The first children’s book to address SCADA/ICS security (Supervisory Control and Data Acquisition/Industrial Control Systems) has caught the attention of both industry and government, and may turn out to be one of the more influential articulations on the subject of protecting systems that govern critical infrastructure.
I was given an advance pre-publication copy of the manuscript (hence, some of the illustrations here are not colored in yet), and at first glance SCADA and Me is simply the story of a child named Little Bobby who has been asked to protect SCADA/ICS, but he’s not sure what it is.
The slightly older character Matt offers to help teach Little Bobby about SCADA/ICS systems, the locations in which you can find them, and some basic tips on how to protect them.
Reading a little deeper into this simple story, it is obvious that this book is not necessarily directed at just young readers. It is a powerful critique of the state of SCADA/ICS security, and a resounding call to action for policy makers.
Author Robert M. Lee (@RobertMLee) is the Founder and Director of hackINT, a 501(c)(3) non-profit organization that teaches free basic-level cybersecurity classes in the subjects of hacking, forensics, intelligence, and defense. Additionally, he is an active-duty US Air Force Cyberspace Operations Officer working under the Air Force Intelligence, Surveillance, and Reconnaissance Agency where he leads a national-level cyber defense team.
Lee is also an Adjunct Professor at Utica College where he teaches graduate-level classes in digital forensics in the M.S. Cybersecurity program. He received his B.S. from the United States Air Force Academy, his M.S. in Cybersecurity – Digital Forensics from Utica College, and is currently working on his PhD in War Studies at King’s College London where he is researching control systems cyber security.
The inspiration for the book came after Lee was asked to brief a team on SCADA/ICS security by assembling a presentation designed to explain important aspects of system security.
“By the end of the briefing they let me know that they thought it was all very interesting, but that they wanted me to come back with a non-technical version. It didn’t sit well with me at the time because this group should have known the basics already, so I went home pretty frustrated,” Lee said.
“The plan was to give it to that team the next time I briefed them as prerequisite reading. Once I finished it though, I realized that it could actually be educational for anyone interested in the subject, and might inspire some kids to get involved in control engineering or cyber security,” Lee continued. “I think that is probably the most important aspect of the book.”
However, Lee says he wrote it for management just as much as for children, and particularly for the frontline engineers and security folks who deal with topics such as SCADA/ICS every day. Nonetheless, the satirical tone is evident, and actually makes the book an entertaining read for those in the know.
“It can be difficult not to get a bit frustrated or cynical when you see people using a field you love to further their own causes – whether that is financial, political, or career based. The people that don’t have a true interest in the field get a lot wrong about it and then try to educate people with incorrect concepts,” Lee said. “The goal was to give them a book to express their frustration in a positive way that can also educate and generate some laughs at the same time.”
Lee had approached Richard Stiennon (@stiennon), chief research scientist at IT-Harvest and publisher at IT-Harvest Press, about writing a chapter on the history of cyberwar for another book he is putting together, and decided to show him the manuscript for SCADA and Me.
“Rob broached the subject of our publishing his children’s book concept. I was intrigued because it took me away from the model I had chosen for IT-Harvest Press: non-fiction books by acknowledged experts,” Stiennon said. “This was different and fun. Rob pitched it as an educational tool for managers and policy makers disguised as a children’s book.”
“I think Richard’s preference was for me to write something about forensics or intrusion analysis which is more aligned with my expertise, but since I had already written SCADA and Me and was in the process of having Jeff Haas illustrate it, I figured I’d go ahead and pitch it to him,” Lee said.
“I let him know I had a book for him and explained the topic; I don’t think he really believed me at first, but once he saw what I had he loved it. It was probably an easier decision for me to work with IT-Harvest Press than for Richard to decide to use his publishing house for a children’s book,” Lee quipped.
Lee has written articles on control system cyber security, the direction of the cyberspace domain, and advanced digital threats for publications such as Control Global, SC Magazine, Australia Security Magazine, Hong Kong Security Magazine, Cyber Conflict Studies Association, and Air and Space Power Journal, but this was his first try at producing a book.
“I’ve written journal and magazine articles before but never a book, though I am working on several now, but I knew I didn’t want my first book to be too serious,” Lee said. “My attitude and personality is often focused on being playful, and so I am happy to have published a children’s book for policy makers as my first title.”
