In my last interview, I spoke with Jen Fox. She’s a Senior Security Consultant who specializes in compliance.
This time, I had the pleasure of speaking with Valerie Thomas. She has a lot of expertise in both penetration testing and industrial cybersecurity.
Kim Crawley: Please tell me about your cybersecurity role and how you got there.
Valerie Thomas: My current role is an Executive Consultant with Securicon, which equates to the lead technical consultant of the penetration testing group. The majority of my time is spent performing penetration testing and vulnerability assessments of various software and hardware, also known as hacking all the things. Securicon is heavily involved in industrial control systems (ICS) and supervisory control and acquisition (SCADA) spaces, so I spend a lot of time in power plants and other critical infrastructure facilities. My niches are physical penetration testing and social engineering, which means that I get paid to break into buildings.
I wasn’t aware that ethical hacking was a career option until my senior year of college after reading The Art of Deception by Kevin Mitnick. I graduated with a Bachelors Degree in Electronic Engineering and immediately began seeking a network security position. However, this was in the early 2000’s before cybersecurity was a mainstream career field, so a lot of knowledge was obtained by knowing someone who could teach you about ethical hacking and vulnerability assessment. I entered into a Department of Defense internship program for network engineering and basically sought out those who could educate me.
KC: ICS and SCADA security is very niche and poorly understood. And yet, we’re all directly affected by it. We all use electricity and water, for instance.
What are some of the challenges that are specific to keeping ICS and SCADA secure?
VT: Many of the systems used to support critical infrastructures, such as electricity and water, are extremely outdated and lack effective security controls. However, the systems in question are not easily upgraded or replaced. While isolating the network from the rest of the world sounds like a solution, misconfigurations and inexperienced staff can potentially expose the equipment to the internet. Although regulatory standards exist, they are only applicable to the utilities and not the vendors who supply them with equipment. Often the utilities are at the mercy of the vendor to provide them with a secure and compliant solution. The combination of unique operating environment, limited technology, inadequate employee education, and vendor accountability make these environments difficult to secure without impacting operation.
KC: How quickly is IoT being implemented in the SCADA space, and what are the related security issues with that?
VT: Although IoT is useful in many implementations, it isn’t a direct replacement for SCADA systems. Therefore, it is used in supporting roles, such as IP-enabled security cameras to monitor the physical security of remote facilities. If IoT devices, such as security cameras, are exposed to the Internet without proper security controls, an attacker could potentially infect the cameras and prevent the owner from accessing them. However, the attacker would not be able to access SCADA systems directly from the infected cameras. Depending on the configuration of the networks, the attacker would need to perform multiple attacks to potentially reach the SCADA systems.
KC: Considering that IoT introduces an internet attack surface to industrial systems, is it really necessary in that sector?
VT: All sectors require physical security systems, such as video cameras. If a utility plans to introduce IoT devices into their environment, they should ensure that they reside on a network that does not connect with critical assets.
KC: As a woman who works in cybersecurity, how do you think we can encourage more young girls to consider careers in our field?
VT: Early exposure and education play an important role in encouraging young girls to consider careers in the cybersecurity field. There appear to be many programs for elementary and middle school students, but I believe that it’s also essential to keep the momentum going with high school and collegiate level programs as girls at those ages can feel isolated and/or discouraged when the material becomes challenging.
KC: What are some misconceptions people have about what you do?
VT: The most common misconception about what I do is that it’s exotic and doesn’t take much time. In reality, hacking can be tedious and time-consuming. When attempting to use technology for unattended purposes, you are going to fail many times over. If you are not ok with failure, then ethical hacking is probably not for you. The true payoff comes when the exploit that you’ve been working on (and failing at) finally works.
KC: Excellent! Is there anything else you’d like to add before we go?
VT: If I had to give advice to someone who is interested in cybersecurity, it would be to never underestimate the power of saying “I don’t know.” People in this industry tend to think that they should know everything about everything, and it simply isn’t possible. So don’t be afraid to answer with “I don’t know” as long as it is followed with “but I’m going to find out.”
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.