What does an ICS security practitioner do?

[00:00:05] Chris Sienko: Welcome to the InfoSec Career Video Series. These series of short videos will provide a brief look inside cybersecurity careers and the experience needed to enter them. Today, I’ll be speaking with InfoSec skills author, Steve Allen, about the role of industrial security control security practitioner. Let’s get into it. Welcome, Steve.

[00:00:23] Steve Allen: Welcome.

[00:00:24] CS: Steve, let’s start with the basics. What is an industrial control system, and what specifically does an ICS security practitioner do? What are the day-to-day tasks involved?

[00:00:35] SA: Well, if you look at industrial control systems, they’re like 95% of all the computers we have out there. They’re the things that control the nuclear power plants, and our power grid, and our water supply systems, and our pipelines, and our sewer systems, everything, literally everything is an industrial control system. Now, what a security practitioner would do is try to make sure that the bad guys can’t get in. Because if you look at cyber war nowadays, one of the big things that these nation states want to do to each other, if you ever get into war is to try to take down things like the power grid and stop a lot of that stuff. Really, what you’re going to do on a day-to-day task is make sure that that is secure, make sure that there’s no basically bad guys getting in. We had a situation about a year or so ago, where somebody got into a water supply system in –

[00:01:36] CS: Yep, Ultima, Florida.

[00:01:37] SA: Yeah. It was lucky a guy watched seen it happen at the time and was able to stop it. Because if he hadn’t, there would have been a lot more sodium hydroxide thrown into the water.

[00:01:48] CS: Yes. Yeah, that’s a scary one. We talked about that on the Cyber Work podcast a number of times. It really sort of brings home the importance of this particular – again, because, one, it’s so ubiquitous in terms of all of the sort of computer networks we have and two, there’s so many reports out there that a lot of these security systems are so under protected.

[00:02:11] SA: There’s the one thing that really comes in life and limb controlling things.

[00:02:17] CS: Yes. Yeah, you’re literally talking about the day-to-day workings of society. How does one become an ICS security practitioner? I’m assuming this isn’t an entry level position, but are there entry level versions of it? Do you need experience first?

[00:02:31] SA: There can be. Generally, the people that get into this start usually from a networking background. You were at networking first, because most of your security in an ICS system oftentimes comes from physical security and also your network security. Because the devices themselves have very little security built into it. Congress just passed a law last year that says, “Hey! We’re not going to buy any more security equipment, unless it has – ICS equipment unless is has security built into it. That’s a very good start.

[00:03:07] CS: Yeah. And also, yeah, but that also means that you’re going to have to worry about sort of working with the stuff that’s in place, and it’s not being placed, right?

[00:03:16] SA: Yeah. Typically, in IT or recycling of equipments about maybe five years, it’s multiple decades for ICS stuff. You’re going to end up working with a lot of old technology. There are lot of things where we deal with that don’t have security in them. You have to provide. Your job is to provide that security. If you always talk about an ICS, air gapping is the ultimate solution for those type of things. But that’s not what corporate really wants corporate wants to be able to talk to systems and, “No, that’s usually a very bad idea from ICS.”

[00:03:56] CS: Okay. Got you. From a from a learning perspective, what type of education is typically required? Is this a degree type program, experience, certifications? What do you need to know to start getting in?

[00:04:08] SA: Okay. There’s not really any bachelor’s degree in this stuff, but there are programs that will teach you industrial control systems. There are teachers who will teach you or classes that will teach you how to do like PLCs, programmable ladder logic and stuff like that. I would think one of the first things I would do if I wanted to head that direction, that’s a huge field. If you know, you’re never going to want for a job. That is, one little thing, learn to program, the basics of programming. Even though ladder logic is a very unique language in itself, it’s very graphical. It’s very important that you understand the basics of programming, if you’re going to move that direction. But then I would also learn basic networking.

[00:04:58] CS: Okay. Great. Moving to like a soft skill kind of direction, what soft skills does an ICS security practitioner needs to do their job well?

[00:05:10] SA: Same everybody needs in real life, getting along with other people.

[00:05:13] CS: Writing and personnel.

[00:05:15] SA: Writing, things like that. But also, all the fact that this stuff, you can’t postpone. This is the stuff where you can’t procrastinate, because if you procrastinate, maybe that multimillion-dollar refinery, catches on fire, and things like that. Or we’ve seen the skill sets kind of –in a lot of stuff go away. Colonial Pipeline, which everybody heard about last year, that pipeline. When that happened, when their main systems got ransomware, it took down their industrial control system, automated systems. Nobody knew how to do it manually. Those people had retired or left the company. Keeping those skills active is also a very important thing.

[00:06:05] CS: Okay. Now, what are some common tools that ICS security practitioners use? Is it a tool heavy position or are you sort of working with existing machines?

[00:06:15] SA: You’re existing with a lot of old machines, things like that. But things like protocol analyzers are good, so you can see things. But ultimately, ICS relies very heavily on physical security. Understanding how to keep the bad guys outside is really the big thing.

[00:06:36] CS: Yeah. Even sort of skimming through it, like a CISSP book or higher-level thing is going to be good in terms of giving you that sort of physical background.

