Attacks and Vulnerabilities
Critical infrastructure
Features
ICS Cyber Security Training
ICS Security Framework
Industrial Cyber Attacks
ISA/IEC 62443
IT/OT Collaboration
Malware, Phishing & Ransomware
The Skills Gap - Training & Development
Threat Landscape

Addressing ICS cybersecurity training amid rising adversarial threats and evolving tactics

November 19, 2023
Addressing ICS cybersecurity training amid rising adversarial threats and evolving tactics

The evolving threat landscape has emphasized the importance of focusing on gaining knowledge and training in industrial control systems (ICS) cybersecurity. This is essential for professionals who want to gain practical insights into the complexities of operational technology (OT) infrastructure. These critical systems encompass various technologies and devices used in the energy, manufacturing, and transportation sectors, and lie at the heart of modern infrastructure. They play a crucial role in monitoring and controlling physical processes, making them attractive targets for malicious actors seeking to disrupt operations, steal sensitive data, or cause physical harm. 

By focusing on gaining expertise in ICS cybersecurity, professionals can safeguard these critical systems from potential threats, by understanding the unique challenges and vulnerabilities associated with OT infrastructure, which often differs significantly from traditional IT environments. From legacy systems with outdated security measures to the convergence of IT and OT networks, professionals must navigate a complex landscape to ensure the resilience and security of ICS infrastructure. Moreover, gaining knowledge in ICS cybersecurity enables professionals to stay ahead of emerging threats and evolving attack techniques. 

As cyber criminals continuously adapt their tactics, professionals must remain up-to-date with the latest trends and best practices in securing ICS infrastructure. This includes understanding common attack vectors, such as spear-phishing, malware injection, or exploiting vulnerabilities in ICS protocols, and implementing robust defense mechanisms to mitigate these risks. By building a knowledgeable workforce, critical infrastructure organizations can work towards bridging the skills gap and defending their infrastructure against the increasing number and complexities of cyber threats and attacks.

In its 2023 cybersecurity skills gap report, Fortinet showed that organizations are fighting an uphill battle against cyber threats—incurring more breaches, in need of skilled professionals, and continuing to struggle to fill key positions. 72 percent of leaders indicate hiring certified people have increased security awareness and knowledge within their organization, while approximately 40 percent have difficulty finding qualified candidates who are women, military veterans, or from minority backgrounds. Data also indicated that 68 percent of organizations indicate they face additional risks because of cybersecurity skills shortages, consistent with 67 percent in 2021, while 56 percent struggle to recruit and 54 percent struggle to retain talent. 

Cyber professionals should assess their existing cybersecurity knowledge and understanding of ICS and OT. This self-assessment will help identify any knowledge gaps that need to be addressed and determine the appropriate starting point for training. When choosing training providers, professionals should look for those who specialize in ICS cybersecurity and have relevant certifications and accreditations. Seeking feedback from previous attendees can also provide valuable insights. Opting for providers that offer hands-on, practical training ensures the acquisition of real-world skills, as these can enhance comprehension and application of the learned concepts. 

With several training options available for ICS cybersecurity, professionals can now choose from various platforms that cater to different skill levels and learning preferences. Online training platforms offer flexibility and convenience, allowing individuals to learn at their own pace. It is recommended to look for comprehensive courses that cover topics such as risk assessment, incident response, network security, and secure coding specific to ICS/OT environments. Additionally, some in-person workshops and classes provide a more interactive learning experience. Attending these events can be highly beneficial as they often provide opportunities for networking and hands-on exercises to reinforce understanding.

ICS security professionals can enhance their professional credibility and unlock new opportunities by obtaining accreditation after completing their ICS cybersecurity training. Some of the recognized certifications in the field include the GIAC Global Industrial Cybersecurity Professional (GICSP) certification that validates knowledge of ICS security essentials, risk assessment, incident response, and defense-in-depth strategies. Another example is the ISA/IEC 62443 cybersecurity certifications, offered by the International Society of Automation (ISA), which cover various roles, from specialist to expert levels, focusing on implementing and maintaining cybersecurity in industrial automation and control systems (IACS). 

