You Built An ICS… Out Of A Delorean?

The Industrials & Infrastructure team had a chance to sit down with Certified ICS Instructor Dean Parsons – Critical Infrastructure & ICS Cybersecurity Leader and OT Cyber Security Officer.

SANS: Why do you teach, research and practice cyber defense in Industrial Control Systems?

Dean: I am a practitioner in the field. I grew up ethically hacking computer systems of all types using my custom compiled Linux systems and custom C coded hacking tools. On any given day I could be dissecting packets from an industrial plant, working on a NERC-CIP security program, or presenting to a board of directors on ICS cyber risk and mitigation strategies.

I focus on Industrial Control Systems because our modern society relies daily on access to systems and critical infrastructure to power our lives, our families and businesses. Our critical infrastructure – power grid systems, oil & gas facilities, manufacturing plants and water management systems, etc., are targeted by motivated and supported adversaries that have the intent to cause those systems and us, harm – by ways of industrial disruption, safety impacts and in some cases physical damage to critical systems. But “Defense Is Doable!”

Every ICS class I teach I empower every student to ask questions and get involved in the always up-to-date conversation. This approach, and sharing my experiences from the field creates memorable moments to effectively deliver the course content. It prepares students for SANS GIAC certifications while simultaneously helping them retain critical knowledge long after the class ends – this is super important. Reenforcing practical use of the material as soon as they get back to the office or ICS facility.

SANS: What made you choose to work in security?

Dean: I can’t recall ever sitting down thinking about which career path to take. Security has always been a passion of mine. Starting in high school I wrote security tools such as password crackers, host-based intrusion detection systems (IDS), network sniffing tools, intelligent port scanners, kernel modules and exploits. I found security because there was always need to understand what’s happening behind the scenes and to defend against the forces of the darkside. That need hasn’t changed. In fact the need for defense has grown where we need more focus on it given the increase in volume and sophistication of threats, specifically targeting ICS facilities.

SANS: What was your first SANS course?

Dean: Ok, going to date myself, but here goes… My first SANS course was so long ago it was when they were called Tracks. It was 2003 Track 3: Intrusion Detection In-Depth. While the content has drastically been updated over the years, and is updated several times a year, the core concepts are still very applicable to modern cybersecurity defense. Track 3 is now known as SEC503: Intrusion Detection In-Depth.

SANS: What song is missing from the NetWars playlist? What would you add?

Dean: For ICS NetWars definitely John Williams’ Star Wars score – Dual of the Fates. A masterpiece that underpins a quintessential battle between good and evil as seen through a Lightsaber dual on Naboo. If I could suggest another song it would be Night Runner – Nuclear Countdown. An amazing 80s inspired song that pumps for 7 minutes of 80s synth awesomeness that drive the listener to active defense. These are amazing tracks for ICS NetWars and for any defender’s track-list at the office (some restrictions may apply – see your corporate policy on music and/or headphones in the cyber defense room) :).

SANS: How has security changed in your industry?

Dean: Safety. Globally, the last 5-10 years the adversary has taken brazen steps at increasing attack sophistication against industrial control systems such as oil & gas pipelines and power grids. 2010 marked the first time a cyber weapon destroyed physical equipment in the real world. In 2015, through a coordinated campaign, attackers targeted power grids and were successful in causing significant power disruptions across large regions. In 2016 evidence indicates intentions by the adversary to cause physically damage in electricity protection equipment. 2017 brought an attack on industrial safety systems — those systems are designed to keep people and plants safe.

SANS: What tips can you provide new comers to ICS cyber security and defense?

