The CFSE Advisory Board is set up to both assess the relevant qualifications of a candidate and administer the skills examination. In addition, the board processes certificates and maintains a register of candidates and of those who have successfully achieved the designation of Certified Automation Cybersecurity Expert (CACE) or Certified Automation Cybersecurity Specialist (CACS).
A candidate must show relevant qualifications and experience as well as meet performance-based criteria through sitting an examination on the skills relevant to the field in question. Details can be found through the Application Information link.
CACE/CACS Application Information
CACE/CACS Exam Date Information
CODE OF CONDUCT
The CFSE Advisory Board considers ethical conduct of all those achieving certification to be a vital part of the designation and requires signed acceptance of the following Code of Ethics:
An applicant must have clear obligations and duties to exercise his or her skills toward the creation, promotion, and maintenance of functional safety and/or industrial control or SCADA system cybersecurity.
Toward that end it shall be considered professional and consistent with honorable and dignified bearing for anyone certified to:
- Use reasonable and careful judgment to ensure that one’s work is executed to promote safety and security of both those directly employed in using the particular equipment or process as well as those in the general public who also could be adversely affected.
- Confine one’s practice of engineering and safety fully within the limits of one’s skills and proficiencies.
- Continue to develop one’s skills and knowledge in the field of safety and security as long as one continues to practice in the specified area.
- Comply with all codes and standards appropriate to the work undertaken.
- Act for one’s client, customer, or employer in all professional matters with complete integrity as a faithful agent or trustee.
- Accept no remuneration other than one’s stated recompense for services rendered.
- Never attempt to injure falsely or maliciously, directly or indirectly, the professional reputation, prospects, or business of anyone.
- Never use or permit the use of one’s signature on work over which one was not in responsible charge.
The certificates can be suspended or withdrawn if the candidate has violated the terms described in the Code of Conduct. Certificates cannot be signed by Course Providers, Proctors, or Authorized Grading agents of the exams they graded or taught.
The ten major domains (bodies of knowledge) covered by CACE / CACS certification are:
- IACS Cybersecurity Basics - Terminology, concepts and models, knowledge of relevant ICS cybersecurity standards and best practices.
- Cybersecurity Risk Assessment - Identification of threats and vulnerabilities, consequence and likelihood analysis, risk assessment methodologies.
- IACS Cybersecurity Architecture/Design - The concepts, principles, structures, and standards used to design, monitor, and secure industrial control systems; defense in depth, network segmentation, definition of zones & conduits, trusted / untrusted segments, and redundancy.
- Networking Basics - The basic building blocks of networking; the OSI model, Ethernet, WANs, serial communications, network devices (switches, routers, firewalls), and troubleshooting tools.
- Industrial Networking - Evaluation and selection of SCADA, DCS / PLC network architectures based on understanding the risks associated with each type of design, and ICS protocols.
- Network Cybersecurity Basics - Access control; cryptography, firewall configuration, network intrusion detection, security information event monitoring, and remote access.
- Host/Application Cybersecurity - Techniques for securing Windows OS, Unix and ICS application software, anti-virus, patch management and whitelisting.
- Operational Cybersecurity - Policies and procedures for physical / environmental access control, vulnerability management, information security, management of change, and intrusion alerts.
- IACS Cybersecurity Assessments - Evaluating the security of an ICS system, cybersecurity factory acceptance testing, cybersecurity site acceptance testing, periodic cybersecurity audits.
- Business Continuity/Disaster Recovery - Preservation and recovery of business operations in the event of outages; backup / restore, cross-training, spares, and incident response.
Because security is such an important issue in the process and machine industries, the Advisory Board treats the CACE/CACS application and examinations very seriously. As a result, the certificate exams are extremely rigorous and often demand significant preparation in order to achieve the 80% passing grade for both exams. With this in mind, the Advisory Board strongly recommends that all candidates develop an in-depth study plan to properly prepare for the examinations. Due to the comprehensive nature of the exams, the Advisory Board recommends that candidates put in at least 40 self-study hours as part of their preparation for the CACE/CACS exams.
Maintaining the CACE/CACS Qualification
When an individual becomes a CACE or CACS, the qualification is initially valid for 3 years. After that date it must be renewed by submitting the renewal application form and accompanying fee. The renewal consists of a confirmation that the renewal applicant is still active in their corresponding certificate specialty along with opportunities for additional supporting qualifications and experience. Once the renewal has been accepted, the certificate is valid for an additional two (3) year period. In the event that the certificate expires through either lack of renewal from the initial issue of the certificate, it can be renewed by re-taking the examination.
The Advisory Board is a volunteer body supported by firms in the safety and security industries with a shared interest in working to improve the practice of safety engineering and industrial control or SCADA system cybersecurity. The guiding purpose and motivation for its creation is:
To improve the skills and formally establish the competency of those engaged in the practice of safety system application and industrial control or SCADA system cybersecurity in the process and manufacturing industries.
The committee correspondingly seeks to:
- Establish a demonstrable standard of competence based on experience and practical knowledge of safety system application that can be clearly identified and recognized internationally as part of compliance with the IEC and other related standard requirements for qualified safety system engineers.
- Establish a demonstrable standard of competence based on experience and practical knowledge of industrial control or SCADA system cybersecurity that can be clearly identified and recognized internationally as part of compliance with related standard requirements for qualified security engineers.
- Support the training of individuals in safety system application and industrial control or SCADA system cybersecurity skills to achieve this level of demonstrated competence.
- Support the development and dissemination of research and information required to maintain an active international forum and dialogue for identifying future paths to achieve the primary objective.