical, commercial facilities, food and agriculture, and the defense industrial base.<\/p>\n

Augmented knowledge such as standards and compliance specific to the industry also helps. For example, a medical systems hire with basic knowledge of HIPAA, or in the financial sector, a candidate versed in PCI DSS, or in the telecommunications sector, the candidate understands applicable Telecommunications Industry Association standards<\/a>, and so on.<\/p>\n

While ICS and critical infrastructure certifications apply to most critical infrastructure sectors, some sector-specific certifications also exist. For example, healthcare employers may also require a HCISPP<\/a> Healthcare Information Security and Privacy Practitioner. In the public sector CPSCP<\/a>, the Certified Public Sector Continuity Professional would apply. In some cases, when healthcare is part of the government, both may apply.<\/p>\n

Putting it all together, take the energy sector, for example. Start with foundational cybersecurity certifications, such as CompTIA Security+<\/a> or SANS GFACT<\/a>. Layer on an ICS certification<\/a> and add in NERC CP3<\/a> (National Energy Reliability Counsel Certified Compliance Professional) certification, which builds relevant knowledge of NERC Reliability Standards<\/a>.<\/p>\n

Sector by sector critical infrastructure certifications<\/h2>\n

The Cybersecurity and Infrastructure Security Agency (CISA), under the Department of Homeland Security, has identified 16 designated critical infrastructure<\/a>\u00a0sectors and provides resources to manage risk and train or educate workers. In alphabetical order, these include:<\/p>\n

Chemical Sector<\/a><\/p>\n

Commercial Facilities Sector<\/a><\/p>\n

Communications Sector<\/a><\/p>\n

Critical Manufacturing Sector<\/a><\/p>\n

Dams Sector<\/a><\/p>\n

Defense Industrial Base Sector<\/a><\/p>\n

Emergency Services Sector<\/a><\/p>\n

Energy Sector<\/a><\/p>\n

Financial Services Sector<\/a><\/p>\n

Food and Agriculture Sector<\/a><\/p>\n

Government Services and Facilities Sector<\/a><\/p>\n

Healthcare and Public Health Sector<\/a><\/p>\n

Information Technology Sector<\/a><\/p>\n

Nuclear Reactors, Materials, and Waste Sector<\/a><\/p>\n

Transportation Systems Sector<\/a><\/p>\n

Water and Wastewater Sector<\/a><\/p>\n

Foundational cybersecurity certifications<\/h2>\n

Keep in mind that foundational certifications for entry-level security administration and response proficiency usually call for the fewest pre-requisites, while certifications in management, compliance, audit and other higher-level job functions require more prerequisites such as proficiency and experience, other courses and certifications, and \/or a college degree.<\/p>\n

Below, we list certifications in order of beginner\/entry-level to management, noting that many more certifications for specific job roles (admin, responder, SOC analyst, etc.) are also available, but there are too numerous to list here.<\/p>\n

CompTIA Security+<\/a> baseline skills to perform core security functions<\/p>\n

GFACT<\/a> GIAC foundational cybersecurity technologies<\/p>\n

CISSP<\/a>\u00a0Certified Information Systems Security Professional<\/p>\n

ISC2<\/a> ISSEP Information Systems Security Engineering Professional<\/p>\n

Various certifications for functional roles within cybersecurity and risk management, such as Certified SOC Analyst<\/a>, CISA<\/a> Certified Information Systems Auditor, various GIAC<\/a> certifications, GGRC<\/a> Governance, Risk and Compliance Certification, etc.<\/p>\n

CISM<\/a> Certified Information Security Manager<\/p>\n

CompTIA SecurityX<\/a> (expert)<\/p>\n

CCSO<\/a> Certified Chief Security Officer<\/p>\n

General critical infrastructure certifications<\/h2>\n

For many sectors, ICS and critical infrastructure certifications generally apply, including:<\/p>\n

CCICE<\/a> Certified Critical Infrastructure Security Expert<\/p>\n

GICSP<\/a> Global Industrial Cybersecurity Professional<\/p>\n

CCIPS<\/a> Certified Critical Infrastructure Protection Specialist<\/p>\n

GCIP<\/a>, SANS GIAC Critical Infrastructure Protection<\/p>\n

ISA 62443<\/a> International Society of Automation cybersecurity certificate program<\/p>\n

ISO 2800<\/a> Supply Chain Security Certifications<\/p>\n

Disaster Recovery Institute (various certs<\/a>)<\/p>\n

While not certificates per se, CISA shares critical infrastructure security, awareness, and resilience training courses<\/a> that also apply across multiple sectors.<\/p>\n

Sector-specific cybersecurity certifications<\/h2>\n

CISA also shares training and education resources to augment any certifications or lack thereof, specifically for the:<\/p>\n

