From participation in last-week’s symposium, it is clear that CAEs are developing in several significant ways:

1. Increasing number of CAE-designated institutions
2. Requiring each program to align to recognized cybersecurity roles
3. Incorporating competency statements

I am going to dedicate the next several blog posts to these topics. Today I am covering the increasing number of CAE-designated institutions.

Over the 27 years of its existence, the CAE community has grown from just 7 institutions to 467. This is an annual growth rate of 16.84 percent. That is quite impressive. Play that out for another 10 years and we would be looking at about 2,000 CAEs.

According to the US National Center for education statistics, there are 3,931 higher educational institutions in the USA during 2020-2021. So 2,000 would be a 50% penetration rate. Impressive. Will the demand for entry level cybersecurity professionals continue at that pace for the next decade?

The presentations also indicated that currently, 137 of the 467 CAEs are community colleges (~30%). Department of Education reports that in 2020-2021, there were 1,022 community colleges in the USA. If growth were to achieve a total 50% penetration across all IHEs, we would expect much of the CAE growth to come from community colleges.

At the symposium I made some new friends – including several from community colleges. I loved the community college instructors. Those I spoke with had transitioned to teaching from other careers – one from military service, and another from IT. They love teaching – because they know education makes a difference!

My concern with this rate of growth is that instead of developing centers of academic excellence (CAEs), we are developing centers of educational adequacy (CEAs)! Don’t get me wrong: you must pass through adequacy to reach excellence; but, in a situation (10 years from now) where half the schools in the country rely on canned curricula, free lab experiences, and standardized assessments – what should/will excellence look like?
I have given some thought into how I would stay ahead. I won’t give away all the details here and now, but here are some focal points:

1. New foundational paradigms
2. Transformative experiences
3. Cyber-infused interdisciplinary programs of study
4. Interpersonal excellence

This week I am in Charleston at the National Centers of Academic Excellence (CAE) Symposium in Charleston. I am guessing there are around 500 attendees representing the 467 (if I heard correctly) NSA designated CAEs. If you are a CAE, attendance is required.

A little background: NSA stood up the CAEs in 1998. ISU (where I teach) was one of the original 7 CAEs. The Idea was that there was no specialized accreditation for cybersecurity education. NSA awarded the CAE designation to institutions that aligned their curricula with the NSTISS/CNSS 401x training standards.

Becoming a CAE-designated institution requires having a designated program of study (among other requirements).

Institutions can be designated for cyber defense (CD), research (R), and/or cyber operations (CO).

The good:
It is cool to see such a vibrant community of educators. I think there are seven simultaneous tracks at some points. Because the CAE community is growing, there are lots of schools and faculty that are “new”. It is fun to talk with this friendly group. If you’ve been here before, it is good to see faculty friends from other institutions.

When I go to a conference, I find that I enjoy it more if I attend sessions that I know nothing about.

In that attitude, I rather enjoyed the session by Derek Hansen of Brigham Young University about creating a graphic modeling language for cyber attack scenarios. I wouldn’t call it a stroke of sheer genius, but I understood the power in making students express adversarial thinking graphically.

I have students in my Critical Infrastructure Defense class do a deep dive of the Triton attacks against the oil refinery in Saudi Arabia, and use MITRE ATT&CK to describe the techniques used.

I can see that my assignment focuses on one-step-at-a-time, and ultimately ends up in a good bit of text. So asking students to select and arrange graphics would reinforce a wholistic view and the importance of technique sequencing.

I could perceive that complicated attacks might not fit in one graphic. But that’s ok.

Derek’s presentation got me thinking about modeling (languages) in general. Our (mental) models can limit or empower us. I have spent a lot of effort over the past years consuming and contributing to workforce development models. I carefully compared 15 or so cybersecurity workforce development models for my PhD thesis (chapter 7). None of these natively used a graphical component. I wonder whether a graphical approach would be beneficial there…

The not-so-good:
It’s a bit tough to leave my students during the last four weeks of the semester. For both my graduate students and undergraduates, this is “crunch time”. While I left my in-person classes this week in capable hands of a research assistant, it seemed a bit ironic that a group focusing on academic excellence would host the event at this time of year. Now, there might never be a good time, and planning around spring breaks of 400+ institutions will inevitably leave some disappointed. But for me — it is painful.

Seven years ago I left a great job as the Director of Industrial Control Systems Security at FireEye/Mandiant to head up ISU’s Industrial Cybersecurity Degree program.

I did it because I was — and I remain — certain that the best way to secure the digital future for critical infrastructure is to create the high quality educational programming that will give us a new generation of engineering and technology professionals capable of seamlessly moving between IT, OT, engineering, and cybersecurity domains.

