Phase A & Step 1 - for Getting started in IT & OT Cybersecurity
[Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.
Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and/or situation.
Hi Securing Things Community,
In this newsletter edition, we’ll continue to expand on the previous topic “Getting started in IT & OT Cybersecurity” by covering “Phase A and Step 1”, along with some recent interesting info from the field and some of my recent most viewed social media posts from April 2024.
Dedication:
I dedicate this post to My Father
Thank You for everything! It wouldn’t have been possible where I am today, without (Almighty’s blessings and because of) all your efforts, almost 3 decades of a service, providing to family, self sacrifices of your needs over ours (me / my siblings) and family. There’s nothing I can do to return the favour, except for a little love and prayer. Yours truly!
To all those parents who sacrifice their needs for their children’s well-being. And also to all those who haven’t done so in a while, it’s a great day to check on your parent(s) and say thanks.
Happy International Workers’ day holiday!
Special Message:
Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks! Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.
1. A - Initiate, Validate, Prepare & Plan
In case you missed it, the 3-phase, 12-step blueprint is outlined below:

Getting started in IT & OT Cybersecurity - Blueprint by M. Yousuf Faisal
What comes next:
(a) A short intro video on the above framework.
(b) Each of the 12 steps from a perspective of following persona types:
A recent graduate or learner - interested in getting into cybersecurity.
An IT security professional - interested in getting started in OT Security.
An automation professional - interested in getting started in OT security.
An experienced professional from a non-IT/Security/Automation field - interested in getting started in IT/OT security.
But for now, let’s outline some bullet points for Phase A and step 1.
Phase A, as the name implies, is all about initiating, validating, preparing and planning - doing the preliminary checks before you take a leap of faith on getting started in cybersecurity.
1 – Get to know the Industry, stakeholders, critical infrastructure sectors & the ecosystems – research & get excited!
👉– If you are a fresh graduate or entering the professional field - this is the most critical first step - often missed (this was the case for me - came out from uni without knowing what I’ll be getting into, mostly based on hearsay) - I believe primarily because of a lack of consolidated guidance.
👉– If you are a professional coming from an IT cybersecurity or Automation background, you’ll probably have a basic to advanced idea of the industry itself, its stakeholders, sectors and ecosystem. But to my (and probably some of yours too) surprise, once you dive into this you’ll for sure say - Damn, I didn’t know this even existed…
👉– If you are a professional coming from a different background or field of study (not IT/security or automation) - you’ll most likely need to get familiar with the areas highlighted in step 1.
👉– Despite the differences in each of the above personas’ journeys - the information that needs to be learned / gained remains the same.
👉– From an industry perspective - almost every business depends upon digital or cyber and physical systems, hence the need for some level of cyber physical security literacy across all types of industries/businesses. However, certain industry sectors have a more critical reliance on security than others. So be sure to keep that in mind.
👉– You’ll end up working in a role with one of the following stakeholders (but not limited to):
Asset Owners (term used in industrial sector) / End user organizations
Product manufacturers / OEM vendors
Certification Bodies
System Integrators
Managed Service Providers
Professional / Consulting Businesses
Regulatory Bodies (Govt. / sector specific)
Government.
👉– Most of the 196 countries (approx. 100+) have defined critical infrastructure sectors (Yes, surprisingly there are many countries that have not officially defined which sectors are considered critical infrastructure). Getting to know some of these sectors at a very high level would always be beneficial to gauge your interests.
👉– Working for each type of stakeholder listed above would require individuals to have a base/common securing things body of knowledge (STBOK) and some specialised knowledge specific to the role that each stakeholder plays in the industry ecosystem.
STBOK; yes, just coining that :-) - one thing that the professional industry is good at is coming up with short forms / acronyms, which may require some familiarity. So start getting used to the lols and gtgs etc.
👉– Just like any other industry, in cybersecurity there’s saturation in certain industry and cybersecurity roles and areas of expertise, and for others there’s a lack of available skill sets - so keep this in mind as we move forward within the framework.
Note: You’ll always read or hear that we are thousands of people short in this industry - but at the same time you’ll see lots of people struggling to find breakthroughs (both fresh and highly experienced).
👉– Start looking at the industry, stakeholders, CIIs & ecosystem from a local perspective and/or from the geographical location you want to target. E.g. if based in EU or US or APAC, within X country, start from there.
👉– Again, as suggested in the previous step, remember not to stress yourself out, as you are not at a decision point; rather, you are building a better understanding that will help in the later part of crafting your journey, to know which role you’d like to be part of and hence what industry/entities to target…
Once this is done, move to step 3 (coming soon). You shouldn’t be spending too much time on this, but at the same time you shouldn’t be skipping this step either, as eventually you’ll have to explore and understand these basics anyway.
📢More on these steps in detail in future posts/videos.📢
What other important steps would you recommend? Comment below.
2. Cybersecurity Reads & News
Following is a list of a few interesting reads and news:
Online Introductory Courses Available for NIST SP 800-53, SP 800-53A, and SP 800-53B - NIST made the following 3 courses available to the public for free.
Security and Privacy Controls Introductory Course
Assessing Security and Privacy Controls Introductory Course
Control Baselines Introductory Course.
Account for Complexities Introduced by Hybrid - An NSA Cybersecurity Information Sheet has been released. It addresses the complications that may arise when implementing hybrid cloud and multi-cloud environments due to increased complexity, and solutions to mitigate them.
