CompTIA announced it is developing a new certification focused on core cybersecurity skills for operational technology (OT) environments. The upcoming SecOT+ certification targets the persistent gap between OT and IT expertise. It aims to equip cybersecurity professionals, ranging from floor technicians and industrial engineers to cybersecurity engineers and network architects, with a unified skill set to detect, mitigate, and respond to security threats in manufacturing and critical infrastructure environments.
The association’s proposed SecOT+ certification will focus on several core domains. These include risk assessment-driven approaches to cybersecurity, ensuring professionals can identify and prioritize threats based on potential impact. The certification will also cover compliance with regulatory frameworks specific to operational technology environments. It will emphasize hardening techniques and secure configurations to protect critical systems from vulnerabilities.
Additionally, managing third-party risks and supply chain security will be key components, addressing the increasing threats from external partners. Finally, the program will cover strategies for integrating and securing legacy systems that remain essential in many OT settings.
Bridging divide between IT and OT
Detailing how the introduction of CompTIA’s SecOT+ certification reshapes the talent pipeline and workforce readiness in critical infrastructure sectors, James Stanger, chief technology evangelist at CompTIA, told Industrial Cyber that the organization has several goals in mind regarding the development of cybersecurity talent.
“First, it should help workers enter into the OT world more quickly. No one has ever tried that before on the scale we have in mind,” Stanger said. “Second, it should help traditional OT workers understand how IT security works. OT workers have traditionally focused on availability, more than confidentiality, integrity, authentication, and encryption. Because OT is a fundamental part of the world’s critical infrastructure, and because OT and IT technologies are now being combined, it is vital that OT workers become literate about IT technology concerns, as well.”
Third, he added that the goal is to help IT professionals develop a new skill set focused on securing OT systems. “Fourth, we want to streamline the process for workers to get into OT security. Fifth and most importantly, we hope that it will help each division of the critical infrastructure dynamic duo, the IT and the OT worker, to communicate more effectively. That is very likely the most important contribution we could make to global efforts to secure critical infrastructure.”
Unifying skills to accelerate transformation
Addressing how a unified skills framework across IT and OT domains could accelerate digital transformation while strengthening cyber resilience, Stanger noted that the convergence of IT and OT has been gradually unfolding over the past several years. “Yet, workers have lagged behind in their knowledge of either IT or OT. It’s long past time that we get everyone literally on the same set of pages, in terms of managing risk and understanding the technologies and workflows in each world. We envision that SecOT+ will provide that kind of unity, because it’s industry-driven,” he added.
Influence on policy and regulation
Stanger examined the potential long-term impact of the SecOT+ certification on how governments and regulators shape industrial cybersecurity policies and workforce requirements.
“Governments and regulators tend to approach cybersecurity with an IT-specific mindset. You see this with various directives, from NIS2 and GDPR in Europe to the ISO 2700x series worldwide and CMMC 2.0 in the United States,” according to Stanger. “This change will affect both implementation polices and upskilling frameworks: Literally thousands of working SMEs and leaders help create our certifications; many of the same people who create these industrial cybersecurity policy and framework mandates end up contributing directly to our standards. Except, in our case, we focus on hands-on, practical implementation.”
He added, “So, you could argue that SecOT+ will provide a scalable, affordable, and efficient way to put policies and frameworks to work. That’s our long-term goal.”
A unified theory for IT and OT?
Another issue Stanger addressed was whether a single certification can realistically bridge the cultural, technological, and operational divides that have historically separated IT and OT environments.
“As we create SecOT+, it will reflect current industry practices in both the IT and OT worlds. That’s what we do; we’ve matured processes for crowdsourcing wisdom from working experts. So, the program will hold up a mirror to the industry,” he said.
As such, it will, like CompTIA’s other education programs, present best practices in a clear and accessible way, he added. “It will make leaders and workers alike realize that they need to change their practices and lengthen their stride a bit. Nothing is more transformational than education, especially when it originates directly from the industry. You could argue that our goal with this certification is to act as a sort of unified field theory for IT and OT.”
Stanger mentioned that as organizations look for the best ways to reorganize themselves to secure critical infrastructure, “we’ll meet them with the ideal education program to help them make this happen in the best possible way.”
CompTIA isn’t alone in pushing forward OT cybersecurity education. The SANS Institute also rolled out a first-of-its-kind course to train professionals in safely assessing vulnerabilities in OT environments. ICS613: ICS/OT Penetration Testing & Assessments will debut in beta August 25–29 in Sandy, Utah, as an in-person-only offering. The beta run of the course will deliver critical hands-on training for cybersecurity professionals working in industrial environments.
