Digital Bond was born on October 5, 1998. We turn 25 this month. In this article I’ll crow a bit about successes and joy. Last week I covered failures and lessons learned.
Most of the first 15 years were spent trying to grow an ICS security consulting practice. We had 29 consultants over that time. I gave each employee a copy of Tom Peters’ book Brand You 50 and encouraged them to find a path to be known as best in world at something in ICS security. It was not difficult then, and it is still achievable now with a plan and two to three years of focused work.
The employees had opportunities to do work on a variety of client systems and had time to do bleeding edge research, and were encouraged to write and speak and build their brand. We provided the canvas, and they did the work and deserve the credit. Everyone left the Digital Bond team with more options, more connections and visibility, and higher pay.
The Digital Bond alumni have gone on in their careers and have done some astounding things. They are now spread out over the community, and fortunately S4 is also a sort of homecoming event.
Helping Asset Owners
It was true in 2000, and it’s true now. There are many asset owners early in their ICS security journey, and it’s possible to achieve massive risk reduction in a short time early in the journey. We have worked with a few clients off and on for two decades with an efficient risk reduction approach, and I’m amazed at what they’ve accomplished.
Progress came when the client was willing and we communicated well. I’d estimate 50% of the projects were wildly successful with the asset owner client achieving most of the 0-6 month and 7-18 month objectives (admittedly often with an extended timeframe). 40% of the projects were ok, meh. The asset owner client was happy, they did the easiest actions, often with some large risk reduction. They didn’t really invest or commit to the program. These were the engagements that I worried the most about because I felt if we could communicate better there could be a breakthrough.
That left 10% that were little more than money. There was a project with a deliverable. We did the work, and the client put the report in a drawer. Oddly enough, this 10% would typically invite us back the next year. They didn’t care about the results and were checking off a to-do. We would come back once, but if we couldn’t drive change after the second time we would refer them to others who could hopefully help them better than we could.
Digital Bond has a long list of firsts in ICS security, mostly in the research area.
2003: First ICS Security blog
2004: First IDS Signatures for ICS (Modbus TCP and DNP3)
2006: First Nessus ICS Plugins (Modbus and ICCP)
2006: First ICS Honeypot (mimicked a Modicon Quantum PLC, Charles Perine)
2007: First ICS Vulnerability disclosed through a CERT (ICCP, Matt Franz)
2007: First ICS Compliance Auditing (Bandolier using Nessus, Jason Holcomb)
2008: First forwarding of ICS data (from a PI Server) to a SIEM for correlation and attack detection
2009: First IDS Preprocessors for ICS (DNP3 and EtherNet/IP with Daniel Peck)
2012: First ICS Security Podcast – Unsolicited Response
2014: First ICS Village at S4x14
2015: First ICS Capture The Flag Competition at S4x15 (Stephen Hilt and Michael Toecker)
There are a couple of things I wish we could have pushed further (such as the Bandolier audit files) or been more consistent with (the early years of the podcast).
SCADA Security Scientific Symposium (S4)
We started S4 in 2007 when Matt Franz publicly disclosed the first ICS vulnerability, some nasty issues in ICCP protocol stacks. Matt said there was no place he could present the research where the audience would understand ICS and cybersecurity. We created S4 to provide a place and to help grow the community. 40 people were at the first S4, S4x07, and Whit Diffie was our keynote. Whit was selected to talk about how he helped grow the crypto community.
I could write many words on S4 as it has grown to a 3-day, 3-stage, sold out event that draws 1,100 of the best in world in OT cybersecurity and cyber risk management. In short, S4
- Helped build the OT security community
- Highlighted a lot of fresh, relatively unknown talent in the OT security community
- Brought attention to great work and new ideas
- And gave me the opportunity to see the best in world work and meet the best in world talent
I now spend about two-thirds of my time working on our annual S4 conference and love it.
Crafting A Life
One of the things I’m happiest about is that Digital Bond has allowed me to craft my life. Many of the decisions I’ve made haven’t worked out, but they were my decisions. Living where I want. Picking the projects I want to work on and passing on many others. Being able to say and write what I want without restriction, although this has cost me money.
Some of the Digital Bond alumni, the ones that most embraced the Brand You approach, have also been able to do this. I hope that you will have the opportunity to make decisions and craft your life.