Additionally, ICS cybersecurity professionals need to pursue accredited training programs offered by recognized organizations like the Cybersecurity and Infrastructure Security Agency (CISA), SANS Institute, Industrial Control System Cyber Security Institute (ICSCSI), or Industrial Control Systems Emergency Response Team (ICS-CERT). Accreditation plays a vital role in validating expertise in this field.

Role of Practical Experience in OT Cybersecurity

Industrial Cyber reached out to industry experts from across the industrial cybersecurity training space to gain insights into the significance of practical experience in the field of OT cybersecurity. Additionally, they explored the primary challenges faced by professionals when seeking to acquire this experience. The team also examined the emerging trends in ICS cybersecurity training, highlighting how these trends align with the evolving nature of cyber threats and technological advancements within these systems.

Tim Conway, certified instructor and technical director for ICS and SCADA programs at SANS Institute
Tim Conway, certified instructor and technical director for ICS and SCADA programs at SANS Institute

“Practical, real-world, hands-on experience is absolutely necessary for OT-specific training programs and workforce needs,” Tim Conway, a certified instructor and technical director for ICS and SCADA programs at the SANS Institute, told Industrial Cyber. “Ensuring a broad training curriculum exists that provides the unique training needs of individuals across various job roles and experiences is a critical need for professionals in this space.”

Conway pointed out that ICS training programs that recognize the evolving nature of cyber threats and ever-changing operational environments need to recognize there is no single approach or single SME who will save the day, but rather a need to draw from the valuable experience and knowledge of many diverse skill sets and perspectives as we attempt to develop courseware, credentials, range environments, and apprenticeships to address the needs of current and future practitioners who work in this field.

Mike Holcomb, cybersecurity fellow and ICS/OT cybersecurity global lead for Fluor
Mike Holcomb, cybersecurity fellow and ICS/OT cybersecurity global lead for Fluor

Mike Holcomb, a cybersecurity fellow and ICS/OT cybersecurity global lead for Fluor, told Industrial Cyber that practical experience for those new to OT is challenging to obtain. “Thankfully, we are starting to see internships in OT organizations which can provide experience to new people.  Additionally, we are seeing OT, cyber security courses, introduced at the university and college level, which include practical hands-on labs,” he added. 

“Practical experience is of much importance otherwise you won’t connect to the topics on which you need to work. Practical experience in OT (Operational Technology) cybersecurity is invaluable,” Sourabh Suman, managing consulting for OT/ICS cybersecurity at Capgemini Engineering, told Industrial Cyber. “It’s not just about understanding theories but actually applying them in real-world scenarios, which can be quite challenging. Professionals often face hurdles like limited access to real systems for training purposes or the high costs associated with simulated environments.”

Sourabh Suman, managing consulting for OT/ICS cybersecurity at Capgemini Engineering
Sourabh Suman, managing consulting for OT/ICS cybersecurity at Capgemini Engineering

Meanwhile, Suman highlighted that the emerging trends in ICS cybersecurity training are a reflection of the ever-changing landscape of cyber threats and technological advancements. “We’re seeing more immersive simulations, VR environments, and training modules that mimic actual ICS scenarios, highlighting the importance of adapting to evolving threats,” he added. 

Manjunath Hiregange, industrial senior cybersecurity consultant at Defentos, told Industrial Cyber that practical experience is very important in OT cybersecurity due to the unique and complex nature of ICS. “It is very crucial in OT cybersecurity to understand real-world risks and vulnerabilities. Professionals often face challenges in gaining hands-on experience because of the high stakes involved; mistakes can lead to significant operational disruptions.” 

Manjunath Hiregange, industrial senior cybersecurity consultant at Defentos
Manjunath Hiregange, industrial senior cybersecurity consultant at Defentos

Hiregange highlighted the lack of test environments, outdated legacy systems, and limited access to ICS environments are some of the other key challenges. “Emerging training trends focus on simulations, virtual environments, and hands-on labs to provide realistic practice. More and more ICS cybersecurity training programs are incorporating hands-on exercises and simulations to provide practical experience. New certifications are being developed to specifically address the needs of OT cybersecurity professionals. Training providers are adopting new technologies, such as virtual reality and augmented reality, to create more immersive and realistic training experiences,” he added.

Examining Hands-on Experience in ICS Cybersecurity Training

The experts explore the significance of hands-on experience in ICS cybersecurity training. They also assess how these programs provide practical exposure to different types of attacks, vulnerabilities, and defense strategies within ICS infrastructure. 

