Getting Started in ICS/OT Cyber Security - 20+ Hours - Part 1 (Course Introduction)
FULL TRANSCRIPT
Hello, and welcome to Getting Started with Industrial ICS/OT Cyber Security. I appreciate you taking the time to check the video out, and hopefully you'll find some good information and resources that you're looking for, maybe some answers to your questions about literally how to get started in industrial cyber security. So my name is Mike Holcomb, and again I appreciate you wanting to come check out the class.

So real quickly, a couple of disclaimers. The information that I'm going to be sharing is for informational purposes only, and all the information that you are going to learn is expected to be used for the forces of good and not for the forces of evil. Ideally we're going to be talking about things like different cyber security attacks against industrial control and IT environments and how to conduct those different types of attacks. We learn this information and we share this information to make ourselves better cyber security defenders, and that's really the main goal of this course: not to use that information to become an attacker. So hopefully everybody gets the idea there. And then all the information I discuss in the course is really my own opinions; it's not necessarily affiliated with my day job or any of the other organizations or clients that I'm affiliated with.
So I did include this slide that I usually keep in, or use, when I'm doing this class live. We've had, I think, about a thousand people come through this course live over the last year, which is really exciting, and I also wanted to get it out on YouTube for those that couldn't make the classes. We'll be talking about Rob Lee probably a lot throughout the course. If you're not familiar, Rob Lee is the CEO and founder of Dragos, and they are the world leader in industrial control cyber security, and that's really because Rob Lee is considered the true thought leader at the global level in industrial control cyber security. His mentor, Michael Assante, who passed away unfortunately a couple of years ago, was really seen as the person that started the field of industrial cyber security. So there's this incredible lineage between Michael Assante and many others that we're going to be talking about through the course, but Rob's probably the one person we'll mention most as we go along. I have a lot of stories that he shared that I'm able to share with everyone, if it's something that he shared in a class or in a speech. There are definitely other things that he shared in the past that it's not my place to share, but the ones that I'm able to, I think, really help bring a lot of light and character into some of the shadows of ICS cyber security. He really does an incredible job of demystifying ICS cyber security, which I've always appreciated: trying to make it simple and practical for people to understand, and that's really one of my goals as well. So in larger groups, when you have a couple hundred people in Discord, we like to say "you do you, just don't be a jerk," so be nice to everyone. But again, I just kept it in there to introduce Rob Lee, because we'll be talking about him more than a few times, I'm sure, as we go throughout the course.

So what we're going to be covering in this first section: we're going to talk a little bit about my background, so you can maybe understand why you should, or maybe shouldn't, listen to me. We'll talk about the purpose of the course, why I put it together, and the goals, ultimately what you're going to look at getting out of the course. We're going to have some references and course materials that we'll be looking at. We'll go over the different units or modules that make up the course, and then we'll wrap up with a discussion on cyber security certifications for ICS/OT, because that's one of the most common questions that I get, so we want to put that in this introduction section because it really doesn't fit in any of the other modules. And then we'll also talk about some additional resources like conferences and podcasts that you can either attend or listen to to get a lot of great information on industrial control cyber security.

So for those of you that don't know me, my name is Mike Holcomb. I'm the Fluor Fellow for Cyber Security, so I work at a company called Fluor. We're one of the world's largest engineering and construction companies, so we build and sometimes operate some of the world's largest industrial control environments, and I get to work with some of the best engineers in the world, which is a really fascinating position to be in because I can learn so much from so many different people from all over the world and all different types of companies in all different sectors. I'll share as much of that experience as I can throughout the course as well. I am also the global lead for the Fluor ICS/OT cyber security program, or practice if you want, so we'll talk a little bit more as we're going throughout the course about what that really means from a practical experience. I also run a couple of local cyber security groups: I run the local ISSA chapter, which is more associated with IT cyber security, and I've been doing that for almost 20 years at this point, and also the local version of BSides that we have here in Greenville, so we'll also be talking about those as we go throughout the course. I also wrote and taught all of the six cyber security courses that make up the local technical college's cyber security program, which I was really proud of because there are a lot of really hands-on, true practical-experience labs that they put in the courses, so I was really excited and proud of that work. I have a lot of cyber security certifications. I've been in IT cyber security for a little over 25 years, and I've been working on getting into OT cyber security since 2010, so not as long, but for about, what, 13 years. When I started, I didn't really get a lot of traction in the field till about 10 years ago, so that's another reason why I put this course together: to help people that want to make that transition, whether it's from IT cyber security, or if you're in OT today and want to learn more about cyber security. So we'll be talking about some of those certifications. I'm actually finishing up my Master's degree right now. I'm writing my thesis on PLC cyber security; those are programmable logic controllers, and if you don't know what that means yet, you will after the next section or two, so don't worry about that.
So we'll talk a little bit about that and the thesis. And then I do some outside training and consulting outside of the Fluor world as well, so I've worked with a couple of manufacturing entities now and some other really small, well, more medium to large size environments that I've been really fortunate and lucky to work with. So I'm really happy about getting to do all those different projects. I just like going into a new environment and working with people and helping them become secure.

