SCADA Infosec

f0rgiv3n Member Posts: 598
I might have an opportunity to start going down the SCADA (Process Control Networks) security path at my current job. I'm wondering if this is a growing need out there that anyone is aware of? I don't ever want to pigeonhole myself and not be marketable.

Anyone out there deal with infosec on PCNs?


  • AlexNguyen Member Posts: 358
    SCADA security is all over the news because of recent critical infrastructure attacks. SCADA systems have a lot of security holes. Most of them have been running for decades. You don't want to modify the source code. What you can do is implement compensatory measures only. The devices in the field are made to last at least 50 years.

    My job field is related to regulatory compliance, e.g. NERC CIP. We hired some NERC compliance consultants who have been with us for many years now. Their job is to write policies and procedures to comply with the regulations. They taught us how to answer in front of the NERC auditors. They helped us do a self-assessment audit.

    As you can see, it's not a technical job. It's more of a GRC (Governance, Risk, Compliance) job. In Canada, we don't have a lot of job opportunities in the NERC compliance sector. Most of the electric utility companies are owned by the provincial government. So you have only one possible employer per province (state).

    I took a SCADA security boot camp last month in Dulles, VA. There were some IT consultants in the class who do SCADA pen testing jobs and risk assessment for the US government and Boeing.
    Knowledge has no value if it is not shared.
    Knowledge can cure ignorance, but intelligence cannot cure stupidity.
  • f0rgiv3n Member Posts: 598
    Hmm interesting, thank you very much for your valuable input. The situation I have is whether or not I'm "interested" in a SANS SCADA bootcamp or not. How did you like the security boot camp that you went to? Do you feel that it was worth it?
  • AlexNguyen Member Posts: 358
    I did not go to the SANS SCADA bootcamp. It's too expensive. I went to the InfoSec Institute instead, and you have an exam on the last day which will give you a certification. SANS doesn't have a SCADA certification yet.

    The bootcamp doesn't talk about SCADA much. It's essentially about IT security concepts. It's like a mini CISSP bootcamp.

    I took that bootcamp in preparation for the "Advanced SCADA Security Red/Blue Team" course. It's a FREE 5-day course paid for by the Department of Homeland Security. You only need to pay for the hotel and transportation. They do a background check and make sure that you work for a company that deals with critical infrastructure before approving your registration. They accept international students. You can find more details here: Idaho National Laboratory - National SCADA Test Bed Program

    I need to get some skills and practice in pen testing before attending that course next year.

    If you need to know more about SCADA security, there are some free docs:

    NIST - Guide to Industrial Control Systems Security:
    INL - Control Systems Cyber Security for Managers and Operators:
    INL - Hands-on Control System Cyber Security Training:
  • f0rgiv3n Member Posts: 598
    Wow, I never knew about the Red/Blue bootcamp... Funny, I live in Idaho :D . Thanks again for those links, that's some good stuff right there!
  • astorrs Member Posts: 3,139
    I worked on control systems upgrades from 1999-2004 and I'll echo what AlexNguyen said. While there's definitely a lot more awareness of the vulnerabilities that exist in these systems nowadays, they're still not easy to remediate. It's more about securing the perimeter, access control, and implementing processes to ensure compliance.

    With that said, I was relatively junior when I started back then and some of the skills I learned during that time have been immensely beneficial to my career (things look different when a decision/mistake can result in losses measured by dollars per second, damages in the tens or hundreds of millions, and/or the deaths of one or more people).

    I wouldn't trade the experience for anything, but at the same time I never want to work in that field again. Not sure what that says exactly...