Why GICSP?
The GICSP (Global Industrial Cyber Security Professional) is a certification I’ve recently passed. The certification focuses on ICSS (Integrated Control and Safety Systems). If you plan to work in OT (operational technology) security, the GICSP is the staple certification.
At the start of September 2023, I was scheduled to take a 5-day training course for the GICSP in London. I’d only been working in OT security for a month at that point. In this blog post, I’ll go over my experience with the GICSP training course, what it entailed, how I studied, and how the exam went. This training course and exam were paid for by my employer ARC (as all training should be <3). Big shout-out to ARC for getting me on a certification course so soon into my employment.
The GICSP was chosen as it’s a certification that will teach you all of the basics, is proof of competence and is often specified on a statement of work sent to us by clients.
Training course
After a training plan was agreed upon with my manager, it was decided that I’d be going on a week-long training course on site. I stayed in the hotel attached to the training site, ate and slept there. If you are going to do the same thing, pack some shampoo and snacks.
The course was supposed to start on Sunday but due to a miscommunication, the students weren’t informed of this, resulting in us being a day late right away on Monday. The delay meant our days were quite long; Day 1: 0900-2015, Day 2,3,4: 0830-2015, Day 5: 0830-1530. I rushed the practice exam at the end in order to catch my flight back.
Content
The style of teaching reminded me of PowerPoint of Death. The students all got a printout of the slides, all 1,000 pages. The days were long, and it quickly felt like information overload. Too much to take in too fast. The learning material that was being presented was able to keep me engaged in the course because it was either things I had not come across before or that I needed a refresher on. For things I struggled to learn I wrote notes in the workbook, so I’d have more to take into the exam.
Firebrand Training Site
Everything outside of the course was great. There were 3 meals a day that were very nice. While at class you had access to infinite free coffee, and it’s not what you’re thinking, it was quite nice. The location of the training compound was 20 mins by foot to a shop, easily done but not safe when it’s a path next to a motorway. While I was there the AC was out, so the rooms were a bit too warm at night. At the facility there was plenty of entertainment and a nice gym, however, there wasn’t much time for that.
Labs
We got access to the online labs about a month after the course ended and would have access to them for 10 months. There’s a limitation on active hours but I can’t seem to find what that is. The labs for this say that you’ll need 9 hours to complete them. However, if you’re confident in Linux and Wireshark, it’ll take 4 hours at most. If you like to tinker, you’ll spend all your time messing with a virtual PLC (Programmable Logic Controller).
Exam
To achieve the GICSP you need to sit a proctored exam of 82-115 questions and some practice labs in 3 hours. You need a score of 71% to pass. 3 hours might seem like a lot of time but to have time for the labs you’re going to be answering one question per minute. For my exam I decided to do it in a Pearson VUE centre, that way I’d have no distractions.
I passed the exam with a score of 78% and only had to do 82 questions. In this exam, I knew exactly what questions I got wrong. The ones I couldn’t look up in my index, the ones I was overthinking.
Passing GICSP Checklist
Here’s a checklist of things that will really help you pass the exam:
- Good, full index of the material you’re taking to the exam.
  - You should be able to find any information in your material within a minute. An index can really help you pass as you’ll be referencing the material rather than remembering. You should aim to be able to answer one question per minute.
- Have a good understanding of the core concepts.
  - AIC triad, Purdue model, what an RTOS is, what makes OT different from IT.
- Practice your labs.
  - Wireshark – You can deeply analyse a Modbus traffic capture in Wireshark.
  - PowerShell – Work through this TryHackMe room and write all the cmdlets you’ll need in your material.
  - Hashing in Linux – You know all the basic commands and can use more than 3 tools to generate file hashes. This TryHackMe room may help.
  - PLC programming – You understand ladder logic and can use inputs and outputs to program some traffic lights.
- Go through these YouTube playlists and make sure you KNOW everything in them.
  - ICS Basics – YouTube
  - Search the SANS ICS YouTube channel for anything you’re unsure of.
  - Ladder Logic – YouTube
- Take the day of the exam easy, relax.
  - Remember, you have all the information with you, you can do it!
Conclusion
The GICSP is a great certification if being thrown in the deep end is training that suits your style. It covers all the main areas of Industrial Control System Security (ICSS). The certification is an industry staple with few alternatives that are as good. If you do decide this certification is for you, good luck and have fun. If you liked this post, check out my previous one on the TryHackMe room Attacking ICSS.