Sandworm Book Review

A while ago I finished Andy Greenberg’s Sandworm. Here’s my single-sentence review:

Couched within the fascinating journeys of real-world characters striving to understand the implications of our evolving cyber world, no other book provides as rich and accessible a discussion of cybersecurity, threat intelligence, critical infrastructure, and nation-state threat actors as Greenberg’s Sandworm.

I’ve read many of Greenberg’s articles over the years. I admire his breadth of coverage, and ability to take complex topics and prepare them for a popular – though tech literate – audience.

I appreciated that the book represents Greenberg’s personal journey to answer the question “who is Sandworm?”, making an easy journey for the reader as well. While I found myself laughing – and even shouting out loud – in agreement, I also frowned a time or two. As someone who spent a decade of his life dedicated to understanding and explaining the cyber threat to critical infrastructure, things that seemed obvious to me were sometimes revelations to Greenberg, and several conclusions I thought were plain wrong. But knowing that he was simply (and eloquently) describing his journey encouraged my patience.

Greenberg seems naturally a people person – which contributes to the book’s accessibility. I was surprised and pleased by his effort to paint the personalities of the main cast of characters.

John Hultquist and I worked together on Sandworm-related threat intelligence at iSIGHT Partners (which acquired my firm Critical Intelligence in March 2015) and later FireEye. I ran the Attack team, and Hultquist ran the Espionage team. We offered complementary coverage as I analyzed the industrial control aspects of Sandworm activities. When the electric transmission pylons serving Crimea were blown up in fall 2015, we collaborated to warn our customers that cyber attack against Ukraine utilities would be a likely Russian response. We presented together on the S4 Main Stage on the first Ukraine outage just weeks after it occurred. In Sandworm, I was pleased to see Hultquist’s own fascinating story presented to the world.

Rob Lee and I crossed paths many times over the course of his rise. I found Andy’s description of Rob excruciatingly accurate. Rob’s intelligence, contagious passion and persuasive ability have driven him to stardom, and attracted great talent into his firm, Dragos. Early on he invited me to join him, too. But I had an alternate vision of my future.

In all, I decided to make this book mandatory reading for students in my Critical Infrastructure Defense course. Students remember stories – and Sandworm provides rich context for exploration and application. Plus, I have developed my own profound perspectives around these same events.

I created a Sandworm Discussion Guide, which you can find in the Curricular Materials section of my Web site at this link. Happy teaching!

Teaching to the test? continued

This post is part 2 of “teaching to the test”.

We just reviewed differing opinions on whether it’s okay to teach to the test, and I promised to tell what approach I was taking in ISU’s Industrial Cybersecurity Program.

In my program, I require a Professional Certification course. It’s really a professional preparation course, but the main thrust is obtaining the SSCP cert.
  • First, I want my program to tie to some external validation point.
  • Second, I want students to enter my program clearly expecting to take and pass the exam.
  • Third, no single existing certification will accurately reflect what my students know and can do as they bridge IT and OT.
  • Fourth, the class covers a breadth of cybersecurity content not covered in other classes – so it’s not just review.

I specifically chose to have a class that teaches to this exam because that way the “narrowing of scope” that concerns Ravitch and Schou (see previous post) is confined to a single space and time.

If content from that course spills into other courses, or vice versa, that’s a benefit rather than a drawback.

I chose the SSCP cert because it is an appropriate medium level certification. It has a reasonable price point for students, and is tied to a nonprofit membership association — the (ISC)2. Thus, the certification is tied to professionalism rather than merely a credential. Moreover, maintenance of the certification requires continuing professional education credits. It also requires adherence to a formalized statement of ethics. I encourage my students to participate in the ISC2 Idaho Chapter.

Students are required to take the exam, and its costs are included in the course fees.

I also use this course to ensure students transition to the workplace. They are sharpening their resumes, honing their social media profiles, and conducting mock interviews.

Teaching to the test?

In my education evaluation class (in which I am a graduate student) we’ve been learning about, well, evaluation — through the framework of Kirkpatrick’s four levels.
Kirkpatrick’s level 2 deals with learning assessment. That is, tests students take.


On my brief commute, I’ve been listening to Diane Ravitch’s book The Death and Life of the Great American School System.
Ravitch, addressing primarily K-12 education, holds that teaching to the exam leads to narrowing the curriculum, particularly in English and mathematics. She explains that exams are imperfect one time measures of a student’s overall learning, and do not account for myriad characteristics that cannot accurately be tested, many of which have a significant influence on the ultimate success of a student.
In addition to my class and my commute listening, I recently read a statement on the educational philosophy of Dr. Corey Schou, who was my own masters thesis supervisor.
Schou decries approaches that teach to the exam. He believes that the educational experience should be sufficient to prepare the student for the exam.
Schou was an early member of the (ISC)2 organization, which certifies information security professionals. The major component of that certification is passing an exam.
Schou expects his students to pass the (ISC)2 Certified Information Systems Security Professional (CISSP) exam upon exiting his program, and explains that his graduates have had a 100% pass rate on the CISSP since his first graduate took it 15 years ago.
To be fair, I know that his students do spend time directly preparing for the exam (who wants the shame of breaking that trend?); but, it is absolutely true that he does not teach to it.
Other education thinkers, including training expert Robert Mager, do believe in teaching to the exam. In his view, if the exam appropriately reflects what a student really needs to know, then why wouldn’t you teach to it?
How are we addressing this in the ISU Industrial Cybersecurity program? Come back next time to find out!

Industrial Operations Combine

This year I volunteered to advise our International Society of Automation (ISA) student club. We have a good number of participants across all five programs (electrical, mechanical, instrumentation, nuclear, industrial cyber) and fantastic student leadership.

The club determined to organize an Industrial Operations Combine – modeled after the NFL Scouting Combine. We invite potential employers to come and see the students in action completing a challenge such as wiring up a PLC, interpreting a P&ID, or running Wireshark. This gives them a great feel for what our students can really do, rather than just what a resume says.

Participating employers receive resumes and contact details for all candidates, and can schedule interviews for the next day. If this sounds intriguing, come and check it out. Then sign up to bring a challenge next year!