ENISA’s recommendations for Certifying ICS/SCADA professionals
February 2015 by ENISA
ENISA publishes a new study, looking into the challenges and providing recommendations, for the development of schemes certifying the skills of cyber security experts working on Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) in Europe.
Drawing on an online survey and interviews with experts from EU Member States and worldwide, the study analyses how current initiatives on the certification of professional skills are related to the topic of ICS/SCADA cyber security.
The convergence between Operations Technology (OT) for industrial processes and Information Technology (IT) raises the need not only for the security of ICS/SCADA systems but also for qualified professionals. Currently there is limited awareness of the available certification schemes in the sector, which results in few qualified professionals.
The complexity of ICS/SCADA systems lies mainly in their multi-disciplinary character (cyber security, operations and information technology) and the broad range of sectors using industrial systems (such as automation, energy, chemical, pharmaceutics, etc.). As such, ICS/SCADA systems display differences in their processes, operational procedures, and consequences.
A main challenge of current certification schemes is managing the convergence of cyber security and operations technology. Another is the complexity of different and multi-levelled professional profiles and roles from a functional point of view. Furthermore, it is necessary to raise the relevance, credibility and strength of future certifications for ICS/SCADA cyber security by obtaining the support of professional associations.
The report proposes a series of recommendations to harmonize the certification of skills for ICS/SCADA professionals in Europe. These recommendations are relevant for both the public and private sectors across the EU:
an independent steering committee should assess current global or national certification schemes and define a European Cyber Security certification scheme for ICS/SCADA professionals. This is important to achieve the degree of measured knowledge applicable to industrial operations.
certifications should be multi-level to reach a wide range of professionals from different fields of practice, including operational and managerial topics, and practical aspects.
a certification scheme should be established with management content. This would add value, ensuring that managers are qualified to make the right decisions in crisis situations.
a simulation environment should be developed both for training purposes and for testing practical skills.
ENISA’s Executive Director said: “ICS/SCADA cyber security is at the core of many industrial processes and a growing field which will present commercial and industrial opportunities. Specialised schemes certifying the skills of cyber security experts working on ICS/SCADA would be advantageous to industry sectors and sub-sectors, and important in ensuring the level of cyber security across Europe”.