I am pleased to announce the ISAGCA Webinar on building a new generation of industrial cybersecurity professionals this coming Thursday (April 25).

The Webinar will present the current culmination of nearly a five year effort to establish a concensus-based foundation of knowledge that qualifies industrial cybersecurity professionals

Following the webinar, the 125-page document and all the supporting resources will be available on the ISAGCA web site. This will serve as a valuable resource for the entire community. This would not have been possible without collaboration among DOE/INL, ISAGCA and ISU.

On the Webinar, I will discuss the broad needs, methodology and results of the work.
In addition to the “knowledge” document, we are releasing all of the data gathered and analysis performed. Importantly, this documentation includes the self-reported professional and academic qualifications of the participants. This an impressive level of transparency.

In addition, we are preparing an academic article that focuses on methodology and key insights in greater detail.

Here is the link to the Webinar registration. I hope you will join us!

Last week I attended the Cyber Security for Critical Assets conference in Houston. I was impressed. Low key, probably 200 attendees plus reps from 20 vendors. Hight asset owner presence. I loved hearing the hallway conversations — people talking about real challenges and real experiences.

I was surprised by the candor in the technical deep dive sessions: OT security practioners at asset owners talking about how they had built their programs, including what technologies they had selected for what purpose, and what they planned to do next.

I moderated a panel on workforce development. While it seems everyone likes training,  ours was the only presentation that dealt specifically with intentional developing your people. Panelists included Nikolai Zlatarev of Castleton Commodities, Jude Ejiobi of University of Houston Downtown, and Chuck Bondurant of the Texas Public Utilities Commission.

It was a great panel, and I appreciated representation from industry, academia, and (quasi) government. Each panelist had a different professional pathway into OT security, and that was a key take away. It is such an interdisciplinary field.

Nikolai emphasized that the best way to develop skills was through real world experience. He liked to throw people all the way in. He explained that his career was one great challenge after another. He was obviously a man who had learn to thrive in ambiguous environments, and has a knack for keeping a positive attitude.

Jude does a good bit of security consulting work, and was brought into academia as a lecturer, but now helps direct the UH Downtown Masters in Security Management. Practical and well-spoken.

Chuck came into OT security when he learned that he wasn’t cut out for retirement after military service. His job involves liaising with and supporting Texas utilities on cybersecurity. When he took the job, he had no idea what a PLC was, but his military cybersecurity experience gave him a solid foundation to build on.

I think there is great value to having candid conversations about developing ourselves and our programs. I will look forward to next year!

The ISU College of Technology hosts an annual technology fair for middle school and high school students from across Southeast Idaho. The event, held in the ICCU Dome, attracts more than 2,000 teens to explore technology careers.

Industrial Cybersecurity has hosted a Tech Expo “booth” for 7 years. During the event, I stand in the thoroughfare and ask the youthful attendees “have you ever hacked a computer? Come on over and we will show you how!” 

Not a tough sell.

This year I had several of my current Industrial Cybersecurity students run the booth — coaching the high-schoolers through the exercise. We sit the high-schoolers across from one another and help them create a “secret” file via command line, use a default ssh password to access the other person’s computer, steal the secret, and race to shut off the other person’s computer.

Students who have never thought about this get quite excited. When asked what they learned, some students reply that they didn’t know hacking was so easy.

The event is a whirlwind as the booth stays full for four hours. I would estimate we ran 50 or 60 students through the exercise.

What impressed me most this year, is that when I asked students what they were planning to do after they finished high school, I had three or four tell me “I am going into cybersecurity.” I even had one tell me, “I heard about hackers taking out a power grid. I want to do that.”

With a big smile I was able to tell them, “We are almost full for Fall, but I think there’s still some room. Just call or email, and we will get you signed up!”

I enjoyed reviewing the President’s Council of Advisors on Science and Technology (which boasts some big name institutions), “Report to the President” on “Strategy for Cyber-Physical Resilience”.

