Derek Harp is happy to welcome Pascal Ackerman as his guest for today’s podcast!

Pascal is a security professional, focused on industrial control systems and he's currently the Sr Security Consultant for Operational Technology - Threat & Attack Simulation at GuidePoint Security. He has a Master’s of Science degree in Electrical Engineering (MSEE/CE). He has had 18 years of experience in industrial Ethernet design and support, information and network security, risk assessments, pen-testing, forensics, and threat hunting, WAN/LAN/Internet and Wireless Technologies, Windows Environments, Unix, Linux, IIS, and Apache.

He specialized in the architecture, engineering, and securing of plant-wide Ethernet networks using Purdue-model design strategies, IDS/IPS sensors, network monitoring, Security Information, and Event Management (SIEM) solutions, next-gen firewalls, MS domain services, WSUS servers, MS SQL server clusters, etc.

Pascal was born and raised in the Netherlands. Right after leaving high school, he was put behind a POC by a company that sent him out across the world installing prototype machinery for filling machines. He is an engineer, programmer, gamer, hacker, traveler, tinkerer, pen-tester, and father. 

In this episode of the (CS)²AI Podcast, he shares his superhero backstory and discusses his certifications, his education, and his career path. He also offers advice for those who would like to get into the field of cybersecurity and people thinking about writing a book.

If you are considering a career in cybersecurity or if you are an engineer and want to specialize in cyber security, you will gain a lot from this podcast! Stay tuned for more!

Show highlights:

• After leaving college, Pascal stayed with the company where he did his internship. The company got him to set up a software simulation to test their POC programs and later put him on their commissioning team. (6:51)
• Pascal talks about what he did while working as a controls engineer. (8:08)
• How Pascal got invited to move to the US to continue with his work. (9:50)
• Pascal explains how many doors opened for him after presenting his first report in 2005. (12:27)
• Pascal talks about how security measures first intersected with his work in 2008-2009. (14:07)
• Pascal pinpoints the moment when he decided to change his career path. (16:00)
• Pascal offers advice for traditional engineers who want to improve what they do and join the cyber security workforce. (17:35)
• A Network Plus certification will help controls engineers understand the fundamentals of networking. (18:19) 
• Pascal explains why he got hired as a commercial engineer in Network and Security at Rockwell. (21:16)
• Pascal talks about his book, Industrial Cybersecurity. (23:39)
• The book Hacking Exposed by Clint Bodungen inspired Pascal to write his first book. (27:50)
• How Threat GEN became a company based around a game Pascal developed. (29:10)
• Pascal offers advice on where people in IT who want to know more about safety, reliability, resiliency, and POCs can start. (32:36)
• The most successful companies have a combined IT and OT team with knowledgeable people on both sides. (36:43)
• Why do you need to figure out what you like the most and focus on that technology? (37:58)
• Architecture will be the next big step for monitoring everything. (45:06)
• Pascal discusses the process of writing his books and offers advice for those who would like to write a book. (45:49)

Links:

(CS)²AI

Pascal Ackerman on LinkedIn

Industrial Cybersecurity by Pascal Ackerman

Books mentioned:

Hacking Exposed by Clint Bodungen

Today, we've got a special episode to highlight a really neat initiative that’s been in the works for awhile. My guests are Bryson Bort and Tom VanNorman.

Bryson is the Founder of SCYTHE, a start-up building a next generation attack emulation platform, and GRIMM, a cybersecurity consultancy, and Co-Founder of the ICS Village, a non-profit advancing awareness of industrial control system security. He is a Senior Fellow with the Atlantic Council’s Cyber Statecraft Initiative, the National Security Institute, and an Advisor to the Army Cyber Institute. As a U.S. Army Officer, he served as a Battle Captain and Brigade Engineering Officer in support of Operation Iraqi Freedom before leaving the Army as a Captain. He was recognized as one of the Top 50 in Cyber in 2020 by Business Insider.

Tom leads the CyPhy Product group at GRIMM, where his primary focus is securing Industrial Control Systems and the networking of such systems. Tom brings an unparalleled level of operational knowledge and experience, as he has been working in the Operational Technology (OT) field for almost three decades. He also has considerable knowledge in constructing Cyber Physical testing environments for OT systems.