Conway identified hands-on experience as extremely important for job roles working directly with or supporting cyber-physical systems. “Specifically, what the hands-on elements of a particular training program consist of will differ based on the learning objectives of a particular course.” 

“There isn’t a single right or wrong way to approach this, as you may see some introductory courses focused on concepts, theory, and leveling up individual working professionals utilizing dozens of hands-on labs used to reinforce learning through the use of simulators, virtual machines, or small-scale physical devices,” according to Conway. “Similarly, you will find more advanced practitioner-focused courses and credentialing exams that leverage complex real-world equipment used to teach very specific defense approaches from adversary system effects-based targeting.”

Likewise, Holcomb said that hands-on experience is critical to learning OT cyber security. “The more a training program can emulate the real world with hands-on experience for real physical OT assets the better. As alternatives, open source software can be used to simulate control systems at a lower cost, which makes training more affordable,” he added. 

Suman identified hands-on experience as pivotal in ICS cybersecurity training, as it allows learners to understand and mitigate the complexities of attacks on industrial systems. 

“Practical training programs incorporate simulations of real-world attack vectors like Stuxnet-style attacks, Advanced Persistent Threats (APTs), and ransomware targeting SCADA systems,” according to Suman. “They also cover vulnerabilities specific to industrial protocols like Modbus, DNP3, and PROFIBUS, and defense strategies such as network segmentation, anomaly detection, and the implementation of robust security policies. This exposure is crucial for developing the skills needed to protect critical infrastructure effectively.”

“Hands-on experience is essential for effective ICS cybersecurity training. It allows professionals to apply theoretical knowledge to real-world scenarios and develop the skills they need to identify, assess, and respond to cybersecurity threats,” Hiregange observed. “Quality programs provide exposure to threat scenarios through virtual environments, test rigs, and simulated ICS systems. These programs often include simulations of cyber-attacks, vulnerability assessments, and implementation of defense strategies in a controlled environment.”

Evaluating SANS, ISA, CISA Strategies in OT Cybersecurity Preparedness

The executives move on to address the fundamental differences between the training approaches of leading organizations such as SANS, ISA, and CISA, and how these approaches cater to the varying needs of professionals in the field. They also examine professionals’ perceptions of the effectiveness of training programs offered by SANS, ISA, and CISA in preparing them to tackle the ever-evolving challenges and complexities of safeguarding OT infrastructures against sophisticated cyber-attacks.

Conway said that he does “not claim to know the ISA or CISA training approaches or programs, nor those of the many independent training providers who train in this space. What I can say is we need them all to keep trying to address this important training gap through their unique approaches and perspectives, as the training need here is broad and diverse, requiring specialists skilled in safety and risk management, engineering professionals, operations staff, IT & OT teams, cybersecurity practitioners with specialized skills, and others contributing to the overall safety and reliability mission.” 

“Equally important, we need critical infrastructure sector leadership to understand the need for investment in cybersecurity training and resources for the personnel supporting OT environments within their organization,” Conway highlighted.  

Speaking from a SANS perspective, “We are focused on meeting the needs of our customers with a full curriculum of resources that addresses the depth and breadth of their needs,” Conway outlined. “Our courseware authors and instructors work in the field that they teach and instruct from the position of being a partner with the students in any given course.”  

He added that focusing on content, technical tools, and capability development in a manner that enables students to return to work with meaningful skills that can be immediately applied. “Adversaries leverage and work across diverse teams, learn from each other, and share information and resources – defenders certainly need to do the same.”

Holcomb outlined that the approaches between the three providers are very different.  “While CISA makes solid general content available to everyone at no cost, there are fees associated with the others. ISA provides training tailored to teaching cyber security to OT professionals while providing an introduction to the ISA 62443 standard.”  

He added that SANS provides the most in-depth knowledge and hands-on labs from global thought leaders in ICS/OT cybersecurity but the costs can be unaffordable for many.  “For true, real-world, defense of OT, environments, the SANS training is second to none.”

