How the Cossacks got their GICSP certificate

Hello! Everyone's beloved portal has had many articles on certification in information security, so I will not claim originality of content, but I would very much like to share my experience of obtaining a GIAC (Global Information Assurance Certification) certificate in industrial cyber security. Since the arrival of such scary words as Stuxnet, Duqu, Shamoon and Triton, a market has gradually emerged for specialists whose services look like IT, but who can also load a PLC, rewrite its configuration in ladder logic, and do it without stopping the plant.

So the concept of IT&OT (Information Technology & Operational Technology) came into the world.

Right after that (obviously, unqualified personnel should not be allowed near these systems) came the need to certify specialists in securing process control systems and industrial systems, which, it turns out, are everywhere in our lives: from the automatic water-supply valve in an apartment to aircraft control systems (remember the excellent article investigating the Boeing problems). And even, as it suddenly turned out, sophisticated medical equipment.

A short digression on how I came to need the certification (you can skip it): having studied in the late 2000s at a Faculty of Information Security, I proudly joined the ranks of the instrumentation-and-control flock, working as a technician on low-current security alarm systems. It seems that is what IS meant at the enterprise at the time :) So my career as an ICS specialist started with a bachelor's degree in information security. Six years later, having risen to head of the SCADA systems department, I left to work as an industrial control system security consultant at a foreign hardware and software vendor. That is where the need to become a certified IS specialist arose.

GIAC is an offshoot of SANS, an organization that provides training and certification for information security specialists. A GIAC certificate has a very high reputation among specialists and customers in the EMEA, US and Asia Pacific markets. In my country, across the post-Soviet space and the CIS, such a certificate is requested only by foreign companies doing business in our countries, international firms and consulting agencies. Personally, I have never come across a request for this certification from domestic companies; they basically all ask for CISSP. This is my subjective opinion, and if anyone shares their experience in the comments, it will be interesting to hear.

SANS has quite a lot of different tracks (in my opinion, the guys have lately expanded their number too much), but there are also very interesting practical courses. I especially liked NetWars. But this story is about the ICS410 course, ICS/SCADA Security Essentials, and the certificate called Global Industrial Cyber Security Professional (GICSP).

Of all the SANS industrial cyber security certifications, this one is the most general. The second relates more to power grid systems, which receive special attention in the West and are treated as a separate class of systems, and the third (at the time of my certification path) was about incident response.

The course is not cheap, but it provides quite extensive IT&OT knowledge. It will be especially useful to those colleagues who have decided to change fields, for example from IT security in banking to industrial cyber security. Since I already had a background in process control systems, instrumentation and Operational Technology, there was nothing fundamentally new or vital in this course for me.

The course is 50% theory and 50% practice. The most interesting practical part was the NetWars contest. For two days, after the main classes, all students from all classes were split into teams and worked through tasks on privilege escalation, extracting the required information, gaining access to the network, a bunch of hash-cracking tasks, Wireshark work and all sorts of other goodies.

The course material is compiled into books, which you then keep for perpetual use. By the way, they can also be taken into the exam, since it is open book, but they will not help you much there: the exam lasts 3 hours, has 115 questions and is delivered in English. Over the 3 hours you can take one 15-minute break. But bear in mind that if you take the break and come back to the test after 5 minutes, you simply give up the remaining ten, since the testing software will not stop the clock again. You can skip up to 15 questions, which then come up at the very end.

Personally, I do not recommend leaving many questions for later, because three hours is really short, and if at the end you still have unanswered questions coming up, there is a high probability of failure. I left "for later" only three questions that were really difficult for me, because they concerned knowledge of the NIST SP 800-82 and NERC standards. Psychologically, such questions "for later" are nerve-racking at the very end, when your brain is tired, you want to go to the toilet, and the timer on the screen seems to accelerate exponentially.

In general, to pass the test you need to score 71% correct answers. Before the exam you will have the opportunity to practise on realistic tests: the price includes 2 practice tests of 115 questions each, under conditions similar to the real exam.

I recommend taking the exam a month after the training and spending that month on systematic independent study of the topics in which you feel unsure. It helps to take the printed materials received on the course, which look like short abstracts on each topic, and purposefully look up information on the topics contained in those books. Divide the month in two by taking the practice tests, to get an approximate picture of which topics you are strong in and where you need to catch up.