Tom co-founded the ICS Village, a non-profit organization focused on Control System security and awareness. He is also retired from the Air National Guard, where he worked in Cyber Warfare Operations.

ICS Village is holding Def Con 29, a 100% virtual event that takes place Aug 6th-8th. There are sessions and workshops covering all aspects of ICS. 

Show Highlights:

• How ICS Village was started
• The original 2 events - RSA and DefCon
• GRIMM and their involvement in ICS Village
• Why no one was thinking about Industrial control systems before ICS Village
• The artwork that started it all
• All of the events that ICS Village has throughout the year
• How the pandemic changed DefCon and the other ICS Village events
• The birth of Hack the Plant Podcast
• Capture the Flag and what we can learn from it
• Highlights of Def Con Table Talks and other sessions

Links:

CS2AI.org

ICS Village

DefCon Event happening Aug 6-8

Derek Harp is happy to have Wanda Lenkewich, the Founder and CEO of Chinook Systems joining him on the podcast today!

Wanda Lenkewich harnesses her subject matter expertise in engineering and construction, lifecycle commissioning, and facility management to advance the security and resiliency of critical infrastructure. She is the CEO of Chinook Systems Inc., leading an interdisciplinary team dedicated to commissioning, building systems and controls upgrades and replacements, and cybersecurity for facility-related control systems. Lenkewich has a passion for digital transformation and continues to innovate and advance technology that will protect and extend the life of buildings. That includes the full integration of cybersecurity into Chinook’s commissioning technology; Chinook's CyberCxTM program. Lenkewich is an industry advocate and founding fellow of the Control System Cyber Security Association International - (CS)²AI.

Wanda is an excellent example of a great set of career path choices! She is a well-rounded individual who brings a fresh perspective and experience to what she does today! She is an entrepreneur, a speaker, and a mechanical-minded engineer with a well-developed creative side! She is a painter, musician, horse enthusiast, and cook. 

In this episode of the (CS)²AI Podcast, Wanda tells her story, talks about her career journey, and shares some great nuggets of information about opportunities within the cyber security space.

You will not want to miss this episode if you are thinking about embarking on a career in cyber security or considering starting a company of your own! Stay tuned for more!

Show highlights:

• Technology first came into Wanda’s life at a trade show she attended while working at her first job. It fascinated her, and she fell in love with it immediately! (4:21)
• Wanda talks about the first job she did after graduating as a Mechanical Engineer at the Northern Alberta Institute of Technology. (6:15)
• Wanda talks about her satisfying experience when she first got into digital controls. (9:17)
• Wanda started building commissioning in 1991. It was all about the validation of control systems, and it was where she fell in love with databases. (12:16)
• Wanda discusses the catalyst that prompted her to leave the government and start her first company. (13:55)
• Wanda experienced a lot of frustration with the industry because it was slow to adopt new practices. She believes that things are changing, however. (17:45)
• Wanda talks about what happened in the period between the first and the second companies she founded. (18:36)
• The impact that Y2K had on her career path. (23:09)
• Wanda talks about being invited to the Pentagon to help launch their renovation project. She has had a constant and consistent relationship with the Pentagon via Chinook ever since. (29:14)
• Wanda talks about the challenges she faced while moving her business operation from Canada to the US. (32:09)
• When cyber security first intersected with Chinook. (35:33)
• The challenges with new construction and with existing buildings. (39:01)
• Wanda shares some advice based on her years of experience for people entering the field of cyber security. (45:14)
• It takes a lot of skill sets to build a strong cyber team in the OT world. (53:29)

Links:

(CS)²AI

Wanda Lenkewich on LinkedIn

Chinook Systems

Derek Harp would like to invite you, the listener, to next week’s (CS)²AI Online Symposium on Secure Control Systems for Smart Manufacturing. Manufacturing is a critical sector that forms a large portion of the American economy. It has over twelve-million workers and currently has 2.3 trillion dollars of output in the US alone! 

The symposium will be in two parts: Part 1 will take place on Wednesday, May the 25th, 2022, at 1 pm EST. Some great prizes will be given to the participants in the question process, including some valuable industry books! Part 2 will happen in August 2022. More topics on manufacturing will be covered in the second part by some additional speakers.

