SCADA / cyber security advice

[tim.just.tim]

Good morning,

I am seeking a bit of advice from a career / education perspective. I'm a Process Control Engineer, working at a public utility. I work in SCADA systems, PLC's, and DCS's (Distributed Control Systems). Sorry for all the acronyms, but I figure you folks are used to them, with all the certs floating around out there.

I am very interested in focusing my career on the SCADA / cyber security side of things. My background is in Chemical Engineering, not IT, however; and right now, I sort of feel like I'm trying to take a sip of water from a fire hose.

With my work experience in SCADA systems, I've had to tinker around in Domain Controllers, firewalls, DMZ's, DCOM, SQL, etc... I know just enough to be able to troubleshoot some minor problems, but by no means am I an expert. I definitely can't explain the "why's" at this point.

So I've decided to apply to a Master's program in Information Security. I want to focus on the SCADA side of things, and how they are segregated from business networks. The protocols I typically work with would be TCP/IP and Modbus / Modbus+. And OPC (is that a protocol? See, I've got so much to learn...).

There are four pre-requisites required before acceptance into the program that I am interested in. I'll be taking these, starting in the Fall. They are:

• Fall semester: 1) discrete / logical structures; 2) JAVA programming
• Spring semester: 3) computer org / assembly; 4) program design & data structures

So those are the official requirements, but given my non-IT background, I feel that I ought to beef up a bit more before actually entering the program. That's really where I'm seeking advice, and with that in mind, I'm considering the following:

• Currently, I'm doing "independent study" of the Network+ exam. I am not sure whether I'll actually take the cert, but it is definitely providing me with good foundations, so I'm going to cover all of the material.
• I plan to take a C++ course over the summer, based on the recommendation of a friend that is in a Computer Forensics program at the university I'll be attending.
• While I'm taking care of the InfoSec pre-reqs, I was thinking I might enroll roll in a CISCO Network Academy on the side, and try to get a CCNA. (My supervisor at work is thinking about building CCNP into one of our career ladders. I explained to him that CCNA comes before CCNP.)

After I started the Info Sec program, I think that I'd continue to take some courses on the side...

• C
• SQL
• ...?

I'm also on the market for a laptop that would get me through the program. I've noticed that a lot of the students are using MacBook Pros. I have a MacBook myself, but I was surprised to see so many students using the Mac OSX as opposed to Windows. Could anyone offer me some insight as to why this might be the case?

My Crypto friend recommended a MacBook Pro, with VMWare installed so that I could install a Virtual Machine of a Windows OS as needed... any recommendations as to which OS I'd want -- XP, Vista, or 7?

I've also seen a LOT of discussions here about Linux / Unix. Would I want to install that in VMWare, as well? I do have a --little-- bit of experience in Ubuntu, from setting up a TikiWiki server for my former employer. I am by no means an expert.

Finally, if anyone has a similar background in SCADA, I'd love to develop a relationship with a mentor. (Would that make me a mentoree or mentee? I'm not clear on the proper term here.)

Kind regards

[cd1zz]

I work in energy and am also involved with DCS/PLCs etc. However, I come in from the IT side of the field, not the engineering side. I've also done a bit of work on Smart Grid problems in my masters thesis.

I am extremely interested in SCADA vulns and the potential problems the energy sector is going to face. I do a bit of vulnerability research on these applications mostly because its easy picking - there are standard buffer overflows that you don't see as often anymore in other mainstream software but that are quite common in energy apps.

There is an interesting researcher, Luigi Auriemma who found over 30 SCADA bugs with zero experience in this stuff, that should give you an idea of how far behind this industry is in regards to software security. Google him, pretty cool stuff.

From a career perspective, I think you've got a niche, assuming you can pick up the IT portion of the business. I cannot stress how important networking fundamentals are and how often they come into play. I'd also recommend programming as much as you can if you want to become an exploit developer/researcher.

