We had 17 students in the Industrial Cybersecurity program cohort last August. All 17 graduated this Spring — either with their first Associate Degree (2 year program), or with an Intermediate Technical Certificate (1 year program on top of a previous degree).
I love the cohort model because it allows students to work with people who have different backgrounds. Four cohort members were veterans. Two had previous master’s degrees. One was a graduate of the Naval Academy. Several were over 40. A couple were barely 20. Many of the students had lined up jobs and internships before graduating.
As the program has grown, the curriculum and delivery have improved. On the whole, I’d say that this cohort made it farther than any previous group. As we completed a Jeopardy-style review for the program-comprehensive knowledge exam, I loved it when students pointed out errors with the questions!
I am excited to see where these students go and how they influence not just their employers, but the industry and the world!
We launched a new course: ESET 181 IT-OT Fundamentals about three years ago. I am the primary course author. I haven’t done a lot of looking, but it could be the only such course in the country.
Industrial Cybersecurity students take the course in their first semester. It is also a required course for ISU’s Electrical Engineering Technology (EET) students. This means that we teach two sections each fall, and one section each spring (EET has a start in the spring and fall).
The first time I offered the course, it was rough. Industrial Cybersecurity students really liked it. But EET students couldn’t see why they needed to learn about computers and networks.
So, we sat down and really worked through the course to make it relevant from day 1. We structured the hands-on elements of the course around a semester long project-based learning (PBL) experience.
I love PBL — especially when the projects are applicable to real life. Because we are in Idaho, we based the project around upgrading the automation system for dehydrated potatoes.
Students read a real news article and a real job posting explaining the needs of a local employer.
The students then learn about the convergence of IT and OT with a variety of hands-on experiences. These include tearing down a computer, designing a SCADA HMI screen, creating a simple temperature control loop with a Raspberry Pi, performing basic switch configuration, and many others. In the end, these aggregate into a final project.
The image below shows the kit students build as they learn about the concepts. The temperature control loop consists of a light bulb, thermocouple, and relay board.
We’ve made several enhancements over the years (and have more to make!), and I am pleased to say we are hitting the mark. Here is some feedback from three of our EET students who just completed the course:
The most important thing I learned from the project was how interconnected OT and networking are. When drawing the network diagram I realized how the two are becoming closer and closer together. I learned that even though I am in an OT role, a good understanding of IT will put me leaps ahead…
The most important thing I learned from the project was the importance of a network and why the Purdue model is such a useful tool. When everything is connected and running it has to work in sync or the whole system doesn’t work. The networking is so much more than I thought it was and I do have a more profound respect for it.
The project helped me understand aspects of IT/OT the most. These were the networking of OT devices, setting up networks, and I was so grateful for the many examples of real world situations and scenarios. I can definitely see myself reflecting on this class and the learning activities as I enter and progress through my career.
Last year we placed a graduate with a water and wastewater systems engineering firm — that does SCADA master plans, HMI design, and PLC programming, along with cybersecurity and resilience consulting.
The graduate has had several of his colleagues and supervisors come to tour our instructional facilities and discuss our curriculum.
On a recent tour, we stopped and looked at the conduit bending station I blogged about several weeks ago.
We looked at our flow control trainers and talked about the custom multiplexing printed circuit board.
We stopped to examine the “pressure wall” in our mechanical engineering technology area. Here our students can adjust the height of pumps that move liquid through pipes of various materials — copper, PVC, steel. They can open and close valves by hand. And they can hook the pipes to pressure transmitters. They get to calculate pressure head and think about turbulent flow.
The graduate said “I’ve heard so many people say ‘In my job, I don’t use anything I learned in school’; but, I feel like I use everything I learned in this program.”
Some may ask what these things have to do with cyber security — well, these determine the effects of an attack. This is what you can do if you control the pumps and the valves.
Our guest was impressed: “I wish this program had been around when I was a student!”
One of the things I enjoy most about being an instructor is getting to know my students. Our program has a capacity of 20 students, and runs as a cohort. Because I teach several classes at a time (this semester I am teaching five), I get to spend quite a bit of time with the students.
