Photos courtesy of the Department of Education
Reliability Compliance Management Specialist Al Slucher graduated from the Federal Cybersecurity Reskilling Academy on July 15.
Slucher was selected to participate in the inaugural cohort of the FCRA, designed to help federal employees outside of IT build foundational skills in the field of cyber defense analysis. Acceptance was extremely competitive, with 2,500 applicants.
“In December of last year an email came through my inbox from our cyber information security officer with a link to the academy’s website,” Slucher said. “I clicked on the link as fast as I could and not once did I even think it could potentially be a phishing attack!”
Slucher started thinking about the many ways an opportunity such as this one would help him in his career.
Slucher retired as first sergeant from the Arizona Army National Guard after 21 years, with 15 of those being active duty. At WAPA, his responsibilities include monitoring Desert Southwest’s compliance program to maintain and ensure compliance with North American Electric Reliability Corporation standards.
This includes understanding and working with NERC enforcement through the Western Electricity Coordinating Council, participating in regional audits and assisting in the development of regional and WAPA-wide solutions for current and new standards.
“I immediately called my boss and told him that I was interested in applying and wanted to know his thoughts,” remembered Slucher. “I’m paraphrasing, but in short he said, ‘That’s a lot of relevant, quality training and WAPA only has to pay for travel. Do it, and you’d better get in.’”
The FCRA admission process required the submittal of a resume, the completion of a 45-minute aptitude test, the writing of a 500-word essay and an interview.
“Each step in the process was designed by the FCRA to whittle down applicants,” Slucher said.
Fortunately, though, he was accepted, and experienced a variety of emotions when he learned the news. “I was extremely excited and nervous at the same time,” he said. “Mostly I was proud that I was selected.”
Knowledge is power
At the start of the experience, Slucher decided not to waste any of this opportunity. He was going to learn as much as he could and, of course, pass his certification exams.
“The program offered boot camp-style cybersecurity classes with follow-on certification exams,” he said. “I was not sure what to expect as far as classroom and study material, but I was surprised at the depth of the instruction and the amount of material covered that would be testable as part of the certification process.”
Slucher quickly learned how easily a cybersecurity vulnerability can be exploited, which became an instructional moment.
“I went in thinking that it must be difficult to do, but left knowing that it’s extremely easy,” he said. “I know this because I used the tools available to bad actors day in and day out—in a test environment—for three months to hone my skills to pass my exams. I gradually changed my mindset from if you have been compromised to when. And not the future tense of when, but the past.”
He also learned how vigilant one must be to protect against and discover compromises.
“The little things that you do or don’t do can either aid in protecting you or invite compromise,” he said. “This is true whether you are at home or work. Stay current with all security patches for your phones, computers and other devices, and change your passwords frequently. The threat is real and a vulnerability compromise is extremely easy.”
The experience also had a notable, positive impact on his understanding of Critical Infrastructure Protection standards.
“I used to look at it from a requirement and evidence-based approach,” he explained. “In other words, ‘What specifically does the requirement state and do we have the supporting evidence to show compliance?’ Now my approach is threefold: the intent of the standard; the methods available to meet the intent with appropriate evidence; and the risks associated with compliance and noncompliance.”
Slucher finished the course and completed his Global Information Assurance Certification exams. He passed the GIAC Security Essentials Certification exam with a score of 93% and the GIAC Certified Incident Handler exam with 87%.
“Based on my test scores I was offered a spot on the GIAC Advisory Board,” he said. “I was also selected by my peers to give a speech at our graduation.”
Slucher attributes his strong showing to the support of his family and his WAPA colleagues.
“Without their support I would not have been as successful in the course,” he said. “I never worried about their support. It was given without any questions.”
His expanded understanding of CIP has already allowed Slucher to train personnel more effectively and provide stronger insights into potential cyber controls to protect the bulk electric system. He is also excited to put his education to use every day in support of WAPA’s mission.
“My first week back to work was busy, and right out of the gate I used the knowledge I was armed with from the courses,” said Slucher. “WAPA has to map out how we will meet compliance on standards that require electrical utility organizations to have procedures to validate software integrity and authenticity before applying those updates or patches to cyber assets. Without the course and the knowledge I have gained, I would have not been able to speak to possible compliant solutions for WAPA.”
Note: Reed is a technical writer who works under the Wyandotte Technology contract.