I would also recommend doing things thoroughly rather than "a mile wide and an inch deep." Don't bite off more than you can chew, but always keep pushing your development. There is a fine line. I think what you'll come to find out is that the really good security folks know A LOT about A LOT of stuff.

Definitely begin to familiarize yourself with all operating systems. I personally run an Ubuntu box with Vmware and multiple guest OSs and my wife has a Mac so I've covered most of my basis. To be an expert, you need to know it all.

Hope this helps, feel free to ping me offline if you want.

-C

[tim.just.tim]

More than a year later, and I look at my original post and ... wow.

I got accepted into a masters program for Information Security and Assurance after successfully passing the foundational courses in Computer Science; and I've taken a job with another company that is more of a cyber security role for SCADA systems. And I now understand that there's so much to learn.

I'm probably MORE confused now than I was a year ago on the best cert's to get. I finished up the coursework for CCNA, and while the material was interesting enough, I think that other, security-centric certs might be more beneficial in the long run. 

Anyway, cd1zz: You were right -- mile wide and an inch deep isn't the way to go. I appreciate your insight.

[dbest]

Hey there..
A person with your background will be in demand these days.

If you consider a more managerial cert, you can look at CISM or CISSP.
If you consider a technical cert, you could try OSCP.
If your company will sponsor your training, attend the SANS 560 course for penetration testing.

If you are more interested in SCADA security and are in the US, you can try the INL SCADA advanced security course:
http://www.inl.gov/scada/training/

[tim.just.tim]

That does help, thank you. I have heard of, and hope to take, CISSP and the INL SCADA advanced security course at some point. I will probably defer both until after the first year of the grad degree, so that I have a broader foundation.

I've only heard a little about OSCP, but the website is quite intriguing. I had been planning to look into hackingdojo; I took the Novice course last summer and really enjoyed it. It's hard to tell how hackingdojo's content maps to OSCP; any thoughts?

(BTW, I'm a US citizen in the NOVA/DC area.)

[cd1zz]

There are lots of reviews and posts on this forum. Here was a review I did  while back http://www.networkadminsecrets.com/2010/12/offensive-security-certified.html

[UNIX]

There is also a course available from InfoSec Institute which prepares for the Certified SCADA Security Architect (CSSA) certification. However, I haven't heard much about it and it seems, there are hardly any reviews available and it's not really seeked by employers.

However, SCADA systems aren't any different from other software from a security perspective, so it shouldn't be a problem to apply things learned from other courses (such as PWB/OSCP).

[cd1zz]

I'd stay away from InfoSec Institute in lieu of all their recent "issues."

The difference between SCADA/ICS and a regular enterprise, which Tim probably already knows, is that they're much more delicate. In fact, its not uncommon to not be allowed to pen test. More often then not, they simply want VA's. I've been fortunate enough to be able to PT these environments but every time we've been allowed, is because they're in an outage.

You will also come across other protocols that you wouldn't normally see in a regular enterprise environment like OPC, DNP etc. Having control system experience is huge in this area which is where your real value will come in Tim...

[tim.just.tim]

Hopefully you're right, cd1zz. 

My experience to date has primarily been with the Modbus family of protocols; I'm starting to dig into BACnet for a potential client. The most interesting project for me, at this time, is designing a SCADA lab for pen-testing a couple of PLC's. I tend to agree with you: I may not have an opportunity to do such a thing on a running system, so it will be nice to be able to do such a thing in a lab. The easy part for the lab has been specifying the PLC hardware, programming enviornment, HMI, etc. Hard part has been designing the InfoSec / Pentesting "side", as I have little practical experience to date.

I hired Red Tiger Security to come onsite and present their SCADA Security training material. It was a great class. I believe that Jonathan will be presenting similar material at this year's Black Hat. If anyone has the money, I can't recommend it highly enough.
 
I am hopeful that the coming year, with a new job that is security centric, and further coursework, will make me stronger in the long run. I just don't have the confidence from a pen testing or vulnerability assessment perspective yet. Mid-year resolution: keep reading this board and start studying one of the aforementioned courses.

Thanks, all.