It was a ghost in the machine that first caught the attention of operators at the water utility, its location undisclosed for security reasons. Without any operator command, valves began opening and closing, processing glitches appeared, and chemical treatments inconsistent with standard protocols were occurring in the utility’s treatment facilities. Although no customers had been endangered, responding to the problems was becoming time-consuming, and the inexplicable nature of the events was starting to frighten facility managers and engineers.
After two months, the operators were at their wits’ end. Someone suggested a security review of the utility’s SCADA (Supervisory Control and Data Acquisition) platform, which ran on an IBM AS/400 and also managed the programmable logic controllers (PLCs) that operated the plant equipment. A Verizon RISK (Research, Investigations, Solutions and Knowledge) Team was brought in to investigate.
What they found was chilling. Someone had been in the control systems… and had slowly been teaching themselves how to manipulate the amount of chemicals being put into the water supply. IP addresses found in the logs pointed back to a Syrian hacktivist group, although no one ever took credit for the penetration.
Once the cause of the unusual occurrences was understood, Verizon’s cybersecurity engineering team jumped into action. They shut down the web-based account management front-end that had given the attackers their way into the system. They used firewall rules to block any further Internet-originating access to the AS/400 controller. They then rebuilt the AS/400 and other compromised systems from known-good base images, eliminating any back doors the hackers may have left behind.
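The finding that drove those three actions came out of logs: which sources had reached the controller, through which path, and what they did once there. The following is an added example written for this page, not code from the Verizon investigation or from the original article. It shows that triage over a constructed web front-end access log; the 10.20.0.0/24 management network, the /account/login and /scada/ paths, and every log line are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access log for an Internet-facing web front-end that sits in
# front of a controller's management interface. These lines are made up for the
# example; they are not log data from the incident described in the text.
SAMPLE_LOG = """\
10.20.0.15 - - [02/Mar/2016:08:01:12 +0000] "POST /account/login HTTP/1.1" 302 0
10.20.0.15 - - [02/Mar/2016:08:01:40 +0000] "GET /scada/setpoints HTTP/1.1" 200 2048
203.0.113.77 - - [02/Mar/2016:22:14:03 +0000] "POST /account/login HTTP/1.1" 302 0
203.0.113.77 - - [02/Mar/2016:22:14:09 +0000] "GET /scada/setpoints HTTP/1.1" 200 2048
203.0.113.77 - - [02/Mar/2016:22:15:30 +0000] "POST /scada/setpoints HTTP/1.1" 200 88
198.51.100.9 - - [03/Mar/2016:01:02:55 +0000] "POST /account/login HTTP/1.1" 401 0
this line is not in common log format and is skipped
"""

# Assumptions for the example: operators manage the system only from 10.20.0.0/24,
# logins go through /account/login, and anything under /scada/ talks to the controller.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
LOGIN_PATH = "/account/login"
CONTROL_PATH_PREFIX = "/scada/"

# Common Log Format: source, identd, user, [timestamp], "METHOD path protocol", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_management(src):
    """True if the source address falls inside an approved management network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def classify(rec):
    """Label a request from outside the management nets; None means nothing to report."""
    if is_management(rec["src"]):
        return None
    if rec["path"] == LOGIN_PATH and rec["method"] == "POST" and rec["status"] in (200, 302):
        return "external_login"          # an Internet source got past the front-end
    if rec["path"].startswith(CONTROL_PATH_PREFIX):
        # a POST to a control endpoint is a write: setpoints, dosing, valve state
        return "control_write" if rec["method"] == "POST" else "control_read"
    return None                          # failed logins and static pages are noise here


def triage(log_text):
    """Return (findings, per-source counts) for every reportable external request."""
    findings = []
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec)
        if kind is None:
            continue
        findings.append({"kind": kind, "src": rec["src"], "ts": rec["ts"], "path": rec["path"]})
        counts[rec["src"]] += 1
    return findings, counts


def block_candidates(log_text):
    """External sources that reached the controller: the list to deny at the perimeter."""
    findings, _ = triage(log_text)
    return sorted({f["src"] for f in findings if f["kind"].startswith("control_")})


if __name__ == "__main__":
    found, per_src = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']}  {f['src']:<15} {f['kind']:<15} {f['path']}")
    print("deny at perimeter:", block_candidates(SAMPLE_LOG))
```

The failed login from 198.51.100.9 is deliberately not reported: a single 401 against an Internet-facing login page is background noise, while a successful external login followed by a write to a control endpoint is exactly the sequence the narrative above describes. In a real environment the allow-list and the path conventions come from the network and application owners, not from guesses.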
Security engineering teams perform the gritty, detail-oriented work on the front lines of information assurance efforts in companies and government organizations around the world. In many cases, their skills, training, and education are all that stands between us and future attacks like the one on the water utility. The weight of responsibility they carry for engineering systems designed to resist intrusion puts them near the top of the hierarchy in cybersecurity teams and has made a graduate degree increasingly common for IT jobs that involve security engineering.
As Cybersecurity Engineering Struggles to Define Itself, the Role is Still Ambiguous
Professionals working in cybersecurity engineering go by a number of different titles:
- Application/Web security engineer
- Cybersecurity engineer
- Data security engineer
- IA/IT security engineer
However, whatever variation of the title an employer uses to describe the position, it may not do much to explain what the role actually involves in terms of job functions and daily tasks. As a relatively new field, information assurance engineering is still defining the specific role it will play in information security. Until employers arrive at a universal definition of what that role is, information assurance engineering remains a bit ambiguous.
A recent SANS Institute white paper discusses some of the various ways the role is defined and what they have in common from industry to industry and organization to organization. It also discusses how the term “engineering” is sometimes used loosely to describe a position that involves very few if any tasks traditionally associated with engineering.
This makes most information assurance engineer roles flexible in terms of expectations and daily activities. In instances where the employer hasn’t clearly defined the role, new hires will likely have an opportunity to practice a wide variety of skills that will define the role in broad terms. Still, many organizations have a narrower definition of the role, established internally, that limits it to a set of specific tasks.
In terms of the Platonic ideal of the IA/security position, it should be viewed as a hands-on role that involves developing, designing, and deploying security systems or security-related subsystems.
In different companies, or even different departments of the same company, job responsibilities can vary widely, but it is safe to say they generally include:
- Working with other departments to define security protocols and to secure IT systems
- Directly examining computer code bases to eliminate common coding vulnerabilities
- Installing and configuring security appliances and applications
- Engineering security hardware to protect systems and installations
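Of those duties, examining a code base for common vulnerabilities is the easiest to show concretely. The following is an added example written for this page, not code from the original article or from any employer it describes: a query assembled from strings, the injection it allows (Injection is an OWASP Top Ten category), the parameterized version beside it, and a crude review heuristic for finding the pattern across a code base. The users table and its two rows are constructed, and sqlite3 stands in for whatever database a real application uses.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data for the demonstration; not from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "h1", "operator"), ("bob", "h2", "admin")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """BEFORE: user input is spliced into the SQL text, so the attacker controls the
    statement's quoting (Injection, an OWASP Top Ten category)."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_user_fixed(conn, username):
    """AFTER: the statement is constant text and the value travels as a bound
    parameter, which the driver never interprets as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Classic tautology payload: closes the quote, then appends an always-true clause.
PAYLOAD = "' OR '1'='1"


def demo():
    """Run the same payload through both versions and return what each gives back."""
    conn = make_db()
    return {
        "vulnerable": lookup_user_vulnerable(conn, PAYLOAD),   # every row leaks
        "fixed": lookup_user_fixed(conn, PAYLOAD),             # no such user: []
        "legit": lookup_user_fixed(conn, "alice"),             # normal lookup still works
    }


# A first-pass review heuristic for spotting the pattern in a code base: a line
# that carries a SQL keyword and also builds a string (+, %, .format, f-string).
# It is deliberately crude; it finds candidates for a human reviewer, not proof.
SQL_KEYWORD_RE = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.IGNORECASE)
STRING_BUILD_RE = re.compile(r"""(\bf["']|\s\+\s|\s%\s|\.format\()""")


def find_string_built_sql(source):
    """Return 1-based line numbers where SQL text appears to be assembled at runtime."""
    return [
        n for n, line in enumerate(source.splitlines(), 1)
        if SQL_KEYWORD_RE.search(line) and STRING_BUILD_RE.search(line)
    ]


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:<10} {rows}")
    import inspect
    for fn in (lookup_user_vulnerable, lookup_user_fixed):
        print(fn.__name__, "suspect lines:", find_string_built_sql(inspect.getsource(fn)))
```

The payload turns the vulnerable query into `... WHERE username = '' OR '1'='1'`, which matches every row; the parameterized version looks for a user literally named `' OR '1'='1` and finds none. The heuristic is the kind of thing an engineer runs before a manual pass, not a substitute for one: it misses queries built across several lines and flags harmless string handling near a SQL keyword.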
The Hands-on Direct Action Job Duties of Cybersecurity Engineers
It’s difficult to completely cover the full scope of duties expected of cybersecurity engineers given the fact that the role is defined so differently from one organization to the next.
One job description outlined duties that include:
- Managing and leading security incident response efforts
- Configuration of Windows and Linux host-based security as well as network and cloud-based security systems
- Assisting with the installation and configuration of network security architectures, including firewalls, Demilitarized Zones (DMZ), router ACLs (Access Control Lists), and web content filters
- Monitoring and responding to Intrusion Detection System (IDS) cues and anti-virus alerts
At the same time, another position, with the same title, dealt exclusively with monitoring FireEye HX, a specific endpoint detection and response (EDR) product.
Other common tools that may be found in the cybersecurity engineer’s arsenal can include:
- Nessus vulnerability scanning software
- Watchguard Firebox firewalls
- Intrusion detection software such as Snort
A day in the life of a cybersecurity engineer can differ widely depending on the organization and the engineer’s portfolio of expertise. One thing that all IA/security engineers will find, however, is that their tasks are typically hands-on: working directly with machines, users, and code to secure against attack.
Because of that direct action role, cybersecurity engineers are expected to stay abreast of current developments in the field. This includes:
- Maintaining current knowledge of technology capabilities and trends
- Monitoring types and techniques of hacking attacks in the wild
- Accumulating operational intelligence and maintaining threat profiles of likely attackers
This makes continuing education and light research a standard part of the job for all security engineers: A review of the SANS Internet Storm Center website is likely to be part of the daily routine. Signing up for the CERT (Computer Emergency Readiness Team) alerts mailing list is also common among cybersecurity engineers. And without question, there will be no shortage of security engineers in attendance at the annual DEF CON hacker conference keeping an eye on the current state of the art in attack techniques.
Qualifications to Become a Cybersecurity Engineer
Qualifications for cybersecurity engineering positions are as varied as the typical job duties.
It is not uncommon to see job vacancy announcements calling for candidates with as many as three years of experience with the duties and technologies the organization assigns to its security engineers. This may include:
- The OWASP (Open Web Application Security Project) Top Ten web application security risks
- Understanding of the OSI (Open Systems Interconnection) model and well-known ports and services
- Relevant low-level networking experience with the TCP/IP (Transmission Control Protocol/Internet Protocol) stack
- One of five possible security-related certifications
- Ability to obtain a Public Trust security clearance
Another job vacancy with a government subcontractor showed a litany of requirements that included:
- A current Top Secret clearance and eligibility for access to Sensitive Compartmented Information (SCI)
- Possession of one of a variety of Information Assurance Technical certifications
- Expert enterprise-level security strategic planning experience
- Knowledge of DoD (Department of Defense) 8500 series Risk Management Framework (RMF) processes
Even entry-level IA/security engineer jobs are starting to require a bachelor’s degree at minimum in areas like engineering, computer science, or information assurance and cybersecurity. As the information security needs of industry and public sector organizations evolve, it is becoming increasingly common to see information assurance engineers with graduate degrees in cybersecurity.
As the field matures, specific knowledge of tools and techniques is becoming increasingly important for security teams. Although on-the-job experience was once sufficient for candidates hoping to enter a security engineering role, the growing depth of the field is making lateral entry difficult without additional education.
Certifications, running the gamut from (ISC)²’s Certified Information Systems Security Professional (CISSP) to the EC-Council’s Certified Ethical Hacker (CEH) credential, might be required or encouraged, depending on the specific position.
Experience, however, remains an important qualification for more senior IA/security engineering jobs. No amount of classroom experience can compare to handling security programs and hardware in the real world or facing actual attacks in the wild.
Finally, considering that many cybersecurity engineers have access to sensitive data in the normal course of their job duties, some type of background check or security clearance may be required to qualify for the position. This is particularly true for cybersecurity engineers working for government agencies, but many contractors also require government security clearances, ranging up to Top Secret with access to Sensitive Compartmented Information (SCI). Even if an official security clearance is not mandatory, private sector employers will sometimes perform background checks on applicants and may require periodic drug testing.