
Bashing Education and Certifications Reduces Safety of Industrial and Automation Control Environments

Gatekeeping, building the wall

Recently, I have noticed people emphasizing the name of certifications and personally attacking the people who obtain them. This is unfortunate as it is shining light on the wrong subject. The value of a certification is not in the name. The value of the certification is that it is an indication that an individual has received a level of instruction and demonstrated the ability to retain, reference, and recall that information. It is this foundation of knowledge that the individual can be held accountable for using during decision making.

The purpose of certifications is to provide a level of instruction that exposes the student to new concepts. Typically, the concepts are a collection of details about individual data points that combine into a specific domain. Some education is designed to initiate individuals into concepts the student has not been exposed to or that require a new way of considering the concept’s implementation. Other educational experiences expose the student to the actual implementation of these concepts. Most students benefit more by receiving the former before the latter. In the case of industrial and automation concepts this is extremely important as the implementation of technologies within control environments has a combination of new technologies and known technologies that are implemented with a different purpose.

It is widely known that I am an instructor for the SANS-ICS ICS410: ICS/SCADA Security Essentials class. The name of the GIAC certification for this course, which I personally certify every four years, is the Global Industrial Cyber Security Professional (GICSP). I have also, recently, taken the courses and received a certification in the ISA/IEC 62443 program and received the ISASecure certification named ISA/IEC 62443 Cybersecurity Expert certification. My knowledge from both experiences demonstrates that none of the teams involved with teaching and supporting these efforts care one bit about the name of the certification. They understand that it is the distribution of the information in a manner that can be applied by the individual receiving the training, regardless of them obtaining the certification. The intent is to make the world a safer place through this education and allow them to succeed in their career efforts.

There is a lot to argue about any education, from content to cost. Personally, I am proud to be a part of both programs. I have found that I can apply information from both in the application of my skills and my interactions with people that are new OR experienced in this field. I have never, in any professional or education interactions, portrayed my role as more or less than I am bringing to the table as an information security professional with experience helping engineers, operators, vendors, and integrators secure their process environments. I have expressed this to my students, people attending my talks, clients, partners, and during discussions on these topics. The people I choose to surround myself with are people who manage themselves in a similar manner.

The belittling behavior of people experienced in the implementation of industrial and automation environments is not a new experience. For the past ten years it has been referred to by the name ‘gatekeeping.’ The misguided initial intent for this behavior was tied to safety. The concept was that people with no experience in industrial and control environments will, through their actions and recommendations, create a safety issue that is more likely to be realized. Only people with experience in these fields can properly deploy technologies to support the process while also ensuring the safety of people, the environment, and the process. Ten years ago, I could understand this argument even when I was being thrust, by my own choice, into this fray.

Over the past ten years I, along with you, have seen connectivity into the industrial and control environments grow. In the past ten years I have seen professionals from various industrial and automation sectors deploy technologies with limited knowledge of the actual technology. Let’s use a simple example from an organization with a very experienced Windows Domain administration team. A new control environment was being stood up by the engineering team with the assistance of an experienced integrator team. They deployed all the technologies, ensured that all the process flows worked, and then asked our team to evaluate the solutions for any security-related gaps. Our analysis determined that everything, and I mean everything, had been deployed and was running as Domain Administrator. All user accounts – Domain Administrator. All service accounts – Domain Administrator. All applications – Domain Administrator. When we asked them about it, their response was “when we go live next week, we will change everything to the correct user.” While this is just one situation, my experience in industrial and automation environments is that engineers, operators, vendors, and integrators will not accept help from individuals or teams that understand these technologies better than they do, not realizing that, by not accepting this help, they are creating situations that will have a negative impact on safety.

Of course, some people will argue the fact that I am not talking about the actual process. They will argue that processes are built to be resilient to unexpected and unsafe situations and inputs. They will argue that I am proving their point and that I, as an information security professional with ten years of experience securing control environments, should not be allowed anywhere near a process. To that point I would argue that these individuals have shallow experiences. They are pulling their flimsy and ineffective arguments tighter around themselves because they are scared that they are not the most important and knowledgeable person. I would argue that the processes can be impacted by these situations in a manner that is difficult to predict but can lead to losses or denial of view, control, and safety. ISA/IEC 62443 requires that ALL technologies are reviewed for this impact on the process and that they are configured (hardened) appropriately according to their Security Target Level (SL-T). This includes supporting technologies as well as the configuration, deployment, and programming of process level devices. To do this ISA/IEC 62443 recommends a TEAM of stakeholders with the appropriate skill levels to understand the technologies. Some team members will come from the operations side but the team should also include individuals with experience from the information technology and information security teams.

As I mentioned, remote connectivity into industrial and automation control environments is expanding rapidly. We cannot continue denying that these environments require an infusion of talent from information technology and information security professionals. These new skills are needed to allow the personnel experienced with the implementation of industrial and automation technologies to do their jobs deploying operationally sound and safe processes. We cannot expect people to know everything. We can expect that individuals will operate as adults within a team of experts in their chosen fields. To this end, all individuals need training in initial and in-depth concepts. To use a saying I’ve been hearing a lot lately, “This is a marathon, not a sprint.” But if people keep locking the gate nobody can run the marathon or the sprint.

Go forth and do good things,

Don C. Weber (cutaway)