I would like to highlight the following main areas that make up the exam itself (not the training course, which covers much broader topics):

  1. Physical security: as in other certification exams, GICSP pays a lot of attention to this topic. There are questions about types of door locks, and scenarios with forged electronic badges where you have to identify the problem unambiguously. There are questions directly tied to the safety of the technological process depending on the domain: oil and gas processes, nuclear power plants or electrical grids. For example, a question may ask: which type of physical security control does the situation represent when an alarm from a steam temperature sensor arrives at the HMI? Or: which event would be grounds for reviewing the recordings from the perimeter surveillance cameras of a site?

    In percentage terms, I would note that the number of questions from this section in my exam and in the practice tests did not exceed 5%.
  2. Another, and one of the most common, category of questions concerns process control systems, PLCs and SCADA: here you will need a systematic approach to studying how control systems are built, from the sensors all the way to the servers where the application software runs. You will meet a good number of questions on the various industrial protocols (Modbus, Modbus RTU, Profibus, HART, etc.). There will be questions on how an RTU differs from a PLC, how to protect the data in a PLC from modification by an attacker, in which areas of memory a PLC stores data and where it keeps the logic itself (the program written by the control-system engineer). For example: how can an attack between PLCs and HMIs communicating over Modbus be detected?

    There will be questions on the differences between SCADA systems and DCS. A large number of questions concern the rules for separating control-system networks at levels 1 and 2 from level 3 (I describe this in more detail in the section on network questions). Situational questions on this topic are also very varied: a situation in the control room is described and you have to choose the actions the process operator or dispatcher must take.

    Overall, this section is the most specific and narrowly specialised. It requires solid knowledge of:

    - automated process control systems and their field level (sensors, device connection types, physical characteristics of sensors, PLCs, RTUs);

    - emergency protection systems (ESD, emergency shutdown systems) for processes and assets (by the way, there is an excellent series of articles on this topic by Vladimir_Sklyar on the hub);

    - a basic understanding of the physical processes involved in, for example, oil refining, power generation, pipelines, etc.;

    - the architecture of DCS and SCADA systems.

    I would note that up to 25% of the 115 exam questions can be of this type.
  3. Network technologies and network security: I think this topic has the largest number of questions in the exam. There will probably be absolutely everything: the OSI model, which layer a given protocol operates at, a lot of questions on network segmentation, situational questions on network attacks, sample connection logs where you must determine the type of attack, sample switch configurations where you must spot the vulnerable setting, questions on vulnerabilities of network protocols, and questions on the specifics of network connections for industrial protocols. Modbus comes up a lot: the structure of Modbus packets depending on the variant and the versions supported by the device. Much attention is paid to attacks on wireless networks (ZigBee, WirelessHART) and to the network security of the whole 802.1x family. There will be questions on where particular servers belong in a control-system network (here you need to read IEC 62443 and understand the principles of reference control-system network architectures), and questions about the Purdue model.
  4. A category of questions relating exclusively to how electric power transmission systems operate and how their information security is organised. In the USA this category of control systems is called the Power Grid and is treated as a sector of its own, with its own standards (NERC, plus the relevant sections of NIST SP 800-82) regulating the approach to building information security for it. In our countries this sector is mostly limited to ASKUE (automated electricity metering) systems (correct me if anyone has seen a more serious approach to controlling electricity distribution and delivery). So in the exam you will meet quite specific Power Grid questions. Mostly these were use cases for a specific situation at a power plant, but there may also be questions about devices used specifically in the Power Grid. There will be questions testing knowledge of the NIST sections for this category of systems.
  5. Questions on knowledge of the standards: NIST SP 800-82, NERC, IEC 62443. No special comments here: you need to be able to navigate the sections of the standards, know which covers what and what recommendations each contains. There are specific questions, for example about how often a system's functionality must be checked, how often a procedure must be updated, etc. Such questions can make up to 15% of the total, but it is a matter of luck: in the two practice tests I came across only a couple of questions like this, while on the real exam there were really a lot of them.
  6. Well, the last category of questions is all kinds of use-cases and situational questions.


Overall, the training itself, with the possible exception of the NetWars CTF, was not very informative for me in terms of genuinely new knowledge. Rather, I picked up deeper details on some topics, especially the organisation and protection of the wireless networks used to carry process data, and a better-ordered picture of the structure of the foreign standards on the subject. So engineers and specialists who already have sufficient knowledge and experience with process control systems, instrumentation or industrial networks can think about saving on the training (and it does make sense to save), prepare on their own and go straight to the certification exam, which, by the way, costs 700 USD. If you fail, you pay again. There are plenty of test centres that will administer the exam; the main thing is to apply in advance. In general, I recommend booking the exam date right away, because otherwise you will keep postponing it, replacing preparation with other vital and not-so-vital things. With a specific deadline you will be self-motivated.