Dean: ICS cybersecurity starts with safety, fully understanding the nuances of how to do defence in an industry environment. There is a difference in how to effectively apply security in traditional IT (Information Technology), vs. in ICS (Industrial Control Systems) or “OT” (Operational Technology) environments. Industrial control systems assets are often compared to traditional Information Technology assets. However, traditional IT assets and related processes focus on business data at rest or business data in transit, whereas industrial control systems are engineering assets that focus on input from real-time systems and control outputs for physical actions in the real world. It is this primary difference between IT and ICS (or OT) that drive differing cybersecurity design, strategy and cyber incident response policies and tactical practices. ICS cybersecurity involves protecting physical processes, engineering assets in the field and in plants. In the electric sector for example, proper ICS cyber defense protects the safety and reliability of operations, and the people in the plants who operator and work with the physical processes to safely generate, transmit and distribute electricity across a power grid and into our homes.

SANS: What do you want people to know about you?

Dean: I bring 20 years combined experience in IT, Industrial Control System cyber defense across the telecommunications to critical infrastructure sectors, and lead an active ICS Cybersecurity Program for an electric utility in Canada across facilities in generation (hydro, thermal, gas turbine), transmission and distribution. I am an ambassador for ICS active cyber defense and advocate for the safety, reliability and resilience of our critical infrastructure. Yet everyday is school day – we are forever learning, understanding and adding value to the community.
When I’m not teaching or in ICS Active Cyber Defense mode you can find me exploring the coast of Newfoundland on my jet ski, playing piano or riding motorcycles, even in intense Newfoundland winters. An accomplished motorcycle instructor and rider, he published some adventures in his travel book “The Evergreen Rider – Newfoundland By Motorcycle. Through All Seasons, All Weather” (
Favourite quote: “Do. Or do not. There is no try.” – Yoda
I love the 80s.

SANS: Where does an ICS facility start in defense and how could they improve their strategy?

Dean: Through the ICS Active Cyber Defense Cycle (ACDC). It all starts with proper architecture (supply chain security, proper network segmentation, patching and/or enabling compensating controls). For example, proper separation of ICS assets and operational plant networks from the main vectors of compromises we see today, such as user networks and business email. Business networks should remain completely segmented from industrial controls. Similarly, safety systems that protect industrial control operations should also be on further separated networks.
Beyond ensuring basic architecture and passive defences (firewalls, packet inspection, AV whitelisting, etc.), ICS defense teams should already be deploying active defense technologies for “plant floor” network visibility with trained ICS defenders hunting in the network and proper ICS incident response practices.
Facilities also need to consider physical security to detect and prevent potential physical-cyber attacks.

SANS: How do you stay up-to-date with the latest ICS defense information? Who are your influencers?

Dean: News headlines, while having their place, are not threat intelligence. Consuming several accurate ICS cyber threat intelligence feeds, (and contributing back to them) is an effective want to ensure up to date, accurate, timely and relevant intel on the ICS threat landscape. Leveraging these sources for TTPs (Tactics, Techniques & Procedures), and IOCs (Indicators of Compromise) allows defenders to make informed pro-active decisions on infrastructure changes and protection. Webcasts, training from trusted sources and networking with peers in the community – either virtually or at conferences when possible is also critical.

Influencers – Rob M. Lee, Tim Conway, Ted Gutierrez, and of course Mike Assante’s significant contribution he’s brought the ICS world.
Other Influencers – Marty Mcfly and Dr. Emmett Brown – as operators and engineers of the coolest ICS ever – the Back To The Future Delorean Time Machine :). But they really should have been using their PPE (Personal Protective Equipment) more ;).

Thanks, Dean, for taking the time to share more about your background and your role as a ICS and Operational Technology Cyber Security Officer at an energy utility in Canada, and Certified SANS ICS Instructor.

Dean will be teaching ICS515 via SANS San Antonio 2020 CyberCast in May – San Antonio, TX | Sun, May 17 – Fri, May 22, 2020 and the live conference at SANS San Francisco Summer 2020 – San Francisco, CA Mon, Aug 24 – Sat, Aug 29, 2020

To learn more about Dean and where you can take his next course – visit his SANS bio page.

*** This is a Security Bloggers Network syndicated blog from SANS Blog authored by SANS Blog. Read the original post at: