Student Research Symposium and Engineering Technicians

Two weeks ago ISU hosted its annual Research and Creative Works Symposium. It is a really neat event that gives any student – graduate or undergraduate – a forum at which to share their work. Students simply sign up and, voilà, they have a speaking spot in front of a panel of judges and anyone who might come support them!

I think this is a very useful, low stakes practice for students.

This year I am supervising two graduate student research projects. One, who chose to present at the conference, is investigating the effects of ransomware in Southeast Idaho. A handful of organizations, including local governments, health care, and manufacturing, have all taken a ransomware hit. The student’s research is qualitative, relying on interviews with individuals who were impacted. Really insightful to have a collection of first-hand perspectives.

I was so impressed that all my graduate students will be required to present next year!

But that wasn’t what I found the most intriguing. After my student presented, I stuck around to hear other presentations.

I was especially intrigued by research into training levels of psychiatric technicians. Psychiatric care technicians work in mental health facilities and have more regular contact with patients than any other health care provider. They engage in a variety of interventions, including group therapy sessions.

Despite the boots-on-the-ground role that these technicians play for patients, in Idaho and 45 other states (if I remember the statistic correctly), there is no baseline education or training requirement for such technicians.

The student had created and administered a questionnaire to a variety of psychiatric care professionals at a local psychiatric hospital to see what level of training psychiatric technicians should have. The student’s research found (again if I remember correctly) that a technician should have between 8 and 40 hours of training related to their role – which training could be concurrent with job function.

When she was finished, another member of the audience (who I surmised was the student’s supervisor) asked “what do you plan on doing next?”

“Well,” the student responded, “In our program we have learned about lobbying. I am going to lobby for change. I think there needs to be a minimum level of training these technicians need to have.”

Ahhh. Now you can see where I am going…

In the OT sphere, in the USA alone, we have probably several hundred thousand technicians – instrumentation and control technicians, electrical engineering technicians, mechanical engineering technicians – who install, configure, operate and maintain industrial control systems – systems that provide electricity, drinking water, and manufactured goods. Not a single state (0 of 50) requires them to have any cybersecurity training or demonstrated competence.

“Wow”, I thought, “We require barbers and hairdressers to have professional licensure in all 50 states. But there are no requirements for those individuals whose job performance directly affects the well-being of millions.”

This is an addressable issue. Let’s get on it.

Tech Expo 2024!

The ISU College of Technology hosts an annual technology fair for middle school and high school students from across Southeast Idaho. The event, held in the ICCU Dome, attracts more than 2,000 teens to explore technology careers.

Industrial Cybersecurity has hosted a Tech Expo “booth” for 7 years. During the event, I stand in the thoroughfare and ask the youthful attendees “have you ever hacked a computer? Come on over and we will show you how!” 

Not a tough sell.

This year I had several of my current Industrial Cybersecurity students run the booth — coaching the high-schoolers through the exercise. We sit the high-schoolers across from one another and help them create a “secret” file via command line, use a default ssh password to access the other person’s computer, steal the secret, and race to shut off the other person’s computer.

Students who have never thought about this get quite excited. When asked what they learned, some students reply that they didn’t know hacking was so easy.

The event is a whirlwind as the booth stays full for four hours. I would estimate we ran 50 or 60 students through the exercise.

What impressed me most this year is that when I asked students what they were planning to do after they finished high school, I had three or four tell me “I am going into cybersecurity.” I even had one tell me, “I heard about hackers taking out a power grid. I want to do that.”

With a big smile I was able to tell them, “We are almost full for Fall, but I think there’s still some room. Just call or email, and we will get you signed up!”

PCAST Report on CPS Resilience

I enjoyed reviewing the “Report to the President” on “Strategy for Cyber-Physical Resilience” from the President’s Council of Advisors on Science and Technology (which boasts some big-name institutions).

The Strategy offers a total of 14 recommendations across four categories:

  • Establish performance goals
    • 1.A Define sector minimum viable operating capabilities and minimum viable delivery objectives
    • 1.B Establish and measure leading indicators
    • 1.C Commit to radical transparency and stress testing
  • Bolster and coordinate research and development
    • 2.A Establish a National Critical Infrastructure Observatory
    • 2.B Formulate a national plan for cyber-physical resilience research
    • 2.C Pursue cross-ARPA coordination
    • 2.D Radically increase engagement on international standards
    • 2.E Embed content on cyber-physical resilience skills into engineering professions and education programs
  • Break down silos and strengthen government cyber-physical resilience capacity
    • 3.A Establish consistent prioritization of critical infrastructure
    • 3.B Bolster Sector Risk Management Agencies staffing and capabilities
    • 3.C Clarify and strengthen Sector Risk Management Agency authorities
    • 3.D Enhance the DHS Cyber Safety Review Board (CSRB)
  • Develop greater industry, board, CEO and executive accountability and flexibility
    • 4.A Enhance Sector Coordinating Councils
    • 4.B Promote supply chain focus and resilience by design

The report provides some context and insight on each of these. I can’t help but comment on 1.A. “Define sector minimum viable operating capabilities and minimum viable delivery objectives”.

I really like this idea because it shifts focus from the system itself (networks, software, process equipment) to the delivery of the critical function (power, water, food, etc). This is a great step in thinking through what matters most.

My observation is that in a highly interconnected world, with global supply chains, setting a scope for performance for an entire sector seems challenging because sectors don’t really “exist”. They are not monoliths. Their value is the service they provide to various users and customers, rather than to themselves.

Consider that the number and size of infrastructure service providers can vary greatly depending on geography. What is the minimum level of electricity or water to sustain quality of life for Southeast Idaho? For the city of Los Angeles? For the state of Texas? So the approach has got to include both sector and geography.

And within those geographies, various organizations rely on infrastructure services. Who should receive those services first?

Then, we have to recognize that sources of communications, energy, food, water, and medicine frequently (most frequently?, almost always?) operate across geographic boundaries — including in some (many?) cases across national boundaries.

Finally, each sector is not truly independent of other sectors. One geo-sector’s minimum viability may depend upon and/or conflict with that of another geo-sector.

I am pleased that the PCAST took up this topic. I am very optimistic about incorporating function-centered thinking. I find intriguing the idea of establishing minimum viable operating capabilities and objectives. However, I remain concerned that administrative constructs based primarily on sectors and geographies leave significant gaps.

There are some words in the strategy, such as “enhance supply chain focus” and “enhance cross-sector coordinating councils” that could address this concern, but I found this presented as “do this too” rather than as an indispensable component of CPS robustness and resiliency.

I am not advocating abandonment of sector and geography thinking, but I believe we will need some additional paradigms and/or alternative perspectives to do this well.