# Opener

The One Thing Your Utility Security Program is Missing

Published by Axio

Ever since the Federal Energy Regulatory Commission approved mandatory cybersecurity standards for the nation’s grid, self-proclaimed gurus and experts have been making a headache of things. The Critical Infrastructure Protection (CIP) standards are one of the few compliance requirements that can monetarily penalize asset owners/operators for poor cybersecurity hygiene. And all the cool kids want to be CIP “ninjas.” But how do hiring managers, engineers, or IT peers know that the person they are talking to is really a CIP master?

Late last year, SANS announced a new certification for electric grid stakeholders interested in verifying their CIP chops—the GIAC Critical Infrastructure Protection (GCIP) certification (https://www.giac.org/certification/critical-infrastructure-protection-gcip). The multi-hour exam tests participants on all the necessary knowledge and skills needed to execute a successful utility security program, including:

  • BES Cyber System identification and strategies for lowering their impact rating
  • Nuances of NERC defined terms and CIP standards applicability
  • Strategic implementation approaches for supporting technologies
  • Recurring tasks and strategies for CIP program maintenance

The exam is great for life-long CIP experts and newbies who want to take that next step in their career. Moreover, it covers the entire CIP universe—so you know any GCIP certified personnel will be a well-rounded security professional with an understanding of compliance, technical aptitude, and all the various components to not just be compliant, but to be secure.

The certification is accompanied by a course from SANS, the foremost leader in security training—ICS456: Essentials for NERC CIP (https://www.sans.org/course/essentials-for-nerc-critical-infrastructure-protection). The course is not a prerequisite for taking the certification, but the amount of information you will be given over 5 days (and 25 hands-on labs!) will definitely help anyone looking to prove themselves with the GCIP.

Critical Infrastructure Protection and NERC

Critical Infrastructure Protection (or “CIP”) involves protecting vital utilities against cyber threats and terrorist activities. It involves integrating national security into the U.S. power and electricity sectors to keep our population safe from harm. Having CIP in place helps ensure that the large machines used to transmit the nation’s electricity remain secure.

The North American Electric Reliability Corporation (or “NERC”) is the body responsible for ensuring that organizations that offer electricity are protected. It does this by ensuring that every electric grid stakeholder has GCIP certification. You can get this certification after taking a NERC Critical Infrastructure Protection Course.

GCIP Certification

Critical Infrastructure Protection (GCIP/NERC) certification helps ensure that the people hired to work in industrial control systems are proficient in cybersecurity. When you have mastered the course, you will be able to protect essential infrastructures that keep our country running. You will also be able to add some value to your workplace by taking active precautions to look after our electricity sector.

To get NERC certification, you first need to take (and pass) the all-important CIP exam. Whether you are a life-long IT security expert or are new to CIP, you will be able to apply to undertake this exam, which covers everything you need to know to operate our power and electricity plants safely. Upon graduation, you will be regarded as a well-rounded security professional who understands compliance and technical aptitude in order to protect general data as well as your workplace.

A Course Offered by the SANS Institute

After getting GCIP certification, you might also need to undertake a course offered by the SANS Institute. This course is usually not a prerequisite for taking GCIP certification, but it is a great addition to proving your expertise and declaring yourself a master of Critical Infrastructure Protection.

Contact Axio today to learn more about how your organization can better manage cyber risk.