I receive questions daily from social media followers asking me how I got into ICS cyber and what can they do to to break into the industry. Generally when I share my thoughts, the first thing that comes back is “that’s a lot” or “that seems complicated.” So, I figure I will talk about it a bit here, and let you decide for yourselves.
Many of us that have been in the industry for a while will tell you that you never really “break into” these niche spaces - they usually fall on your head like an avalanche and you have to dig your way out, suffering and learning along the way. ICS cyber, albeit gaining visibility and popularity recently, is still a very young discipline relatively speaking within the word of cyber. Keep in mind that most control systems (there are a few exceptions of course) were not necessarily designed with the connectedness of today’s networks in mind. They were designed with isolated buses, isolated networks, serial cables, and direct wired field bus connections in mind - which meant that physical proximity was almost a ubiquitous requirement. In lay terms - you had be close enough to touch it. But now - woohoo - the thirst for “machine data” has propelled control system environments out of the safety of darkness into the *gasp*…Internet, and perhaps more specifically, the cloud. *Facepalm*.
But alas - all is not lost, for there are those of us who just so happened to have suffered through the first utterances of “wtf is that” as we were asked to “secure” a piece of industrial machinery that takes up half a room…why? Because “the business” wants access to the data coming from said archaic dinosaur. Or, having suffered through standing near a pipeline in WhereTheEf, USA, trying to figure out what sin I was being punished for to have to “secure” cellular communications from pressure gauges or flow monitors - with nothing but a lowly lizard and the sun to keep me company.
Those were the early days, where raw industrial knowledge was almost a requirement to have any chance of protecting some of these assets - in addition to infosec principles (cyber really wasn’t a thing yet) and how they might be applied in doing so. Which meant reading - and I do mean A LOT of reading…virtually anything that I could find, not on infosec, but you guessed it - electrical and industrial engineering and embedded systems. Understanding how these systems worked (as is the case in cyber generally), is the key to protecting them - and interestingly enough, they were far less sophisticated than initially thought (at the time). With all systems of this type, though, it was more “engineering” than it was “infosec” and the true engineers gave IT guys the iceberg shoulder and glacial stare anytime we would ask “well what about doing this?”. Perhaps it was with good reason, given that unless you were an industrial or electrical engineer, you lacked the skill or expertise to do any real damage to these assets - or so we thought.
This “understanding” kept all but the most determined (or unlucky) infosec people away from this infrastructure for some time - which meant that you had to learn by “proximal osmosis” [yes I just created that phrase and I own it, don’t judge me]. Or, you had to befriend one of the engineers who took great pride in his superior intellect relative to yours and relished in the suffering detriment of your ego because his engulfed the whole room. But we trudged on, wrote diligent notes, swallowed our pride, bit our tongues (and every other euphemism), trying to make sense out of it all. This abusive and dysfunctional relationship would continue until…
Tune in tomorrow for Part 2 of “So You’re Interested in ICS Cyber…”