From QA Tester to OT Security Lead: The Unconventional Career Path Nobody Plans For + Video


Introduction:

The journey into Operational Technology (OT) and Industrial Control Systems (ICS) cybersecurity is rarely a straight line. Unlike the structured certifications of IT security, OT/ICS requires a hybrid operator—someone who understands packet captures and physical machinery equally. Mike Holcomb’s career trajectory, spanning movie theater usher to bowling alley mechanic to OT Fellow, illustrates the exact cross-domain pattern that industry leaders now realize is essential for securing critical infrastructure, where safety and uptime trump confidentiality.

Learning Objectives:

  • Understand the importance of cross-disciplinary experience (IT, mechanical, electrical) in OT/ICS security.
  • Identify the key differences between IT and OT security priorities (Safety vs. Confidentiality).
  • Analyze how real-world “hands-on” skills translate directly into modern industrial defense strategies.
  • Explore the historical context of OT attacks (Stuxnet) and current threats (Salt Typhoon).

You Should Know:

1. The “Grease-Stained Boots” Theory of OT Security

Mike’s time as a bowling alley mechanic, complete with electrocutions and wiring lessons, is not a detour from cybersecurity—it is the foundation. In OT/ICS, understanding Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and electrical relays requires a tactile knowledge of how machinery fails. A purely theoretical IT security professional might patch a server but miss the physical safety implications of a compromised pressure valve.

Step‑by‑step guide: Understanding the OT Landscape

To bridge the IT/OT gap, security professionals should perform a basic physical audit of a facility:
1. Inventory Physical Assets: Walk the floor. Identify motors, conveyors, and breakers. Note their manufacturer and model (e.g., Siemens S7, Allen-Bradley).
2. Map to Network Topology: Use tools like `Nmap` or `GRASSMARLIN` to compare the physical assets against the network diagram.
– Linux Command: `sudo nmap -sT -p 102,502 <target-range>` (To scan for the Siemens S7comm (102/TCP) and Modbus TCP (502/TCP) ports; both protocols run over TCP, so a TCP connect scan is used rather than a UDP scan. `<target-range>` is a placeholder for the OT subnet being audited.)
– Windows Command: `Test-NetConnection -ComputerName <plc-ip> -Port 502` (To check Modbus TCP connectivity to a single device; `<plc-ip>` is a placeholder.)
3. Document Failure Modes: For each asset, note the physical result of a failure—does it stop a production line? Does it vent gas? This moves security from “data protection” to “risk mitigation.”
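As an added example (not from the original post), the following script reconciles the step 1 walk-down inventory with the step 2 scan results. The inventory, scan results and IP addresses are constructed sample data, and the expected-port table assumes S7 devices answer on 102/TCP and Modbus devices on 502/TCP.

```python
# Constructed walk-down inventory (step 1): IP -> (asset type, description). Not a real site.
PHYSICAL_INVENTORY = {
    "10.20.0.11": ("siemens", "Line 1 conveyor PLC (S7)"),
    "10.20.0.12": ("modbus", "Boiler pressure RTU"),
    "10.20.0.13": ("siemens", "Packaging PLC (S7)"),
}
# Constructed scan results (step 2), e.g. parsed from nmap output: IP -> set of open TCP ports.
SCAN_RESULTS = {
    "10.20.0.11": {102},
    "10.20.0.12": {502, 102},   # a Modbus RTU that also answers on the S7 port
    "10.20.0.14": {502},        # a device nobody wrote down during the walk-down
}
# Industrial protocol port expected per asset type (102 = S7comm, 502 = Modbus TCP).
EXPECTED_PORTS = {"siemens": {102}, "modbus": {502}}
OT_PORTS = {102, 502}


def reconcile(inventory, scan):
    """Compare the physical walk-down with the network view.
    Returns {ip: [finding, ...]} for every IP that needs a follow-up."""
    findings = {}
    for ip, ports in scan.items():
        if ip not in inventory:
            # Something with an OT protocol open that the walk-down never saw.
            if ports & OT_PORTS:
                findings.setdefault(ip, []).append("undocumented OT device")
            continue
        asset_type, _ = inventory[ip]
        unexpected = (ports & OT_PORTS) - EXPECTED_PORTS.get(asset_type, set())
        for port in sorted(unexpected):
            findings.setdefault(ip, []).append(f"unexpected port {port} for {asset_type}")
    for ip in inventory:
        # On the floor but not on the wire: wrong address in the diagram, or offline.
        if ip not in scan:
            findings.setdefault(ip, []).append("inventoried asset not seen on network")
    return findings


if __name__ == "__main__":
    for ip, notes in sorted(reconcile(PHYSICAL_INVENTORY, SCAN_RESULTS).items()):
        print(ip, "->", "; ".join(notes))
```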

2. The ISP Perspective: Seeing the Attackers’ Point of View

Holcomb’s role in an IT SOC for a large telecommunications company provided a unique vantage point. He mentions, “ISPs have very little cybersecurity,” referencing the “Salt Typhoon” intrusions. From an ISP backbone, defenders can observe reconnaissance scanning, DDoS campaigns, and lateral movement across vast swathes of the internet.

Step‑by‑step guide: ISP-Level Threat Hunting (Simulated)

While you may not have ISP backbone access, you can analyze border traffic to spot “theaters of operation.”
1. Capture NetFlow Data: Use tools like `nfdump` or `SiLK` to analyze traffic flows entering your network.
2. Identify Scanning Behavior: Look for a single internal IP communicating with thousands of external IPs on a single port (e.g., 445/TCP for SMB).
– Linux Command (live capture): `sudo tcpdump -i eth0 -n 'tcp[tcpflags] & (tcp-syn) != 0 and tcp[tcpflags] & (tcp-ack) == 0'` (To catch bare SYN packets, the signature of connection attempts from scanners).
3. Correlate with Threat Intelligence: If you see a surge of traffic to a specific country or subnet during off-hours, cross-reference with CISA alerts regarding state-sponsored activity (e.g., Volt Typhoon, Salt Typhoon).
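As an added example (not from the original post), this script implements step 2 over flow records: it counts, per internal source and destination port, how many distinct external hosts were contacted and flags the fan-out. The flow lines are constructed, the internal range `10.0.0.0/8` is an assumption, and the threshold is lowered from the page's "thousands" so the sample triggers it.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: your own address space

# Constructed flow records in a simple "src dst dport" text form, not real traffic:
# 10.0.0.5 sweeps 60 external hosts on 445/TCP; 10.0.0.7 is an ordinary web client.
SAMPLE_FLOWS = "\n".join(f"10.0.0.5 203.0.113.{i} 445" for i in range(1, 61))
SAMPLE_FLOWS += "\n10.0.0.7 198.51.100.20 443\n10.0.0.7 198.51.100.21 443\n10.0.0.9 10.0.0.7 445\n"


def parse_flows(text):
    """Yield (src, dst, dport) from whitespace-separated flow lines; skip short lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], int(parts[2])


def find_fanout(flows, threshold=50):
    """Return {(src, dport): n} for internal sources that reached at least
    `threshold` distinct external destinations on a single port."""
    peers = defaultdict(set)
    for src, dst, dport in flows:
        # Only internal -> external pairs count; internal-to-internal SMB is ignored here.
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL:
            peers[(src, dport)].add(dst)
    return {key: len(dsts) for key, dsts in peers.items() if len(dsts) >= threshold}


if __name__ == "__main__":
    for (src, port), n in find_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible scan: {src} -> {n} external hosts on port {port}")
```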

3. Teaching to Learn: The Power of Instruction

Transitioning from Network Administrator to IT Instructor forced Holcomb to master fundamentals. Teaching networking fundamentals, NT 4.0, and Active Directory builds an irreplaceable depth of knowledge. In cybersecurity, you don’t truly know a protocol until you have to explain it to someone else.

Step‑by‑step guide: Explaining Subnetting (The “ISP Way”)

Holcomb notes that subnetting finally made sense at the ISP level. Here is a practical breakdown:
1. Visualize the Supernet: Instead of seeing `/24` networks, see them as blocks of `/23` or `/22`.
2. Calculate Summarization: To block a range of malicious IPs efficiently at the ISP router, you must summarize.
– Example: Blocking 192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24.
– Command (Cisco): `access-list 100 deny ip 192.168.0.0 0.0.3.255 any` (This wildcard mask covers the 4-network block 192.168.0.0/22, so 192.168.0.0/24 is blocked as well; confirm that is acceptable before applying the summary).
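As an added example (not from the original post), this script carries out step 2 in code: it finds the smallest single block covering a list of networks, derives the Cisco wildcard mask from it, and lists any subnets swept up as a side effect (the 192.168.0.0/24 in the example above). It generalizes the page's three-network case to any IPv4 list, and the ACL number 100 is taken from the page.

```python
import ipaddress


def summarize(networks):
    """Smallest single CIDR block that contains every listed network.
    Like the page's ACL, the block may include address space that was not requested."""
    nets = [ipaddress.ip_network(n) for n in networks]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    block = ipaddress.ip_network(first)      # single-address block to start from
    while last not in block:                 # widen one prefix bit at a time
        block = block.supernet()
    return block


def collateral(networks, block):
    """Subnets inside the summary block (at the longest requested prefix length)
    that overlap none of the requested networks, i.e. blocked as a side effect."""
    nets = [ipaddress.ip_network(n) for n in networks]
    prefix = max(n.prefixlen for n in nets)
    return [str(s) for s in block.subnets(new_prefix=prefix)
            if not any(s.overlaps(n) for n in nets)]


def cisco_acl_line(networks, acl_number=100):
    """Cisco extended ACL entry; the wildcard mask is the block's host mask."""
    block = summarize(networks)
    return f"access-list {acl_number} deny ip {block.network_address} {block.hostmask} any"


if __name__ == "__main__":
    wanted = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    block = summarize(wanted)
    print(cisco_acl_line(wanted))
    print("also blocked:", collateral(wanted, block))
```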

4. The Pentester Mindset: Attacking to Defend the Plant

Moving into penetration testing allowed Holcomb to validate defenses. In OT, pentesting is high-risk; a failed exploit can cause physical damage. Modern OT pentesters must use specific, safe methodologies to test ICS resilience.

Step‑by‑step guide: Safe OT Vulnerability Scanning

Disclaimer: Do not run these commands against live production equipment without a maintenance window and signed authorization.
1. Passive Reconnaissance: Use `Wireshark` to listen to the OT network for 24 hours to understand normal traffic baselines.
– Filter: `modbus || s7comm || cip` (To capture industrial protocols).
2. Active, Non-Intrusive Scanning: Use tools that avoid crashing PLCs.
– Nmap Safe Scan: `sudo nmap -Pn -sT --max-retries 1 --max-rate 10 <target>` (A TCP connect scan capped at 10 packets per second; this avoids aggressive UDP probes and retry storms that might flood legacy devices. `--max-rate` is the throttling flag; `--min-rate` would set a floor instead. `<target>` is a placeholder for the authorized host or range.)
3. Fingerprinting: Once open ports are found, identify the exact firmware.
– Tool: Use `PLCinScan` or `ModbusCli` to read device ID registers without altering coil states.

5. IT vs. OT: The Great Divide

Holcomb observed that IT folks didn’t appreciate OT security at first, but engineers did. This highlights a core conflict: IT focuses on the CIA Triad (Confidentiality, Integrity, Availability) in that order, while OT focuses on Safety and Availability. A BlueKeep exploit in IT is a patch; in OT, patching might require shutting down a power grid.

Step‑by‑step guide: Hardening the Air Gap (or Weak Gap)
1. DMZ Implementation: Ensure all communication between the IT and OT networks passes through an industrial DMZ.
2. Application Allow-listing: On Windows-based Human-Machine Interfaces (HMIs), implement strict application control.
– Windows Command (AppLocker): Use `secpol.msc` -> Application Control Policies -> AppLocker to create rules allowing only specific industrial software (e.g., Wonderware, Cimplicity) to execute.
3. Protocol Sanitization: Use a “diode” or deep packet inspection firewall to strip malicious commands from traffic crossing the boundary.

6. The Legacy of Stuxnet: Finding Your People

Holcomb transitioned to OT just after Stuxnet (2010). Stuxnet was the watershed moment that proved cyberattacks could cause physical destruction (ruining centrifuges). It validated the career path for those who understood code and physics.

Step‑by‑step guide: Detecting Anomalous Code Injection (Post-Stuxnet)

1. PLC Ladder Logic Comparison: Regularly back up the ladder logic from PLCs.
2. Hashing: Generate a hash of the known-good logic.
– Linux Command: `sha256sum /path/to/PLC_backup.v5`
3. Audit for “Man-in-the-Middle”: Check for rogue engineering workstations. Use network monitoring to detect `Step 7` or `RSLogix` engineering traffic originating from unexpected IPs.
– Wireshark Rule: `s7comm && !(ip.src == 10.10.10.0/24)` (Alert if S7 engineering traffic is seen from outside the authorized engineer subnet).
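As an added example (not from the original post), this script automates steps 2 and 3: it compares current PLC logic backups against known-good hashes and flags engineering-protocol connections from outside the authorized subnet. The ladder logic, PLC names and flows are constructed; the authorized subnet `10.10.10.0/24` comes from the page's Wireshark rule, and the port-to-protocol mapping (102/TCP for S7comm, 44818/TCP for EtherNet/IP as used by RSLogix) is an assumption.

```python
import hashlib
import ipaddress

# From the page's Wireshark rule: the only subnet allowed to run engineering software.
AUTHORIZED_ENGINEERING = ipaddress.ip_network("10.10.10.0/24")
# Assumption: TCP ports of the engineering protocols named on the page.
ENGINEERING_PORTS = {102: "s7comm (Step 7)", 44818: "EtherNet/IP (RSLogix)"}

# Constructed sample data, not real PLC programs or captured traffic.
KNOWN_GOOD = {
    "PLC-01": b"NETWORK 1\n  A  I0.0\n  =  Q0.0\n",
    "PLC-02": b"NETWORK 1\n  L  PIW256\n  T  MW10\n",
}
CURRENT_BACKUP = {
    "PLC-01": b"NETWORK 1\n  A  I0.0\n  =  Q0.0\n",
    "PLC-02": b"NETWORK 1\n  L  PIW256\n  L  1000\n  -I\n  T  MW10\n",  # extra instructions appeared
}
FLOWS = [("10.10.10.5", "10.20.0.11", 102),    # authorized engineering workstation
         ("10.20.0.50", "10.20.0.11", 102),    # S7 programming from the plant floor: suspicious
         ("10.10.10.5", "10.20.0.11", 443)]    # not an engineering protocol


def logic_hash(data):
    """SHA-256 of a logic backup, the same value `sha256sum` prints."""
    return hashlib.sha256(data).hexdigest()


def compare_logic(known_good, current):
    """Status per PLC: 'ok', 'changed' (hash differs) or 'missing' (no current backup)."""
    status = {}
    for name, good in known_good.items():
        if name not in current:
            status[name] = "missing"
        else:
            status[name] = "ok" if logic_hash(current[name]) == logic_hash(good) else "changed"
    return status


def rogue_engineering_flows(flows):
    """Engineering-protocol connections whose source is outside the authorized subnet."""
    return [(src, dst, ENGINEERING_PORTS[dport]) for src, dst, dport in flows
            if dport in ENGINEERING_PORTS
            and ipaddress.ip_address(src) not in AUTHORIZED_ENGINEERING]


if __name__ == "__main__":
    print(compare_logic(KNOWN_GOOD, CURRENT_BACKUP))
    print(rogue_engineering_flows(FLOWS))
```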

What Undercode Say:

  • The “Blue Collar” Coder Wins: The most effective OT defenders are those who aren’t afraid to get their hands dirty. Cybersecurity in industrial settings is not just about code; it is about physics, wiring, and mechanical load. Professionals who, like Holcomb, have fixed a machine and configured a firewall possess an intuition that pure IT analysts lack.
  • Pattern Recognition Over Credentials: Holcomb’s path shows that a collection of specific experiences—QA testing, theater ushering (people skills), mechanics (hardware), and SOC analysis—creates a pattern recognition capability. This allows a defender to intuit an attack (like Salt Typhoon) not just from logs, but from the behavior of the network and the rhythm of the plant floor.

Prediction:

The next major breach of critical infrastructure will not be stopped by an AI tool or a next-gen firewall. It will be detected by a former mechanic or electrician who notices that a PLC is responding 50 milliseconds slower than usual because of encrypted C2 beaconing—someone who understands the physical “rhythm” of the machines. As threats like Salt Typhoon prove that ISPs and nation-states are vulnerable, the demand for “cross-domain operators” will skyrocket, forcing HR departments to finally value practical experience over rigid degree requirements.


Reported By: Mikeholcomb My – Hackers Feeds