We took a short pause on back-to-back training this summer; while courses have still taken place, the lure of a vacation in the sun has reduced attendance. September always reminds me of going back to school after a long summer break; even though the years have passed, the cold damp air in the morning and the smell of autumn take me back in time with thoughts of education, learning and the first day of a new academic year at school.
Today is similar but slightly different, instead of going to school, I get to see dates for the delivery of courses that I’ll be teaching coming into my inbox. I wonder sometimes, how did I get here and more importantly why am I teaching a cyber security course for OT engineers?
Design, Fate, or Destiny
Teaching was never a career which interested me; in fact I always had the utmost respect and admiration for those who could stand up in front of a class and impart knowledge and induce learning. I have never been one to keep my knowledge close to my chest, totally the opposite in fact: I will share my experience and mentor anyone who takes an interest in topics I can assist with.
Working for a system integrator quickly taught me not every engineer had the same level of skill or experience, and those who also had strong enterprise IT skills, design, networking, hardware and especially security are thin on the ground and in strong demand.
Recipe and Ingredients
There is a level of repetition in security, despite what may be portrayed by many security professionals or consultants, that’s not to say that you can use the same approach for everything! There is a cookie cutter approach that can be taken if you know what you want to achieve and also what works for OT.
Understanding and accepting that OT systems may not be patched, are possibly working on unsupported operating systems or without meaningful endpoint security, some IT people would say you are trying to catch rainwater with a cullender! However, there are ways to make headway and significant improvements if you have the right recipe and ingredients.
Acknowledging limitations and weaknesses is a strength. Taking time to understand how systems are exploited by adversaries, red teams, pen testers or disgruntled employees allows you to compensate for elements that may be present within the deployed architecture which are within your sphere of influence or control.
If elements such as patching cannot be addressed, take these off the table and focus on what can be achieved with the resources and access levels available to you. Just because you cannot plug every leak, doesn’t mean that you can’t stem the flow!
In the classroom the course focuses on what can be realistically achieved and how to use the building blocks to deliver defence in depth. Starting with Governance, we explore what is required from key frameworks such as IEC 62443 and map out how this actually translates into your operation. Likewise, we explore the NCSC Cyber Assessment Framework (CAF) for those customers who operate in regulated industries and how both can influence system design.
Networking is often not fully understood by many IT techs, never mind OT engineers, so we take a few hours to explore how this works from first principles … we know engineers like to ‘know how stuff works under the hood’!
Exploring how ‘pen testers’ do their magic allows for defences to be applied which would normally go uncovered; there are several weaknesses in default settings that are often exploited. Addressing these and other common approaches provides a strong foundational base.
Debloating Windows, applying security which is consistent and approved by industry and exploring the hidden but built-in functions that exist in a modern operating system may avoid the need for many 3rd party applications, especially if you are only looking for foundational security.
Bake in the Oven
We take all this knowledge and much more, explain how to unpack this into designs and guide the delegates to test and try this in the lab environments. There are 10 virtual machines that we deploy in our training per delegate, so you get to try skills first and on a variety of standalone systems as well as Active Directory integrated.
Delivery of the course is undertaken by experienced cyber security professionals who are time served and who can answer questions specific to your environment and configurations. The course is highly interactive and by day three over 50% of time is hands-on in labs for the duration of the course.
Applied Cyber Security for OT is a classroom based course, what has been communicated back to us from previous delivery is the value of sharing experience with others while having direct access to highly experienced professionals to address questions directly without having to refer. The context of the course delivery is tailored to the audience, with examples often presented to those who are from that exact vertical. Material is constructed to allow those who absorb and process information quicker to proceed at their own pace, with optional labs to complete.
Update January 2023 - NCSC Assured Training
While the course is our own design, we have been asked by several candidates if this could be validated by an external body. Good news is that we are NCSC Assured; this means the content of the training, the full delivery of the training and the QMS for the training have been approved.
Applied Cyber Security For OT Engineers has been approved by APMG using the NCSC certified training scheme criteria for content. The courseware used on this training has been approved by APMG in accordance with the NCSC criteria for course content. This does not imply that the courseware is NCSC certified.
The course is classified as an application level course and is listed on the NCSC website as assured training.
There is also an official certification and exam which outlines the skills and competencies gained, which aids workforce assurance of applied skills and knowledge.
SolutionsPT delivers the course from its office in Cheadle where we have a dedicated training room which has the latest technology including 34” widescreen monitors, making the training a truly enjoyable experience. The course can also be delivered directly at your place of work through Bring Your Own Device (BYOD) which connects to our virtual training centre.
All you need is a laptop with Wi-Fi and Microsoft Remote Desktop client ... we’ll bring the rest! Dates of the next course delivery can be found at our website below.
If you would like to know more or request a quote for training delivery please reach out to Helen Fogg. Email: firstname.lastname@example.org