
Working in critical infrastructure? Boost your effectiveness with these cybersecurity certifications – Source: www.csoonline.com


Source: www.csoonline.com – Author:

Utilities, power grids, transportation and other important sectors are increasingly targets of threat groups and hackers. Here are some certifications that can give cyber teams the edge against attackers.

Hybrid warfare between nation-states is imperilling critical infrastructure around the world, both physically and electronically. Since the start of the Ukraine-Russia conflict, hybrid cyber/physical attacks on satellite and communications, energy, transportation, water, and other critical sectors have spread across Europe and beyond.

Chinese perpetrators are actively infiltrating telecommunications networks in the US and abroad, according to the FBI. Germany has also implicated China in the cutting of undersea cables in the Baltic Sea.

Meanwhile, denial-of-service attacks in the form of ransomware (often funded by nation-states and criminal gangs) also continue to wreak havoc in healthcare, energy, transportation, and manufacturing sectors, the FBI also reports.

With attacks against critical infrastructure on the rise, cybersecurity specialists are needed now more than ever. Yet, when it comes to specialized cybersecurity-specific certifications for each of the 16 designated critical infrastructure sectors, only a few exist.

“Today, we don’t have enough sector-specific training out there, but that’s changing,” says Rob T. Lee, chief of research and head of faculty at cybersecurity training firm SANS Institute. “These employers are now evaluating whether someone qualifies to engage in ITOS and OT systems in critical infrastructure, especially those directly connected to the internet.”

New courses and certifications take years to develop. However, SANS and other training firms have set up cybersecurity certifications in the catch-all categories of industrial control systems (ICS) and critical infrastructure protection, which apply to numerous sectors and the roles within them.

Many get layered cybersecurity certifications

Most organizations with critical infrastructure roles have historically relied on basic certifications that demonstrate proficiency in cybersecurity concepts, processes, or role specialization such as incident response or SOC analyst.

“When taking a look at any certifications, especially in critical infrastructure, a lot of IT folks get transferred over from other departments, and then they’re given an additional duty of security,” Lee says. “For these folks, any general foundational IT security certification will do.”

But now with ICS and critical infrastructure certifications widely available, organizations working in or supporting these critical infrastructure sectors are asking for ICS certifications, such as GICSP Global Industrial Cybersecurity Professional, and/or critical infrastructure certifications, such as CCICE Certified Critical Infrastructure Security Expert. Today, these two types of certifications apply to most critical infrastructure sectors, particularly in manufacturing, energy, nuclear, water, chemical, commercial facilities, food and agriculture, and the defense industrial base.

Augmented knowledge, such as standards and compliance specific to the industry, also helps. Examples include a medical systems hire with basic knowledge of HIPAA, a financial sector candidate versed in PCI DSS, or a telecommunications sector candidate who understands applicable Telecommunications Industry Association standards.

While ICS and critical infrastructure certifications apply to most critical infrastructure sectors, some sector-specific certifications also exist. For example, healthcare employers may also require the HCISPP Healthcare Information Security and Privacy Practitioner. In the public sector, the CPSCP Certified Public Sector Continuity Professional would apply. In some cases, when healthcare is part of the government, both may apply.

Putting it all together, take the energy sector, for example. Start with foundational cybersecurity certifications, such as CompTIA Security+ or SANS GFACT. Layer on an ICS certification and add in NERC CP3 (National Energy Reliability Counsel Certified Compliance Professional) certification, which builds relevant knowledge of NERC Reliability Standards.

Sector by sector critical infrastructure certifications

The Cybersecurity and Infrastructure Security Agency (CISA), under the Department of Homeland Security, has identified 16 designated critical infrastructure sectors and provides resources to manage risk and train or educate workers. In alphabetical order, these include:

Foundational cybersecurity certifications

Keep in mind that foundational certifications for entry-level security administration and response proficiency usually call for the fewest prerequisites, while certifications in management, compliance, audit and other higher-level job functions require more prerequisites, such as proficiency and experience, other courses and certifications, and/or a college degree.

Below, we list certifications in order from beginner/entry-level to management. Many more certifications for specific job roles (admin, responder, SOC analyst, etc.) are also available, but they are too numerous to list here.

