Showing posts with label Certifications. Show all posts

Tuesday, August 11, 2015

Self-Development for Cyber Warriors

Because of my 15+ years in cyber security and my roles in cyber security management, I am often asked about career development and about ways to advance into CISO-level jobs.  I often suggest looking at certifications and experience as the best starting points; however, I recently came across a really useful document from the Small Wars Journal written by Gregory Conti, James Caroland, Thomas Cook and Howard Taylor.

http://smallwarsjournal.com/sites/default/files/893-conti.pdf


In 2011, Conti et al. wrote Self-Development for Cyber Warriors (screen shot above).  You can download the full article at http://smallwarsjournal.com/sites/default/files/893-conti.pdf .

Although this is intended for current military personnel advancing in US Cyber Command, there are many good -- no, EXCELLENT -- ideas written down to guide someone toward becoming a smarter and more valuable cyber security professional.

Some key elements of this 34-page document include:

  • Key Categories of Cyber Expertise
  • Professional Reading (Books, Sci-fi)
  • Technology News, Magazines and Blogs
  • Cyber Warfare Journal and Magazine Articles
  • Doctrine and Policy
  • Professional Societies and Local Gatherings
  • Academic, Military, Government and Hacker Conferences
  • Videos and Podcasts
  • Movies
  • Training, Education, Certification and Self-Study

Starting on page 26 the authors provide five different "Self-Development Roadmaps" for military officers and NCOs in different stages of their cyber careers.  Regardless of the focus on the military career elements, the Roadmaps offer some great ideas for everyone from the new cyber student up to the more seasoned cyber expert.  You may want to look over the Roadmaps for ideas and then build your own.

Lastly, Table 12 offers a "heat map," if you will, of various topics.  Based on which Cyber Workforce you are in (or want to be in), you can gauge the importance of the various sectors and areas of specialization.  An excerpt of the table is included below:


Overall, I wish I had had this resource when I was just starting out in the field.  And, even though this was written in 2011, the guidance is timeless and can provide a super foundation for your and your cyber co-workers' career growth.

Well done to Messrs. Conti, Caroland, Cook and Taylor!  Thanks for the contribution to the cyber society!

###

Wednesday, September 10, 2014

Fundamental Skills for Any Security Practitioner

As a consultant, teacher and author I am often asked about the key knowledge, skills and certifications required to be a "successful" CISO or security professional.  The questions are usually around such issues as "Should I get my CISSP or CISM?" etc.

My usual response is often focused on having the "fundamentals" down pat such as understanding the business and having strong communication skills -- especially with upper management and the groups you are supporting.

This past quarter, in my Masters of Infrastructure Planning and Management program at the University of Washington, one of the assigned readings in my Comprehensive Emergency Planning course (IPM501) was entitled "Report of the 2013 Disciplinary Purview Focus Group: Scholarship and Research to Ground the Emerging Discipline of Emergency Management."

Sounds dull, doesn't it?

The report was written by a group of scholars studying the field of emergency management.  Their focus "...was to identify the body of scholarship and research related to emergency management's purview that could ground the discipline, particularly as it relates to the education of students."

The report had some interesting perspectives on the subject; however, my key takeaway -- and worthy of me spending time on this blog -- is Appendix J: Skills Emergency Management Students Should be Able to Demonstrate upon Graduation.

This Appendix lists the following skills, in which I think any security professional should also have competence:

  • Verbal Communication
  • Written Communication
  • Interpersonal Communication
  • Group Communication
  • Network Building and Stakeholder Engagement
  • Analytical Thinking
  • Application of Research in Practice
  • Problem Solving
  • Decision Making
  • Leadership

So, to my friends, students and colleagues who ask me "What skills do I need to possess to be successful in the security field?": the list to follow is above.  Then work on your technical skills such as a CISSP, etc.

Thanks to my professor, Robert Schneider, Ed.D., Director of Emergency Management for Grant County, Washington, for this reading requirement.  Appendix J made it worth the read.

###

Thursday, April 3, 2014

A Month-Long View of Industrial Controls Security Training

For the past four weeks I have been immersed in Industrial Control Systems (ICS) security training.  My journey began on March 12th, when I spent five days in the SANS ICS training in Orlando, followed by about 15 hours of web-based ICS training from ICS-CERT, then two days in Burbank, California attending the ISA training on the ANSI/ISA-62443 Standards.  (By the way, the 62443 standard used to be called the ISA99 standard.)

What I'd like to do is offer a view of these different training options to give you a sense of why some professionals will need this training and how the ICS-CERT training can be especially helpful for managers and supervisors overseeing work on ICS.  Also, I'll let you know about free training that does not require travel or substantial resources.

Why am I Taking These Classes?

Right now my employer -- Securicon -- is focusing on industrial control security, and the SANS certification -- GICSP, discussed later -- may be a key cert to have in the company for future work at some select global energy/oil/gas companies.  Secondly, one vendor we work with has asked us to complete the ISA training on the ISA-62443 standards.  Therefore, I'm the designated player for the company and have been sent to these courses -- not that I'm complaining!  I love this stuff and I'm up for another security certification in this domain.

