SANS: How did you start working with the security of Industrial Control Systems?
I started working with operational technology (OT) companies in 2010 when utilities were trying to get a handle on Smart Grid technologies. I researched hardware and radio attacks to help utilities understand how criminals, customers, hackers, and researchers could access information on publicly accessible devices (such as smart meters) and try to use those attacks against servers and applications on the internal network. This ultimately resulted in the release of the first publicly available tool to communicate with smart meter infrared ports and generated talks at Black Hat USA and Defcon. Since then I have assisted with the assessment information security programs and penetration testing for companies in multiple OT sectors including military, food and beverage, utility, and distribution sectors.
SANS: What courses do you teach?
I teach the SANS ICS410 class. This class provides a baseline of terms and concepts relating to information security and operational technologies. The goal is to introduce OT team members with security concepts and to introduce IT and IT Security team members with OT concepts. This provides a starting point for teams and builds relationships.
At different SANS ICS events, I also teach the ControlThings.io hosted class titled Assessing and Exploiting Control Systems. This course teaches individuals the methodology for conducting security assessments and research within OT environments. It covers the core techniques relating to information gathering, industrial technologies (equipment and protocols), and the manipulation of field devices through hardware hacking techniques.
SANS: Why do you teach, research and practice cyber defense in Industrial Control Systems?
I teach because I like to ensure that I have a foundation of the basics for any specific topic. I try to relay this importance to my students and encourage them to research topics and dive deep into how a technology is implemented to understand it and the attack surface. I also try to facilitate conversation during the class. No security professional can be deeply knowledgeable about every topic. So, student involvement helps the class understand that they need to develop relationships with other information security professionals.
I have found it extremely difficult to conduct research in the OT security field. Every time I do not successfully interact with a technology, I felt like I had failed. It took me a while to realize my failures are the learning process rather than actually failures. I am not an Electrical Engineer, radio operator, embedded device developer, or a system / network administrator. I have also never worked in an organization that has OT processes and challenges. Thus, I have had to develop the patience that is required to research and understand technologies I have never interacted with before. I have had to learn methodologies to overcome these challenges and be successful through failures and successes. I want to pass this understanding onto my students to help them get through this barrier as quickly as possible so they can provide a positive impact to their organization and the information security community.
SANS: What made you choose to work in security?
I got my first computer in 1999, at the age of 31, as I was transitioning out of the United States Marine Corps. When I heard about criminals remotely accessing computers over the internet, I felt like it was entering someone's garage and stealing tools, bikes, etc. But, I realized, tools and bikes are physical objects and hard to miss when they are gone. Digital documents and passwords being virtual, you might not even know that they are gone. This made me very angry knowing that criminals were preying on other people and most people would not even know they had been attacked or violated. I wanted to do something about it. So, I decided to concentrate on information security. At first, I defended businesses, but then I realized that I needed to understand how attackers were attacking technologies. Thus, I began attacking networks and conducting security research to help myself understand how to defend them better.
SANS: What was your first SANS course and GIAC Certification?
According to the GIAC Certified Professionals page, I took the SANS SEC401 course in 2003 and achieved my first certification, the GIAC GSEC, soon after. I quickly followed up with the SANS AUD507 course (it was a different course number back then) to earn my GIAC GSNA certification. I solidly believe that a lot of my success in this industry is related to that audit course and the GIAC GSNA certification. It helped me understand how the concepts from SEC401 applied to a business. It formed an excellent foundation to my information security education.
SANS: What tips can you provide newcomers to ICS cyber security and defense?
Information security has become an extremely complex challenge, and it is compounded by OT technologies and their purpose. There are so many technologies involved with any organization it can be extremely difficult to be an expert in everything. This is very overwhelming for most people. Newcomers and students need to understand that they are not responsible for being an expert in everything. They are responsible for knowing how to quickly research a topic to understand its capabilities and attack surface. This will help them understand how to detect and defend attacks. I try to help every newcomer and student understand this and to develop relationships with other information security professionals to expand their knowledge and give them a place to turn to when they have questions. Seasoned information security professionals all have questions. They just know to research before asking, try to do the thing on their own, ask questions when they need help, and verify what they have been told through implementation.
SANS: Who has influenced your information security career?
USMC – set me up with the G.I. Bill, and then let me fend for myself.
Jon Squire – convinced me to try my hand at LostboY 1057’s (@1o57) Mystery Challenge at Defcon, and then he let me fend for myself.
Harlan Carvey – got me hired to the IBM Emergency Response Team to do incident response, and then he left me to fend for myself.
Ed Skoudis and Matt Carpenter – brought me to InGuardians to do penetration testing and security research, and then they left me to fend for myself.
Tom Liston – I went to work at Warner Bros. to work with him, to defend a product, and to lead a team, and then he left me to fend for myself.
Tim Medin, John Strand, Justin Searle, John Sawyer – All encouraged me to start my own company. Which made me realize, this community rocks and I’m not actually fending for myself.
SANS: What do you want people to know about you?
In the words of one of my close friends: “Marine, martial arts, family, colorful sleeves, you painted your office island blue and your wife nearly had a heart attack. You love the beach with your boys, you’re really a giant teddy bear, no matter how well you get to know someone you will always use ma’am and sir, you’re humble as can be, a learner and a doer. Shall I go on?”
SANS: Favorite quotes?
- “Three points of contact at all times.” – climber rule I taught my sons when they started climbing things.
- “The most dangerous phrase in [any] language is, “We've always done it this way.”” – paraphrased quote from Admiral Grace Hopper.
- Brazilian Jiu-Jitsu
- Knife Hands
SANS: Tell us about things you love that people may not expect.
- Brazilian Jiu-Jitsu
- Knife Hands