National Cyber Warfare Foundation (NCWF)

What’s My Daily Life Like (in OT DFIR)?


2025-04-01 03:53:51
milo
Red Team (CNA)

One of the most common questions I get asked by aspiring (and current) cybersecurity professionals is what my odd niche of the universe in critical infrastructure incident response is really like, day to day. So let me give a brief overview of what my work life is like.

The first thing one needs to understand is the nature of DFIR consulting work as a whole. DFIR is an acronym for “Digital Forensics and Incident Response”. This means that we do two discrete roles in one job – technical forensic analysis of potentially compromised computers, and corporate crisis management. DFIR professionals must be excellent, seasoned analysts of disk, memory, network packet, and log data, and great computer detectives. We must also be able to triage crisis situations and deal with the human elements of a breach or hack. The combination of those two challenging skill sets is why DFIR is generally not considered an entry-level cybersecurity role. Most DFIR professionals spend some time in some sort of security analyst or threat hunting role prior to making the move.

My job adds even more complexity to both halves of DFIR. Instead of working in a standard enterprise environment filled with laptops, PCs, and servers, I deal with process environments. OT environments have real-life impacts on life and safety. They include the stack of digital technologies which operate water, gas, electricity, manufacturing, agriculture and transportation systems. When they fail, the consequences can be loss of life and real physical damage or contamination. Very serious, real-life stuff – and adversaries are figuring that out fast.

What that means for the digital forensics side of things is that my cases involve sometimes very strange and very old computing equipment. Legacy is prevalent in OT. I must be able to figure out forensics on computers from the 80s or 90s. I also must be able to work with low-level systems like PLCs and embedded computers. I still must create timelines of modern attacks, with corroborated and court-admissible evidence. There’s little EDR, and a lot of our forensics work is quite manual. I have a soldering iron in my bag to deal with non-standard connectors.

The crisis management side of things is challenging, too. I’m dealing with real-life safety scenarios. Sometimes a customer will go out of business if their process isn’t up and running in a few hours. Sometimes there’s a risk of millions of dollars of equipment damage. Tensions and anger are understandably high. I often must act as a “marriage counselor” between teams. Some of the environments I go to are very remote, and somewhat unsafe. I carry an array of PPE. I must take industrial safety courses.

At an organization that provides retainers for multitudes of organization sizes and verticals, my day-to-day varies a lot. Sometimes there are a lot of calls, and we are frantically busy with 24-hour-notice deployments to anywhere. Sometimes we have fewer cases ongoing, and we can work on some preparatory work for customers or research and training. Call load varies a lot based on adversary campaigns, new intel and exploits, and increasing maturity in organizations to be able to detect ongoing compromises. We respond to all sorts of cases, from insider, to commodity, to state. We must be super flexible, and we are often on the road with only a few hours’ notice. It’s definitely a stressful job.

That’s a small peek into my day-to-day life in OT DFIR. If you want to get into this space, the number one thing you must get great at beyond traditional DFIR is your knowledge of holistic industrial processes, and their hazards and mitigations. Industrial processes are not one device, and industrial cyberattacks are not one enterprise exploit. You must spend time really understanding systems-of-systems, and be ready for challenging, stressful, old-school work.

It’s needed, though. Adversaries are learning the value of building attack capabilities to reach out and touch industrial systems for both espionage and sabotage, and it bodes poorly for the future.

Hope this helps, and see some of you this week at Cyphercon Milwaukee! It will be my last US conference indefinitely.

Source: Lesley Carhart
Source Link: https://tisiphone.net/2025/03/31/whats-my-daily-life-like-in-ot-dfir/

