Achieving the ISA/IEC 62443 Cybersecurity Expert Certification

ISA/IEC 62443 Cybersecurity Expert

In February 2023 I was attending a safety conference. I was introduced to many new people whose roles involved the safe implementation of processes, equipment, and manual procedures that support the entertainment and safety of people all around the world. During one of my conversations, I was told that people purchasing services from large industrial control and automation vendors are not asking for people who have achieved the GIAC GICSP certification. They are specifically asking for people who have achieved the ISA/IEC 62443 Cybersecurity certifications. That was the moment I decided I was going to achieve the ISA/IEC 62443 Cybersecurity Expert certification before the end of 2023.

My journey started simply enough. I logged into my ISA account and signed up for the ISA/IEC 62443 Cybersecurity Fundamentals Specialist. The program offers students three ways to study: in person, online, or self-paced training. Due to my schedule and timeline goal, I decided to take the self-paced training. This meant that I would miss out on the valuable instructor input and experiences, which I do regret. It was a fair tradeoff, since I have some experience in the cybersecurity of industrial automation and control systems (IACS), but I do value others' experiences since there are so many diverse sectors in this field. NOTE: As an ISA member I saved approximately $1600 across all certification attempts, so my membership paid for itself.

Once I started taking the ISA/IEC 62443 Cybersecurity Fundamentals Specialist class, I knew this process was the right decision. As a certified SANS instructor teaching the ICS410: ICS/SCADA Security Essentials class, I have a lot of experience in the security of IACS. What I do not (did not) have a lot of experience in was the actual contents of the ISA/IEC 62443 series of standards. During the self-paced course, I learned how these standards outline the Cyber Security Management System (CSMS), which is the equivalent of a cybersecurity program for the IACS environment. I learned about the concepts of Zones, Conduits, Security Levels, and other IACS concepts. It gave me an appreciation of the standard and the hard work that the standards committees have put into its development.

After achieving the ISA/IEC 62443 Cybersecurity Fundamentals Specialist certification, I had a choice among the next three certifications on my way to Expert. Because my role in cybersecurity is related to assessments, I decided to take the ISA/IEC 62443 Cybersecurity Risk Assessment Specialist certification next. Again, I was pleasantly surprised by the content. This class outlined how to do a risk assessment to identify and prioritize efforts as part of the CSMS. I realized that I had been thinking about my typical role incorrectly. When I help organizations review their environments, I thought I was doing a risk assessment. In fact, according to the standard, I was conducting a vulnerability assessment. The results of the vulnerability assessment feed valuable information into the risk assessment, but the leadership of the organization I am working for needs to evaluate that information, determine where they want to be (as in Target Security Levels), determine the consequences of the vulnerabilities identified, and document the unmitigated risk. All of this will ultimately identify how they will manage the risk through the different risk reduction techniques.

With my ISA/IEC 62443 Cybersecurity Risk Assessment Specialist certification in hand, I tackled the final two certifications in order: Design Specialist and Maintenance Specialist. I am combining these certifications here because the two were a bit repetitive to me. These certifications are specifically designed for individuals who are going to fulfill the role of design specialist or maintenance specialist. These individuals may only be allowed to take one certification after the Fundamentals Specialist certification. Each of these courses covered the topics and equipment that are necessary for these roles. But, because of my previous experience, the material felt more like a refresher. That said, the target audience for this training is people with less experience in cybersecurity, the techniques, and the countermeasures. For them, each course does help to reinforce all the primary concepts and ensure that they have been exposed to and tested on this knowledge repeatedly. In the end, since I passed each of the exams, I do feel I have demonstrated an understanding of all the standard's cybersecurity concepts.

Now, I am not going to conclude with a comparison between the GIAC GICSP and the ISA/IEC 62443 Cybersecurity certifications. I will note that while the GIAC GICSP test is an open-book test, the ISA/IEC 62443 certification tests were not. Thus, there was a LOT of memorization and use of my test-taking talents (thank you, Scantron tests of the 1970s and 1980s). I will say that I am proud of my GIAC GICSP certification, and I am waiting impatiently for my ISA/IEC 62443 Cybersecurity Expert black badge. I think it was an extremely valuable and potentially necessary experience. Both certifications augment each other, and I recommend them both. Whether the industry thinks that I am more valuable as a cybersecurity expert in the IACS field is yet to be seen. Only time will tell.

Go forth and do good things,

Don C. Weber