Along this journey, I have proposed new educational pathways, recruited students, authored courses, created exams, hired faculty, taught diligently, stayed up past midnight grading, and placed students at fantastic national-level employers.

It has been a stretching experience to essentially start over with nothing but a vision.

About two years ago, ISU’s Industrial Cybersecurity Program received recognition as an NSA-designated cybersecurity program.

I am pleased to share that this week the Program has also received official ABET accreditation!

As a testament to ISU ESTEC’s quality, all five of the department’s Engineering Technology Programs (Electrical, Instrumentation, Mechanical, Nuclear Operations and Industrial Cybersecurity) are ABET accredited!

I am pleased to announce the ISAGCA Webinar on building a new generation of industrial cybersecurity professionals this coming Thursday (April 25).

The Webinar will present the current culmination of nearly a five year effort to establish a concensus-based foundation of knowledge that qualifies industrial cybersecurity professionals

Following the webinar, the 125-page document and all the supporting resources will be available on the ISAGCA web site. This will serve as a valuable resource for the entire community. This would not have been possible without collaboration among DOE/INL, ISAGCA and ISU.

On the Webinar, I will discuss the broad needs, methodology and results of the work.
In addition to the “knowledge” document, we are releasing all of the data gathered and analysis performed. Importantly, this documentation includes the self-reported professional and academic qualifications of the participants. This an impressive level of transparency.

In addition, we are preparing an academic article that focuses on methodology and key insights in greater detail.

Here is the link to the Webinar registration. I hope you will join us!

Last week I attended the Cyber Security for Critical Assets conference in Houston. I was impressed. Low key, probably 200 attendees plus reps from 20 vendors. Hight asset owner presence. I loved hearing the hallway conversations — people talking about real challenges and real experiences.

I was surprised by the candor in the technical deep dive sessions: OT security practioners at asset owners talking about how they had built their programs, including what technologies they had selected for what purpose, and what they planned to do next.

I moderated a panel on workforce development. While it seems everyone likes training,  ours was the only presentation that dealt specifically with intentional developing your people. Panelists included Nikolai Zlatarev of Castleton Commodities, Jude Ejiobi of University of Houston Downtown, and Chuck Bondurant of the Texas Public Utilities Commission.

It was a great panel, and I appreciated representation from industry, academia, and (quasi) government. Each panelist had a different professional pathway into OT security, and that was a key take away. It is such an interdisciplinary field.

Nikolai emphasized that the best way to develop skills was through real world experience. He liked to throw people all the way in. He explained that his career was one great challenge after another. He was obviously a man who had learn to thrive in ambiguous environments, and has a knack for keeping a positive attitude.

Jude does a good bit of security consulting work, and was brought into academia as a lecturer, but now helps direct the UH Downtown Masters in Security Management. Practical and well-spoken.

Chuck came into OT security when he learned that he wasn’t cut out for retirement after military service. His job involves liaising with and supporting Texas utilities on cybersecurity. When he took the job, he had no idea what a PLC was, but his military cybersecurity experience gave him a solid foundation to build on.

I think there is great value to having candid conversations about developing ourselves and our programs. I will look forward to next year!

The ISU College of Technology hosts an annual technology fair for middle school and high school students from across Southeast Idaho. The event, held in the ICCU Dome, attracts more than 2,000 teens to explore technology careers.

Industrial Cybersecurity has hosted a Tech Expo “booth” for 7 years. During the event, I stand in the thoroughfare and ask the youthful attendees “have you ever hacked a computer? Come on over and we will show you how!” 

Not a tough sell.

This year I had several of my current Industrial Cybersecurity students run the booth — coaching the high-schoolers through the exercise. We sit the high-schoolers across from one another and help them create a “secret” file via command line, use a default ssh password to access the other person’s computer, steal the secret, and race to shut off the other person’s computer.

Students who have never thought about this get quite excited. When asked what they learned, some students reply that they didn’t know hacking was so easy.

The event is a whirlwind as the booth stays full for four hours. I would estimate we ran 50 or 60 students through the exercise.

What impressed me most this year, is that when I asked students what they were planning to do after they finished high school, I had three or four tell me “I am going into cybersecurity.” I even had one tell me, “I heard about hackers taking out a power grid. I want to do that.”

With a big smile I was able to tell them, “We are almost full for Fall, but I think there’s still some room. Just call or email, and we will get you signed up!”

I enjoyed reviewing the President’s Council of Advisors on Science and Technology (which boasts some big name institutions), “Report to the President” on “Strategy for Cyber-Physical Resilience”.