What’s new in CycloneDX 1.6 - by Tony Turner. On April 9, 2024, the OWASP CycloneDX project announced the release of version 1.6 of bill of materials specification as well as several new or updated best practices documents for practitioners. CycloneDX 1.6 continues to expand support for a wide range of supply chain risk management activities beyond only software bill of materials (SBOM).
U.S. Federal Agencies Ordered to Hunt for Signs of Microsoft Breach and Mitigate Risks - CISA issued an emergency directive (ED 24-02) urging federal agencies to hunt for signs of compromise and enact preventive measures following the recent compromise of Microsoft's systems that led to the theft of email correspondence with the company. The attack has been attributed to a group tracked as Midnight Blizzard (aka APT29 or Cozy Bear). Last month, Microsoft revealed that the adversary managed to access some of its source code repositories but noted that there is no evidence of a breach of customer-facing systems.
Security Above All, Microsoft CEO Vows - Microsoft’s CEO pointed to the Secure Future Initiative that the company launched last fall, and then made a pledge. “We are doubling down on this very important work, putting security above all else — before all other features and investments,” Nadella said Thursday afternoon, after the company’s fiscal third-quarter earnings report.
Copilot for Security by Microsoft - GitHub page for security Co-pilot.
ICS Malware - Fuxnet - Ukraine Allegedly Deploys Destructive ICS Malware 'Fuxnet' Against Russian Infrastructure. A hacker group by the name of Blackjack, believed to be affiliated with Ukraine’s security services, claimed to have disabled 87,000 sensors and wiped database, email, internal monitoring and data storage servers. Note: Allegedly - nothing’s confirmed.
SMB1001: Multi-tiered cyber security standard for SMBs - by CSCAU - is a prescriptive dynamic standard which allows all organisations to start and monitor their journey towards resilience against evolving cyber threats.
3. My Recent Most Viewed Posts:
In case you’ve missed them - here are a few of my recent most viewed posts.
Getting started in IT & OT Cybersecurity
👉 Do share, comment and add your experience and insights - as this may help someone bring some clarity and make right choices in their career decisions and or progression. Our world needs more cybersecurity professionals.
👉 I hope to make a difference & help at-least 100/> people in 2024 (ideally 1K/>) (am not making a bold claim of million or something) to give back to the community.
A hacker's movie guide book - A list of hacker, cybercrime and cyber threat related movies, series, shows etc. For now, all newbies / professionals / experts - let's just get excited! What’s your favourite top 10/12? List them in the comments below.
OT-CBPRS
SMB / SME manufacturers - to jump start your OT cybersecurity journey: 📚"OT/ICS Cybersecurity Best Practices Requirements Specification" or "OT-CBPRS" 📚Toolkit 📖
The📚OTCBPRS toolkit📚 comes with the following:
➡ 1 checklist tracker in excel & a word document.📖
➡ In-line with international industry best practices.
➡ Free toolkit awareness & limited IT-OT CySEAT training (Q2 2024).
➡ 2 Options to consider:
✅ Standard (as-is, no customization/consulting & fixed price)
✅ Custom (Per scope, for specific environment needs).
➡ See more details ➡ https://lnkd.in/gt7ewKxb
Get a head start to your OT cybersecurity program and register your interest here ➡form (or drop a DM with your official email address only)
4. Securing Things Academy - Updates
Though slower than expected, some progress has been made. I have plans to create the following 5 trainings and/or more mini courses:
The course options below are planned - select the most important or the most interesting (from the view of your own needs or from industry demands):
As a reminder, those who’ve not seen this, do checkout #CySEAT intro below.
Please DM or reach out to me if you are an asset owner and interested in participating in the discounted beta offer coming soon. Or, if you know any asset owners that may be planning (starting or struggling with) an OT Cybersecurity program journey and/or simply looking to uplift staff skill sets without breaking the budget, please share this post; it’ll be of enormous help.
Other services
Security Awareness Training & Phishing Awareness Portal for SMBs - visit https://start.securingthings.io/training & register your interest.
Whenever you are ready - I can help you/your organization with all the items highlighted in this edition - reach out at info[at]securingthings[dot].com.
5. My Asks
Do share, comment and add your experience and insights - as this may help someone bring some clarity and choices to their career decisions and/or progression. Our world needs more cybersecurity professionals.
Do submit the poll in section 3 above.
Provide valuable input to help me decide on a few things:
Do the course / topic ideas above resonate with you? Which one would you prefer? (Or, if you are an expert, do they align with market needs?)
Course / certification name suggestions, per the above list. Do register, validate your email, and request a login link to submit the poll, to be able to enter for a chance to win a course giveaway.
Or would you rather prefer mini courses on similar topics?
Join forces with Securing Things - I’d welcome experts/instructors from the field, if you have interesting course ideas on IT, OT, IOT, IIOT cybersecurity topics or lab exercises and want to host a course later in 2024. Also, I am looking for people to help with suggestions / work on creating relevant exercises / labs.
Also, I invite #SecuringThings community to share their insights, feedback, and wish list for the year on:
any industry specific pain points & potential resolutions of keen interest?
what did you like about this and or previous editions?
what could be improved?
what you’d like to see in future editions?
Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer digital future. Thank you for your trust and continued support.
Thanks for reading - until next edition!
It’s a Great Day to Start Securing Things for a Smart & Safer Society.
Take care and Best Regards,
M. Yousuf Faisal.
Follow: #securingthings on LinkedIn | @securingthings on X/Twitter & YouTube.