So in my Fluor world, on the OT, or operational technology, or industrial control side, you can see in the upper left, that was actually my first project that I got to go on site for. It was a large traditional power plant that actually uses natural gas to generate electricity, so we're going to be talking about that project as an example of how an overall industrial site comes together, using the power plant example. I worked on the New NY Bridge; not a lot of control systems on bridges, there's some, but still an exciting project that's north of New York City, a bridge that goes over to the Jersey side. We run the subways in several big cities in the United States; one that I recently have worked with is in Denver, Colorado, so for those of you who are not familiar, Denver is kind of right in the middle of the United States, so that was their picture there. And then in the lower left is our largest project that we're building for Shell, which is called Shell LNG Canada. It's an LNG port facility, so we bring in natural gas, liquefy it and load it onto container ships, and it's actually Shell's largest project as well. It's a $50 billion project, just to kind of get an idea of size and scope. When you look at that picture, it maybe doesn't look that big, but really, I'd say it's kind of like a small city; it's really more like a medium-sized city. The LNG storage tank, which you can kind of see in the bottom, still has the cranes around it as they are building it. I remember talking about this as part of the risk assessment, and we'll get into that later in the course, but talking about the storage tank that is lined with sensors, because you have to monitor it over time because natural gas can become unstable and could explode. When you look at the tank itself, it's actually the size of a large sports stadium, so it's a little hard to tell maybe from the scale of the picture, but then you can really start to get an idea of how large that project actually is. So that gives you a little bit of background. I work on some other projects of course as well, and a few we'll talk about, anything that's publicly available that I'm definitely free and open to talk about.

So that's a little bit about me, and real quickly, if you haven't seen, most people find me through LinkedIn, so definitely feel free to reach out. You can follow, you can reach out and connect, send me a message if you have questions on the course material. Usually LinkedIn is the best way to get a hold of me, so you can find me there. I'm always there, so that's the one place that's better than email, even, or my cell phone probably, to get a hold of me. You can also see in the little banner I did write two different little ebooks that are free, about getting started in industrial cyber security. One is actually written for those of you that are coming from an IT cyber security background, and if you're coming from an OT automation background then there's a version that's written for you. Probably about 80% of the content is about the same; it's just the first 15 to 20% of the content where, depending on which world you come from, the steps that you're going to take first to get into cyber security for industrial controls are different, and so the books really can help you walk through that process and just provide a lot of resources and thoughts on how best to go about getting into industrial cyber security. For me, in 2010, when Stuxnet first came out, and we'll talk more about that later on, that was really what started getting me down that path into industrial cyber security. The problem was nobody wanted to talk about it back then. There really weren't any books, there was very little information on the internet, so it was very much black magic that nobody knew how it actually worked, and sometimes it can be like that even today. Thankfully, especially over the last couple of years, and with a lot of the work by people like Michael Assante and Rob Lee, the community has really opened up over the last couple of years, and there's still a lot of great information out there, but it can still also be overwhelming. Again, that's a big part of why I put those books together and why I put this class together.