Chemical Sector<\/a><\/p>\n

Commercial Facilities Sector<\/a><\/p>\n

Dams Sector<\/a><\/p>\n

Emergency Services Sector<\/a><\/p>\n

Nuclear Reactors, Materials, and Waste Sector<\/a><\/p>\n

Additionally, some specialized cybersecurity certifications specific to government, defense, emergency services, manufacturing, energy, healthcare and IT can also apply to a subset of industries within those sectors.<\/p>\n

For example, cybersecurity professionals working in organizations that service government and defense agencies should also consider the FISMA CFCP<\/a> Certified FISMA Compliance Professional, which applies specifically to federal sectors and those servicing federal sectors, including the defense industrial base, government services and facilities, nuclear reactor\/waste and public healthcare.<\/p>\n

To work in the Defense Industrial Base<\/a>, cyber security pros will also benefit from various certifications designed to meet DoD 8570\/8140<\/a>.<\/p>\n

Additionally, CPSCP<\/a> Certified Public Sector Continuity Professional applies to most public sector agencies, healthcare included.<\/p>\n

Below, we break down these and other sector-specific certifications, some of which we combine with applicable subsets of related sectors.<\/p>\n

Emergency Services:<\/h3>\n

FEMA EMI Courses<\/a><\/p>\n

ISO 22320<\/a>\u00a0Homeland Security (Specific to Emergency Services)<\/p>\n

CHSM<\/a> Certified Homeland Security Manager<\/p>\n

Critical Manufacturing, Nuclear\/Waste, Water and Energy:<\/h3>\n

ICS-CERT<\/a> Industrial Control System certification through CISA<\/p>\n

ISA 62443<\/a> cybersecurity certificate for ICS (Industrial Control Systems)<\/p>\n

CAP<\/a> Certified Automation Specialist<\/p>\n

CCST<\/a> Certified Control Systems Technician<\/p>\n

GICSP<\/a> Global Industrial Cyber Security Professional<\/p>\n

ISO 28000 Cert<\/a> for manufacturing supply chain<\/p>\n

ISA 62443 <\/a>Industrial Automated Control Systems (IACS)<\/p>\n

CCIPS<\/a> Certified Critical Infrastructure Protection Specialist<\/p>\n

GCIP<\/a> GIAC Critical Infrastructure Protection (GCIP) practitioner certification for NERC CIP (National Energy Reliability Council Critical Infrastructure Protection)<\/p>\n

FEMA EMI Courses<\/a><\/p>\n

Financial Services:\u00a0<\/h3>\n

AICPA SOC for Cybersecurity<\/a> Certificate (accounting and finance)<\/p>\n

BCPA<\/a> Basil ii Compliance certification<\/p>\n

PCIP<\/a> PCI SSC Payment Card Industry Professional<\/p>\n

CISA<\/a> Certified Information System Auditor<\/p>\n

GGRC<\/a> Governance, Risk and Compliance<\/p>\n

Healthcare and Public Health:\u00a0<\/h3>\n

HCISPP<\/a> Healthcare Information Security and Privacy Professional (sunsets in 2026, ISC2 update course not yet available)<\/p>\n

AHPCP<\/a> Associated Healthcare Provider Continuity Professional or CPSCP<\/a> Certified Public Sector Continuity Professional \u00a0<\/p>\n

CHPA<\/a> Certified Healthcare Protection Administrator<\/p>\n

CHP<\/a> Certified HIPAA Professional<\/p>\n

Information Technology:\u00a0<\/strong><\/a> <\/strong><\/strong><\/h3>\n

CEH<\/a> Certified Ethical Hacker<\/p>\n

COBIT<\/a> 5 IT Governance Framework<\/p>\n

COBIT 5 Assessor<\/a><\/p>\n

Certifications may be the ultimate goal for onboarding cybersecurity skills into critical infrastructure sectors, but foundational cybersecurity training often makes a difference in keeping a utility up and running even in times of hybrid warfare, Lee contends.<\/p>\n

\u201cWe\u2019ve run programs, including mass training for Ukrainians who work in their infrastructure, and we focused more on basic hygiene than getting a specific certification,\u201d Lee explains. \u201cWe\u2019re doing mass training to make a difference, and Ukraine is staving off many cyber infrastructure attacks. This shows how basic foundational cybersecurity training makes a difference across the critical infrastructure.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Hybrid warfare between nation-states is imperilling critical infrastructure around the world, both physically and electronically. Since the start of the Ukraine-Russia conflict, hybrid cyber\/physical attacks on satellite and communications, energy, transportation, water, and other critical sectors have spread across Europe and beyond. Chinese perpetrators are actively infiltrating telecommunications networks in the US and abroad, according […]<\/p>\n","protected":false},"author":0,"featured_media":1014,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1013","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1013"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1013"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1013\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1014"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1013"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1013"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1013"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}