I love getting to know my students as individuals. I love finding out where they came from, and what interested them in cybersecurity. I come to appreciate their unique experiences and points of view. I enjoy their creative abilities. I especially like giving them individualized feedback.
Near the conclusion of each school year, the University alumni organization puts on an awards ceremony for 11 outstanding students — one or two from each college at the University. This year I nominated a student to receive our Outstanding Student Achievement Award — and I was pleased that he was chosen to receive that honor.
This student — who happened to be from Pocatello (our university town) — did something unique and impressive: He asked one of his teachers from grade school, one from middle school, and one from high school to be present at the ceremony; then, during his acceptance remarks, he shared a short experience where each teacher had positively influenced his life.
I am sure it was a rewarding moment for those teachers to feel that they had influenced this student in some small way.
According to information shared openly about his academic performance, this student had a 3.98 (scale of 4.0) GPA: he had received one single B during his entire undergraduate studies.
Now, before the ceremony began, I was chatting with another instructor from my department. He said to me “I am very happy for this student. But when I realized that I had given him his only B, I felt like I might have ruined his perfect run.”
I responded in jest “Well, he will remember you one way or another!”
Then, I smiled immensely when in his acceptance speech, after honoring his grade school, middle school, and high school teachers, the student called my colleague’s name and said “he is a demanding teacher who expects his students to work hard, knowing it will serve them well as professionals, and I am thankful for the learning experience I had in his class.”
I ask students in our IT-OT Fundamentals course to create a short slide presentation about a current event in industrial automation — which they then share with the class.
The assignment increases their familiarity with industry trade publications and gives them a sampling of intriguing news.
Ethernet to the transmitter (SPE), and connected pumps were a couple of developments that caught my attention — because they represent a transformation of both input and output. Couple this with cloud services, and things can get very interesting.
A couple of weeks ago I made a trip to Utah State University in Logan, where we talked with the fine people running the innovative Center for Anticipatory Intelligence. At lunch, one faculty member asked me a very thoughtful question (especially for someone who isn’t a cybersecurity person): “Do you think the new systems being built today are more or less vulnerable than what we’ve created in the past?”
My response? “On the whole, I am afraid we are making the most vulnerable industrial processes we’ve ever had.”
That should give us a lot to think about – with important implications for how we educate and train the emerging workforce.
Here is something you might not have expected: We have all our cybersecurity students take an energy systems hands-on lab where they spend a session learning to bend metal conduit. We actually have a nice little conduit bending station. Students get to try making several different bends. It is not necessarily an easy thing to do!
Cybersecurity students have sometimes wondered — especially in the heat of the moment — “Why am I learning to bend metal conduit? This is not what I ever intend to do as a professional!”
I tell them, “I don’t think you will ever bend conduit. But you will never look at a facility — and especially the conduit — the same way again. That’s what makes us different from ‘traditional’ cybersecurity programs.”
To me, a fundamental part of bridging the IT-OT gap is appreciating another perspective — learning to value the training, competencies and objectives of someone else; and, maybe even to revere differently competent technical professionals as artists in their own right!
The conduit bending exercise also gets the students thinking about the cables — not just power, but communications. Near the end of the program, in our Critical Infrastructure Defense class, we discuss attack vectors — who, when, and where could a structured threat actor strike? The point of the cables comes back up — and when reinforced with examples of tapping tools — the security implications of every inch of cable suddenly make a lot more sense!
A couple of years ago we had planned to carry out an Industrial Operations Combine for all students in ESTEC programs. We intended to pattern the Combine after the NFL combine, where regional industrial employers could come and watch students perform a variety of simple tasks, and conduct interviews.
Unfortunately, COVID-19 forced us to re-think our approach. Instead, for the past two years, we have held an “interview night” for industrial cybersecurity students.
The purposes of this event are to:
1. Allow program stakeholders to interact with the potential employees produced by the program.
2. Give every student a short and realistic interaction with a potential employer (regardless of whether the interviewer is actually hiring at the moment).
Interview Night format:
* Interviews conducted via Zoom.