So ultimately, why the class, though, and why am I in industrial cyber security, and why today? Right now I'm recording this; it's November of 2023, so 2024 is coming very quickly. The industrial control cyber security landscape has changed dramatically over the last couple of years, especially the last couple of years and even the last couple of months, whereas prior to really, what, 2021, not much had changed for years, for decades. So it's a really exciting space to be in right now because things are really starting to change, and for us as defenders, not in a good way, unfortunately, because we are seeing the number of attacks going up every year. They're doubling, they're tripling against our OT or industrial control environments, and in some more sensitive environments, like if you're in the Ukraine, they're seeing anywhere from 10 to 100 fold increases depending on the day of the week, just insane amounts of increases of attacks against things like critical infrastructure. What we really saw was a big shift, and this goes back about two and a half years ago, with the Colonial Pipeline breach, which we're going to talk a lot more about in the course, and you'll hear me mention it a lot as really this kind of demarcation point in control system cyber security. Before Colonial Pipeline, about two and a half years ago, not everybody in OT really worried about cyber security because they were just worried about nation state attackers, but Colonial Pipeline wasn't taken offline because of a nation state attacker like Russia or China or the United States; it was a ransomware group, and we normally associate ransomware groups with general IT. Now we see ransomware as the number one threat against both IT and OT environments, so there's a lot we're going to unpack there, so I don't want to jump too far ahead. But another problem that we see, and this is just increasing every day, is that the types of systems we have in IT, like Windows-based systems, are moving more and more into OT, which makes it easier for us to run and manage facilities, but it also makes it that much easier for attackers. So not only are we seeing more attacks and more attackers, but we're also seeing more systems that are easy for the attackers to break into. We're also allowing, in my opinion, too much communication between the IT networks and the OT networks at a location. So if you're at, let's say, a power plant, you have an IT side of the house and you have an OT side of the house, and you want to keep those as separated as possible, but it's not always as easy as just saying they're completely cut off from each other; that doesn't work. So we do allow some communication, but we have to do that as securely as possible, so we're going to be talking about that; we have an entire section dedicated to that later on.

We also look at, so we're going to talk about, owners and operators in the OT space. Owners: it's a company that owns, say, a power plant, so the power plant I was mentioning earlier, that was owned by Dominion Energy. Now the people that run the power plant, that keep it up and running generating electricity for the public, that could be the same company; it could be Dominion Energy employees, or Dominion Energy could pay another company to run the power plant for them. So sometimes owners and operators can be different companies, or, like I believe with the Dominion Energy power plant, they're the owners and they also operate the facility as well. But we still see a lot of owners and operators, even in 2023, that don't think that their OT environments are targets, which to me is probably one of the most concerning problems that we have today. So a big part of what I work on is really, in a lot of respects, security awareness, and helping owners and operators understand that they are targets of attack, and again, it's not just nation state attackers we're worried about anymore.

And then, ultimately, why cyber security, especially in critical infrastructure, is so important is: what happens with that power plant if the power plant goes down for a couple of hours? Yeah, not the end of the world, right? As long as our iPhones and laptops have a couple hours on their battery, we'll all survive. But what if it's a couple of days or a couple of weeks, and then you get into really worst case, right, months or a year without power? I mean, that's where you get into Walking Dead territory, right, and the degradation of society, and that's obviously not what any of us wants. So in the IT world I always focus on: I don't want the company compromised, because if anything, the company loses money, people are going to lose their jobs. In OT, or industrial control cyber security, there's even greater stakes when you talk about how we support the world around us, and that's a big focus for me. I don't say it lightly; I say, yeah, we're here literally to save the world, or at least to protect the world, sometimes from itself. We want to make sure that, especially with critical infrastructure, power, water, a lot of these things that people take for granted, I know I do, right, that are protected and stay safe. Telecommunications, which plays into the internet, right, large data centers that provide services, manufacturing, think especially with pharmaceuticals. So there's a lot that comes into play, so we'll be talking a lot about that as we go throughout the course.

Now, the course itself. You can see that when I put this together, it was really designed as this high-level overview of cyber security when it comes to industrial control environments like power plants or manufacturing, or we talk about mining or rail, and the list goes on and on. So we'll talk about a lot of different types of environments. That's another thing I'm very fortunate about working at Fluor: I get to work in so many types of environments. There's very few different types of sectors we actually don't work in, and we work in just about every country on six continents; it used to be on seven continents, so we've been a little bit all over. So again, I get to bring in a lot of experiences and knowledge from over the years to be able to share. So this is, of course, just an overview, and then, just like in general IT cyber security, right, we're kind of scratching the surface, and then there's different areas that you can dive deeper into, and hopefully as you're going throughout this course you'll find those different areas that you're probably even more interested in, and you can definitely take a deeper look at those. So if you're just even interested in learning a little bit about industrial control cyber security, right, it's a great course, and I think with videos on YouTube you could just kind of flip through it as much as you want. If you're not trying to really dig in deep and learn, and you just kind of want to get a look and feel, right, perfectly fine. And then, ultimately, it's also about helping people understand how do we secure these control system environments, how do we protect our power plants and our water treatment facilities and our railways and our mines and our manufacturing environments, and so on and so forth.