As a society, we take much of what gets produced within the manufacturing sector for granted, yet cyber threat actors take advantage of every vertical within that sector. Today, Colin Dunn, one of the (CS)²AI sponsors and the CEO of Fend Incorporated, and Isiah Jones, a (CS)²AI Founding Fellow and a well-known cyber security researcher and practitioner, join Derek to share their thoughts on the importance of cyber security for manufacturing. Stay tuned for more!

Show highlights:

• Isiah saw the kind of problems that happen under normal circumstances with manufacturing baby food years ago when he was with Jacobs Engineering. 
• Messing with manufacturing and the supply chain is sure to disrupt any society. 
• Supply chains have many vulnerable parts and do not need any additional stress like cyber-attacks right now.
• There are ways to keep cyber attackers out. The symposium is a way to explore some of those options. 
• All sectors, especially manufacturing, need to start spending more money on employing trained safety staff.
• One of the assets the manufacturing sector has is the safety culture.
• Thinking about cyber security as key to safety will help it get taken more seriously within the manufacturing sector.
• More attention needs to be paid to problems like ransom threats, the manipulation of logic, and intellectual property theft within the manufacturing sector.
• Much more action needs to be taken around security issues in the manufacturing sector. 

Links:

(CS)²AI

(CS)²AI Online Symposium Secure Control Systems for Smart Manufacturing

Colin Dunn on LinkedIn

Fend Incorporated

Isiah Jones on LinkedIn

Derek Harp is excited to have Vivek Ponnada, the Regional Sales Director for Nozomi Networks, joining him for another episode in the series on security leaders! Vivek was also a long-time contributor at GE.

Vivek Ponnada has over 23 years of experience in Industrial Control Systems. He currently serves customers in Western Canada for Nozomi Networks with market-leading OT and IoT Security & Visibility solutions. 

He started his career in ICS as an Instrumentation Technician and then became a Controls Engineer and commissioned Gas Turbine Controls systems in Europe, Middle-East, Africa, and South-East Asia. During his career, Vivek has held multiple roles including Sales, Marketing & Business Development, and Services covering Control systems & Cybersecurity solutions for Critical Infrastructure (Power, Oil & Gas, Water, and Mining) industries at GE and ICI Electrical Engineering in North America. He is a co-lead for the Top 20 Secure PLC Coding Practices Project and his recent talks and contributions include ICS Village (DefCon 29), Industrial Security Conference in Copenhagen & several BSides. 

Vivek has a bachelor's degree in Electrical Engineering from I.E. India, an MBA from The University of Texas at Austin, and GICSP certification from GIAC. He is an active member of the Infosec community in Vancouver, BC as a Board Member for Mainland Advanced Research Society, Volunteers for ISACA, and is a member of the ISA.

Vivek is a thoughtful and fun individual! He is an engineer, analyst, and finance guy! He is also a motorcycle enthusiast, an intermediate skier, and a husband! 

In this episode of the (CS)²AI Podcast, Vivek shares his backstory, discusses his education, and talks about his career trajectory. He also offers gold nuggets of advice for engineers with an interest in cyber security.

This is one show you will not want to miss- particularly if you are an engineer considering moving into the field of cyber security. Stay tuned for more!

Show highlights:

• Vivek grew up in South India. He became an engineer and developed skills in control systems long before he became a cybersecurity guy. (1:50)
• The first job Vivek remembers doing was helping someone with gardening when he was seven or eight years old. (2:98)
• When Vivek graduated from high school, he was in a technical program. So he was already in an electronics and communication phase. (4:10)
• Vivek studied his engineering undergrad part-time because he was also working full-time. It all worked out well because the work he was doing and his studies were all connected. (4:43)
• He enjoyed learning how to connect his work-life with his education organically. (6:25)
• Vivek discusses his twenty-year history with GE. (7:10)
• Security is a discipline that is a constant learning process. (12:26)
• Some helpful advice for engineers who have an interest in cyber security, but don’t know where to start or how to break into the field. (14:52)
• Vivek talks about the career challenges he faced at GE and how he navigated them. (19:00)
• Two things that most engineers tend to struggle with. (21:01)
• Vivek jumped around in his career path, so he never had a mentor. He had some excellent coaches and managers, however. (23:17)
• People in the cybersecurity community are always open to advising and helping one another. (25:14)
• How sales came into Vivek’s career journey. (27:09)
• Vivek talks about the Top 20 Secure PLC Coding Practices Project to which he is contributing. (30:40)
• It is always good to have a plan for the next few years. (32:57)
• Vivek shares his recommendations for career choices in the field of cyber security. (39:13)

Links:

(CS)²AI

Vivek Ponnada on LinkedIn

Nozomi Networks

Top 20 Secure PLC Coding Practices Project

The S4 Conference is one of the pinnacle events of the year for anyone interested in hearing deep subject matter experts speak. It is definitely worth attending if you are not formally part of the (CS)²AI community.