SANS ICS410 ICS/SCADA Security Essentials (~$4,395 + $599 for GICSP test)
This course is offered in a classroom (and now as an online option) by SANS.  I was privileged to be in a class in Orlando with about 57 other students from literally around the globe.  The instructor was Mr. Justin Searle who is by far one of the best IT security instructors I have ever experienced as either a student or co-instructor.

The course runs for five consecutive days, with class beginning at 9 AM and ending at 5 PM with breaks and a lunch in between.  The days were broken down as follows:

  • Day 1 - Industrial Control Systems (ICS) Overview
  • Day 2 - ICS Attack Surface
  • Day 3 - Defending ICS Servers and Workstations
  • Day 4 - Defending ICS Networks and Devices
  • Day 5 - ICS Governance and Resources

Each day included some hands-on exercises.

At the end of the training you receive a certificate of completion; however, the true goal for myself and many others is to pass the Global Industrial Controls Security Professional (GICSP) certification from SANS.

The GICSP certification involves a separate test with a minimum passing score of 69%.  I hope to take this test before the end of April.

For more details on the GICSP and the class please go to these links:  GICSP, ICS410, SANS ICS Security.

ISA - Using the ANSI/ISA-62443 Standards to Secure Your Control System (~$1,510)

I just finished this course on April 2nd in Burbank, CA.  The class is a two-day event and this recent course was taught by Mr. John Cusimano -- again, another very good and knowledgeable instructor.  The class size was very conducive to open dialogue with the instructor and other students.

The focus of these two days was on the following key topics:

Day 1:
  • Introduction to Control Systems Security and ISA/IEC62443 Standards
  • Terminology, Concepts, Models and Metrics
  • Networking Basics (Do you know your OSI Model??)
  • Network Security Basics
Day 2:
  • Creating an ICS Security Management Program
  • Designing/Validating Secure Systems
  • Developing Secure Products and Systems
And like the SANS course, some hands-on exercises were included using tools such as Wireshark and the command line (e.g., netstat -a).

Upon completion of this course you are eligible to take a proctored test called the ISA99 Exam.  Passing this test will give you the ISA99 certificate from ISA, which demonstrates your knowledge and capabilities with the ISA standards used to secure industrial control systems.

For more information you can go to the ISA Cybersecurity site.

I hope to take this test before the end of April.

ICS-CERT Online Training -- Excellent Resource! (Free)

Finally, in my "spare time" between the SANS and ISA training, I've been working on two courses offered at no charge by the US Department of Homeland Security ICS-CERT organization.

The two courses are both web-based and only require that you register with the Training Portal.

The first class I took was 100W - Operational Security (OPSEC) for Control Systems.  This is a one-hour online class focused on ways to protect your industrial control systems by being cautious about releasing network information outside the company or to those who don't have a need to know.  The course also addresses phishing attacks, etc.  You get a certificate "...suitable for framing..." at the end of the course.

The second course -- which I highly recommend to executives, managers, supervisors and engineers interested in learning more about ICS security -- was 210W - Cybersecurity for Industrial Control Systems.  This course was excellent and took about 15-20 hours to complete.

There are 10 separate modules, listed below:

  • Differences in Deployments of ICS
  • Influence of Common IT Components on ICS
  • Common ICS Components
  • Cybersecurity within IT and ICS Domains
  • Cybersecurity Risk
  • Current Trends (Threats)
  • Current Trends (Vulnerabilities)
  • Determining the Impacts of a Cybersecurity Incident
  • Attack Methodologies in IT and ICS
  • Mapping IT Defense-in-Depth Security Solutions for ICS (longest but best module!)

Again, this training does not require any money, only your time to take the modules (which you can stagger over time).

Conclusion

ICS security continues to get focus from industry and government.  That is why SANS, ISA and ICS-CERT are continuing to bring in training modules for a broad range of players, from journeymen electricians to utility executives.  Take advantage of the training -- at least the free classes -- so you better understand how to best defend your Industrial Control Systems.

###
Saturday, September 21, 2013

New Certification Targeting Critical Infrastructure - GICSP
Info Security Magazine (not to be confused with my friends at Information Security Magazine, published by SearchSecurity and TechTarget) recently posted an article regarding a new certification entitled the Global Industrial Cyber Security Professional (GICSP).  Supposedly this new certification will be developed by a "...new industry collaborative..." in conjunction with the GIAC, or Global Information Assurance Certification.

According to the article:

The objective of the certification is to help organizations which design, deploy, operate and maintain industrial automation and control system infrastructure to ensure best practices, starting with individual skills and knowledge. The GICSP will be available to candidates in late November 2013.

The community initiative plans to establish an open body of knowledge for process control design and information technology security as well. When it comes to ICT security, system vendors, project engineering contractors, process operators, IT service providers and maintenance/support personnel all require a blended set of IT, engineering and cybersecurity competencies.

For a closer look at the details regarding the certification, areas covered, exam requirements and frequency of recertification please take a look at the GICSP details link here.

I will be sure to closely follow this certification and any other commentary that surfaces.  We all agree that industrial controls security should be substantially improved, and maybe this new certification will help raise awareness and performance standards in this critical area.

I would be interested in your opinions on this new certification.