GIAC Response and Industrial Defence (GRID): Exit Notes

In March 2023, I appeared for the GIAC Response and Industrial Defence (GRID) exam and passed it. In this article, I am sharing my preparation experience, the value of the certification and the knowledge gained.

About SANS Certifications for ICS

SANS Institute has 5 different courses for Industrial Control System (ICS) Cybersecurity. They are designed for different roles in ICS security.

(The general convention of SANS courses is that the 3 digits in the course code denote the level from beginner to advanced; hence 410 is beginner level and 612 is advanced level. SANS is currently working on ICS613, a practical penetration testing course for ICS.)

The SANS courses with attached GIAC Certifications are very well designed, practical hands-on courses, but they come with a cost which is generally around $7000. This price is mostly out of pocket for the developing world. The good thing is that, unlike ISA 62443 Cybersecurity Certifications, the GIAC Certifications are available standalone as a Challenge Exam and are open-book exams.

If you have taken the SANS training, you can carry the course booklets to the exam hall (or to the proctored exam from home). If you are taking the GIAC certification as a challenge exam, you can have your handwritten notes or book but not the SANS booklets.

The SANS course experience

Taking a SANS Institute course was on my bucket list since 2016. I got the chance to take it in Nov 2022. The classroom experience was involving and enjoyable. I got to meet candidates from across the geographies and the discussions were very useful to get additional insights from various industries.

SANS ICS515 is an advanced level course, and you get to learn detection and mitigation of incidents in a practical environment. The course comes with a small electric grid simulation kit, which has the following:

  • A Physical PLC
  • A virtual PLC
  • A Grid Simulation board with indicators and controls
  • Two Virtual machines with necessary tools to work

GRID Certification Exam Prep

The ICS515 course content is the syllabus of the exam. The questions in the exam could be from the slides as well as the explanation notes. The GIAC Certifications exam attempt comes with 2 mock exams. These mock exams are super helpful to understand the pattern of the exam, and they help in managing the time and deciding what to focus on for the main exam attempt.

With the mock exams I have learnt:

  • What type of questions are asked in the exam.
  • The time I can spend to search the handouts for a question (Time Management)
  • Key focus areas
  • Prepare some notes
  • Index the handouts with post-its to make search easy and fast.

Study plan

ICS 515 has 5 booklets and I have read all of them, line by line. Mugging up was not easy, so I had put together some quick notes. This took me 4 weeks alongside regular work.

For the challenge exam participants the course booklets are not available. The following books and resources would help prepare for the exam.

  1. Industrial Cybersecurity: Efficiently secure critical infrastructure systems
  2. Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment
  3. Pentesting Industrial Control Systems
  4. My LinkedIn posts that would help:

My Attempt

I had scheduled the exam in a Pearson exam center in Bengaluru to avoid the hassle of showing around the room and expected a clean setup. To my surprise, the exam center was shoddy and very badly maintained, without air conditioning or working computers.

My exam could not load even after waiting for 2 hrs. I got a 14-day extension and reattempted it from home. It was also not a smooth experience; the exam stopped 5 times in between. But all this endurance paid off and I was able to successfully pass the exam.

My Learnings and gains after ICS515 and GRID

I have gained a global insight from ICS professionals thanks to my instructor Dean Parsons; the class was fun. I also stood 5th in the class NetWars and bagged a SANS ICS515 coin.

After the course I learnt the strategies to better plan and manage incident response in ICS. This has also boosted the clarity of ICS assessments, like what is more important for the company.

Lastly, the connect with the community is something I cherish, and this was invaluable.

Kranthi Kiran

Cyber Security Consultant CISM// ISO 27001 Implementer// CySA+//Microsoft Cybersecurity Architect(SC100) // Azure Security (AZ500) //

2 months

Congratulations Shiv and thanks for information it

Tim Conway

ICS at SANS Institute

1 year

Congrats!

David Larsen

IT Audit Professional (Principal Specialist Role), CISA, CISSP (Pending)

1 year

Great info, thank you

James P Evans III, DSS

Visionary Senior Project Specialist | Expert in Installation Operations, Policy Development & Strategic Planning | Proven Track Record in Enhancing Operational Efficiency & Generating Revenue

1 year