Fellow ICNSiders,
So to recap from part 1, we were talking about how difficult it was to even get exposure or access (remember those two words - you’ll understand why they are important as we go through this journey together) to ICS, let alone actually be any good at securing it. But I left you with a cliffhanger - one with an interesting twist. As it were, while the early ICS cyber folk were suffering through the gauntlet, bad actors and adversaries were lying in wait like a predator watching its prey, and would ultimately turn on its head how we perceive threats in ICS and usher in the era of the ICS cyber professional.
Remember when we talked about “connectedness” of industrial assets? Well, it turns out, in some cases (and sadly this is true even today), many operators, manufacturers, etc. didn’t realize that assets were in fact “connectable” or “connected”, and certainly didn’t consider them vulnerable to exploits. That ignorance (little “i”, not big “i” as in “ignit”) over time would result in an extraordinary threat landscape waiting to be exploited, should someone be so bold AND motivated to do so. And guess what - nation state actors had an increasing curiosity concerning our critical infrastructure assets…many of which just so happened to be industrial control system assets. Starting to see a theme recur? If not, don’t worry, you will along this journey.
I won’t go into the history of ICS attacks here (will do that in a different article), but suffice it to say that this “interest” sent ripple effects across the cyber security community in a way that perhaps had not been felt since Mitnick melted the Internet to its knees in the ‘90s. Systems that were long thought to be “isolated”, “air gapped”, “not connected”, “protected” (stop me when you recognize one of these scenarios) were now not only connected, but VISIBLE and VULNERABLE - oh s**t! The sheer pervasiveness of industrial control systems within our daily lives is staggering, and just imagine that they ALL could potentially be vulnerable and exploitable, and even worse - could hurt/kill people?
Those of us, however, who had been close to the industry for years always feared that as these assets became more complex and capable, ONE day they would potentially bite us square on the ass, and guess what - tada, whole ass bitten. We, however, bite back, and to date have been in a whole ass-biting coup d’état with bad actors within ICS ever since. While this is certainly comedic (I even had to laugh a little), this is what makes industrial cyber so damned interesting and exciting - and frightening at the same time. Every skill that you have - and will acquire - will come to bear at some point to figure out why the hell some random asset sitting in a dark recess of your plant or facility is having a whole ass conversation with something in Russia or China, and only God knows for how long. Where this differs potentially from traditional cyber is that in the industrial case, it is “possible” to kill people, should conditions be just right…and lots of people, depending on what it is. Are we on the precipice of an industrial apocalypse? Of course not - there are systems in place, as well as manual overrides, that are specifically designed to lessen the potential for loss of life. However - as industrial environments become more cyber-physical (i.e. robots, for example), the potential to cause damage to property and people becomes quite real. And those days are already here.
But hey - that’s why we need you…all of you. In the final installment of this series, I will talk about what exactly it is that we need YOU to do, and why it’s important.
Next up, “So You’re Interested in ICS Cyber Part 3…Brang Yo Ass”. Going to pick it up and lay down the real in this one so we can start getting down to business with moving your ICS cyber career along, or running you away from it never to return. Until then - I will leave you with this: In order to be successful in cyber (of any type), you must possess two key qualities - tough skin and a short memory span…I’ll explain what that means later.