How did the Cossacks get the GICSP certificate?

Hi all! There have been many articles about certification in the information security field on everyone's favourite portal, so I make no claim to originality of content, but I would still like to share my experience of obtaining a GIAC (Global Information Assurance Certification) certificate in industrial cybersecurity. Since the appearance of such frightening words as Stuxnet, Duqu, Shamoon and Triton, a market has gradually formed for the services of specialists who look like IT people, yet can also reflash a PLC, rewriting its configuration in ladder logic, while the plant cannot be stopped.

This is how the concept of IT & OT (Information Technology & Operational Technology) came into the world.

Immediately afterwards (clearly, unqualified personnel should not be allowed near this), it became necessary to certify specialists in securing process control and industrial systems, which, as it turns out, have become very numerous in our lives: from an automatic water supply valve in an apartment to aircraft control systems (remember the excellent article investigating the Boeing problems). And even, as it suddenly turned out, complex medical equipment.

A little lyrical digression about how I came to need certification (you can skip it): having graduated at the end of the XNUMXs from the Faculty of Information Security, I proudly stepped into the ranks of the instrumentation and control (KIP) crowd, working as a technician on low-voltage security alarm systems. Information security, it seems, was something the enterprise had merely heard about at that time :) This is how my career as an industrial control system specialist with a bachelor's degree in information security began. Six years later, having risen to head of the SCADA systems department, I went to work as an industrial control system security consultant at a foreign software and equipment vendor. This is where the need to be a certified information security specialist arose.

GIAC is a development of the SANS Institute, an organisation that provides training and certification for information security specialists. The reputation of a GIAC certificate is very high among specialists and customers in the EMEA, US and Asia-Pacific markets. Here, in the post-Soviet space and the CIS countries, only foreign companies doing business in our countries, international firms and consulting agencies ask for such a certificate. Personally, I have never come across a request for this certification from a domestic company; everyone basically asks for CISSP. This is my subjective opinion, and if anyone shares their experience in the comments it will be interesting to hear.

There are quite a few different tracks at SANS (in my opinion the guys have recently expanded their number too much), but there are also very interesting practical courses. I particularly liked NetWars. But this story is about the course ICS410: ICS/SCADA Security Essentials and the certificate called Global Industrial Cyber Security Professional (GICSP).

Of all the industrial cyber security certifications offered by SANS, this one is the most versatile: the second relates more to power grid systems, which receive special attention in the West and are treated as a separate class of systems, and the third (at the time of my certification path) related to incident response.
The course is not cheap, but it gives quite extensive knowledge of IT & OT. It will be especially useful for those comrades who decide to change fields, for example from IT security in banking to industrial cyber security. Since I already had a background in process control systems, instrumentation and operational technology, there was nothing fundamentally new or vital in this course for me.

The course is 50% theory and 50% practice. Of the practice, the most interesting was the contest, NetWars. For two days, after the main classes, students from all the classes were divided into teams and performed tasks: obtaining access rights, extracting the required information, gaining access to a network, a bunch of hash-cracking tasks, work with Wireshark and all sorts of other goodies.

The course material is summarised in books, which you then keep for perpetual use. By the way, they can also be taken into the exam, since it is open book, but they will not help you much there: the exam lasts 3 hours, has 115 questions and is delivered in English. During the 3 hours you can take one 15-minute break. But bear in mind that if you take a 15-minute break and return to the test after 5 minutes, you simply give away the remaining ten, because the testing software will not let you stop the clock again. You can skip up to 15 questions, which then appear at the very end.

Personally, I do not recommend leaving many questions for later, because three hours is really not enough, and when you still have unanswered questions at the end there is a high probability of running out of time. I left "for later" only three questions that were really difficult for me, since they concerned knowledge of the NIST SP 800-82 standard and NERC. Psychologically, such "for later" questions hit your nerves at the very end, when your brain is tired, you want to go to the toilet, and the timer on the screen seems to accelerate exponentially.

In general, to pass the test you need to score 71% correct answers. Before taking the exam you will have the opportunity to practise on realistic tests, as the price includes 2 practice tests of 115 questions with conditions similar to the real exam.

I recommend taking the exam a month after completing the training and spending that month on systematic self-study of the topics in which you feel unsure. It helps to take the printed materials from the course, which look like short abstracts on each topic, and purposefully search for information on the topics they contain. Split the month into two halves by doing the practice tests, to get a rough picture of which areas you are strong in and where you need to improve.

I would like to highlight the main areas that the exam itself consists of (not the training course, which covers much broader topics):

  1. Physical security: as with other certification exams, this subject gets a lot of attention in the GICSP. There are questions on the types of physical locks on doors, and situations involving a cloned electronic access badge are described where you must answer by unambiguously identifying the problem. There are questions directly related to the safety of the technological process depending on the subject area: oil and gas processes, nuclear power plants or power grids. For example, a question like: what type of physical security control is it when an alarm arrives from a steam temperature sensor on the HMI? Or one of this form: what situation (event) would be a reason to review recordings from the surveillance cameras of the facility's perimeter security system?

    As a percentage, I would note that the number of questions on this section, in my exam and in the practice tests, did not exceed 5%.

  2. Another of the most popular categories of questions concerns process control systems, PLCs and SCADA: here you need to approach the material systematically, studying how process control systems are built, from the sensors up to the servers where the application software runs. You will meet plenty of questions on the varieties of industrial data transfer protocols (Modbus in its TCP and RTU variants, PROFIBUS, HART, etc.). There will be questions about how an RTU differs from a PLC, how to protect data in a PLC from modification by an attacker, in which memory areas a PLC stores data and where the logic itself (the program written by the ICS programmer) is stored. For example, a question of this type: how can an attack between a PLC and an HMI that communicate over Modbus be detected?

    There will be questions about the differences between SCADA systems and DCS, and a large number of questions on the rules for separating ICS networks at levels 1 and 2 from level 3 (I describe this in more detail in the section on network questions). Situational questions on this topic will also be very varied: a situation in the control room is described, and you need to select the actions that the process operator or dispatcher must perform.

    In general, this section is the most specific and narrow-profile. It requires good knowledge of:
    — automatic control systems, the field part (sensors, types of device connection, physical features of sensors, PLCs, RTUs);
    — emergency shutdown systems (ESD) for processes and facilities (by the way, Habr has an excellent series of articles on this topic by Vladimir_Sklyar);
    — a basic understanding of the physical processes that occur, for example, in oil refining, power generation, pipelines, etc.;
    — the architecture of DCS and SCADA systems.
    I would note that questions of this type can make up to 25% of all 115 questions of the exam.

  3. Network technology and network security: I think the number of questions on this topic is in first place in the exam. There will be absolutely everything: the OSI model and at which layer a given protocol works, a lot of questions on network segmentation, situational questions on network attacks, examples of connection logs with a request to determine the type of attack, examples of switch configurations with a request to find the vulnerable setting, questions on the vulnerabilities of network protocols, and questions on the specifics of the network connections of industrial communication protocols. Modbus is asked about especially often: the structure of Modbus packets depending on its variant and the versions supported by the device. Much attention is paid to attacks on wireless networks (ZigBee, WirelessHART) and to general questions on the security of the whole 802.1x family. There will be questions on the rules for placing particular servers in the ICS network (here you need to read the IEC 62443 standard and understand the principles of the ICS network reference models), and there will be questions about the Purdue model.
  4. A category of questions that relates exclusively to the functional features of power transmission systems and their information security. In the USA this category of control systems is called the Power Grid and it has a separate role; separate standards are even issued for it (NERC CIP, alongside the ICS-focused NIST SP 800-82) that regulate the approach to building information security for this sector. In our countries this sector is for the most part limited to AMR (automatic meter reading) systems (correct me if someone has come across a more serious approach to controlling electricity distribution and delivery systems). So in the exam you will meet quite specific questions related to the power grid. For the most part these were use cases for a specific situation at a power plant, but there may also be questions about devices used specifically in the power grid. There will be questions testing knowledge of the NIST sections for this category of systems.
  5. Questions on knowledge of the standards: NIST SP 800-82, NERC CIP, IEC 62443. No special comment here: you need to know your way around the sections of the standards, which one is responsible for what and what recommendations it contains. There are specific questions, for example asking how often a control's functionality must be tested, how often a procedure must be updated, and so on. Such questions can make up to 15% of the total. But here it is a matter of luck: in two practice tests I met only a couple of such questions, while in the exam there were really a lot of them.
  6. Well, the last category is all kinds of use cases and situational questions.
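Since Modbus comes up both in the PLC/SCADA section (how to detect an attack between an HMI and a PLC talking Modbus) and in the network section (the structure of Modbus packets), here is an added worked example. It is not part of the original post and not SANS course material: a minimal Modbus/TCP frame parser plus a detection rule that flags write function codes from any host other than the HMI, malformed frames, and exception responses. The PLC address 10.0.1.5, the HMI 10.0.2.10, the unknown host 10.0.2.77 and all frames are constructed sample data, and the rule that only the HMI may write to the PLC is an assumption about the site.

```python
"""Added example (not from the original post or from SANS): parse Modbus/TCP
frames and flag suspicious traffic between an HMI and a PLC.

Modbus/TCP frame = 7-byte MBAP header + PDU:
  Transaction ID (2) | Protocol ID (2, always 0) | Length (2) | Unit ID (1) | Function code (1) | data
All addresses and frames below are constructed sample data (assumption).
"""
import struct
from dataclasses import dataclass

# Function codes that change process state (coil/register writes).
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Assumption: only the HMI may write to the PLC. Modbus has no authentication,
# so a source/function-code allowlist on the wire is the practical detection.
PLC = "10.0.1.5"
HMI = "10.0.2.10"
ALLOWED_WRITERS = {PLC: {HMI}}


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one MBAP header + PDU, rejecting frames that do not fit the spec."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, pid, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The MBAP length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} does not match {len(payload) - 6}")
    return ModbusFrame(tid, pid, length, uid, fc, payload[8:])


def build_frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used here only to build the sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def read_holding_registers(tid, unit, addr, count):
    return build_frame(tid, unit, struct.pack(">BHH", 3, addr, count))


def write_single_register(tid, unit, addr, value):
    return build_frame(tid, unit, struct.pack(">BHH", 6, addr, value))


def exception_response(tid, unit, fc, code):
    return build_frame(tid, unit, struct.pack(">BB", fc | 0x80, code))


def analyse_flows(flows):
    """flows: iterable of (src_ip, dst_ip, tcp_payload). Returns (src, dst, reason) alerts."""
    alerts = []
    for src, dst, payload in flows:
        try:
            frame = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed frame: {exc}"))
            continue
        if frame.function_code in WRITE_FUNCTION_CODES and src not in ALLOWED_WRITERS.get(dst, set()):
            alerts.append((src, dst, f"write FC {frame.function_code} from unauthorised host"))
        elif frame.function_code >= 0x80:
            # Exception responses (FC | 0x80) in bulk usually mean function-code or address probing.
            code = frame.data[0] if frame.data else "?"
            alerts.append((src, dst, f"exception response, code {code}"))
    return alerts


# Constructed sample traffic: normal HMI polling and a setpoint write, then an unknown host.
SAMPLE_FLOWS = [
    (HMI, PLC, read_holding_registers(1, 1, 0x0000, 10)),            # normal poll
    (HMI, PLC, write_single_register(2, 1, 0x0010, 0x1234)),         # allowed setpoint write
    ("10.0.2.77", PLC, write_single_register(7, 1, 0x0010, 0xFFFF)),  # rogue write
    (PLC, "10.0.2.77", exception_response(8, 1, 0x08, 0x01)),        # PLC rejects an unsupported FC
    ("10.0.2.77", PLC, b"\x00\x09\x00\x00\x00"),                      # truncated frame
]


if __name__ == "__main__":
    for alert in analyse_flows(SAMPLE_FLOWS):
        print(alert)
```

Run against the sample flows, it produces three alerts: the write from 10.0.2.77, the PLC's exception response back to it, and the truncated frame; the HMI's own poll and write pass silently. In a real deployment the same logic would sit on a SPAN port or in an IDS between Purdue levels 2 and 3, and the allowlist would come from the plant's asset inventory rather than two hard-coded addresses.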

In general, the training itself, with the possible exception of the NetWars CTF, was not very informative for me in terms of acquiring new knowledge. Rather, I picked up deeper details on some topics, especially the organisation and protection of the radio networks used to transmit process data, as well as a better-organised view of the structure of the foreign standards devoted to this subject. Therefore, for engineers and specialists who already have sufficient knowledge of and experience with process control systems, instrumentation or industrial networks: you can think about saving on the training (and it makes sense to save), prepare yourself and go straight to the certification exam, which by the way costs 700 USD. If you fail, you will have to pay again. There are plenty of certification centres that will accept you for the exam; the main thing is to apply in advance. In general, I recommend setting the exam date immediately, because otherwise you will constantly delay it, replacing preparation with other vital and not-so-vital things. Having a specific deadline will keep you motivated.

Source: habr.com
