Time really does fly. I’ll tell myself I’m going to post something next month, blink, and somehow four months have already passed. So what have I been up to?
I stepped away from the technical side for a bit to focus on some home upgrades. Lots of furniture assembly, running new electrical, and painting. Productive, just in a different way. Although I’ve still been studying, I haven’t been able to dedicate as much time to it as I would have liked.
That said, I knew it was time to get back into more focused, structured learning, so I picked up a couple of new books. Below are my thoughts on some recent reads and related learning material.
Threats: What Every Engineer Should Learn from Star Wars
I was hoping for more Star Wars references woven throughout the book. I expected something lighter, maybe a fun, theme-driven way to explore security concepts. While there were references sprinkled in, the overall feel was more like a high-level cybersecurity course with occasional Star Wars analogies.
Some examples raised in the book include questions like how R2-D2 was able to access the Death Star’s systems to determine where Princess Leia was being held. From a security perspective, how was he able to interface with a critical military system so easily? There should have been proper authentication, authorization, and network segmentation controls in place to prevent an unauthorized device from gaining access to sensitive operational data.
The same theme applies to redundancy and resilience. In Episode I, when Anakin destroys the Droid Control Ship, the Trade Federation immediately loses control of its entire droid army. That represents a massive single point of failure. A secondary command ship, distributed control architecture, or even degraded autonomous operation could have prevented total operational collapse.
Interestingly, later iterations of the droid army appear to move control closer to the edge, embedding autonomy within the droids themselves rather than relying on centralized command. From a systems engineering perspective, that shift improves resilience and reduces the impact of a single catastrophic failure.
Overall, the book was interesting, and I would recommend it to someone just getting into cybersecurity, or to professionals in engineering or other technical fields who want a broad introduction to security fundamentals without going too deep into technical detail.
Engineering-Grade OT Security: A Manager’s Guide
This one was far more compelling to me.
What makes OT security so interesting for me is the translation of digital compromise into physical consequence. We’ve seen this repeatedly in the real world:
- Stuxnet, which targeted Iran’s nuclear enrichment program by manipulating centrifuge speeds.
- NotPetya, which disrupted global shipping and logistics, including Maersk, along with energy and transportation companies, ultimately causing an estimated $10 billion in global damages.
- The Colonial Pipeline incident, which many in the U.S. experienced firsthand. That attack was relatively basic: compromised remote access without MFA. It did not directly impact the pipeline’s ICS environment. Instead, it affected the business-side systems responsible for billing and custody transfer, which forced operations to shut down. The book notes that having an estimated billing capability could have reduced operational disruption.
- There have been multiple cyberattacks against power infrastructure in Europe, including a well-known incident a few months ago in Poland that impacted a power plant.
The book reinforces well-known best practices: logical separation of systems, conducting risk assessments and tabletop exercises, and ensuring appropriate cyber insurance coverage. However, it frames these practices specifically within an Operational Technology context, referencing architectures such as the Purdue Model.
More importantly, it introduced concepts I wasn’t previously familiar with, including:
- The use of unidirectional gateways to protect consequence boundaries — those points where a cyber failure or compromise can transition into real-world physical impact.
- Standards such as IEC 62443, which provide a framework for securing industrial automation and control systems.
- Practical approaches to separating traditional IT environments from control-critical assets like programmable logic controllers (PLCs), remote terminal units (RTUs), and human-machine interfaces (HMIs).
Overall, this book felt grounded in the realities of protecting critical infrastructure and highlighted how quickly “just IT” issues can become operational or even kinetic problems.
To complement the book, I also went through Mike Holcomb’s Getting Started with Industrial (ICS/OT) Cybersecurity course, which is available for free on YouTube. It aligns well with many of the concepts covered in the book and serves as a solid foundation for understanding how cybersecurity principles apply within industrial environments. If you’re already working in cybersecurity, you can probably move quickly through some of the introductory material. However, the course does a good job of reinforcing core OT fundamentals, architectural concepts, and the mindset shift required when moving from traditional IT security into control system environments.
Finally, I decided to fire up a LetsDefend challenge focused on OT systems called ICSFuelStation to get some hands-on experience. This scenario was fairly straightforward: analyze a PCAP containing communications between an external actor and an Automated Tank Gauge (ATG) system.

After reviewing the traffic and referencing external material, the activity closely aligned with prior research published by Rapid7, which identified numerous ATG devices publicly exposed to the internet. In those cases, the issue wasn’t sophisticated exploitation; it was insecure deployment and direct exposure of control interfaces, often without proper authentication or network segmentation.
It was a good reminder that in OT environments, the risk often isn’t advanced zero-days; it’s basic exposure of control-critical systems that were never meant to be internet-facing in the first place.
This is the third book I picked up. I’m still working through it, but so far it’s shaping up to be a strong introductory resource for understanding how AI systems function, how they’re built, how to properly define scope, and the types of risks they introduce into an organization.
Jason Dion is one of the listed authors. I’ve used his training material in the past when preparing for certifications like Security+, PenTest+, and CySA+, so that gave me some added confidence in the structure and delivery of the content.
The book draws heavily from the NIST AI Risk Management Framework, which provides a structured and credible foundation for managing AI-related risk. That alignment makes it especially useful for organizations trying to operationalize AI governance rather than just understand the technology at a high level.
To complement the reading, I’ve also been working through IBM’s free YouTube videos — short, focused segments (typically 5–20 minutes) that break down core AI concepts in a practical way. In addition, I completed ISACA’s Artificial Intelligence Fundamentals online course, which helps bridge the gap between technical AI concepts and governance, risk, and compliance considerations.
Together, these resources have provided a balanced view: foundational understanding of how AI systems work, paired with practical insight into managing the security and risk implications that come with deploying them.

That’s all for now!