The Strategy offers a total of 14 recommendations across four categories:

• Establish performance goals
  • 1.A Define sector minimum viable operating capabilities and minimum viable
    delivery objectives
  • 1.B Establish and measure leading indicators
  • 1.C Commit to radical transparency and stress testing
• Bolster and coordinate research and development
  • 2.A Establish a National Critical Infrastructure Observatory
  • 2.B Formulate a national plan for cyber-physical resilience research
  • 2.C Pursue cross-ARPA coordination
  • 2.D Radically increase engagement on international standards
  • 2.E Embed content on cyber-physical resilience skills into engineering professions
    and education programs
• Break down silos and strengthen government cyber-physical resilience capacity
  • 3.A Establish consistent prioritization of critical infrastructure
  • 3.B Bolster Sector Risk Management Agencies staffing and capabilities
  • 3.C Clarify and strengthen Sector Risk Management Agency authorities
  • 3.D Enhance the DHS Cyber Safety Review Board (CSRB)
• Develop greater industry, board, CEO and executive accountability and flexibility
  • 4.A Enhance Sector Coordinating Councils
  • 4.B Promote supply chain focus and resilience by design

The report provides some context and insight on each of these. I can’t help but comment on 1.A. “Define sector minimum viable operating capabilities and minimum viable delivery objectives”.

I really like this idea because it shifts focus from the system itself (networks, software, process equipment) to the delivery of the critical function (power, water, food, etc). This is a great step in thinking through what matters most.

My observation is that in a highly interconnected world, with global supply chains, setting a scope for performance for an entire sector seems challenging because sectors don’t really “exist”. They are not monoliths. Their value is the service they provide to various users and customers, rather than to themselves.

Consider that the number and size of infrastructure service providers can vary greatly depending on geography. What is the minimum level of electricity or water to sustain quality of life for Southeast Idaho? For the city of Los Angeles? For the state of Texas? So the approach has got to include both sector and geography.

And within those geographies, various organizations rely on infrastructure services. Who should receive those services first?

Then, we have to recognize that sources of communications, energy, food, water, and medicine frequently (most frequently?, almost always?) operate across geographic boundaries — including in some (many?) cases across national boundaries.

Finally, each sector is not truly independent of other sectors. One geo-sector’s minimum viability may depend upon and/or conflict with that of another geo-sector.

I am pleased that the PCAST took up this topic. I am very optimistic about incorporating function-centered thinking. I find intriguing the idea of establishing minimum viable operating capabilities and objectives. However, I remain concerned that administrative constructs based primarily on sectors and geographies leave significant gaps.

There are some words in the strategy, such as “enhance supply chain focus” and “enhance cross-sector coordinating councils” that could address this concern, but I found this presented as “do this too” rather than as an indispensable component of CPS robustness and resiliency.

I am not advocating abandonment of sector and geography thinking, but I believe we will need some additional paradigms and/or alternative perspectives to do this well.

As we have built the industrial cybersecurity program one of the coolest things we have done is develop our ESET 1181 Introduction to Cyber-Physical Systems course.

Industrial Cybersecurity students take the course in their first semester. I like to think of it as the entire program packed into a nutshell. With 20+ hands-on activities, students get brief exposure to topics that other courses will cover in greater depth.

During lucky week 13, we discuss the roles and responsibilities that professionals will encounter, and describe the factors (especially the non-technology factors) that have created the IT-OT gap.

I describe several real-life experiences where the gap loomed beneath. Then I ask students to deploy their creative energies to express gap. Over the years students have submitted poetry, skits, videos, and posters. I wanted to highlight a couple student videos that you might find entertaining. Happy viewing!

One of the things I did not fully anticipate when I left FireEye/Mandiant to lead ISU’s Industrial Cybersecurity Program was the full range of skills I would need to excel as a Program Coordinator.

Naturally, domain expertise is important — but curriculum design and development, overseeing faculty, interacting with students from a variety of ages and social backgrounds, receiving calls from parents, hiring faculty, guiding adjuncts, running advisory committees, creating exams and scoring rubrics, selecting high quality materials, dealing with department, college, and university curriculum review committees, making proposals to the state board of education, submitting grants has been much more involved and challenging than I anticipated!

I was very pleased to have some good marketing help in the form of the video above. It features a variety of faculty and staff that have made the Industrial Cybersecurity program a great success over the years! I love that it features our real students.

A special shout-out to Ryan Pitcher who is among the most dedicated faculty I can imagine. At school early and late. Always willing to take time for students and peer instructors alike. It is faculty like him that make ESTEC a hiring staple for technical professionals at regional, national, and global competitive firms!

If you are looking for well prepared entry level industrial cybersecurity talent, please reach out to me.