CYBERSECURITY | SMART GRID TECHNOLOGY
METERING INTERNATIONAL ISSUE – 2 | 2015

CYBERSECURITY and CERTIFICATIONS: a beginner’s guide
By Adrian Davis

Introduction

Cybersecurity, like many professions, has its own terminology, qualifications and certifications. Individuals working in the field have letters such as CISSP, CISM, CISA, CEH and so on after their name. To an outsider – and especially those in an industry where cybersecurity is not well known – these can be a confusing alphabet soup. This short article will explain what these letters indicate, how an individual can gain one or more of them and who should consider working towards putting these letters after their name.

Why is cybersecurity certification important in utilities?

Over the last ten years, we have had a significant rise in both the ubiquity and pervasiveness of IT and information; we have seen consequential rises in both the use of IT and information across industries, infrastructure and ICS (SCADA); and we have seen an even more significant rise in the attacks aimed at disrupting IT, infrastructure and information. Utilities, because of their position within the critical national infrastructure, the information they hold (which typically includes customer and financial information) and their own infrastructure, are seen as targets for attack.

The adoption of cloud computing, big data analytics and social media has changed both IT and cybersecurity provision across many industries, utilities included. These changes have pushed cybersecurity up the business agenda and driven a need for cybersecurity professionals within utilities – and raised the profile of certifications as a mechanism both for selecting skilled, knowledgeable individuals and for highlighting an organisational commitment to cybersecurity.

Professionalism and certification

The cybersecurity industry – itself only 25/30 years old – has sought to mark itself out as a profession.
According to Professions Australia [1]: “A profession is a disciplined group of individuals who adhere to ethical standards and who hold themselves out as, and are accepted by the public as possessing special knowledge and skills in a widely recognised body of learning derived from research, education and training at a high level, and who are prepared to apply this knowledge and exercise these skills in the interest of others. It is inherent in the definition of a profession that a code of ethics governs the activities of each profession. Such codes require behaviour and practice beyond the personal moral obligations of an individual. They define and demand high standards of behaviour in respect to the services provided to the public and in dealing with professional colleagues. Further, these codes are enforced by the profession and are acknowledged and accepted by the community.”

Certification is a method for indicating membership of a professional body and indicating that an individual will adhere to a code of ethics as laid out by that professional body. Several professional bodies – chiefly (ISC)² [2] and ISACA [3] – have long-standing information security credentials: (ISC)² is behind the CISSP (Certified Information Systems Security Professional, now in its 26th year) and ISACA is behind the CISM (Certified Information Security Manager) and CISA (Certified Information Systems Auditor).

These three certifications – CISSP, CISM and CISA – are the most well-known cybersecurity certifications globally. Each has its merits. Speaking to our own certification, the CISSP, it is fair to say that it has become the most recognised certification for both practitioners and managers because it ensures a breadth of knowledge and perspective that supports professionals whatever area of specialisation they may choose to pursue later in their career. CISA and CISM are also broad and have their heritage in the work that is done by professionals tasked with auditing systems.
Others – such as the Certified Ethical Hacker – reflect a more specialised area of practice and can complement a broader certification, but wouldn’t necessarily support a move to