The Strategy offers a total of 14 recommendations across four categories:

• Establish performance goals
  • 1.A Define sector minimum viable operating capabilities and minimum viable
    delivery objectives
  • 1.B Establish and measure leading indicators
  • 1.C Commit to radical transparency and stress testing
• Bolster and coordinate research and development
  • 2.A Establish a National Critical Infrastructure Observatory
  • 2.B Formulate a national plan for cyber-physical resilience research
  • 2.C Pursue cross-ARPA coordination
  • 2.D Radically increase engagement on international standards
  • 2.E Embed content on cyber-physical resilience skills into engineering professions
    and education programs
• Break down silos and strengthen government cyber-physical resilience capacity
  • 3.A Establish consistent prioritization of critical infrastructure
  • 3.B Bolster Sector Risk Management Agencies staffing and capabilities
  • 3.C Clarify and strengthen Sector Risk Management Agency authorities
  • 3.D Enhance the DHS Cyber Safety Review Board (CSRB)
• Develop greater industry, board, CEO and executive accountability and flexibility
  • 4.A Enhance Sector Coordinating Councils
  • 4.B Promote supply chain focus and resilience by design

The report provides some context and insight on each of these. I can’t help but comment on 1.A. “Define sector minimum viable operating capabilities and minimum viable delivery objectives”.

I really like this idea because it shifts focus from the system itself (networks, software, process equipment) to the delivery of the critical function (power, water, food, etc). This is a great step in thinking through what matters most.

My observation is that in a highly interconnected world, with global supply chains, setting a scope for performance for an entire sector seems challenging because sectors don’t really “exist”. They are not monoliths. Their value is the service they provide to various users and customers, rather than to themselves.

Consider that the number and size of infrastructure service providers can vary greatly depending on geography. What is the minimum level of electricity or water to sustain quality of life for Southeast Idaho? For the city of Los Angeles? For the state of Texas? So the approach has got to include both sector and geography.

And within those geographies, various organizations rely on infrastructure services. Who should receive those services first?

Then, we have to recognize that sources of communications, energy, food, water, and medicine frequently (most frequently?, almost always?) operate across geographic boundaries — including in some (many?) cases across national boundaries.

Finally, each sector is not truly independent of other sectors. One geo-sector’s minimum viability may depend upon and/or conflict with that of another geo-sector.

I am pleased that the PCAST took up this topic. I am very optimistic about incorporating function-centered thinking. I find intriguing the idea of establishing minimum viable operating capabilities and objectives. However, I remain concerned that administrative constructs based primarily on sectors and geographies leave significant gaps.

There are some words in the strategy, such as “enhance supply chain focus” and “enhance cross-sector coordinating councils” that could address this concern, but I found this presented as “do this too” rather than as an indispensable component of CPS robustness and resiliency.

I am not advocating abandonment of sector and geography thinking, but I believe we will need some additional paradigms and/or alternative perspectives to do this well.

As we have built the industrial cybersecurity program one of the coolest things we have done is develop our ESET 1181 Introduction to Cyber-Physical Systems course.

Industrial Cybersecurity students take the course in their first semester. I like to think of it as the entire program packed into a nutshell. With 20+ hands-on activities, students get brief exposure to topics that other courses will cover in greater depth.

During lucky week 13, we discuss the roles and responsibilities that professionals will encounter, and describe the factors (especially the non-technology factors) that have created the IT-OT gap.

I describe several real-life experiences where the gap loomed beneath. Then I ask students to deploy their creative energies to express gap. Over the years students have submitted poetry, skits, videos, and posters. I wanted to highlight a couple student videos that you might find entertaining. Happy viewing!

One of the things I did not fully anticipate when I left FireEye/Mandiant to lead ISU’s Industrial Cybersecurity Program was the full range of skills I would need to excel as a Program Coordinator.

Naturally, domain expertise is important — but curriculum design and development, overseeing faculty, interacting with students from a variety of ages and social backgrounds, receiving calls from parents, hiring faculty, guiding adjuncts, running advisory committees, creating exams and scoring rubrics, selecting high quality materials, dealing with department, college, and university curriculum review committees, making proposals to the state board of education, submitting grants has been much more involved and challenging than I anticipated!

I was very pleased to have some good marketing help in the form of the video above. It features a variety of faculty and staff that have made the Industrial Cybersecurity program a great success over the years! I love that it features our real students.

A special shout-out to Ryan Pitcher who is among the most dedicated faculty I can imagine. At school early and late. Always willing to take time for students and peer instructors alike. It is faculty like him that make ESTEC a hiring staple for technical professionals at regional, national, and global competitive firms!

If you are looking for well prepared entry level industrial cybersecurity talent, please reach out to me.

When I read congressional testimony from Jen Easterly on January 31, 2024 I was quite surprised. Check out this quote:

Unfortunately, the technology base underpinning much of our critical infrastructure is inherently insecure, because for decades software developers have been insulated from responsibility for defects in their products. This has led to misaligned incentives that prioritize features and speed to market over security, leaving our nation vulnerable to cyber invasion. That must stop.

The discussion over liability for software has been going on for a long time. Dale Peterson touched it in his post last week.