The book was illustrated by Jeff Haas, who Lee reached out to after seeing some of his artwork and being impressed not only with his style, but also with his passion for working with kids.
“Haas and his wife do some awesome things from producing educational materials to working at a children’s museum. He’s one of those people I feel very fortunate to work with and I couldn’t be happier that this book has given a wide audience an opportunity to see his talented artistic skills and passion for education,” Lee said.
Reaction from the Security Community and Beyond
Sales of the book have taken off, driving it up the best sellers list on Amazon, and Lee was a little surprised by the fact that the security community has responded so positively to the book, saying he has been absolutely humbled by the reactions he has received thus far.
“I’ve had people in different communities give me great feedback, and I think my favorite was from a person who told me that at one security conference my book was being held up and quoted during presentations as if it was the SCADA Bible,” Lee said with a chuckle.
That person was Patrick Miller (@PatrickCMiller), managing partner at the Anfield Group, founder of EnergySec, and a Principal Investigator for the National Electric Sector Cybersecurity Organization (NESCO), who says the SCADA/ICS security community simply loves the book.
“It was a huge hit at the recent EnergySec Summit, and it was mentioned no less than five times in the recent North American CISO Forum meetings, so I’d say it is resonating with senior management as well. Next on my agenda is getting it in front of Congressional staffers to help bring them up to speed,” Miller said.
“The book is balanced enough to raise some issues without polarizing the community, and I expect it to be useful for all of the SCADA/ICS security types as a foundational element – as in, ‘Here… Read this, and then we’ll talk,’” Miller continued. “Simply put, it simplifies a hard to describe thing, it’s short enough and easy enough to digest that it will be useful in ramping anyone up on the topic.”
Stiennon agrees, saying that within the SCADA/ICS community, the response has been fantastic. “Somehow SCADA and Me was passed around at EnergySec and started to get a lot of favorable reviews both on Amazon and in blogs,” Stiennon said.
“At this rate I expect SCADA and Me to have a much bigger impact than we originally anticipated. Short term, there will be a lot of copies making the rounds of IT departments – even the halls of government – so the conversation about SCADA/ICS security will accelerate, and long term I suspect there will be many more kids growing up wanting to be power and industrial controls engineers,” Stiennon predicted.
Miller says from experience that the book is probably still a step above children, but very close to the mark. “I tried it on my own kids ages 5 and 7 years old. They still needed much additional explanation, but I must admit, it was probably the first time they actually understood what their Dad does for a living.”
“Best part is having a visual aid for kids, as the pictures help further the discussion. The light sarcasm clearly aimed at the adult readers is disguised well, and made it entertaining for me, while the kids came away with a sense that Dad’s job is to help protect something very important, and that it needs people to protect it because it can’t protect itself,” Miller said.
Lee says there has also been a lot of great feedback from people who were never interested in this particular field before, or even in security for that matter. “Some people just thought it was neat and were happy to learn something new, and others have used it as a motivation to get involved, which is amazing.”
To top it all off, Toomas Ilves, the President of Estonia, even sent out a Tweet saying that he instructed his staff to read SCADA and Me.
“I was just very honored that he had read it and enjoyed it, as he is someone I have an incredible amount of respect for because he’s an inspirational leader dedicated to securing Estonia’s infrastructure, educating children, and protecting his citizenry’s privacy,” Lee said.
The State of SCADA/ICS Security
Lee says one serious problem with SCADA/ICS security is that too many tout themselves as experts in the field either to get a job, land a massive contract, or to push some personal agenda, making it difficult to find authentic and passionate experts.
“And beyond the fake experts, the biggest problem is everyone is buying into the media hype. Everyone has heard the word ‘Stuxnet’ more times than they can count, and likely much more than they would like,” Lee said.
While there are a lot of lessons to be learned from the malware that took down centrifuges in Iran, Lee says it is not a common threat and should not be the main impetus for action.
“It took a nation-state or two to create Stuxnet, utilizing some of the best engineers and analysts in the world, and the community has never seen anything like that before or since, yet defeating that type of threat is what most people are concerned with,” Lee said.
“If the only way our networks and control systems could be compromised is if a nation-state funds a massive and multi-year operation to get inside, then we are absolutely winning, but that’s not the case,” Lee said.
“We as a community need to raise the bar on security to the point where attackers cannot get into these critical systems with simple attacks like SQL Injections and reused exploits, or through poorly configured networks.”