* Each interview lasts ~30 minutes.
* Each interviewer conducts two interviews.
* Interviewer and student are paired in a Zoom breakout room.
Interviewers are free to craft their own interview questions, but they could include:
* What interests you most about a career in industrial cybersecurity?
* What course or project was engaging to you?
* We often face INSERT RELEVANT CHALLENGE, how would you suggest we address that?
We have 17 students finishing up the industrial cybersecurity portion of the program — be it AAS, or Intermediate Technical Certificate. About 7 of those will continue on for a Bachelor degree, and enter the workforce in January or May 2023, which leaves 10 that would like to enter the workforce in May. We have four or five students who will graduate with their BAS this May (2022).
Of these 17, twelve were able to attend Interview Night. We had 14 industry representatives show up — meaning that every student got two half-hour interviews! Industry reps hailed from INL, West Yost, Accenture, Nucor, 1898, TSA, Mandiant, Siemens, Duke Energy, and QED. I am so thankful for their fantastic support.
I would say that this year’s interview night was one of my favorite parts of my five-year adventure in education — the opportunity to show off the product – the students — to the consumer — industry representatives!
In my last post I told a very short version of my relationship with ISU’s industrial cybersecurity program. Here I’ll address the second motivating factor for a shift in professional direction: a goal I set for myself in 2005 of obtaining a PhD.
In 2016, I told Corey Schou, who had invited me to return to ISU, “I am willing to make a change; and I have two goals: first is to create the world’s best industrial cybersecurity degree program, and second is to obtain a PhD.”
Corey said “Great! I’ll introduce you to one of the best PhD supervisors I know”, and soon I was engaging with Jill Slay — then at La Trobe University in Melbourne.
Jill happens to be one of the world’s leading experts in cybersecurity education. She was co-chair of the international advisory board of the CSEC-17 project that formally established cybersecurity as an academic discipline.
My friends with PhDs had told me that the best thing you can do is find an outstanding supervisor – someone who knows the space, has confidence in your capabilities, and can provide the right level of support, without being overbearing.
Jill was all that plus the sincere belief in the value of each individual. She personifies the power of careful, critical thought. Each time my work hit a roadblock, she expressed confidence and optimism in me and the work I had undertaken.
How did I have time to do the PhD work while simultaneously building the industrial cybersecurity degree program at ISU?
Well, I chose the thesis topic “Foundations of Industrial Cybersecurity Education and Training”. So, there was natural and even necessary congruence. In fact, I don’t think I could have built the program without doing the PhD nor done the PhD without actually building the program, because building something right takes time and critical thought; it takes understanding what others have done before, and determining what needs to be done now.
I am pleased to report that in December 2021, the office of graduate research at the School of Engineering and Mathematical Sciences at La Trobe University accepted my PhD thesis.
You can find the thesis at this link in case you’re interested.
It is dense, but makes several important contributions to the field:
Clarification of differences between industrial cybersecurity and common cybersecurity for use in guiding education and training
Comprehensive review of current state of industrial cybersecurity education and training guidance documents/efforts
Proposed workforce development framework for industrial cybersecurity
Archetype industrial cybersecurity job roles
Knowledge categories, topics and justifications
NSA CAE-style knowledge unit for industrial control systems
Key tasks for each archetype role
Leverage point for future standard development
Historic documentation of process used to create the world’s first cybersecurity education and training standards
As you can tell, I am very thankful to Dr. Corey Schou and Dr. Jill Slay. I also need to thank La Trobe University for the full tuition graduate scholarship. I thank the INL, especially Eleanor Taylor, Wayne Austad, Zach Tudor, Shane Stailey, and for always asking “what can we do to help?” and then providing the help! I also thank Dr. Diana Burley of American University for her thoughtful examination of the thesis — which helped me keep the focus appropriately on “foundations”.
I really do think the work makes some strong initial steps towards establishing the foundation; and, I acknowledge that we still have a long way to go!
In 2017 I made a significant professional and personal change of course. I was working as the Director of Industrial Control Systems at FireEye’s threat intelligence team. We had a great team, and had produced some compelling intelligence products.
