By Mark Jacob for MxD
When Abhishek Ramchandran was just 14 and playing the videogame Warcraft III, he “downloaded a bad mod for the game and just lost all my data.”
He was so angry that he resolved to find the digital vandal. He traced the perpetrator’s IP address to the Philippines, but he stopped there because, after all, he was only 14.
The incident set Ramchandran on his path to a career at Siemens as a penetration tester, a “white-hat hacker” who looks for vulnerabilities in computer systems.
With cybersecurity becoming increasingly vital to American industry, it’s a career that’s attracting a lot of interest—from gamers, reformed hackers and people who just love puzzles.
MxD, the nation’s digital-manufacturing institute, talked to Ramchandran and two of his Siemens colleagues about careers in cybersecurity and the field’s importance in safeguarding industry.
Ramchandran graduated from Manipal University in India, earned a master’s degree in cybersecurity from New York University, and then joined Siemens. He lives and works in Princeton, N.J.
“I love what I do,” the white-hat hacker said. “Finding vulnerabilities is like games. It’s one of my dream jobs that I’ve always wanted to do.”
While Ramchandran earned a graduate degree, he doesn’t think that’s a must for success on the job. But a job trying to break into digital devices does have one major requirement: the ability to think deviously. “You just need to have a more creative and open mind, a devious mind to think like a hacker and somehow make these devices do something that they’re not programmed to do,” he said.
Hackers are always looking for weak spots.
“There are a lot of things that developers and hardware manufacturers don’t look at nowadays,” Ramchandran said. “These are the kinds of things that are picked up by hackers and that they use to somehow circumvent the boundaries…in software and hardware.”
The landscape is constantly shifting.
“Hacking is something that keeps changing almost every day,” he said. “My job is only successful if I can keep up with this evolving state of hacks.”
It’s that constant evolution that makes cybersecurity such a daunting challenge for every sector of the US economy, including manufacturing. Industry’s growing reliance on automation, advanced control systems and remote work is expanding the attack surface—and increasing demand for workers trained in cybersecurity.
“There are so many career opportunities in manufacturing cybersecurity. The demand for talent is much greater than the supply,” said Liz Stuck, who leads engagement and workforce development at MxD. “Some estimates put the US shortage of skilled cybersecurity professionals at almost 500,000.”
“Building this new workforce—this new army—of cyber-experts is everyone’s responsibility,” added Stuck, who pointed to MxD’s cybersecurity Hiring Guide as a roadmap that can help. “We need companies to upskill their workers, schools to rethink their curricula, and policymakers to come through with funding.”
Kyle Graham is another cyber-expert for Siemens; he fights on the front lines as a system analyst in Cincinnati.
“We work in the Cyber Defense Center,” he said, monitoring Siemens’ network of businesses around the world and their approximately 500,000 machines. “We basically watch them for any unusual activity, signs of breaking in and hacking, things like that. We organize responding to those and remediating those kinds of situations.”
Graham’s path toward cybersecurity started even earlier than Ramchandran’s.
“My dad’s been doing IT since I was a kid,” he explained. “I’ve had a computer since I was probably like 5.”
In high school, Graham honed his cybersecurity skills on a website called VulnHub.com, which provides exercises for aspiring hackers. Then he got an undergraduate degree from University of Cincinnati in IT with a focus on cybersecurity.
Graham described a typical issue: “We’re getting an alert that something weird is going on. We go in, we take a look, we look at the surrounding evidence and decide if this is actually a problem or not.”
Among the problems that Graham handles is adware, in which an invasive program injects ads onto the pages that a user is browsing.
Then there are the spear-phishing campaigns in which someone poses as a job recruiter, gets an email recipient to download a resume form, and runs code on their computer that allows an invader to “move laterally” to machines that the person’s machine has access to.
Does Graham think a college degree in cybersecurity is necessary to succeed in the field?
“I would say it’s not required,” he said. “There are plenty of people who have gotten into this field without it.” But, he clarified, usually those people worked in IT or technology for many years and built up the necessary knowledge and experience. “In the perfect world, it would be a mix between my formal education and an apprenticeship or internships to bring someone into the security field."
People who like to keep gaining knowledge and taking on new challenges are the types who might thrive in cybersecurity, Graham said. “It’s one of those fields where there will be constant learning. There are new attacks...new techniques. Everything is adapting always. If you like puzzles, problem solving, things like that, it can be very rewarding.”
One downside, he noted, is that you’re never going to be 100% successful. “Someone’s always going to get in. It’s inevitable. “They only have to be successful once, but you have to win every time. Those odds are never in your favor.”
Tristan Horlamus, who works for Siemens in cybersecurity research and development, agreed that you can never declare victory over hackers and must keep developing new defenses.
“If you stop learning, then you will be stuck behind your enemies,” he said. “Everything is driving toward connectivity, toward the internet, so the attack surface is tremendous.”
Horlamus grew up in Germany and became interested in cybersecurity later than Ramchandran and Graham. The son of a carpenter, “I was never into software before I went to college. I wasn’t expecting to end up in this domain at all."
He earned a bachelor’s degree in electrical engineering at the Technical University of Nuremberg, then joined Siemens as a software developer. Siemens transferred him to Princeton in 2016, and he later moved into cybersecurity development.
He likes the fact that he can work with Siemens’ white-hat hackers. “Talking to colleagues now who are in the penetration testing area, you can get insights into how attackers think, which you as a developer would never have thought of."
Asked about the biggest cybersecurity dangers faced by industry today, Horlamus replied, “The biggest threat is always the human being.”
People can be sloppy or careless, he explained, like when they click on an email that they think is for them but is really a phishing email. “Or maybe someone gets bribed to bring in malware and plug a USB stick or something like that in a system,” Horlamus said.
Horlamus participates in SAFECode, a global industry forum that includes Siemens and other powerhouses like Microsoft and Google. Its mission is to exchange insights and ideas on creating, improving and promoting scalable and effective software security programs. SAFECode’s members are often competitors, but they collaborate on this issue.
“When it comes to cybersecurity and how to secure your products, I wouldn’t call it as much of a competition,” Horlamus said. “It’s really a sharing of best practices. We also, of course, want to learn from our partners in SAFECode on how we can improve our security posture when it comes to product development. Because nobody’s perfect, right?”