Today, Derek Harp shares a short podcast he created after attending the 22nd S4 Conference, held from the 19th to the 21st of April this year.

Dale Peterson is the Founder, Creator, and MC of the S4 Conference. He was on a recent (CS)²AI Podcast episode, talking about how S4 came about. Patrick Miller was also a recent guest on the (CS)²AI Podcast. He “accidentally” founded the informal yet powerful and informative after-hours BEER ISAC part of the S4 event.

The recent S4 Conference was a great opportunity for everyone to get back together, in person after Covid! This year, 800 people attended the event. The speaker line-up was just as amazing as it has always been in the past! Many women were present, and there was also a well-attended Women in ICS social pre-event that took place on the Monday before the main event.

In this episode, we share some comments on the recent S4 event made by Andrew Ginter, VP Industrial Security from Waterfall Security Solutions and Isiah Jones, Principal Security Engineer-ICS Security Integration from Resilience. Stay tuned for more!

Show highlights:

• Andrew’s biggest takeaway from the event was finding out that the industry wants cyber security regulations. 
• The shipping industry is price sensitive. They should spend some money and effort on cyber security but won’t spend a penny unless their competition does the same.
• Andrew explains why he was surprised to learn that the industry wants cyber security regulations.
• Isiah enjoyed the diversity at the event! He was happy to see so many female technical engineers and black people attending the event.  
• Isiah enjoyed seeing many new people interested in the more technical topics.
• Isiah explains why he was happy to see Jen Easterly show up at the event to address the community directly.
• Isiah enjoyed listening to new topics on PLCs, containers, and the latest attackers living off the land.
• Seeing and interacting with everyone at the latest S4 event, and seeing new people get their coins, was good for Isiah’s mental health!

Derek Harp is happy to have Patrick Miller joining him today for another episode in the Security Leaders series! Patrick is a well-known legend in the ICS cyber security space. He is currently the Chief Executive Officer of Ampere Industrial Security. (www.amperesec.com)

Patrick Miller has dedicated his career to the protection and defense of critical infrastructures. As President and CEO of Ampere Industrial Security, he is a trusted independent security and regulatory advisor for industrial control systems worldwide. In addition to his role at Ampere, Mr. Miller is also the founder, director, and president emeritus of EnergySec and US. Coordinator for the Industrial Cybersecurity Center. Patrick's diverse background spans the Energy, Telecommunications, Water, Wastewater, Manufacturing, and Financial Services verticals, including key positions with regulatory agencies, private consulting firms, utility asset owners, and commercial organizations. Patrick was instrumental in the establishment of the NERC CIP standards in the US as a drafting team member and the first CIP auditor in the nation. He currently serves on or contributes to multiple NERC CIP guidance and standards drafting teams. Patrick is also an instructor for the ICS456 NERC CIP course with the SANS Institute.

Patrick loves tech and the outdoors! As well as being a technologist, he is also a chef, a keen kayaker, a father, and a builder of communities! In this episode of the (CS)²AI Podcast, he tells his modern-day superhero origin story, talks about the various milestones in his professional journey, and shares valuable nuggets of advice for people from different backgrounds who would like to get into the cyber security industry. 

You won’t want to miss this episode if you would like to make a career in cyber security, become a better security professional, or start a cybersecurity business of your own. Stay tuned for more!