A couple of the other goals, a couple of things that we'll highlight as we go throughout, is we talk about how people coming from an IT background, which we already started to mention, come into control system cyber security differently than somebody from the control system world, so people like engineers or technicians at a site, maybe they're doing operations and maintenance or doing things like PLC programming or working in a control room. We'll be looking at how do people come from the IT world, how do people come from the OT world, but ultimately it's not only how do we come from these different worlds, like I came from a traditional IT cyber security background, but how do I get to work with people on the engineering and the maintenance side of the house and the automation groups, right? Because it takes both sides of the house to work together; it's not just the IT side, it's not just the OT side of the house. We have to work together, because if it's a bad marriage, where we're either fighting all the time or we're just not even communicating and everybody's just shut down, nothing's getting done and the only people that win are the attackers, and that's the biggest concern. So one of the areas that I highlight that's most important for us to work on in industrial cyber security is how do we get OT and IT people to work together, and sometimes the best way to do that is to get them in the same class. I have some great examples of that from over the years that we'll be talking about as we go on.
So there's some course materials that we'll be referencing as we go along. I do have review questions for each of the modules, and then some additional modules that we're not covering in this course because they're now dedicated to their own courses, like penetration testing in industrial control environments; right, that's not something that you can just cover in an hour or two, that's a whole 40 hours of content in and of itself, so that idea. But there's review questions, and I have some quick start reference guides, so we'll talk about primarily tools like Shodan and Nmap as well, so I have some quick start reference guides; you can find those in my GitHub repository, the link is in the end of this video, so don't worry about that. And then I always recommend that everybody at least read Sandworm by Andy Greenberg, which is a great novel that talks about really the buildup of cyber security in the industrial control world. It kind of starts off with Stuxnet and builds up until, I think, when it was published, up to a couple of years ago, so it also talks about really the lead-up to the current Russian invasion of the Ukraine, because Russia has always not been shy about leveraging control system cyber security attacks against the Ukrainians, like when they turned out the power. They created two blackouts, one in 2015 and 2016, also one allegedly in 2017, and then it was just revealed last week that they also did it in 2022, so we've had three, if not four, blackouts in the Ukraine caused by the Russians using computers, right, from that cyber perspective. So Sandworm does an excellent job of really walking us through the history of control system cyber security, and it even talks about Rob Lee in the book, and some others like John Hultquist, I believe that's how you say his last name, over at Mandiant, and some others that are well recognized names in the field.
So Backdoors and Breaches is also a card game created by Black Hills Information Security, and there's a digital online version that you can use for free, and there's an ICS version that Black Hills had put together with Dragos, Rob Lee's company. We're actually going to look at that when we get into the last module, talking about incident detection and response, because it's a great tool, especially when it's free and online, to be able to learn different types of attacks, and not just that, but how do we respond to those different types of attacks in control system environments. So we're going to be looking at that in the last module of the course.

So speaking of the different modules, or the different units: of course we're here in unit one, so we're just going over the introduction, even though I put a lot of content into the introduction, so we still have a little ways to go, especially just trying to get a lot of those resources that I want everybody to be aware of. In unit two we're actually going to then get into really what is this world of control system cyber security and why it's important. We're going to dig into the different types of attacks and attackers and some of the history behind control system cyber security, especially over the last roughly 20 years. When we look at unit three, this is where we're going to, if you're not familiar with the different types of control systems, so when we think of things like PLCs and HMIs and RTUs, and ICS versus SCADA, and the list can go on and on, we're going to talk about what are those different types of control systems. And then we're going to look at, we also have specific types of protocols in control system environments, so things like Modbus and S7 and DNP3 and BACnet, and there's also wireless protocols like Zigbee, which I find the most fun to say. Wi-Fi, just like we have in our houses and apartments and offices, right, you can also find in industrial control environments, and so you also find all the same vulnerabilities and security issues there as well, so there's a lot we're going to talk about in that section. And then once we get through that, I think we're all at that point on this level playing field, whether you come from IT or OT, and then we can start to talk about, well, how do we secure our critical infrastructure, how do we secure our OT environments. So the first place we're going to start is with secure network architecture: how do we allow IT and OT networks to talk with each other, hopefully in a limited manner, but still wrap security around that to do it as securely as possible. Unit five, we're going to talk about asset registers, which, if you're coming from an IT background, is really just a fancy way of saying asset inventory. So we want to make sure that we have a list of our hardware and software and firmware that we have running in a control system environment, so we know what we have in the environment to protect.
the asset register is is very critical
to a lot of control system environments
so they should already have one even
though that's not always the case so
also talk about how to build one which
isn't necessarily easy and depending on
the environment you're working in it's
not safe potentially as well but it's
very critical to have a asset register
as complete as possible because then
that L lends itself to when we talk into
unit six about threaten vulnerability
management right understanding what
vulnerabilities do we have in the
environment and how do we need to
address
those how do we address them and and do
we even need to address them so so it's
definitely a lot to talk about in in
unit six unit s we take a little bit of
a s track so this is where we we're
talking almost a little bit of
penetration testing and using tools like
show in and other ENT or open- Source
intelligence gathering tools out on the
internet to see uh especially do we have
have any control system environments or
systems that are connected or exposed
directly to the internet because if
they're exposed to the internet they
they're exposed to everybody including
the attackers and the attackers will
find them and they will find them very
quickly to to Target them and and take
control over those and then use them as
a foothold into the rest of the OT or or
the it environment which they can then
use to get into the the OT Network so
we're going to spend some time uh there
and then after that that's when we'll
get into our last unit talking about
incident detection and response so when
we look at network security monitoring
how do we detect if there's an attacker
on the network right we can deploy
different tools to alert us well how do
we investigate those alerts to determine
is something malicious or not there's
some alerts that I I know if I had first
seen them when I came into OT for the
first time especially 10 years ago I
would have said ooh that's malicious
activity it's like well no that's just
normal plant plant operations so so
there's definitely a couple of things
that we want to look at there and how do
we respond response at high level works
very similar in it and OT we just have
different focuses for that response
that's what we're going to talk about
later especially the main thing to just
keep in mind not to jump too far ahead
is just in control system environments
in OT right the the main concern is
safety right making sure the people at
the side and in the the the general
public are safe and then we also worry
about the safety of the
environment and then we can talk about
the availability of the plant but that's
very different than the IT world where
we're worried about confidentiality of
data most importantly right we don't
want attackers to come in and steal our
information and that's that's still
important but that's not at the top of
the list when it comes to OT cyber
security it's the ultimate priority
Second To None is physical safety making
sure everybody on site goes home at the
end of the day to their family making
sure that if there's the general public
in in the vicinity of that plant or
wherever we're operating think of if
we're operating a you know Subway for
moving people from point A to point
right we have to make sure everybody
stays safe that is our primary concern
above and beyond anything
else so that's what we're going to be
talking about in those eight different
units for this
course now I did want to include you
know a talk a little bit or a section
around cyber security certifications
again they don't really fit in any of
the
other
modules but but it's one of the most
commonly asked questions questions that
I get and it makes sense right and I
have a lot of these cyber security uh
certification so I've taken the entire
series that of the ISA 62443 I've taken
the three s courses and and three
certifications they have a couple other
courses but they don't have uh
certifications for those in in the
control systems and then next year
they're going to debut a pen testing
course which I'm I'm excited I'm going
to go take that one and and then there
are some other certifications out there
from other companies like EXA and I
believe it's to reinland from from uh
Germany I just don't have any experience
with those I know people that have taken
those courses uh so we'll mention that
um but uh I just don't have any personal
experience with those so so the most
popular route I see people taking today
is ISA 62443 so
ISA and IEC are two organizations; think of them kind of as sister or brother entities. IEC is more internationally recognized, ISA is based out of the United States, so it just depends on what part of the world you're from how you'll reference it. ISA 62443, though, is really considered the gold standard, a literal standard, of how do we create a cyber security program for a control system environment, right? It's a great framework or standard for doing that, and we're going to be talking about that a lot as we go throughout the course.

So they put together four different courses, and you do have to take the courses to take the associated certification exams. You can see the first one starts with the Fundamentals Specialist; that's kind of like Security+ from the IT world, if you're familiar. And then you can see there's three additional, kind of more specialist types of roles: one for maintenance, the cyber security secure network design, and risk assessment, which we're going to talk about. Risk assessments are a very key component, or cornerstone, of a 62443 program. And then if you get all four of those certification exams, you become what they call an ISA/IEC 62443 Cyber Security Expert. It does not make you an expert in anything; I hate the name, right? It takes you what, 10,000-plus hours to truly become an expert in anything, you know.

These are, I think, two to three days average a course, I think most of them are two days, so you're not going to become an expert in anything in, you know, 8, 9 or 10 days. So I think the name is a little misleading, and really the courses are mostly written for teaching cyber security, like IT cyber security basics, to OT professionals. And in the course they talk about the 62443 standard as well; that's probably about 25, maybe 30%, of the courses, right? But again, it's just to try to level set expectations. It is the one that most people gravitate to, I think because it's the most widely recognized internationally as well as here in the United States, and it's probably the most cost effective, because these classes, if you're an ISA member, which is like, around, I think, what, $25 or so to sign up for, again in US dollars, but the courses themselves, I think all four put together is like $7,000, or I think they're like $1,600 each, which might sound like a lot, and I get it, it still is a lot of money. But compared to the SANS courses,
the SANS courses now are about $10,000 to take each class and the corresponding certification exam, and they go up about 10% every year, so they could be a lot more by the time somebody's listening to this video down the road, I hate to say. But the GICSP is kind of their entry level into the control system world. I took that about 10 years ago; it was a great course with Justin Searle, a great class, though, and the best thing actually for me really wasn't even necessarily the content. It was just, the room had about 100 people in Las Vegas, 50 of us were from IT and 50 of us were from OT, and so the best part of that class really was getting to talk with different people working on all these environments. And I remember there was a gentleman in the front row that asked this question the first morning, just a really basic networking question, and I was kind of like, wow, I can answer that, I felt so smart. But then I realized it was just the way he asked the question; it was a completely different way of looking at something, and I realized then it was, wow, IT and OT, we're looking at the same thing, it's just we look at it very, very differently.

So if you're coming from IT, we have to learn to think like engineers and learn to look at things from the OT perspective, or vice versa if you're coming from OT, and then learning how to look at things from that IT perspective, and then we can meet in the middle, and that's where we can do that. Or over time we have people, like I like to think of myself, that now kind of have one foot in both worlds and can be kind of an overall, you know, cyber security practitioner from both worlds, and that's where we need to get to to truly protect our OT environments. Because remember, the OT environments are always talking with IT environments, and almost every IT environment is talking with the internet, so there's a lot of risk. So again, this is what we're going to be talking about in this course: how do we protect those environments. The GRID course, to me, is
the best course you could ever take to learn how to protect OT environments. That's actually the class that Rob Lee wrote, and he still teaches it a couple of times a year, so he literally is in class still teaching it. I took it in 2017, and when I was in class with him, it was when the TRISIS incident was happening, and that was actually one of those big events in the industrial control world, so it was really fascinating that, you know, some of us would go to dinner at night or have conversations on the side and he would be sharing with us a little play-by-play, behind the scenes, as to what was going on. So there would be some things we can share as we go along. But even that class at $10,000, if it's something that you could afford, I strongly suggest you make every effort to go take that class with Rob in person, because again, really, to sit in the room with the world thought leader in industrial control cyber security and be able to ask him questions is priceless. So I'm thinking about just retaking it, because it's been a while since I've taken it, and they've changed the course, they've just changed the labs, and again, just to be able to work with him and ask questions, to have that, I mean, it's just still an amazing opportunity. And nothing against the other people that teach the class as well; I just, $10,000 is a lot of money.

So GCIP, I actually took that as part of my SANS Master's course. It covers the NERC CIP certification standard, so if you work in power transmission or generation in North America and Canada, then your facilities have to be NERC CIP certified, and so the course really teaches about NERC CIP. And it's mostly, I hate to say it, and I love Tim Conway, who wrote the course, does a lot of work in power and helped investigate the power outages in the Ukraine, so it's a very important course for those that work in power. The test itself, though, was really a test about auditing the certification, so not necessarily my favorite, but, you know, Tim's definitely one of my favorite control system folks for sure, and just like Rob, just really great people.

So those are the three courses. Again, if you get the opportunity to take the course with Rob Lee, it's still worth the $10,000 if you have it to spend. And then there's the GICSP, which is an introduction; there are a lot of people that don't necessarily go that route, because I think at this point in time there's a lot of content out there. They might feel like, with this course, maybe you don't need to go take the GICSP if you can get at least some of that at this course. Again, we're only doing 20-ish hours, we're not covering the 40-plus that you get out of the GICSP, but it's a start, and it's free compared to the $10,000. And then GCIP, again, is for if you work in NERC CIP environments, power generation and transmission in the US and in Canada. Again, there's a couple of other
certifications out there. I don't have any personal experience with these, but there's exida; we have engineers at the office that have some of these certifications. So they're lower cost, they're more along the lines of the ISA/IEC courses, and I've heard good things about the content. It's like the ISA 62443 classes as well: they're two or three days, so they're not teaching you everything, as compared to when you go to SANS, because SANS courses are usually five, six days and they can run like 12 hours a day. So with exida and TÜV Rheinland, they're more affordable, and for the information you get, what has been explained to me is it's good information. Again, it's not a super ton of information, but it's really solid information, and it's more cost effective than some of the other solutions. TÜV Rheinland, since they're based out of Germany, you see this a lot more as a certification for people in Europe, where I think exida is a little bit more US-based, so that's usually what I typically will see.

