CCE textbook

Our Critical Infrastructure Defense course incorporates the Consequence-driven Cyber-informed engineering textbook by Bochman and Freeman of the Idaho National Laboratory.

I like the text because it pulls so many thoughts into a single resource. Bochman especially (and I making assumptions about which concepts he principally wrote and which Freeman wrote) draws from leading reports and commentary that support the CCE approach. And there are some great quotes in there from dozens of sources (even including me!).

I also like the text because it lays out the CCE methodology — and what else could you expect?

CCE differs from other methodologies because it includes both the often-overlooked intelligence aspects of a cyber-operation against critical infrastructure and the engineering aspects of preventing a specific physical consequence.

On the other hand, I think the text missed an early opportunity to create its own language around the methodology.

One example is that the phase 4 language involves “protect”. In a podcast/video interview Dale Peterson did with the authors a year or so ago, Dale asked (and I paraphrase here) “why the focus on ‘protect’ when most of the industry has accepted that protection is a bound-to-fail approach?”

It seemed to me that the responses of Bochman and Freeman didn’t hit this head-on. The obvious answer is that when CCE talks protection it means preventing the selected physical consequence — literally engineering it off the table, rather than preventing a breach of a network asset (which is how the broad cybersecurity industry uses the term “protect”).

I give that example to point out that the choice of terminology could influence the clarity of the methodology and the confidence with which it is viewed. In this instance, I would prefer the official terminology refer directly to “cyber-physical fail-safes” instead of “protect”.

In the end, I am pleased that Bochman and Freeman along with the INL team and their government supporters put this out there for use – even if it’s not perfect yet! I am excited to see a variety of firms latching onto the concepts and implementing them in their own work. And I’m thankful to have the book and other publicly-available materials to teach students who will soon work for those firms.

The Survey

In the education and training world, curricular guidance documents (sometimes called content standards), help educators ensure they are teaching what needs to be taught.

To help address a lack of “industrial-ness” in cybersecurity curricular guidance, Idaho State University (ISU) teamed up with Idaho National Laboratory (INL) and the International Society of Automation (ISA) to solicit input from industrial cybersecurity experts.

The result is the industrial cybersecurity knowledge survey.

The output will be a consensus-based curricular guidance document. We also plan to release an analysis of the data, a description of how the survey came to be, and the raw data for anyone to review.

The survey is open through the first week of February. If you haven’t taken it, do it now!

Diversity in a new semester

One of the great feelings of being a teacher is seeing the enthusiasm of your students. It is a humbling experience to recognize that someone is placing a high value on the ideas you intend to impart to them.

I have a handful of students getting a jump start on next fall’s start date by taking a couple of classes with me this spring semester. One has a previous AAS in information technology systems, one has a previous AAS in nuclear operations, and one has a previous AAS in Mechatronics — all going on for bachelor degrees in cyber-physical systems. Two decided to change majors from Computer Science to Industrial Cybersecurity.

When I asked the CS majors why they wanted to change they said they wanted to do something more hands-on!

This same group of early starters includes a veteran, a career changer, an international student, a female, and traditional student from my same town. Thinking about that inspires me to do and be better!

This new video highlights the diversity of our great programs: ESTEC Power Careers.