April 2000 was my introduction to ICS. A water organization with a canal found the Digital Bond website, and asked if we could do a cybersecurity security assessment of their SCADA system. Being a consultant and owner of a struggling start-up, of course the answer was yes. This started me on my 20-year journey in ICS security.
I was fortunate that this SCADA system did not require 24/7 operations. They could go days without needing SCADA, and wouldn’t even send people out if it was down for less than two hours. They wanted to know what an attacker could do and weren’t really worried if we caused something to crash. In fact they wanted to know if we could make something crash. It was a gentle introduction.
As you can imagine back in 2000, this SCADA system had almost every security issue imaginable. There was no perimeter between SCADA and the enterprise, had old underpowered computers (*nix) and applications that had never been touched since install, ancient switches, no logins used, … although they did have an asset inventory.
To their great credit, the water organization was far ahead in looking at ICS security. I’m incredibly proud of what they have accomplished in the intervening 20 years, particularly in the 2000 – 2010 decade when few were doing much, particularly in water. And I owe them a huge debt of gratitude in introducing me to ICS.
I loved “SCADA”, as we called it back then, from the start for three reasons.
- With so many issues, it was an interesting challenge to figure out what to do in what order and to convince the asset owner to implement the program.
- Huge improvements in risk reduction were possible in those early years with minimal resources.
- Getting out in the field to see those physical systems was fascinating to me. I’ll never be an engineer or understand the process in detail, and yet it still is my favorite part of ICS security consulting.
I’ve been to lots of pipelines, every type of power plant and substation, pet food factories, glass factories, dams, chemical plants, water treatment and wastewater, and so many more physical processes that rely on ICS. My two favorites were a chocolate factory due to the level of automation of the line making, wrapping and boxing the candy bars, and an offshore oil platform to see the lifestyle.
Over the last 5 years my time in the field has decreased substantially. I’ve invested a lot more of my time in S4 Events (actually well over half my time), and I find that working with Executives and Boards is an enjoyable challenge, especially since I can have a bigger impact than I can helping Ops with a single plant or system. Even with the shift in focus, I can’t imagine not getting out to see ICS in action at least a few times every year and continuing to be impressed at what engineers and automation professionals can do. If you get a chance to do this, take it.