The training approaches of SANS, ISA, and CISA differ significantly, according to Suman. “SANS courses are known for their technical depth, often covering advanced topics like reverse engineering and forensic analysis, making them suitable for professionals seeking in-depth technical skills. ISA focuses more on the industrial aspect, offering training that aligns closely with industrial engineering principles and operational needs, ideal for professionals working directly with ICS.” 

“CISA’s training, while comprehensive, is more accessible and provides a foundational understanding of cybersecurity principles applicable to a broad range of sectors,” according to Suman. “The perceived effectiveness of these programs depends largely on the specific needs and background of the cybersecurity professional, with some favoring the technical rigor of SANS, others the industry-specific focus of ISA, or the broad accessibility of CISA’s offerings.”

SANS, ISA, and CISA each have their unique training approaches, Hiregange said. “SANS and ISA are seen as more thorough but cost prohibitive for some. CISA reaches a wider audience. The effectiveness of these programs varies based on individual career paths and the specific demands of their roles in securing OT infrastructures.”

Financial Considerations of ICS Cybersecurity Training

The executives analyze the financial implications for individuals or organizations considering investing in comprehensive ICS cybersecurity training. They carefully evaluate the costs of programs offered by SANS and ISA in comparison to the free offerings from CISA. Additionally, they assess the value that these programs bring to the table, taking into account who typically bears the certification costs – whether it is individuals or their organizations.

Without speaking for ISA or CISA or the many others who have ICS cybersecurity training courses or certificates or certifications, Conway said that he believes “most of the organizations who choose to provide training in the ICS cybersecurity space are here for a reason and it isn’t financially driven.” 

“SANS works across numerous customer groups, from large corporate enterprises and government organizations to small organizations and individual students around the globe. Financial implications can be very different for each customer in each region,” Conway said. “SANS works with each customer in meaningful ways to understand unique needs and work together to identify the best path to provide  resources based on customer needs.” 

From the perspective of training value, Conway said he believes “our instructors, authors, and leaders are mission-focused and intent on making a difference for the ICS community of dedicated practitioners and professionals working in critical infrastructure across the world every day. We give everything we can in the classroom, in an effort to equip students to defend the environments that make, move, and power the world.”

“While CISA makes training available at no cost, most will look to the ISA and SANS programs for training as each offers certification exams with training,” Holcomb said. “These exams can help demonstrate someone’s knowledge and potential skill set in a particular area. Unfortunately, at $10K US a SANS course, these courses are simply not affordable for many. This is why many will gravitate to the ISA series which still isn’t free at $8000 US for all four courses and exams, but is a much more affordable option for those looking to demonstrate their growing knowledge and skill set.”

Suman identified the financial aspect as a significant consideration in ICS cybersecurity training. “SANS and ISA courses, being more specialized and comprehensive, come with a higher price tag. These programs are often seen as investments in high-level skills and knowledge, potentially leading to better job opportunities and enhanced ability to secure complex systems. CISA’s free offerings, while more general, provide essential knowledge and are a great starting point for those new to the field or organizations with limited budgets.” 

“The decision to invest in these programs often comes down to the specific needs of the individual or organization, weighing the cost against the potential return on investment in terms of skills acquired,” according to Suman. “Generally, organizations fund these certifications for their employees, recognizing the direct benefit to their cybersecurity posture. However, individuals seeking career advancement or specialization may also choose to invest in these programs personally.”

“SANS and ISA courses can cost 6000 USD to 9000 USD per person. The higher cost of SANS and ISA programs reflects the more in-depth training they provide,” Hiregange said. “These programs are designed for professionals who need a deep understanding of ICS cybersecurity and the skills to protect ICS systems from sophisticated cyber-attacks. CISA’s resources are free but less extensive. The cost of ICS cybersecurity training is typically borne by either the individual or their organization.”

He also said that individuals who are looking to advance their careers in ICS cybersecurity may be willing to pay for training out of their own pockets, while organizations that need to ensure that their employees are properly trained in ICS cybersecurity may be willing to pay for training as part of their employee development programs.

“ICS cybersecurity is a critical and growing field. Professionals who are interested in entering this field can find a variety of training programs to suit their needs and budget,” Hiregange concluded. “By investing in training, professionals can develop the skills they need to protect critical infrastructure from cyber threats and protect their organizations.”

Anna Ribeiro

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
European Commission makes €112 million investment in AI, quantum research under Horizon Europe program
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems