Joel Langill, aka the SCADAHacker, joined me on the Unsolicited Response podcast to discuss ICSsec training and workforce development. Joel is the Director of ICS Cybersecurity at AECOM. He also runs the popular ICS security website, and details on the training he describes in the podcast are available at that site.

Loyal followers of Digital Bond content know that Joel and I don’t agree (some may say vehemently disagree) on a number of ICS and ICS security issues. Rather than rehash those arguments, I had two main goals in this episode. First, to dig into Joel’s background pre-ICS security because context is so important. We have the classic issue of a lot of heated disagreements in the ICSsec space that I believe are largely due to admirable passion and a lack of understanding of the other’s context.

Second, and what most of the episode is about, to get Joel’s thoughts on ICS security training and workforce development. How many people need to be trained, what type of training, lessons learned from his ~10 years of training, …

Here are some highlights and structure for the episode.

2:15 – Joel’s background in ICS/automation prior to getting involved in security.

13:05 – How Joel’s background has informed his approach to security.

16:50 – Started discussing ICSsec workforce development.

18:50 – What would be the ideal training for an ICS security professional?

23:25 – Using a pharma company as an example, how many people in that company would require ICSsec training? What type of training for what roles?

26:05 – Where should the ICS security talent be located in a company?

27:40 – How to scale training, online training, and how he structures his online training.

29:55 – Joel’s belief that an online class is more effective than an in-person course and a discussion of the course labs.

32:10 – What has Joel learned in training 500+ students?

35:20 – If 40 hours is not enough to get you where you need to be as an ICSsec professional, how do you or the market address the need for additional training? Joel notes most students did not meet the criteria/skill set to fully benefit from the class.

38:40 – The benefits of a hands-on assessment to determine current skill level and needs to select required training.

41:20 – How Joel’s joining AECOM will affect the SCADAhacker training.