At ENCS we’re proud of the work we do protecting Europe’s energy grids. But we also take pride in building a fantastic team and a great place to work. In this blog, penetration tester Can Kurnaz lifts the curtain on what life is like at ENCS.

What do you do at ENCS?

As a penetration tester, I conduct security tests on a variety of operational technology (OT) devices both back at ENCS’ test lab and on-site with utilities around Europe. One day it can be smart meters, the next, electric vehicle charging points and ICS/SCADA systems – there’s a lot of variety.

It’s really rewarding for me as I can find vulnerabilities that vendors may overlook and share my expertise. I’m also playing a significant role in delivering the RTBT [Red Team/Blue Team] training programme, which is another great chance for me to deliver insights on how to secure critical infrastructure.

What is your background and what attracted you to ENCS?

I studied computer engineering and cyber-security for my undergraduate and master’s degrees before working at an IT cyber-security company for three years. I was looking for a new challenge though, and was attracted to ENCS by the chance to work with both IT and OT systems and where they intersect. I joined last summer in 2017 and I’ve been enjoying it ever since.

It’s a big jump moving from IT to OT as you’re dealing with completely different protocols and vulnerabilities, but there’s a real sense of satisfaction when you’re working to secure devices in something as important to society as the energy sector.

What’s your favourite part about working at ENCS?

We’re a non-profit company, meaning we can fully focus on our mission to boost cyber-security measures in the energy sector, which is something I’m passionate about. We focus on critical infrastructure so it’s not just one company that benefits from our work – the whole of Europe does too, which makes it more meaningful.

We’ve also got a lot of stakeholders across the continent so it’s a privilege to help build the expertise of a wide range of different companies through our training. My hope is that we’ll be able to expand this beyond Europe in the future.

What is the working environment like at ENCS?

It’s really collaborative and you’re encouraged to ask questions, which makes it a lot easier to settle in at the start. This is especially helpful if you’re less familiar with the OT side of things to begin with.

We also have a lot of experts and really experienced security consultants and they’re always willing to work with you even when they’re busy. It’s a great team to work with.

Have you been working on anything exciting recently?

We’ve recently been testing electric vehicle charging points and discovered new vulnerabilities that would allow an attacker unauthorised access to do all sorts of things. It’s always a plus when you’re able to anticipate threats to the latest technology – and maybe even better when you get to replicate this on a practical level.

Our RTBT training is always great fun for me. Days one and two are about teaching the participants, and I deliver lectures as part of this stage. The real fun starts with the live simulation on day three though. My role is to help the red team – the attackers – to hack the blue team and take down the grid. I think it’s this realism that really hits home for all of our attendees and they go back to their offices with a new attitude towards cyber-security.

What would you say to someone considering a cyber security career in the energy sector?

Understand the fundamentals and try to think outside the box. Whether it’s network security or handling embedded device security projects, knowing the technology basics is so key for building up your security skills, especially if you’re looking to get into OT security. You need to learn the relevant protocols as they’re totally different from the IT side (as I’m discovering!). Also, a good mentor is very important as it’s hard to learn this all by yourself.