Lesley Carhart's Cybersecurity Blog

I get asked about where to start learning OT cybersecurity as a student a lot. I fully realize that attention spans are short and people are busy, so without further ado let’s get to my top five recommendations:

1. Focus more on processes and systems of systems than hacking individual devices or protocols. The hardest thing for IT people to grasp in OT is what really matters and how adversaries can intentionally or unintentionally cause physical consequences. One single device rarely causes these consequences. Industrial processes are complicated and full of failsafes and redundancies. Spend all the time you can in industrial environments asking questions and understanding how the process and all its digital and analog devices fit together. Understand what a bad day actually looks like – it’s likely not anything to do with malware or a domain controller being hacked. Most individual industrial protocols and devices are insecure by design. Adversaries spend a lot of time doing recon not to learn to hack into the PLCs, but to understand how to tamper with complex and resilient systems of systems. Often, they don’t even do traditional exploitation or use traditional malware.
2. Focus on just one process when first learning. OT is a huge space and unless you’re getting a whole degree in mechatronics or electrical engineering you probably won’t be an expert in the specifics of even one process and its technologies. You might choose a process you have physical access to learn in due to work, friends, or family. Or you might just pick one that interests you enough to spend months studying it in intense detail. But pick one and explore it from the top down – general chemical, electrical, and mechanical processes, what can go wrong, key components and mitigating safety controls, control systems layout, and then exploration of the specific digital systems and protocols in play and their topology. If you learn one process you can learn others to that level of understanding.
3. If you’re not firstly thinking about safety and process continuity as you learn, you’re doing something very wrong. We do cybersecurity in critical infrastructure and process environments to keep the process running safely and within industrial regulatory standards, period. There are occasionally secondary concerns about industrial espionage. That’s about it. If you’re going on tangents about worm infections or audits, you’re probably missing something really important. While there are regulatory standards for cybersecurity in some industries, they exist to keep critical processes defended against disruptions and life and safety impacts.
4. Get really comfortable with old computers. A lot of young people today didn’t build their own PCs or code their own applications or websites. The uncomfortable truth is that even a Computer Science degree might not have taught you essential foundations to understand computers from the 1980s, 1990s, or aughts. These computers and their associated network protocols are still ubiquitous in OT, and will be for the foreseeable future. One of the key things we screen young OT candidates on is their knowledge of older hardware, Windows, and Linux. We have to because those foundations are learned over a long time and we need hires to hit the ground running. Tools are much easier to teach.
5. Take advantage of free learning resources. This is a space that requires a lot of self study and tangential work experience. Professionals in OT cybersecurity all have odd origin stories – there are very few credible university programs on the field, and the few credible certifications are relatively expensive. Beyond my own blog, I highly recommend my friends Mike Holcomb’s videos on ICS cybersecurity, and Rob Lee’s blog list of ICS learning resources. SANS Institute has a bunch of free learning resources on ICS as well, which I sometimes contribute to. Idaho National Laboratories has training that is free for people with certain email TLDs.

I hope this gives you a few more ideas! Happy new year!