The world around me and how Industrial Control Systems interact with it, fascinate me!
Where it all began
When I started high school, we started using a graphical calculator; a TI-83 Plus. It was a calculator with a big screen, the ability to plot graphs and support for programs in an assembly-like language.
The first program I wrote was to plot hyperbola/parabola and perform all relevant calculations needed for exams. Soon after I figured out that it was possible to allocate very large matrices in memory to consume all working memory, leaving the calculator unable to perform even basic calculations. It was a program (malware?), which I happily shared with some of my classmates before exams.
Where it went to from there
In my Embedded Systems bachelor, I continued enjoying programming small microcontrollers and designing hardware using low-level languages, such as C, C++ and VHDL. During my second year, I accidentally bricked a small microcontroller using a buffer overflow and my curiosity for breaking was sparked.
I continued my studies at the Technical University of Eindhoven (TU/e) in Information Security Technology. I always added Embedded System courses to every semester. For my master’s thesis, I found a field, on the intersection of Cyber Security and Embedded Systems: Industrial Control System (ICS) security.
At Deloitte, I found guidance for my master’s thesis about malware for ICS and after graduating I started working in the pentest team and the ICS team. Initially, I developed a (Siemens S7) ICS demo environment where trains are controlled and performed a lot of Web App & infrastructure pentests. After two years, I got more challenging tests, projects abroad and ICS assessments. When I became the technical lead of the ICS team, I created trainings, shared knowledge, improved the technical client-proposition and integrated Red Teaming approaches into ICS assessments. I even flew out for an ICS Incident Response project helping a multinational client securely restore production of one of their sites back to normal.
After almost 7 years, hacking 20+ industrial facilities on 4 continents and hundreds of IT networks and applications, I felt that I was ready for the next step in my career and joined Outflank.
My coolest project ever
My coolest projects have one thing in common: They were all huge industrial facilities. I’ve hacked some of the largest complex refineries, chemical and metal production facilities on the continent/world. I always found it fascinating to experience the beauty, immense size and complexity of these ICS sites. Learning about the network, processes and controls while hacking them was like a dream.