[00:06:44]SA: Yeah. Again, a lot of the governance of an ICS system is very identical to the governance of regular it stuff, with the certain caveats that you don’t get to patch ICS systems very often. Because the patching, a lot of the manufacturers say you patch, we’re not supporting it, or the patches come out very rarely, or if you’ve got 20-year-old devices, they’re not making patches for them anymore. You have to protect them in other ways.

[00:07:12] CS: I mentioned that, from a soft skill perspective, there’s also some problem solving to be done in terms of – it’s not just put tab A into slot B or whatever, like you’re going to have to figure out how to sort of use gum and Band-Aids to patch up some of these things.

[00:07:28] SA: Exactly. A lot of stuff, a lot of it is jerry-rigged together with the duct tape and baling wire, because we’re taking all these old devices that were meant to be talking on like RS-232 networks. Now. we’re trying to slam them into a TCP/IP network. The protocols don’t match as well. It comes understanding kind of what the protocols are, but understanding good solid knowledge of networking is critical.

[00:07:59] CS: You said before that ICS security practitioners worth their salt are not going to be lacking for job opportunities. But where do they work? Obviously, they work in sort of industrial environments, and maybe the government sector and so forth, but like, what types of job options should they be looking for?

[00:08:18] SA: With 5G everywhere, everything’s going to have connectivity. Cars will have connectivity, refineries, power grids. I have a good friend who manages the ICS environment for the Bureau of Reclamation here in the Northwest United States. And he says, he has 63,000 devices that he has to manage with a small group of people and it keeps him busy. He was trying to hire me away. Yeah, I resisted.

[00:08:55] CS: Provide you’re still here.

[00:08:57] SA: But yeah, the skills and in most cases, all these places are so willing to teach you the skill. If you have somewhat of a good background, this is a job that they want people so bad, that they’ll let you come in entry level and train you.

[00:09:15] CS: Yeah. You can pretty much knock on doors at this point. I mean, what would you be looking for in terms of industry and organization that they’re not going to – that’s why I have a sign on their door saying, like, “Help! Help! Our networks going to be compromised.” How would you necessarily which ones to say. Do you need do you need more people? Is that something to –

[00:09:40] SA: Well, they’re always hunting, but it’s – because everything runs. I mean, 95% of the computers in the world run this stuff, And everybody – IT is the glorified position. Everybody knows IT position, but very few people know about the OT positions. That’s why I say, you’ll never want for a job if you learn this technology.

[00:10:03] CS: I love it. Okay, that’s fantastic. One of the things we always get asked about is people who don’t want to feel locked into a certain type of a role or whatever. If you’re in ICS, and you want to try something different, are there other roles that you can pivot out, into based on the sort of knowledge and experience that you get as an ICS pre-practitioner?

[00:10:23] SA: Well, since the basic knowledge is networking, that’s going to be appliable both in OT and IT. The management, the governance, you’re going to be a better manager on the IT side if you’ve managed OT. Because you have so many more restrictions on the OT side that you’re going to have to learn how to get, but you don’t get the patch. You have to be much more proactive on how you’re going to protect things on that were a lot of times on the OT side, it’s Patch Tuesday, let’s patch this weekend or whatever. Don’t get to do that. You have to plan stuff out way in advance, because refineries just don’t want to come down. People want power. People want their natural gas, things like that. It takes much more planning. Those skills translate very well into the IT side.

[00:11:18] CS: Okay. I mean, it almost sounds like a sort of a harder job within the ICS role, almost like learning stenography by learning it at twice the speed. Then once you get to regular speed, it seems like a breeze or something. I mean, are they comparable in that regard or is it just –

[00:11:36] SA: I would say, the big thing is the fact that you don’t have the normal tools that we all grow up with in IT. You don’t have those tools, so you have to work around not having those tools.

[00:11:47] CS: Got it. You got to come up with those strategies.

[00:11:49] SA: Yeah. You have to come up with those strategies, but you still need to be proactive, things like that. I would say, if you wanted to get into it, I would learn programming, I would learn basic networking, I would learn basic IT. But then they’ll still understand there’s the caveat that you don’t get the patch, you don’t get to do things like that. This is why they’re screaming for people. People don’t hear about these jobs.

[00:12:16] CS: Yeah. I think you just answered my last question. But I’ll ask it anyway, for our listeners who are ready to get started right now, what’s something they can do right after this video is over that will move them towards the goal of being an ICS security practitioner? But it sounds like sounds start with networking, programming.

[00:12:30] SA: Networking and programming are the key elements of having to do this. Again, shake on the doors, shake on the doors because it’s so needed. I know that my, my friend, Rich was looking for two people and he’s been looking for two people for like the past year. These are, he’s bringing in GS level 12, 13 for the government. That’s not an entry level.

[00:12:59] CS: Yes, for sure. All right. Well, I know at least more than two people are listening to this video right now. You know what you need to do. Get yourself started. Steve Allen, thank you very much for your time and insights today. This was great.

[00:13:11] SA: Well, thank you. Hopefully, I’ll see some people in our SCADA class that I teach occasionally.

[00:13:16] CS: Fantastic. For all of those of you who are listening and watching, thank you very much. If you’d like to know more about other cybersecurity job roles, please check out the rest of InfoSec Career Video Series. We’ll talk to you next time. Bye now.