Blog

Building an Industrial Cybersecurity Workforce

Over 2019 and 2020, La Trobe University, Idaho State University and the Idaho National Laboratory worked to create a workforce development framework for industrial cybersecurity professionals.

Details regarding that work from an academic perspective can be found in the Papers section of this site.

Participants envision a series of easily consumable guides entitled “Building an Industrial Cybersecurity Workforce”. Today I am posting the first release in that series “A Manager’s Guide“.

This guide will aid managers in answering four pivotal questions:
1. Are you ready to build an industrial cybersecurity team?
2. How do you structure your industrial cybersecurity team?
3 . What does you industrial cybersecurity team need to know?
4. What does your industrial cybersecurity team need to do?

Identifying the unique knowledge and job roles required of industrial cybersecurity professionals represents a significant step towards developing a capable workforce. We note the ongoing need to establish a repository of knowledge, skills, attitudes, and behaviors on which diverse groups can rely to create training and education standards, personalized training plans, intervention methods, and training content. We anticipate using surveys, interviews, and field observations to expand, further validate, and refine this work.

Future deliverables include an Human Resources Guide and a Career Development Guide for Industrial Cybersecurity.

Rejections

Well, if you see me around, you can congratulate me. I have officially received my first rejections as an aspiring academic author!

One of the conferences to which I submitted was kind enough to provide some cryptic review comments. The other said (paraphrasing) “your paper was reviewed by three experts and found wanting” — no reviewer comments.

It might be easy to become disheartened, but this is the academic way; should I expect anything less? So I will keep at it.

The idea is to critically review the rejected papers, look for opportunities to round-out, re-organize, and maybe be more patient and selective on the target publication/conference. Be sure to incorporate more references from that particular conference or publication (homage to the reviewers?) .

Several months ago, I had an exchange about my topic with a well respected cybersecurity educator. She went straight for the jugular: “Your topic might be fit for a term paper, but not a dissertation.” Imagine me reading that email: doubt, despair, defensiveness.

One of my supervisors encouraged “Engage. This is how she treats PhD candidates. She’s at least giving you her time and attention.” So, we went the rounds, I made my case. She shot down my arguments one by one, but then left me an opening. And I took it. In the end she was even conservatively complimentary.

I think part of the challenge is providing sufficient context so that people who think they “already know all about it” recognize they really might not — all while balancing what you, as the author, might not know yet either.

New “Papers” Section

I’ve been very busy the past month writing, writing, writing.

You will now find a section entitled “Papers” within the site menu. This is where I will post the papers I’ve written related to the topic of industrial cybersecurity education. I’ll post the manuscript versions there, and then replace them with the published versions. This also allows paper reviewers to find manuscripts to which I refer (if self-references are allowed in copies submitted for review, of course).

The first papers I’ve posted describe the need for industrial cybersecurity education as a well-defined sub discipline. They examine efforts to establish industrial cybersecurity education and training standards 1) in the USA, and 2) in the world. They also provide detailed recommendations to improve the situation.

As you might expect with most academic literature, the papers are a bit dense; but, I’ve tried to ensure they flow well. I will cover elements of the content in later posts.

In the end, analysis finds that current standards fall short in three ways:

  • They were created without consideration for the unique needs of industrial control systems
  • They lack thorough development
  • They do not account for the career paths of industrial professionals

Against the Banking Model of Education

I’m about halfway through  “Pedagogy of the Oppressed” by Paolo Freire. It’s not a light book.

I picked it up as I was looking for thoughtful content on education. The book fit in well with the course I took on education evaluation (see previous post).

So far, I think I agree with several principal points:

  • What Freire described as conscientization seems the most important learning that a human being can have. To me, this means increasing one’s awareness of how things really work, and one’s relationship to the world, in order to make the world a better place.
  • I agree that it is not enough to merely understand our world, we must dedicate ourselves to its progress, or our lives are without meaning.
  • We cannot ignore the nakedness and hunger and misery of the human creatures on this planet without consenting thereto.

Freire harshly criticizes what he calls the prevailing banking model of education wherein instructors anesthetize student minds prior to depositing their own rote concepts, which they expect the students to vomit forth on command.

The criticism reverberated within me. I felt like I had experienced banking model instructors. I do not want to be among them.

I want students to have their own insights — insights which surpass mine. It’s not that they don’t need structure or guidance. It’s that they need to be and feel firmly in control of their journey of discovery — their journey to become.

To me, the glory of education lies not in the intellect of the instructor, but in the potential of the pupil.

Of course, I recognize that feeling these feelings and typing these words is the easy part. I have to align interaction with my loved ones, with my students, with my colleagues, and with the world around me to achieve lofty ambitions by careful and considerate daily effort.

I decided that on the first day of 3383 Secure Systems Design, I will require the students to write a 5 minute essay on “why cybersecurity matters”. Then we will have a robust discussion wherein I take the opposing side of the debate: “Cybersecurity does not matter”. And, I have plenty of great criticisms, and some serious doubts!

My hope is that in their very first interaction with me, they will see that it is okay to think outside the box, and that I want their reasoning to seriously consider alternate perspectives.

Fantastic support builds fantastic programs

I think I am passionate. I consider myself at least a medium-term visionary. I think I’ve worked hard to help create a program that will improve the lives of students, help maintain more resilient infrastructures, and serve as a pattern (or at least learning experiment) for future programs across the country.