Show highlights:

• Entrepreneurship is in Patrick’s blood. (3:05)
• Growing up in the early days of technology, Patrick was lucky enough to get the new tech as it came out. (4:15)
• Patrick was using cutting-edge technology to do a senior capstone biology project just before he dropped out of school to do tech. (6:32)
• Any kind of background can be helpful for you as a security professional. (9:00)
• How phone systems have advanced and transformed over the last few decades. (10:30)
• Patrick’s first “hacking job”. (11:29)
• Patrick talks about when he decided to specialize in security and the point when industrial security first intersected with his journey. (13:23)
• Patrick discusses his stint as a regulator for WECC (Western Electricity Coordinating Council.) (17:54)
• Joining standards bodies in the early stage can help people break into the cyber security industry. (24:26)
• What motivated Patrick to start a consulting firm? (26:14)
• The Dawn of Energy Sec (Energy Sector Security Consortium). (32:24)
• Patrick shares his vision for Ampere. (35:15)
• Why good communication skills are essential. (38:40)
• What is ISAC all about, and how did Patrick instigate it? (41:40) 

Derek Harp is thrilled to have Dale Peterson of Digital Bond joining him for another great episode in the series on security leaders! Dale is a legend and leader in the cyber security industry!

For over 15 years, Dale Peterson has been on the leading/bleeding edge helping security-conscious asset owners effectively and efficiently manage risk to their critical assets. He has pioneered numerous ICS security tools and techniques, such as the first intrusion detection signatures for ICS that are now in every commercial product. In 2007 Dale created the S4 Events to showcase the best offensive and defensive work in ICS security and build a community. S4 is now the largest and most advanced ICS event in the world. Dale is constantly pushing and prodding the ICS community to move faster and get better.

Dale is a catalyst in the ICS cyber security space. He is most famous for his S4 Events. (The latest S4 Event will be coming up between the 19th and 21st of April 2022.) He is also an author, former cryptologist, skier, hiker, outdoorsman, well-known speaker, husband, and father. 

In this episode of the (CS)²AI Podcast, Dale shares his origin story and discusses his career trajectory. He explains what led him to start Digital Bond, he talks about how the S4 Events came about, and he also offers some valuable nuggets of advice for people looking to start a business.

You won’t want to miss this episode if you are looking for ways to get into the cyber security industry or if you want to know which moves to make to become a leader within the industry or start a company of your own. Stay tuned for more!

Show highlights:

• The most interesting and influential work that Dale did early on. (3:10)
• What it takes to produce S4 Events. (4:46)
• Dale first worked on computers when he was in junior high school. (6:06)
• After getting a degree in finance, Dale worked for the NSA as a cryptologist and then went on to work for a company selling military encryption equipment before starting his own company. (8:10) 
• Starting a company is not for everyone. (12:48)
• What led to Dale starting Digital Bond? (13:13)
• Dale shares his biggest failure so that others need not make the same mistake. He also offers advice for anyone wanting to start a business. (16:13)
• How the S4 events came about in 2007. (12:53)
• The highlights and the worst moments Dale remembers from doing S4 events. (30:15)
• You need never be afraid to try something new in your business or career. (32:05)
• Dale talks about where he has helped the most as a mentor. (36:54)
• If you are very good at something, you can quickly make yourself known and become the best in the world at it in new sectors. (38:06)
• Where you can start reading and researching to augment your professional knowledge. (42:39)
• You need to understand your mission when you start a conference or an event. (48:42)

Links:

(CS)²AI

Dale Peterson’s website

Dale Peterson on LinkedIn

Books mentioned:

The Brand You 50 by Tom Peters

Derek Harp is excited to welcome Justin Searle as his guest for another episode in the series on security leaders! 

Justin is the Director of ICS Security at InGuardians, specializing in ICS security architecture design and penetration testing. He has taught courses in hacking techniques, forensics, networking, and intrusion detection for multiple universities, corporations, and security conferences. He is currently a Senior Instructor for the SANS Institute and a faculty member at IANS. In addition to electric power industry conferences, he frequently presents at top international security conferences such as Black Hat, DEFCON, OWASP, Nullcon, and AusCERT.

Justin is well-balanced and versatile and a super fascinating person! He was born in Utah and has lived there for most of his life. He has a Bachelor’s Degree in Technology Education with minors in computer science and electrical engineering, and a Master’s Degree in International Business and Information Systems. He is an entrepreneur, researcher, security practitioner, open-source advocate, instructor, teacher, and author. He is an outdoor enthusiast and has some cool hobbies, like scuba diving and rock climbing. He is also a falconer, a helicopter pilot, and a globetrotter. 

