By Vivek Ponnada, Engineer, MBA, GICSP, Regional Sales Director at Nozomi Networks, (CS)²AI Fellow
January 2, 2023
While attending another well-organized BSides in Edmonton last month (closing out the triumvirate in the Western part of Canada after Calgary and Vancouver earlier in the year), a student inquired how she might get started in OT Cybersecurity. This is a common question that is often asked in other forums, including social media, online webinars etc. While I answered her briefly in our conversation, I figured that publishing a more detailed article would be helpful since the answer is slightly complicated.
Quick background: OT is the term used for technology used in industrial control applications. It includes purpose-built systems and protocols (e.g., Programmable Logic Controllers, Distributed Control Systems), general IT systems repurposed with specific software to configure or view data from those control systems (e.g., Windows-based Human Machine Interfaces or Engineering Workstations), or a combination of technologies (e.g., firewalls that might be ruggedized or able to parse industrial protocols). Definition here from NIST.
A few things about OT Cybersecurity that trip up a lot of folks are:
1) OT domain knowledge: Some contend that no one can be in OT cybersecurity unless you’ve already had experience in industrial control systems, having worked in power plants, refineries etc. While that might be a valid expectation in several contexts, especially if you are billing a customer as an ‘experienced’ consultant, that stance is often overplayed. Don’t get me wrong, a sure way for a consultant to be kicked out of a plant is to make a basic error in safety, such as not wearing the appropriate safety boots, or removing your hearing/eye protection where they are mandated. And if you go in with a swagger that you are better than the ICS personnel because you ‘know’ security better, you’ll burn bridges really quickly. However, various IT security skills are much needed in the OT world, e.g., configuring firewalls and routers as part of network segmentation projects, evaluating secure remote access solutions, helping figure out patching options etc. While not every IT best practice is applicable to OT security, a strong collaboration between those that have ICS experience and those that have IT skills can improve the overall security posture of the organization. People with IT security experience are essential for improving the overall OT security posture.
2) Certs: Frankly, this is related to the point above, but certifications are almost never a starting point in OT security, or even the best way to be successful. Reputable organizations now offer ICS security certs, but they are fairly expensive and ideally paid for by organizations, not by individuals on their own. Your credibility as an OT security practitioner is established more by your experience, projects completed etc. than by the most recent cert you spent time, money and effort on. Lots of communities exist where you can get involved – see the ‘Content, Connections and how you can get started!’ section below – while you are building either your ICS knowledge or your cybersecurity skills. It never hurts to get real-world experience, including plant visits whenever you can (that surely means safety orientations, general awareness of what’s important to plant personnel etc.).
3) Pace of technological change: If you are a keyboard ninja that’s excited about constantly updating your tools with Docker, k8s etc., this industry, even the rare penetration-testing roles, might not be for you. OT technologies rarely update that quickly, though learning about them might take a lifetime. Suffice to say that OT technology will be like your home iPad/tablet that’s been around for 5 years even while newer versions are available. Though you might typically update other devices like a smartphone every year, you use the iPad/tablet longer because it works really well for the purpose you bought it for, and unless it fails, you find it hard to justify upgrading. OT has a lot of older equipment because the controllers and systems were engineered for a purpose they still serve very well even after 15+ years, and replacement is CapEx driven and resource intensive. Upgrading them based on security alone is rarely justifiable, because the outage time required impacts business revenue.
I sincerely hope you consider a career in OT Cybersecurity because it’s challenging, fun and rewarding. From a dispassionate point of view, the industry is fairly new, clearly needs significant additional resources, and the added public scrutiny leading to regulatory pressure is adding more jobs. For organizations, it’s not easy to find anyone with the ideal combination that is a mix of IT Security skills and operational knowledge. So, the more people cross-pollinate their skillsets and focus on OT Security, the better. Being in OT Security invariably leads to working towards protecting Critical Infrastructure, such as Power, Oil & Gas, Transportation and so many more verticals, which besides being economically attractive can be something you can be extremely proud of, a rare combination in a civilian job!
Content, Connections and how you can get started!
There are quite a few resources available these days that you can learn in your preferred audio/visual/in-person methods!