Fortunately, I’m not in this alone. This year I gained a profound appreciation for the sincere and enthusiastic participation and support of people with boots-on the ground experience and horse-in-the-race enthusiasm. I want to call out three of them:

First, the Idaho National Laboratory provided financial support which we used to create 8 flow control trainer stations. Several INL subject matter experts serve on Industrial Cybersecurity program advisory committee. Two top-notch analysts came to brief students on the Consequence-driven Cyber-informed Engineering (CCE) methodology. Several students ended up INL summer internships!

Second, Blackmere Consulting visited to provide focused job seeking and resume building guidance. Blackmere’s personal touch and cyber focus really sets them apart. Students found the talent acquisition perspective invaluable.

Third, Rockwell Automation’s Eastern Washington team provided insightful program advice, referred employers to us, and provided PLCs to upgrade ESTEC’s instrumentation engineering technology laboratory!

An enormous Thank You! to these organizations and their passionate personnel!

Online Instruction and the Feedback Loop

In my mind, the individualized feedback loop is at the core of education. Anyone can buy a book. Anyone can watch a video. The value you cannot get “on your own” is individualized expert feedback.

I made the image below to describe the idea of how formalized learning generally occurs. It’s not as if there is anything novel here, but it provides good background. You can see that “Provide Individualized Critique” is an instructor responsibility during the grading or sign-off intervention.

As we shifted to online mode curing the COVID-19 outbreak, I was most concerned about the “provide individualized critique” element.

Being that I teach in a hands-on environment, students work on laboratory exercises, then come to me for sign-off. I review their progress on-the-spot and say “Great start. Have you considered N?” They address N, and come back. I ask, “What about O?” And so on. Until they and I are satisfied with their work. I sign them off.

Under this arrangement, students are progressing at different rates. They are working with each other. They overhear what I tell other students. It works quite nicely.

For example, we spend several weeks working with ICS device inventories for security purposes. In one exercise I require students to identify what fields they would want the inventory to include, and why.

Generally speaking, the sharpest students are not those that get it right the first time — because no one does. They are those that move through the loop more times.

Once we went online, this level of individualized feedback was largely lost. Students were submitting their lab assignments as best they could, and I provided feedback, but then it was on to the next exercise. Instead of running through that loop several times, we only made it through once.

As the in-person paradigm is now regularly supplanted by the online paradigm in schools throughout the world, I/we will struggle to maintain (and enhance) our effectiveness.

I am particularly concerned about how this will play out for technical professionals, who will be expected to keep critical facilities like water provisioning systems up and running — for whom “work from home” is not an option.

“Hands-on. Online.” We’re going to figure this out.

Graduation 2020

This was a fantastic school year in so many ways. The Industrial Cybersecurity program grew from 2 graduates in May 2017, to 3 in 2018, 6 in 2019, to 13 in 2020! (We are enrolled at capacity for Fall 2020, and have started a plan for competitive enrollment for Fall 2021).

I am so pleased with my students. I made the following video to share my congratulations with them.

The students gave their Capstone presentations yesterday. I wish there had been an audience of 100 people there to see how far they had come in two years. Among the projects, we had a student who put together a simple power grid simulation using equipment donated by SEL. We had a student who made an ICS security job posting board. We had several students examine ICS security technology solutions. My personal favorite might have been the student who write a short story about the consequences of not hiring the right industrial cybersecurity talent.

Nothing would make me happier than to have them pass me up in a few years — and I am sure they will!

The courses

I am sure I will address this in greater detail in the future, but I wanted to tell  readers about the actual courses in the Industrial Cybersecurity Engineering Technology program at Idaho State University.

You can see from the list that 13 of the 28 courses fall into the industrial process control category, six fall into cybersecurity, and three fit under IT. This is a specific and intentional program design intended to make sure our graduates are ready to enter the industrial/plant floor environment.

In fact, what we really want is students to graduate from any of the other hands-on engineering technology AAS degrees offered in our department: electrical, instrumentation, mechanical, nuclear operations, then go get a job and work for a couple of years. With real-world experience under your belt, return to enroll in Industrial Cybersecurity,  where they can bring valuable real-world perspective into the classroom, and increase their earnings potential.

Tips for employers interviewing industrial cybersecurity candidates

As we come down to the end of the semester here, my students are interviewing for internships and jobs.

AMTEC Photos, CC BY-SA 2.0

Based on student feedback, sometimes it seems that employers may not be attuned to the skill sets they need or know how to identify individuals who have the right competencies.

To aid employers in evaluating our students we encourage our students to maintain a portfolio of their projects, including photographs and final presentations from various courses, which they invite employers to review.

In addition to reviewing the portfolio and asking some questions about it, I’ve created the following short list of sample questions that help employers discern between an IT security person and an industrial cyber person capable of bridging the IT-OT divide:

  • Can you share your experience programming PLCs?
  • Will you tell me about how you protect technician lap tops?
  • How do you differentiate between a physical failure and a cyber attack?
  • What steps are involved in calibrating a temperature transmitter?
  • How does one segment an industrial network?
  • What challenges have you faced when creating an ICS asset inventory for security purposes?

Security-related questions for facility tours

A previous post described that our industrial cybersecurity students take at least five tours in their first year.

I created a list of questions that industrial cybersecurity students might ask their tour guide. We look specifically at: Asset inventory, network issues, change detection, external connections, recovery, security, IT-OT gap.

Here’s a sampling:

  • How many different PLC vendors do you have?
  • Has a process ever shut down as the result of a network issue?
  • What procedure is used to make a control logic change (PLC programming)?

The key idea is encourage application of in-class principles to the real world.

It is interesting to hear tour guide responses.

I’ve attached the entire question set in the curricular materials section of the Web site. Happy touring!