Infosec Skills author Matthew Campagnola is forging a new path in ICS security
It’s the summer of 2018, and Matt Campagnola is all of one year removed from being an undergrad student at the University of Delaware. He’s landed a job with the prestigious consulting firm Booz Allen Hamilton, a 27,000-employee behemoth with over $6.5 billion in annual revenue.
His first assignment? Design and build an Industrial Control Systems (ICS) lab from scratch.
Matt laughs as he recounts the story. “They basically said, ‘Here’s a half million dollars. Go start buying stuff.’” So much for kid gloves.
A formative experience in ICS
Despite his age, Campagnola wasn’t a total cybersecurity neophyte. He had earned a bachelor’s degree in computer engineering with a minor in cybersecurity and spent a few months working with the university’s IT security analysts after college. But this was a whole different ball game.
Step one? Figure out what an ICS actually is. From there, Matt voraciously consumed every bit of knowledge he could get his hands on, both from his manager and experts in the field. He soon realized that the sector was ripe for growth.
“As we progressed, I started digging in more, realizing how small of an industry it really is. You’d have a lot of companies and papers that are just referencing each other.” This made reviewing relevant literature relatively easy, Matt said, but it also led him to see how small that knowledge base really was. An avid learner, Campagnola eventually completed the project, setting up his team for future success.
From this daunting task came two main realizations. First, he could make an outsized impact compared to many other cybersecurity subdomains. Second, he’d be able to use his lack of experience to his advantage.
“I hadn’t been tarnished by industry yet; hadn’t had a role where I was an automation engineer or an IT cybersecurity analyst. I had all of these relatively fresh backgrounds and was able to meld them into this very unique ICS cybersecurity role.” This allowed Matt to feel comfortable proposing new ideas and solutions, providing further reinforcement that he had chosen his career wisely.
Covering the essentials of ICS/SCADA
Campagnola is now an ICS/SCADA (Supervisory Control and Data Acquisition) Cybersecurity Engineer at Applied Integrated Technologies in Baltimore. In this capacity, he applies his strong theoretical chops to a practical setting, conducting assessments and cybersecurity activities on live systems in the field. Matt considers himself fortunate to work with a strong team that has a combined 150-200 years of cybersecurity experience.
As the author of Infosec’s ICS/SCADA Security Fundamentals Learning Path, he teaches the basics of ICS operation and security. His pedagogic approach focuses on teaching general principles that can be applied in a number of settings. He does the heavy lifting by mastering the topic’s foundational resources and then distilling the key points into widely relevant, highly contemporary contexts.
“I coalesce broad themes that I’ve had to embody over the past couple of years. The course crosses a lot of different areas, and they’re very broad, but that’s deliberate.”
Rather than rattle off endless statistics and facts, Campagnola builds students’ core knowledge in a way that allows them to react quickly and make snap decisions. Learners can then put their skills to the test with an interactive project steeped in MITRE ATT&CK and NIST frameworks. As such, the course is especially relevant both for ICS specialists looking to gain a more generalized cybersecurity understanding and for “jacks of all trades” who want to dig deeper into ICS.
The unique role of — and need for — ICS/SCADA expertise
As in all areas of cybersecurity, the private-sector ramifications of poor knowledge or practices are of course huge. But as Matt notes, ICS cybersecurity directly impacts every one of us. “This is the bulk electric system, your sewage system, your gas, even your telecommunications. They’re all tied into these larger systems that are automated.”
While not kinetic in the traditional foreign policy sense, disruption of ICS-dependent systems and their brethren can create hardships for civilian populations on par with many traditional warfare tactics. Denying access to infrastructure systems is undoubtedly one of the core dimensions of modern military conflict. “It definitely gives a weightier feel behind not only the industry, but what you’re essentially protecting. It’s that mindset of defending a national system versus defending a corporate personal system.”
As much as he enjoys being among the emerging leaders in his field, Campagnola is extremely eager for more hard-working folks to join his peer set. There’s a massive discrepancy between existing talent and exponentially increasing demand, and that pipeline can’t be built overnight. Matt recommends that aspiring ICS/SCADA engineers train hard and network extensively. Also, learn your acronyms.
“If you’re able to speak with the operator in a language they understand, you can get to all the critical information…and faster.”
About Matthew Campagnola
Matt Campagnola is a cybersecurity professional with experience designing secure ICS/SCADA network architectures as well as conducting cybersecurity assessments of critical infrastructure, manufacturing plants and public utilities. In his free time, Matt enjoys participating in ICS/SCADA-oriented hacking events on both the offensive and defensive teams.