SANS Industrial Control Systems Security Blog

...But I'm a CIP Cyborg Warrior with Real Kung Fu Grip... Then Prove It!

This blog is written by Jason Christopher, SANS ICS456 instructor.

Ok, sure, that's an exaggeration on the existing CIP Ninja[1] nomenclature so many of us use, but you get the point. Sometimes it's hard to make CIP exciting. Depending on your responsibilities, you may face death-by-patching updates or log reviews. You may be trapped in a constant debate on configuration baselines and what exactly is a "port" or "intentionally installed software." You may also be wondering why you do some of the daily tasks a CIP manager gives you ahead of your mock audit.

So we, as an industry, started to adopt identities around CIP Ninjas, warriors, knights - I've seen them all over the years. Identities are great for owning not only the problem, but your role in solving the problem. We know what we do - we keep the lights on regardless of the cyber risks our organizations face. That's vitally important, but what skills do you need as a CIP Level 82 Battlemage? How do you know that a "CIP expert" is actually an expert? It's a problem as old as the standards themselves and something every utility, consultant, and auditor contends with on a regular basis.

Enter the GIAC Critical Infrastructure Protection (GCIP) certification. Earlier this year, GIAC released this new certification based on real-life industry experience implementing and auditing the North American Electric Reliability Corporation (NERC) CIP standards. Those of us familiar with the standards know that they cover everything a cybersecurity program needs: governance, asset and configuration management, identity and access management, incident response, disaster recovery, workforce management, and more. The list is exhaustive, and a CIP Paladin may have stronger skills in one or two requirements out of dozens. The GCIP, however, does not discriminate - it tests across the entire knowledge base that is NERC CIP, including how the regulations are created and enforced. It may not be everything you can learn in NERC CIP, but it is definitely a solid foundation that validates a security professional's knowledge on the basics of CIP compliance and the value of each requirement within the standards.

While there is certainly value in other certifications, they most definitely do not cover the challenges in performing an active vulnerability assessment in generation facilities, or the different approaches utilities may use in classifying BES Cyber Systems. And that's just a fraction of the information you need to know to attain the GCIP certification. It is, without a doubt, the must-have certification for anyone implementing, consulting, or auditing the NERC CIP Standards.

If you're new to your CIP Knighthood journey, or want to be more well-rounded as a CIP professional in preparation for taking the GCIP exam, there are plenty of great training and professional development options. As a former regulator, I love helping my students master CIP jujitsu and take the next step in their career. If you have more questions on the GCIP, check out the GIAC page here or take a look at some additional training options, including where I'm teaching ICS456: Essentials for NERC Critical Infrastructure Protection next.


[1] The first rule of being a ninja is knowing how to spell CIP - which stands for the North American Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standard.


Posted October 5, 2018 at 5:05 PM


My CIP fu is strong.