1) Podcasts (search in your favorite podcast store)
a. CS2AI Podcast
b. The Industrial Security Podcast
c. Unsolicited Response Podcast
d. Hack the Plant Podcast
e. Many other vendor-sponsored ones (search for Industrial Security)
2) Videos and webinars
a. On-Ramp, Highway and Autobahn playlists in S4xEvents YouTube - https://www.youtube.com/@S4Events
b. https://www.cs2ai.org/ - anyone can join the free webinars, membership required to watch recordings
c. Sans Webcasts - https://www.sans.org/webcasts/ - several ICS/OT focused webinars including recordings from past years
d. https://www.brighttalk.com/ has several ICS focused videos
e. https://www.cisa.gov/uscert/ics/Industrial-Control-Systems-Joint-Working-Group-ICSJWG has several video recordings and content including training
3) Cybersecurity groups – whether it’s a local DefCon chapter, a BSides committee, or a security meetup, explore the different options in your region. Obviously bigger cities have more options than rural areas, but you’ll be surprised how welcoming and close-knit the security community is if you just reach out. While most might not have a significant OT content/focus, chances are they have someone or something that is in ICS/OT.
4) Projects of special interest
a. MITRE ATT&CK for ICS - https://attack.mitre.org/techniques/ics/
b. Secure PLC Coding Practices – https://www.plc-security.com/
c. Incident Command System for Industrial Control Systems - https://www.ics4ics.org/
d. Sign up to the mailing list at ISA https://www.isa.org/connectivity-and-cybersecurity - they regularly blog on ISA/IEC 62443 implementations, Risk management in OT etc.; if you want to get further involved, join an ISA chapter in your area, and you can get view access to the standards as well, or participate in the committees
5) Conferences – the ICS/OT focused conferences are few but well known, and there are many others that are critical-infrastructure focused, so they will naturally have a cybersecurity topic or two that would be relevant; these are much more affordable for individuals and might even be free for students. While building your interest and value proposition towards being able to attend the latter ones on the list, start with your regional conferences that might have some OT content.
a. BSides (same link as above)
b. Houston Security Conference - http://houstonseccon.org/
c. Cyber Security for Critical Assets https://www.cs4ca.com/
d. Cyber Senate - https://www.cybersenate.com/control-systems-cybersecurity-usa/
e. Sans ICS Security Summit – Orlando - https://www.sans.org
f. API Cybersecurity Conference - https://events.api.org/
g. ICS Cyber Security Conference – Atlanta - https://www.icscybersecurityconference.com/
h. Industrial Security Conference – Copenhagen - https://insightevents.dk/isc-cph/
i. S4 Conference – Miami - https://s4xevents.com/
6) Vendors – use a throw-away email to sign up to all major OT vendors’ mailing lists. They provide regular content on various topics including threat reports, recent vulnerabilities and exploits etc., and you can later unsubscribe from those that don’t align with your interests.
7) Social Media
a. There are some fantastic content creators and influencers; a recommended list is here https://mobile.twitter.com/i/lists/1549766676392165377 but be aware that due to recent shifts, many of these sources have moved to the federated universe. You can find many of them on LinkedIn as well, and they might be hosting content on YouTube, Github etc.
b. CISA (US-CERT) has a social media presence. Pick your platform to follow them (or the email list https://www.cisa.gov/uscert/ics/advisories)
8) CTFs and Gamified learning
b. https://tryhackme.com/paths - not ICS focused but still relevant
c. https://www.sans.org/mlp/holiday-hack-challenge/ - not ICS focused but still relevant
9) Books/Reading Material
a. NIST - 800-82R2 - Guide to Industrial Control Systems Security https://csrc.nist.gov/publications/detail/sp/800-82/rev-2/final
b. Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems – by Eric D. Knapp, Joel Thomas Langill
c. Handbook of SCADA/Control Systems Security – Illustrated, by Burt G. Look, Robert Radvanovsky, Jacob Brodsky
d. Hacking Exposed Industrial Control Systems: ICS and SCADA Security Secrets & Solutions – by Clint Bodungen, Bryan Singer, Aaron Shbeeb, Kyle Wilhoit, Stephen Hilt
e. Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment, 2nd Edition – by Pascal Ackerman
f. Pentesting Industrial Control Systems: An ethical hacker's guide to analyzing, compromising, mitigating, and securing industrial processes – by Paul Smith
g. Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering (CCE) – by Andrew A. Bochman, Sarah Freeman
h. Industrial Cybersecurity: Case Studies and Best Practices by Steve Mustard
10) Formal training