Our world depends on software – for which there are varying degrees of quality control. And the companies selling this software intentionally disclaim responsibility for their products via EULAs. Remarkably – but not unexpectedly – this is true even in the ICS space. Here is an excerpt from a leading ICS vendor’s EULA . I don’t intend to pick on this vendor alone because this type of language is standard practice across the industry.

VENDOR makes no representation or warranty, express or implied, that the operation of the Software will be uninterrupted or error free, or that the functions contained in the Software will meet or satisfy Your intended use or requirements; You assume complete responsibility for decisions made or actions taken based on information obtained using the Software. In addition, due to the continual development of new techniques for intruding upon and attacking networks, VENDOR does not warrant that the Software or any equipment, system or network on which the Software is used will be free of vulnerability to intrusion or attack.

Key passage there “VENDOR does not warrant that the software… will be free of vulnerability.”

Can you imagine requiring drivers who cross a high suspension bridge to sign a user license that says “we do not warrant that this bridge will support your vehicle”?

In my CYBR 3383 Security Design Principles class, one of the principles we highlight is “professional liability” — which means putting one’s name, reputation, honor, career, on the line.

Putting your name on the line is the standing expectation of engineers who sign engineering documents. And it extends to other fields as well.

In general, professional liability is missing from the software industry.

While I am not an expert in software development, I observe that there is a lack of support for software engineering licensure. I am not saying a license should be required in all cases, but certain software is running processes upon which millions of people depend for clean water and reliable electricity every day. Shouldn’t there be some overarching minimum professional standard for these individuals and their work?

Easterly envisions:

We must drive toward a future where defects in our technology products are a shocking anomaly, a future underpinned by a software liability regime based on a measurable standard of care and safe harbor provisions for software developers who do responsibly innovate by prioritizing security.

I’d like to hear more about that…

I was visiting the NCEES web site the other day. NCEES is the National Council of Examiners for Engineering and Surveying. That is the group that produces/maintains the Fundamentals of Engineering (FE) and Principles and Practices of Engineering (PE) examinations.

In States of the United States, passing the PE exam is a requirement for obtaining professional licensure as an engineer.

PE exams are offered in 16 fields, ranging (alphabetically) from Agricultural & Biological to Structural.

During the course of seven years developing the country’s first Industrial Cybersecurity degree program, I have asked myself what success would look like for the country.

One core idea (and I am not the only person to think this way – see DOE Cyber Informed Engineering effort) is that professional licensure for all engineering AND engineering technology fields would require some basic knowledge, or even better, basic competency in cybersecurity.

So, when reviewing the NCEES PE exam specifications document for Control Systems Engineering (CSE), I was pleased to find an entry for “Security”. It states:

D. Security of Industrial Automation and Control Systems
1. Security (e.g., physical, cyber, network, firewalls, routers, switches, protocols,
hubs, segregation, access controls)
2. Security life cycle (e.g., assessment, controls, audit, management of change)
3. Requirements for a security management system
4. Security risk assessment and system design
5. Product development and requirements
6. Verification of security levels (e.g., level 1, level 2)

This seems like a great start. I was left wondering what the exam questions might actually entail. Maybe I will have to take the exam to find out! I was able to gather that the CSE is offered exactly once each year at a Pearson Vue center.

Perhaps more importantly, I wondered:
* Are these the most important security concepts for a control systems engineer to know?
* How will cybersecurity knowledge affect the behavior of a control systems engineer?
* What are the correct answer rates for each question?

Interestingly, the exam specifications for the following exams (where we might hope to find it) do not name security (as in cybersecurity) among covered topics:
* Electrical and computer – electronics, controls, and communications
* Electrical and computer – power
* Industrial and systems

Specifications for the other exams (where we might be less expecting to find it): Agriculture and Biological, Architectural, Chemical, Civil, Environmental, Fire Protection, Mechanical, Metallurgical, Mining and Mineral Processing, Naval Architecture and Marine, Nuclear, Petroleum, and Structural do not mention cybersecurity despite its cross-cutting implications.

It is very informative that the NCEES Web site makes pass rate information available for all of the exams. A review of this data shows that in the 2023 year, the Control Systems Engineering exam was administered 221 times, with a 57% 1st time pass rate.

The data also indicates roughly 19,000 individuals take a PE exam in any field for the first time each year (data provided is biannual for some tests, I multiplied those by two to make an annual estimate).

In short, I believe there is a real opportunity to bake cybersecurity into the engineering discipline here, but it is going to require some serious effort!