But, I could see that critical infrastructure and industrial control systems were not on the list of important priorities for the company. I did not live in the San Jose or Washington, DC areas — which meant that my access to decision makers was only occasional.
I had been invited by Dr. Corey Schou, under whom I had studied previously, to teach one night a week in ISU’s newly created Cyber-Physical Security program. I was affiliate faculty. I viewed it as my chance to give back a little. It was a low-pressure situation. We only had three students signed up. It was probably best described as an experiment on both the University’s part and mine.
Through the process I recognized that I really enjoyed teaching. Students engaged with the subject matter. And when I walked through the hands-on educational laboratories in the ESTEC building, I realized there was a great opportunity to make something special — to build the next generation of industrial cybersecurity defenders — to create the program I wished I would have been a part of.
So, at the end of a year of teaching pro bono, I decided — let’s do this full time. It was a major change in many ways.
I found the ESTEC department amazing. Instructors have a mix of degrees — from AAS to MS. The requirement to teach was not academic credentials, but real world experience. These are the practical, “get it done people”, in contrast to the “let’s think about how we might go about this if we never had to actually do it” people (said somewhat tongue-in-cheek).
Perhaps most impressively, everyone in my department was focused — entirely focused — on the students. These students would leave their various programs with a two-year degree making between 55 and 70 thousand dollars a year. Placement near 100%. It really is a neat place to be. And they have been very supportive of my vision and efforts.
We changed the program name to Industrial Cybersecurity Engineering Technology. We changed course names. We pushed a BAS pathway through the system so that students from a broad variety of Engineering Technology courses could have a clear pathway to a bachelor degree that included layering cybersecurity on top of their previous hands-on experience. This last change has allowed students with Engineering Technology degrees in Instrumentation, Electrical, Mechanical, Nuclear Operations and On-site Diesel power to come through the program.
While we started with a heavy reliance on several adjunct faculty members (who had fantastic cybersecurity experience but no industrial cybersecurity experience), I worked my way through the course offerings, eventually authoring the following courses:
ESET 0181 IT-OT Fundamentals
CYBR 3383 Security Design for Cyber-Physical Systems
CYBR 3384 Risk Management for Cyber-Physical Systems
CYBR 4481 Critical Infrastructure Defense
CYBR 4487 Professional Development & Certification
CYBR 4489 Capstone
ESET 4499 Current Intelligence Practicum
I have to admit that I have never worked harder. My previous efforts at entrepreneurship, as an expert analyst, and as a team manager were engaging and fulfilling, but do not compare with the breadth of competencies (beyond teaching) I have (attempted to?) developed as an instructor and program coordinator. For example:
Helping administrators accurately understand the cybersecurity space
Collaborating with peers from other departments on curriculum
Recruiting students into the program
Coordinating access to instructional space
Ensuring students with disabilities have every opportunity to succeed
Building and running an advisory committee of employers
In the end, it is very rewarding to see students become excited, work hard, and obtain great employment helping secure our critical infrastructure; but, it is no wonder that it is challenging to find, create, and retain good instructors in such an important, emerging field. I hope we are preparing the way!
My work at ISU (in collaboration with INL and LaTrobe University) has not just been about developing a single Industrial Cybersecurity program — it has really been about addressing a critical need that has been overlooked — that is the need to intentionally and systematically develop an industrial cybersecurity workforce.
I know the statement “critical need that has been overlooked” will meet with opposition — and that some who have reviewed my work not only disbelieve the claim, but find it offensive. There are several reasons for this disagreement, and maybe I’ll discuss them in a later post, but here’s a slide that I think summarizes the current state of affairs:
Yes, there are bright spots at a variety of schools, including University of Houston, Purdue, Everett CC, and others (along with ISU). But the vast majority of the efforts I see focus on adding some ICS content into programs that create traditional cybersecurity professionals and researchers. My observation is that from a strategic point of view, such an approach will be insufficient to securely design, build, operate and maintain critical infrastructures in the age of digitization.
Maybe we don’t just need centers of academic excellence for this space. Maybe we need centers of engineering excellence!