• United States




Top IT security certifications for critical infrastructure — by sector

Oct 06, 20177 mins
CertificationsData and Information SecurityIT Skills

A look at cybersecurity certifications beyond CISSP

data science certification brain with data
Credit: Thinkstock

With the rising tide of trouble for organizations trying to protect their infrastructures, training companies, consulting services businesses, technology vendors and higher institutions have all jumped on the training-cum-certification bandwagon. Given that there are currently 16 designated critical infrastructure sectors in the U.S., many of the IT Security professionals with whom I have spoken, have suggested that their respective sector’s needs varies just enough to require further focus on issues relating to those sectors. For example, a cyber security professional with a strong background in HIPAA might be somewhat out of place in the Energy or Utilities sectors of business, in which key security issues are found in understanding NERC (although many of the NERC compliance rules are common across most Critical Infrastructures). Aside from the CISSP Uber-cert, and the rising need for CISM / CISA and the heavy-duty SANS GSE / GIAC certification, the following table provides suggested links to industry-leading certifications by sector…

Critical infrastructure sector: Chemical

Relevant IT security certification: “The Chemical Sector is an integral component of the U.S. economy that manufactures, stores, uses, and transports potentially dangerous chemicals upon which a wide range of other critical infrastructure sectors rely. Securing these chemicals against growing and evolving threats requires vigilance from both the private and public sector.”—DHS

Critical infrastructure sector: Commercial Facilities

Relevant IT security certification: “The Commercial Facilities Sector includes a diverse range of sites that draw large crowds of people for shopping, business, entertainment, or lodging. Facilities within the sector operate on the principle of open public access, meaning that the general public can move freely without the deterrent of highly visible security barriers.”—DHS

Critical infrastructure sector: Communications

Relevant IT security certification: “The Communications Sector is an integral component of the U.S. economy, underlying the operations of all businesses, public safety organizations, and government. Presidential Policy Directive 21 identifies the Communications Sector as critical because it provides an “enabling function” across all critical infrastructure sectors.”—DHS

Critical infrastructure sector: Critical Manufacturing

Relevant IT security certification: “The Critical Manufacturing Sector is crucial to the economic prosperity and continuity of the United States. A direct attack on or disruption of certain elements of the manufacturing industry could disrupt essential functions at the national level and across multiple critical infrastructure sectors.”—DHS

Critical infrastructure sector: Dams

Relevant IT security certification: “The Dams Sector delivers critical water retention and control services in the United States, including hydroelectric power generation, municipal and industrial water supplies, agricultural irrigation, sediment and flood control, river navigation for inland bulk shipping, industrial waste management, and recreation. Its key services support multiple critical infrastructure sectors and industries.”—DHS

Critical infrastructure sector: Defense Industrial Base

Relevant IT security certification: “The Defense Industrial Base Sector is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements. Defense Industrial Base companies include domestic and foreign entities, with production assets located in many countries.”—DHS

Critical infrastructure sector: Emergency Services

Relevant IT security certification: “The Emergency Services Sector (ESS) is a community of millions of highly-skilled, trained personnel, along with the physical and cyber resources, that provide a wide range of prevention, preparedness, response, and recovery services during both day-to-day operations and incident response.”—DHS

Critical infrastructure sector: Energy

Relevant IT security certification: “The U.S. energy infrastructure fuels the economy of the 21st century. More than 80 percent of the country’s energy infrastructure is owned by the private sector, supplying fuels to the transportation industry, electricity to households and businesses, and other sources of energy that are integral to growth and production across the nation.”—DHS

Homeland Security (Specific to Energy Sector)

Critical infrastructure sector: Financial Services

Relevant IT security certification: “The Financial Services Sector represents a vital component of our nation’s critical infrastructure. Large-scale power outages, recent natural disasters, and an increase in the number and sophistication of cyberattacks demonstrate the wide range of potential risks facing the sector.”—DHS

Critical infrastructure sector: Food & Agriculture

Relevant IT security certification: “The Food & Agriculture Sector is almost entirely under private ownership and is composed of an estimated 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing, and storage facilities, and accounts for roughly one-fifth of the nation’s economic activity.”—DHS

