Hopefully you're right, cd1zz. 

My experience to date has primarily been with the Modbus family of protocols; I'm starting to dig into BACnet for a potential client. The most interesting project for me, at this time, is designing a SCADA lab for pen-testing a couple of PLC's. I tend to agree with you: I may not have an opportunity to do such a thing on a running system, so it will be nice to be able to do such a thing in a lab. The easy part for the lab has been specifying the PLC hardware, programming enviornment, HMI, etc. Hard part has been designing the InfoSec / Pentesting "side", as I have little practical experience to date.

I hired Red Tiger Security to come onsite and present their SCADA Security training material. It was a great class. I believe that Jonathan will be presenting similar material at this year's Black Hat. If anyone has the money, I can't recommend it highly enough.
 
I am hopeful that the coming year, with a new job that is security centric, and further coursework, will make me stronger in the long run. I just don't have the confidence from a pen testing or vulnerability assessment perspective yet. Mid-year resolution: keep reading this board and start studying one of the aforementioned courses.

Thanks, all.

That does help, thank you. I have heard of, and hope to take, CISSP and the INL SCADA advanced security course at some point. I will probably defer both until after the first year of the grad degree, so that I have a broader foundation.

I've only heard a little about OSCP, but the website is quite intriguing. I had been planning to look into hackingdojo; I took the Novice course last summer and really enjoyed it. It's hard to tell how hackingdojo's content maps to OSCP; any thoughts?

(BTW, I'm a US citizen in the NOVA/DC area.)

More than a year later, and I look at my original post and ... wow.

I got accepted into a masters program for Information Security and Assurance after successfully passing the foundational courses in Computer Science; and I've taken a job with another company that is more of a cyber security role for SCADA systems. And I now understand that there's so much to learn.

I'm probably MORE confused now than I was a year ago on the best cert's to get. I finished up the coursework for CCNA, and while the material was interesting enough, I think that other, security-centric certs might be more beneficial in the long run. 

Anyway, cd1zz: You were right -- mile wide and an inch deep isn't the way to go. I appreciate your insight.

Good morning,

I am seeking a bit of advice from a career / education perspective. I'm a Process Control Engineer, working at a public utility. I work in SCADA systems, PLC's, and DCS's (Distributed Control Systems). Sorry for all the acronyms, but I figure you folks are used to them, with all the certs floating around out there.

I am very interested in focusing my career on the SCADA / cyber security side of things. My background is in Chemical Engineering, not IT, however; and right now, I sort of feel like I'm trying to take a sip of water from a fire hose.

With my work experience in SCADA systems, I've had to tinker around in Domain Controllers, firewalls, DMZ's, DCOM, SQL, etc... I know just enough to be able to troubleshoot some minor problems, but by no means am I an expert. I definitely can't explain the "why's" at this point.

So I've decided to apply to a Master's program in Information Security. I want to focus on the SCADA side of things, and how they are segregated from business networks. The protocols I typically work with would be TCP/IP and Modbus / Modbus+. And OPC (is that a protocol? See, I've got so much to learn...).

There are four pre-requisites required before acceptance into the program that I am interested in. I'll be taking these, starting in the Fall. They are:

• Fall semester: 1) discrete / logical structures; 2) JAVA programming
• Spring semester: 3) computer org / assembly; 4) program design & data structures

So those are the official requirements, but given my non-IT background, I feel that I ought to beef up a bit more before actually entering the program. That's really where I'm seeking advice, and with that in mind, I'm considering the following:

• Currently, I'm doing "independent study" of the Network+ exam. I am not sure whether I'll actually take the cert, but it is definitely providing me with good foundations, so I'm going to cover all of the material.
• I plan to take a C++ course over the summer, based on the recommendation of a friend that is in a Computer Forensics program at the university I'll be attending.
• While I'm taking care of the InfoSec pre-reqs, I was thinking I might enroll roll in a CISCO Network Academy on the side, and try to get a CCNA. (My supervisor at work is thinking about building CCNP into one of our career ladders. I explained to him that CCNA comes before CCNP.)

After I started the Info Sec program, I think that I'd continue to take some courses on the side...

• C
• SQL
• ...?

I'm also on the market for a laptop that would get me through the program. I've noticed that a lot of the students are using MacBook Pros. I have a MacBook myself, but I was surprised to see so many students using the Mac OSX as opposed to Windows. Could anyone offer me some insight as to why this might be the case?

My Crypto friend recommended a MacBook Pro, with VMWare installed so that I could install a Virtual Machine of a Windows OS as needed... any recommendations as to which OS I'd want -- XP, Vista, or 7?

I've also seen a LOT of discussions here about Linux / Unix. Would I want to install that in VMWare, as well? I do have a --little-- bit of experience in Ubuntu, from setting up a TikiWiki server for my former employer. I am by no means an expert.

Finally, if anyone has a similar background in SCADA, I'd love to develop a relationship with a mentor. (Would that make me a mentoree or mentee? I'm not clear on the proper term here.)

Kind regards