And then just other training: CISA, the Cybersecurity and Infrastructure Security Agency, which is based out of the United States, they also work heavily with Idaho National Labs, so anything ICS cyber security related, kind of in the US, typically comes out of INL. But they actually have free courses online. There's not necessarily a certification that goes with them, but they do a lot of free training. They used to have to do it in person, I think you might have even had to be a US citizen, but I think with COVID they changed a lot of that, so they just opened it up, pretty much, to anybody to be able to take the courses. So also take advantage of those classes as well; you can go to cisa.gov and find all the online courses. So the rest of this section, as
we wind down, we're going to talk about just some additional resources, and we'll be referencing a lot of these as we go throughout the other courses, but I did want to get them out ahead, you know, in the beginning of the class. Because mandatory reading, I tell everybody, if you're working especially in OT cyber security, well, one, you have to look at the Verizon Data Breach Investigations Report, the one on the left hand, every year. That's where Verizon, now this is IT based, they look at all the IT networks and all the incidents and breaches from the previous year and look at patterns, looking for metrics to understand what's going on in that previous year, so how can we be better cyber security defenders. Remember, most attackers that get into OT networks come through the IT network, so it's important to understand, as OT cyber security defenders, what's going on in the IT world.

And then we also definitely need to understand what's going on in OT specifically, and so that's where Dragos comes in. So every year they do their Year in Review report, so same thing like Verizon for IT, but Dragos does it specifically for OT, and so that's where we'll see, specific to OT networks; it's great information, we'll be talking about some of that as we go throughout. So where you look at, I think some of the content they mentioned, it's just off the top of my head, but I remember something like, for all their pen testing engagements, like 70% of the time it's really easy for the pen testers to break into the OT network from the IT side of the house, right, which is concerning. Or that roughly about 50% of the networks that they went into didn't have proper network security monitoring set up, which is also very concerning, because if you don't have proper network security monitoring set up, whether you don't have it at all or it's set up but it's not done effectively, then how are you going to know if an attacker is in the environment? You're not. So you get a lot of interesting, fascinating information out there that you can use from a practical perspective. They say, oh, we're not doing this today, but we need to be. So a couple of other resources:
there's some great podcasts out there that I listen to. I'm actually now shifting myself over to the right, because I started listening to, like, Control Loop from Dragos; it's becoming a little bit more marketing these days, though, so not as practical, which is a little disappointing, so hopefully it changes. But there's Unsolicited Response from Dale Peterson, who runs the S4 conferences that we'll talk about, so he's always thinking about the future of control system cyber security, so what's coming next, what's coming down, you know, three, four, five years down the road. So I'll probably never be on his podcast, because I'm about protecting the here and now. So sure, it's great to understand what's coming, but I want to get the job done today, not necessarily three or four or five years down the road. So the (CS)²AI, or you see it's the Control System Cyber Security Association, that's run by Derek Harp; they have a great podcast, they always have different practitioners from the field come in and talk every week, so you can learn something about different sectors, so it's a really, really great show. That's kind of the same format that the other ones follow. So Waterfall sponsors the Industrial Cybersecurity Podcast; that's hosted by Andrew Ginter, and so I've listened to that one for, that's the one I've listened to for the longest, and they bring in different guests to talk. I actually recorded my episode with Andrew last week, which was really exciting, so I'm going to be the first guest of 2024 when they release the podcast; that was really exciting. And then I was just on the Protect OT cyber security podcast as well, from Industrial Defender with Aaron Crow, and that was another great conversation; we talked about how to get into ICS/OT cyber security. Aaron has a background, kind of a little bit of IT, and he worked in power; his dad had worked in power plants, so it was kind of part of his, you know, in his DNA. But there are a lot of similarities in kind of our backgrounds, and we can kind of build off of that, like, shared experience, but different at the same time. So a lot of great, like I said, I'm leaning more towards now the Protect OT and Industrial Security and then the (CS)²AI ones, just because I like to hear from all the different practitioners, because they're just bringing real-world experience and understanding, like, here's the practical tips of how you do the job, right? That's what I'm always looking for, so I think that's what I typically gravitate to. There's some great people to
follow on LinkedIn, and there's other social media; I just do LinkedIn now. I say, you know, Rob Lee, which we mentioned; Tim Conway, who wrote the NERC course, and he's, you know, huge in power, also kind of leads the ICS program at SANS with Rob; mentioned Dale Peterson at S4, he's the guy that's always thinking about what's coming in the future, and people need to do that for sure; Derek Harp, who runs (CS)²AI; and then Lesley Carhart, they are lead incident response, at least now I think in North America, for Dragos, so that's where they work. The one thing I was starting to think of is that some of these folks, which are great, you know, knowledgeable experts in the field, they're not necessarily very active on LinkedIn, though. So I also put together a link or a list of people who are very active on LinkedIn, so I'm not going to read these to everybody, and I kept Rob on there, and you can see Derek's still on the list, so you can see who's on both lists and kind of follow them. But I think there was a great representation from people all around the world, men and women, and so I think there's a really great, diverse group here from all different types of backgrounds. Like Dawn Cappelli runs OT-CERT for Dragos, which is an open initiative, especially, mostly focused for small, medium-sized OT environments to come get free help. So a lot of great information out there. Tony Turner, who I've met through LinkedIn, but I remember when I went to S4 this year, finally, for the first time, and in the forums where people just were talking about all these different topics and questions before the conference, he was in there answering everybody's questions, like in every forum. So I was really impressed, and you'll see if you look him up on LinkedIn, he really is a very knowledgeable expert in the community that just wants to help people, like everybody else here. So definitely check them out if you're on LinkedIn. Conferences, we wanted to
mention real quickly. So the one conference that I go to every year, by far, is the SANS ICS Summit. I think it's in March, maybe, or the March/April time frame now these days; it's just two days, plus you can do the training as well, so, like, for another five days, but the two days is just going in for presentations. Rob and Tim Conway are co-chairs, and you see of course all the other SANS ICS instructors and other people in the community. I think this last year was 500, 600 people, probably maybe a little bit more than that. I think for me the big moment, probably for most people, was they brought the CISO, or the CIO, actually, from Ukrenergo, which is the power company in the Ukraine, and he actually flew out to talk to, you know, these 600, 700, 800 people that are hanging out at a conference literally at Disney World, and then he was getting back on a plane to go back to the war the next day. It was pretty awe-inspiring, so, you can probably tell, I get a little choked up every time I think about it.