In this episode of the (CS)²AI Podcast, he shares his modern-day superhero backstory, and he talks to Derek about how his career journey led to him becoming immersed neck-deep in cyber security for control systems. He also talks about the value of certifications and becoming an instructor. You will gain a lot from this show if you would like to make a career in cyber security or become an instructor in the field. Stay tuned for more!

Show highlights:

• Justin started doing basic programming when he was in elementary school and almost earned an Associate’s Degree in Electronics Engineering in high school. (4:58)
• Justin talks about the certifications he obtained to build credibility and advance his career. (9:40)
• Justin shares his thoughts about certifications. (11:50)
• Getting a certification will help students stand out trying to find an internship. (Justin recommends the CompTIA Security+ Certification because it is an inexpensive option.) (13:22)
• Graduates should consider getting a CISSP Certification. (13:48)
• Justin explains why he shifted to focus on networking technologies, IT technologies, and cyber security in 2000-2001. (18:10)
• Getting into his niche area- penetration testing in industrial control systems. (19:50)
• How can listeners break into becoming teachers or instructors? ( 22:38)
• The pros and cons of joining communities and collaborative groups. (27:08)
• Justin enjoys being an informal mentor to others and providing feedback when people ask questions. (31:04)
• Justin offers advice for maximizing your benefit when you change jobs or your positions within a company. (33:22)
• You will be valued in the field if you get into any area of cyber security. (40:10)

Links:

(CS)²AI

Justin Searle on LinkedIn

In Guardians

CISSP Certification

Today, Derek Harp is excited to interview Rick Kaun for another episode in the security leaders series. Rick is the VP of Solutions at Verve Industrial Protection.  

Rick is a well-versed OT cyber security thought leader, evangelist, advocate, and solution provider with more than 20 years in the identification, development, and provision of all sizes and shapes of security programs. Regardless of the industry, security maturity level, or standard (corporate, regulatory, or best practice) Rick has focused on helping clients to find solutions that are effective, affordable, and manageable. With a special experience in production environments, he has had the pleasure of working around the world with multiple organizations ranging from Power to Oil and Gas, Refining, Mining, Pulp and Paper, discrete manufacturing to corporate and regulatory projects.

Rick is an honest and authentic person. He is a straight talker, known for getting right to the heart of the matter. He is a husband and father and a keen outdoorsman. He is also an ice hockey fan, traveler, boater, and dog lover. 

In this episode of the (CS)²AI Podcast, he tells his story and shares his wisdom. He talks about his career, discusses the decisions he made that led him to where he is today and shares some gold nuggets of career advice.

You won’t want to miss this episode if you are looking for career direction, considering a career in cyber security, or already in the security field and would like to move forward in your career. Stay tuned for more!

Show highlights:

• Rick shares his superhero origin story. (5:28)
• In grade four, Rick became the computer lab administrator for his class. (8:34)
• Rick did not start his career in cyber security with a technical degree. He explains how he went from studying sociology to learning about technology. (11:26)
• Technology is such a complex field, and it has so many opportunities that you can have an entire career and a specialty within it. (12:04)
• There are various technical studies courses that you can do at the Northern Alberta Institute of Technology (NAIT). (13:04)
• Rick believes that security basics should underpin every course that anyone ever does. He would love to have a panel discussion on safety culture! (16:58)
• Rick explains how he jumped into security for control systems at Honeywell twenty-one years ago. (18:53)
• Rick joined Verve about five years ago, and since then, they have doubled twice. (24:23)
• We need meaningful and sustainable risk reduction for the future. (25:19)
• People you know now could become important in the future. That’s why you need to invest in as many quality relationships as possible within the cyber security industry. (25:51)
• Some of the challenges Rick has faced while navigating his career journey. (28:28)
• Rick discusses the importance of collaboration. (34:21)
• With trainees, it is way better to be humble and honest about things you don’t know than to make something up. (41:49)
• Rick feels that mentorship is the key component for anybody to get anywhere. (44:27)
• You need to enjoy the work you do. (47:28)

Links:

(CS)²AI

Rick Kaun on LinkedIn

Verve Industrial Protection

Northern Alberta Institute of Technology (NAIT)