Tips for employers interviewing industrial cybersecurity candidates

As we come down to the end of the semester here, my students are interviewing for internships and jobs.

AMTEC Photos, CC BY-SA 2.0

Based on student feedback, sometimes it seems that employers may not be attuned to the skill sets they need or know how to identify individuals who have the right competencies.

To aid employers in evaluating our students we encourage our students to maintain a portfolio of their projects, including photographs and final presentations from various courses, which they invite employers to review.

In addition to reviewing the portfolio and asking some questions about it, I’ve created the following short list of sample questions that help employers discern between an IT security person and an industrial cyber person capable of bridging the IT-OT divide:

  • Can you share your experience programming PLCs?
  • Will you tell me about how you protect technician lap tops?
  • How do you differentiate between a physical failure and a cyber attack?
  • What steps are involved in calibrating a temperature transmitter?
  • How does one segment an industrial network?
  • What challenges have you faced when creating an ICS asset inventory for security purposes?

Security-related questions for facility tours

A previous post described that our industrial cybersecurity students take at least five tours in their first year.

I created a list of questions that industrial cybersecurity students might ask their tour guide. We look specifically at: Asset inventory, network issues, change detection, external connections, recovery, security, IT-OT gap.

Here’s a sampling:

  • How many different PLC vendors do you have?
  • Has a process ever shut down as the result of a network issue?
  • What procedure is used to make a control logic change (PLC programming)?

The key idea is encourage application of in-class principles to the real world.

It is interesting to hear tour guide responses.

I’ve attached the entire question set in the curricular materials section of the Web site. Happy touring!

Sandworm Discussion Results

A couple of weeks ago I mentioned that Andy Greenberg’s Sandworm is required reading in my Critical Infrastructure Defense course, and I posted a study guide for others to use.

As COVID-19 has moved our in-person class to an online format, I decided to move the Sandworm discussion online too.

We are maintaining the same schedule of chapters each week, but I provided students the following guidance:

  • Pose one thoughtful question about the assigned chapters by Wednesday
  • When posting, please put the main idea or topic of your question as the Subject line. This allows potential respondents to sift through the topics without having to open each post. Moreover, forcing yourself to write a concise, meaningful subject is an important written communication skill.
  • I consider the ideal format for the initial question post to include the following:
    • Brief background
    • Cite the chapter (maybe even page number) — to allow other participants to know exactly what you are referring to.
    • Make an observation
    • Ask a question that elicits thoughtful responses
  • Questions can address something you want to understand better OR something you find interesting to discuss. The following question formats may be useful
    • What was meant by…?
    • Can you help me understand…?
    • What is the difference between…?
    • How would this apply to …?
    • Does anyone else…?
    • What does the class think about …?
  • Thoughtfully respond to two classmate’s questions by Sunday
  • Please re-respond to those who answer the question you posed

We’ve had some fantastic questions and ensuing discussion. For example, here are two questions posed by students (which they allowed me to share publicly):

In Chapter 29, it discusses how there are still different debates about NotPetya’s intentions. What debate do you think is the most cogent for NotPetya’s intentions?

We can see here that the student picked out the concept of intent, and noted that this is a challenging topic. A question like this can lead to discussions about threat intelligence, attribution, attack design, and evaluation of competing hypotheses, among other possibilities.

Here’s another:

For these chapters about NotPetya and how it spread I kept thinking about the Systems of System Analysis and how even outside ICS environments it would be beneficial to all organizations to go through this approach with their networked systems and software as a service system’s. For example, the book talked about hospital dictation software and how it was affected by NotPetya. I am assuming they never considered that as a crucial part of their day to day operations. What are your thoughts on applying system of system analysis on more than just ICS but potentially the enterprise side of the organization? Do you think this would have been beneficial to the hospitals or other organizations affected by NotPetya?

In this case the student took a core concept we cover in the class (system of systems analysis) and found where it would have applied within the Sandworm narrative. Then, the student realized the concept probably doesn’t only apply to industrial environments. This can lead to a discussion about biases of human cognition, differences in expertise necessary to conduct SOSA in an ICS vs IT environment, critical vs non-critical dependencies, and so on.

What I love about using an applied text like Sandworm is that it comes with the context for application — engaging the imagination. Standard texts may encourage vocabulary acquisition, but don’t get to this level of richness.

COVID-19 means no more facility tours this school year

One of my favorite parts of the Industrial Cybersecurity program are the tours our students get to take. We try to get them 5 field trips in the first year alone. This generally includes the ISU heat plant, Great Western Malting, the Simplot Don Plant, Amy’s Kitchen, and a nearby substation. We even bring our own headsets so all students can hear the guide.

Here’s a photo of our industrial cybersecurity students at Amy’s Kitchen. One of our instructors is explaining a principle of operation pointing to an instrument panel. It is super cool that an ESTEC Instrumentation graduate who works at the facility was our tour guide!

For the first couple of tours students are a bit lost, but as the semester progresses, they gain vocabulary and use industrial equipment in educational labs. By the final tours they are excited as they understand how things are working. They can converse with the guide and ask meaningful questions.

So, it was a bit of downer that COVID-19 cut the tours short for the year. We will do our best to get these students into more facilities next fall!