Critical infrastructure sector: Government Facilities

Relevant IT security certification: “The Government Facilities Sector includes a wide variety of buildings, located in the United States and overseas, that are owned or leased by federal, state, local, and tribal governments. These facilities include general-use office buildings and special-use military installations, embassies, courthouses, national laboratories, and structures that may house critical equipment, systems, networks, and functions.”—DHS

Critical infrastructure sector: Healthcare & Public Health

Relevant IT security certification: “The Healthcare and Public Health Sector protects all sectors of the economy from hazards such as terrorism, infectious disease outbreaks, and natural disasters. Because the majority of the sector’s assets are privately owned and operated, collaboration and information sharing between the public and private sectors is essential to increasing resilience of the nation’s Healthcare and Public Health critical infrastructure.”—DHS

Critical infrastructure sector: Information Technology

Relevant IT security certification: “Information Technology is central to the nation’s security, economy, and public health and safety as businesses, governments, academia, and private citizens are increasingly dependent upon Information Technology Sector functions. These virtual and distributed functions produce and provide hardware, software, and information technology systems and services, and—in collaboration with the Communications Sector—the Internet.”—DHS

Critical infrastructure sector: Nuclear Reactors, Materials, Waste

Relevant IT security certification: “The Nuclear Reactors, Materials, and Waste Sector covers most aspects of America’s civilian nuclear infrastructure. The Nuclear Sector-Specific Agency within the Department of Homeland Security is responsible for coordinating the security and resilience of the Nuclear Sector.”–DHS

Homeland Security (Specific to Nuclear Materials Sector)

Critical infrastructure sector: Transportation Systems

Relevant IT security certification: “Homeland Security and the Department of Transportation are designated as the Co-Sector-Specific Agencies for the Transportation Systems Sector. The nation’s transportation system quickly, safely, and securely moves people and goods through the country and overseas.”—DHS

Critical infrastructure sector: Water & Wastewater Systems

Relevant IT security certification: “Safe drinking water is a prerequisite for protecting public health and all human activity. Properly treated wastewater is vital for preventing disease and protecting the environment. Thus, ensuring the supply of drinking water and wastewater treatment and service is essential to modern life and the Nation’s economy.”—DHS


U.S. Navy Veteran Drew Williams has a core philosophy about life and work: "Keep busy, stay engaged, and always be productive." Whether as a writer, video producer, lecturer or educator, Drew has been involved in information risk management since the mid-80s. He has developed and published Information Security standards and guidelines.

During the late 1990s, Drew contributed to re-tooling security policies for some of the largest financial institutions in the world, and worked on early adoption of GRC standards and frameworks (SOX, ITIL, ISO27799, CObIT). An original contributor to the HIPAA Security Policy (1995-1996), Drew wrote one of the early security policy guides, "HIPAA Code Blue."

As former product manager for what was the world's top Host Intrusion Detection System (AXENT/Intruder Alert), Drew also contributed to IT security initiatives (IETF / NIST), and worked with MITRE to build the Common Vulnerabilities Enumeration (CVE) framework. Drew served on the President's Council on Critical Infrastructure Security (precursor to DHS), and worked on the NIST's "Common Criteria" directives.

Drew co-authored some of the industry’s first Incident Response & Information Security Risk Assessment Services while head of the SWAT Team at AXENT/Symantec (1997-2002), and from 2006 to 2011, Drew hosted Asia's "Hacker Halted" security symposium.

As founder of Condition Zebra (2011) Drew developed information security readiness programs & mission-critical risk assessments for ministries of defense throughout Asia. He also co-developed post-graduate programs on cybersecurity at Utah Valley University and Southern Utah University, the latter where he also serves as a member of the faculty in the Graduate Program.

Drew also initiated the first "Gold" funding opportunities for the annual Black Hat Briefings in Las Vegas in 2000. A former speaker at CSI/FBI and N+i events during the 1990s-2000's, Drew is also a member of the “Founder’s Circle” at the annual RSA Security Conference, and has been a contributing source in broadcast media, including MSNBC, CNN, and NPR, and has been featured in USA Today, The Washington Post and publications throughout the US and Europe.

The opinions expressed in this blog are those of Drew Williams and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.