Becoming an ICS Security Specialist

During one of my recent lectures on ICS Security one of the students asked me where he had to start to become an ICS Security Specialist. Since I couldn’t give a clear answer right away, I put some thought into the subject and tried to gain more insights on the most important requirements and potential career paths.

OT versus IT

For starters, I need to explain the difference between Operational Technology (OT) and Information Technology (IT).

OT refers to computing systems that are used to manage industrial operations. Operational systems include production line management, mining operations control, oil & gas monitoring etc.

IT refers to computing systems that are used for other more administrative tasks. IT systems include e-mail, ERP solutions, office suites, internet access, etc.

It’s important to know the difference, as there are several differences between the tasks and responsibilities of both environments. Which means they have other priorities and concerns.

DIY: Do it yourself

Since there are no real studies combining bot topics, you will have to acquire the necessary skill sets and gain knowledge on the subject yourself. Training courses such as SANS ICS training curriculum, Red Tiger ICS training, Scadahacker ICS trainings can help you along the way.

When you start your career, you will most likely not start as an ICS Specialist. Which means you might end up on either the IT or the OT side of a company. Being an ICS Security Specialist implicates that you are ‘on top’ of both. So you need to get acquainted with ‘the other side’. Make sure to talk to people working in both environments, since they have tons of knowledge and experience to share. Don’t be afraid to ask questions and be eager to learn. Accept that you might have different views on security however.

Personally, I am an IT person who stepped into the OT scene several years ago. My career path led me from being a master in electronics, towards a job as security engineer. Later I became a security consultant and penetration tester (How to become a pentester) until I ended up as an ICS Security Specialist. That would not have been possible without tasting both sides, with an open mind and attitude.
Join the other side

In the past, OT environments used to be island. Today that’s no longer the case, as they get integrated with IT networks. Business requirements and mobile data access are the most common drivers, next to manageability and even security (although that might seem to be counterintuitive). This makes the need for IT/OT security experts more pressing than ever. So if you’re thinking about becoming an ICS Security Specalist, you will not have to worry about finding a job.

Triggered by the IT/OT challenges? Then listen, learn and join ‘the other side’. Let me know what you think is important to become an ICS Security Specialist in the comments.

* DISCLAIMER * This is a copy of my original blogpost posted on the Toreon website while I was still working there