So S4 definitely is a great conference to see; I think there's about 1,200, 1,300, 1,400 people that go there, it's probably one of the larger cyber security conferences for control systems, and that's in Miami every year now; I think the next one is in early March, so I'll definitely be there, I already got my ticket. So CS4CA, I actually sit on the advisory board for them, and so I'm really excited to get to go; that's going to be in, I think, Austin or Houston in March 2024, so really excited about that. And the ICS Village, they do a lot of different conferences, so they're at, like, DEF CON and Black Hat and some others. I'm trying to work with them to get them at our local BSides, hopefully for next year, because we're going to have a track or an entire day dedicated to ICS/OT cyber security. Dragos DISC, I went to Dragos DISC, that's their one-day conference; it's mostly for clients and partners, and they present all of their research, which is really, really great, so it was really great, and you get to see a lot of people; a lot of people I've met on LinkedIn for the first time in real life, so that was a lot of fun. So the local BSides conferences, they pop up everywhere; like I mentioned, I run the local Greenville one. I talked at BSides Augusta in Georgia not long ago on, as you might imagine, industrial control cyber security, so you can find those types of events everywhere. So Cyber Senate are smaller events run by James, his last name is blanking on me, but, you know, you get 50, 60 people but really quality events, and the people that are there are just absolutely amazing; some of the best talks I've had with people at conferences ever, so I've been really excited about those. And then Hack the Capitol, which kind of goes along with the ICS Village folks, where that's their dedicated cyber security conference in DC. And there's some others definitely out there, but those are the big ones for me, and I'm definitely always at the SANS ICS Summit and S4 now and CS4CA, and then try to get to as many of the other ones as possible. And then finally we'll get to the end.
If you are looking for other resources that I put together: so I have my h.com, that's kind of the main clearinghouse, I guess, you can go to now for all the different links. I have a GitHub repository, that's where you can find all the references that we talk about in the course, and then also the YouTube channel, which you're obviously watching right now, so I don't necessarily know if I need to list that out, but usually if I'm teaching this for other groups it probably makes sense. And the last slide: I also have a weekly newsletter, if you want to sign up you can find the link on my website or on my LinkedIn profile, and it just comes out on Sunday. Since it's real quick, practical, like three quick things: here's my top post from the week, here's maybe a top podcast I listened to or article I read that I thought was really useful, and that's it, nothing crazy, so just things to help people.

So that's it, to finally wrap up the entire introduction. So like I said, I kind of try to throw everything and the kitchen sink in at the very end, but I wanted to make sure to highlight those resources before we jump into the rest of the course and start learning about securing industrial control environments. So thank you again for tuning in, and I'll see you in unit two.