  • CompTIA Security+ baseline skills to perform core security functions
  • GFACT GIAC foundational cybersecurity technologies
  • CISSP Certified Information Systems Security Professional
  • ISC2 ISSEP Information Systems Security Engineering Professional
  • Various certifications for functional roles within cybersecurity and risk management, such as Certified SOC Analyst, CISA Certified Information Systems Auditor, various GIAC certifications, GGRC Governance, Risk and Compliance Certification, etc.
  • CISM Certified Information Security Manager
  • CompTIA SecurityX (expert)
  • CCSO Certified Chief Security Officer

General critical infrastructure certifications

For many sectors, ICS and critical infrastructure certifications generally apply, including:

  • CCICE Certified Critical Infrastructure Security Expert
  • GICSP Global Industrial Cybersecurity Professional
  • CCIPS Certified Critical Infrastructure Protection Specialist
  • GCIP, SANS GIAC Critical Infrastructure Protection
  • ISA 62443 International Society of Automation cybersecurity certificate program
  • ISO 28000 Supply Chain Security Certifications
  • Disaster Recovery Institute (various certs)

While not certificates per se, CISA shares critical infrastructure security, awareness, and resilience training courses that also apply across multiple sectors.

Sector-specific cybersecurity certifications

CISA also shares training and education resources to augment any certifications or lack thereof, specifically for the:

Additionally, some specialized cybersecurity certifications specific to government, defense, emergency services, manufacturing, energy, healthcare and IT can also apply to a subset of industries within those sectors.

For example, cybersecurity professionals working in organizations that service government and defense agencies should also consider the FISMA CFCP Certified FISMA Compliance Professional, which applies specifically to federal sectors and those servicing federal sectors, including the defense industrial base, government services and facilities, nuclear reactor/waste and public healthcare.

To work in the Defense Industrial Base, cyber security pros will also benefit from various certifications designed to meet DoD 8570/8140.

Additionally, CPSCP Certified Public Sector Continuity Professional applies to most public sector agencies, healthcare included.

Below, we break down these and other sector-specific certifications, some of which we combine with applicable subsets of related sectors.

Emergency Services:

Critical Manufacturing, Nuclear/Waste, Water and Energy:

  • ICS-CERT Industrial Control System certification through CISA
  • ISA 62443 cybersecurity certificate for ICS (Industrial Control Systems)
  • CAP Certified Automation Specialist
  • CCST Certified Control Systems Technician
  • GICSP Global Industrial Cyber Security Professional
  • ISO 28000 Cert for manufacturing supply chain
  • ISA 62443 Industrial Automated Control Systems (IACS)
  • CCIPS Certified Critical Infrastructure Protection Specialist
  • GCIP GIAC Critical Infrastructure Protection (GCIP) practitioner certification for NERC CIP (National Energy Reliability Council Critical Infrastructure Protection)
  • FEMA EMI Courses

Financial Services: 

  • AICPA SOC for Cybersecurity Certificate (accounting and finance)
  • BCPA Basel II Compliance certification
  • PCIP PCI SSC Payment Card Industry Professional
  • CISA Certified Information System Auditor
  • GGRC Governance, Risk and Compliance

Healthcare and Public Health: 

  • HCISPP Healthcare Information Security and Privacy Professional (sunsets in 2026, ISC2 update course not yet available)
  • AHPCP Associated Healthcare Provider Continuity Professional or CPSCP Certified Public Sector Continuity Professional  
  • CHPA Certified Healthcare Protection Administrator
  • CHP Certified HIPAA Professional

Information Technology: 

Certifications may be the ultimate goal for onboarding cybersecurity skills into critical infrastructure sectors, but foundational cybersecurity training often makes a difference in keeping a utility up and running even in times of hybrid warfare, Lee contends.

“We’ve run programs, including mass training for Ukrainians who work in their infrastructure, and we focused more on basic hygiene than getting a specific certification,” Lee explains. “We’re doing mass training to make a difference, and Ukraine is staving off many cyber infrastructure attacks. This shows how basic foundational cybersecurity training makes a difference across the critical infrastructure.”


Original Post url: https://www.csoonline.com/article/563137/top-it-security-certifications-for-critical-infrastructure-by-sector.html
