Mike Holcomb’s Post

Helping You Secure ICS/OT | Fellow, ICS/OT Cybersecurity Global Lead

ICS/OT Cyber Security Certification Paths

One of the most common questions I get about the ICS/OT cyber security world is what certifications exist and which have the most meaning. While learning about ICS/OT cyber security does not always mean taking a certification course, becoming certified can help demonstrate your knowledge and passion in a subject area while accelerating your learning - especially if you are new to the field. Not only this, but being certified can help demonstrate your knowledge and passion to potential clients and hiring managers. Here is how I explain them:

1. ISA 62443 Cybersecurity Expert Series

ISA 62443 is considered the gold standard today in understanding how to properly secure an ICS/OT network. It makes complete sense that the International Society of Automation (ISA) team would put together a series of certifications for demonstrating ICS/OT cyber security knowledge. The series is comprised of four courses, each with their own dedicated certification (see the included picture). If you complete all four courses and the associated certification exams, you become an "ISA 62443 Cybersecurity Expert." For the purpose of comparison, some refer to this as the "CISSP of the ICS/OT world" as being the most generally recognized and accepted. Unfortunately, you must take each course before taking the corresponding certification exam. Compared to the SANS certification courses, the ISA classes are considered affordable and cost effective.

2. SANS ICS/OT Certifications

The heavyweights of the ICS/OT cyber security space in terms of knowledge and real-world experience by far are the three certifications (GICSP, GRID and GCIP) and associated courses from the SANS Institute. Unfortunately, the price, at approximately $10,000 USD (for the course and certification attempt) each these days, can put these courses out of price range for a lot of people. Each course provides participants with a tremendous amount of knowledge from industry and world leaders in the field such as Robert M. Lee and Tim Conway. I consider myself very fortunate to have been able to take these courses through my current employer. If I were hiring someone for an ICS/OT cyber role and was evaluating certifications, these would be my first choice, especially the GRID certification based on the course written (and taught often) by Rob Lee (more on my incredible experience with this course in another post).

3. Vendor Certifications

While ISA and SANS take up most of the space in the certification market, there are other ICS/OT vendors that provide training courses with associated certifications. I have not taken any of these other certifications, but I would be curious to hear everyone else's feedback from those that have. The one vendor I hear about the most in this space is exida.

What else am I missing in the ICS/OT cyber certification world?

#icssecurity #icscybersecurity #otsecurity #otcybersecurity #cybersecurity

Karl Schrade

IACS/OT Security Evangelist, Trainer und Dozent

10mo

I would like to add the Cyber Security (CySec) Training Program of TÜV Rheinland Energy & Industry to the list of trainings and certifications. The contents of the different trainings are closely related to ISA/IEC 62443 but do consider aspects of OT/IACS Security in a broader range. The higher level trainings typically end with a "CySec Specialist (TÜV Rheinland)" certificate which can be compared with the internationally well recognised "FS Engineer (TÜV Rheinland)" certificates of their Functional Safety Training Program. More trainings are currently being developed, at least one of which will focus on the technician level with a "CySec Technician (TÜV Rheinland)" certificate. #iacssecurity #otsecurity #tuevrheinland #cybersecurity #trainings

Tobias Zillner

General Manager, IT / OT Security Specialist bei Limes Security

10mo

Limes Security has a series of OT Security Certifications (practitioner, technical expert, manager). https://limessecurity.com/en/academy/

Jean Louis Di Fede

Global A&D System Infrastructure Expert presso Tetra Pak - ISA/IEC62443 Expert

10mo

Hi, I passed all 4 ISA exams and now I’m looking for hands-on training in risk assessment procedures using IEC62443. I couldn’t find anything specific. I got this site from a friend and then I got lost: https://pauljerimy.com/security-certification-roadmap/

Mariusz Nowak

OT Cyber Security Consultant at Accenture

10mo

Hello. I did exactly the same research as you. I discovered the ISA and SANS paths. Unfortunately, costs are a huge barrier. They make it almost impossible to obtain the necessary qualifications without external support. Thank you for bringing up the topic. The comments under the article are very helpful. Thanks Jean Louis Di Fede, Tobias Zillner, Denrich Sananda and Jason Cordingley.

Steven L.

Head of OT Cyber Security@Capula | OT/ICS Cyber Security Expert | Senior Technology Leader

10mo
Umais Ahmed

OT Cybersecurity Lead at ESB | ISA/IEC 62443 Expert | PMP® | CCNP Security | ICSC | ICS Cyber Analysis | Yokogawa Centum VP, ProSafe, PRM Certified | MEM | BE

10mo

You have explained it very well and defined the correct path to pursue a career in OT Cybersecurity 👍🏻👍🏻🙏🏻

Alex Burns

CITP MBCS MSyl RITTech TMIET

10mo

It all comes down to cost: for 8-9k you can do all the ISA 62443 certs to become an expert. Each SANS cert is equivalent cost, so it really boils down to the employer weighing up the cost/benefit of the particular certs. Would they rather pay the 9k for ISA 62443 expert or 24k for the SANS certs to achieve the same goal? I agree the SANS certs are really great, having passed GICSP last year. If I had deep pockets I would do them all!

Raman Kumar (CSM®)

Automation Engineer bei Borealis I MBA&E HTW, Berlin| Expertise in Control System Automation, OT Security and Engineering Management

10mo

Hello Mike, thanks for bringing up this topic. Can you tell me if there is any way to get a discount? Otherwise, I also think it is out of budget for most people like me. Thanks.

There is also https://sikercyber.com/; their training is on a par with SANS, but cheaper.

Mahesh Mandrekar-CISSP

"Strategic Cybersecurity Architect | Pioneering IT/ICS/IOT Security Excellence | Defending Critical Infrastructure with Cutting-Edge Cybersecurity Strategies"

10mo

Exida also offers one of the most comprehensive 62443 training programs. https://www.exida.com/Certification/IEC62443-Cyber-Cert
