Hackers are increasingly attacking operational technology (OT) systems in industrial plants. These systems detect physical effects or control motors, pumps, or valves, and they are increasingly connected to the Internet to improve efficiency or help gain a competitive edge. The systems or their components may have vulnerabilities that can be exploited by cyber-attacks. As cybersecurity knowledge and skills in this domain are lacking, TÜV Rheinland has developed the “Certified Operational Technology Cybersecurity Professional (TÜV)” certification program, which supports companies in identifying and improving team skills and thus increasing the overall cybersecurity of industrial and operational technology facilities.
The Triton malware attack reported in December 2017 was the first publicly documented cyber-attack on an industrial control infrastructure (ICS) designed to interfere with the operation of a Safety Instrumented System (SIS) used to protect an industrial plant as a fail-safe against fire or explosion. According to experts, this incident was an urgent warning that attackers with geopolitical motives are now targeting security-critical systems.
The aim of attacks is usually to obtain intellectual property, trade secrets, and technical information, but many companies are unaware of the dangers cyber-attacks pose to their plants. In addition, their controls for cybersecurity are typically not tailored to the protection of OT systems. According to the new study “Industrial Security in 2019: A TÜV Rheinland Perspective”, 40 percent of respondents say they have never investigated the risks posed by cyber-attacks on industrial plants. A further 34 percent do not know whether their own company has ever investigated these risks. In addition, only one in five companies has tailored its cybersecurity measures specifically to industrial or OT facilities. This is alarming, as attacks from the network can shut down entire plants. This leads to production losses with high consequential costs and, in the case of critical infrastructures, can also have an impact on the overall security of supply and the smooth operation of modern society.
Attractive targets for cybersecurity attacks: critical infrastructures
If production facilities or critical infrastructures – such as those of energy suppliers – are networked, this offers additional targets for cyber-attacks. Almost 70 percent of the respondents to the survey came from the manufacturing industry; in addition, the automotive industry, logistics companies, the oil and gas industry, public institutions as well as the telecommunications, energy, and chemical industries were represented. The aim of the study was to better understand how companies detect and take protective measures against cyber-attacks. Because traditional knowledge in the field of cybersecurity is often not sufficient to meet the complex requirements of the industrial, networked world, TÜV Rheinland has developed this new certification for experts in the field of industrial cybersecurity.
More quality for the industry
With the new personal certification, TÜV Rheinland is responding to the increasing demand from specialists. In such a complex area as cybersecurity, a certification program from a neutral third party such as TÜV Rheinland can help to align companies’ expertise with the requirements of industrial cybersecurity and further professionalize industrial companies in this area.
The certification program actively evaluates candidates through a combination of professional career review, interview, and technical review. Participants must have at least ten years of experience in cybersecurity, including five years in a leadership role. The candidates prepare a case study as part of the examination. After a critical review by TÜV Rheinland experts, they will be invited to an online presentation and technical question and answer session. Experts who meet the standard receive a certificate from TÜV Rheinland and can use the title “Certified Operational Technology Cybersecurity Professional (TÜV)”. Re-certification by TÜV Rheinland is required every three years. Further information on the program can be found at: www.tuv.com/en/otcybersecurityprofessional