Don C. Weber is in a unique position to see where organizations are struggling—and succeeding—in securing control systems and OT environments.
As a certified SANS Institute instructor, founder of Cutaway Security, a security services provider, and host of the fun CutSec ICS Friday InfoSec Chats show on YouTube, Weber interacts with operators, engineers, and security practitioners of all skill levels and expertise. His students, his clients, his peers often find themselves working in converged IT/OT environments, anchored to legacy equipment, and wondering if and when the next ransomware attack or OT-specific exploit lands at their feet. Part of Weber's mission is to not only secure these systems, but to share his knowledge and experience to ensure the safety of the industrial domain.
"I just try to give back to the community where I can and that's a part of putting yourself out there, having conversations," Weber said.
<iframe width="560" height="315" src="https://www.youtube.com/embed/qqFtwzEvjIk" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>
In this episode of the Aperture podcast, Weber discusses his career path in information security, which began after serving in the U.S. Marine Corps (he had never picked up a computer until he left the service), to building a two-decade-long career that currently focuses on providing security assessments, penetration testing, and training.
"I started when I came out of the Marine Corps; I was already 30 and had never picked up a computer and that was 20 years ago," Weber said. "Learning computers and how to do them well, I always felt like I was pitting myself against people that had been in the industry for 10 years."
Weber explains how he gravitated toward writing blogs, contributing during the early days of podcasts, as avenues for sharing his expertise.
"I just dove into that with the theory that if I'm wrong, people would tell me. If I'm right, maybe people will learn," he said.
Aside from his SANS training course, Weber, known as Cutaway on social media, contributes a number of freely available coding and scripting tools. Most recently, he's developed the NERC CIP Assessment Scripts (NCAS) that generate required baseline outputs to help satisfy the requirements for NERC CIP-010-3.R1.
"I call that the Collector; and that's just so that people can baseline their systems, gather information about installed software, certain security settings that are required to monitor those systems, create a baseline and monitor for changes to ensure those changes are authorized," Weber explained, adding that he also built from that script an advanced forensics tool that collects volatile information as well.
Throughout the discussion, Weber discusses his SANS training classes, observations about where organizations are struggling and succeeding with cybersecurity, and how the Friday InfoSec Chats came about.