Minding the IT-OT Gap: Student Project
As we have built the industrial cybersecurity program one of the coolest things we have done is develop our ESET 1181 Introduction to Cyber-Physical Systems course.
Industrial Cybersecurity students take the course in their first semester. I like to think of it as the entire program packed into a nutshell. With 20+ hands-on activities, students get brief exposure to topics that other courses will cover in greater depth.
During lucky week 13, we discuss the roles and responsibilities that professionals will encounter, and describe the factors (especially the non-technology factors) that have created the IT-OT gap.
I describe several real-life experiences where the gap loomed beneath. Then I ask students to deploy their creative energies to express the gap. Over the years students have submitted poetry, skits, videos, and posters. I wanted to highlight a couple of student videos that you might find entertaining. Happy viewing!
New Video Describing ISU Industrial Cybersecurity Degree Program
One of the things I did not fully anticipate when I left FireEye/Mandiant to lead ISU’s Industrial Cybersecurity Program was the full range of skills I would need to excel as a Program Coordinator.
Naturally, domain expertise is important — but curriculum design and development, overseeing faculty, interacting with students from a variety of ages and social backgrounds, receiving calls from parents, hiring faculty, guiding adjuncts, running advisory committees, creating exams and scoring rubrics, selecting high quality materials, dealing with department, college, and university curriculum review committees, making proposals to the state board of education, and submitting grants have been much more involved and challenging than I anticipated!
I was very pleased to have some good marketing help in the form of the video above. It features a variety of faculty and staff that have made the Industrial Cybersecurity program a great success over the years! I love that it features our real students.
A special shout-out to Ryan Pitcher who is among the most dedicated faculty I can imagine. At school early and late. Always willing to take time for students and peer instructors alike. It is faculty like him that make ESTEC a hiring staple for technical professionals at regional, national, and global competitive firms!
If you are looking for well prepared entry level industrial cybersecurity talent, please reach out to me.
Easterly: Software Liability Regime for Critical Infrastructure
When I read congressional testimony from Jen Easterly on January 31, 2024 I was quite surprised. Check out this quote:
Unfortunately, the technology base underpinning much of our critical infrastructure is inherently insecure, because for decades software developers have been insulated from responsibility for defects in their products. This has led to misaligned incentives that prioritize features and speed to market over security, leaving our nation vulnerable to cyber invasion. That must stop.
The discussion over liability for software has been going on for a long time. Dale Peterson touched on it in his post last week.
Our world depends on software – for which there are varying degrees of quality control. And the companies selling this software intentionally disclaim responsibility for their products via EULAs. Remarkably – but not unexpectedly – this is true even in the ICS space. Here is an excerpt from a leading ICS vendor’s EULA. I don’t intend to pick on this vendor alone because this type of language is standard practice across the industry.
VENDOR makes no representation or warranty, express or implied, that the operation of the Software will be uninterrupted or error free, or that the functions contained in the Software will meet or satisfy Your intended use or requirements; You assume complete responsibility for decisions made or actions taken based on information obtained using the Software. In addition, due to the continual development of new techniques for intruding upon and attacking networks, VENDOR does not warrant that the Software or any equipment, system or network on which the Software is used will be free of vulnerability to intrusion or attack.
The key passage there: “VENDOR does not warrant that the software… will be free of vulnerability.”
Can you imagine requiring drivers who cross a high suspension bridge to sign a user license that says “we do not warrant that this bridge will support your vehicle”?
In my CYBR 3383 Security Design Principles class, one of the principles we highlight is “professional liability” — which means putting one’s name, reputation, honor, career, on the line.
Putting your name on the line is the standing expectation of engineers who sign engineering documents. And it extends to other fields as well.
In general, professional liability is missing from the software industry.
While I am not an expert in software development, I observe that there is a lack of support for software engineering licensure. I am not saying a license should be required in all cases, but certain software is running processes upon which millions of people depend for clean water and reliable electricity every day. Shouldn’t there be some overarching minimum professional standard for these individuals and their work?
Easterly envisions:
We must drive toward a future where defects in our technology products are a shocking anomaly, a future underpinned by a software liability regime based on a measurable standard of care and safe harbor provisions for software developers who do responsibly innovate by prioritizing security.
I’d like to hear more about that…
Cybersecurity in Control Systems Engineer PE Exam
I was visiting the NCEES web site the other day. NCEES is the National Council of Examiners for Engineering and Surveying. That is the group that produces/maintains the Fundamentals of Engineering (FE) and Principles and Practices of Engineering (PE) examinations.
In the states of the United States, passing the PE exam is a requirement for obtaining professional licensure as an engineer.
PE exams are offered in 16 fields, ranging (alphabetically) from Agricultural & Biological to Structural.
During the course of seven years developing the country’s first Industrial Cybersecurity degree program, I have asked myself what success would look like for the country.
One core idea (and I am not the only person to think this way – see DOE Cyber Informed Engineering effort) is that professional licensure for all engineering AND engineering technology fields would require some basic knowledge, or even better, basic competency in cybersecurity.
So, when reviewing the NCEES PE exam specifications document for Control Systems Engineering (CSE), I was pleased to find an entry for “Security”. It states:
D. Security of Industrial Automation and Control Systems
1. Security (e.g., physical, cyber, network, firewalls, routers, switches, protocols, hubs, segregation, access controls)
2. Security life cycle (e.g., assessment, controls, audit, management of change)
3. Requirements for a security management system
4. Security risk assessment and system design
5. Product development and requirements
6. Verification of security levels (e.g., level 1, level 2)
This seems like a great start. I was left wondering what the exam questions might actually entail. Maybe I will have to take the exam to find out! I was able to gather that the CSE is offered exactly once each year at a Pearson Vue center.
Perhaps more importantly, I wondered:
* Are these the most important security concepts for a control systems engineer to know?
* How will cybersecurity knowledge affect the behavior of a control systems engineer?
* What are the correct answer rates for each question?
Interestingly, the exam specifications for the following exams (where we might hope to find it) do not name security (as in cybersecurity) among covered topics:
* Electrical and computer – electronics, controls, and communications
* Electrical and computer – power
* Industrial and systems
Specifications for the other exams (where we might be less expecting to find it): Agriculture and Biological, Architectural, Chemical, Civil, Environmental, Fire Protection, Mechanical, Metallurgical, Mining and Mineral Processing, Naval Architecture and Marine, Nuclear, Petroleum, and Structural do not mention cybersecurity despite its cross-cutting implications.
It is very informative that the NCEES Web site makes pass rate information available for all of the exams. A review of this data shows that in the 2023 year, the Control Systems Engineering exam was administered 221 times, with a 57% 1st time pass rate.
The data also indicates roughly 19,000 individuals take a PE exam in any field for the first time each year (data provided is biannual for some tests, I multiplied those by two to make an annual estimate).
In short, I believe there is a real opportunity to bake cybersecurity into the engineering discipline here, but it is going to require some serious effort!
The IA (Cybersecurity) Workforce
The Secretary and CICUL
I had the opportunity to meet with Energy Secretary Jennifer Granholm for about 5 minutes this past week on her visit to Idaho National Laboratory.
In my short time with her, I found Secretary Granholm energetic and inquisitive.
INL’s Eleanor Taylor, two ISU students interning at the INL, and I led Secretary Granholm and Idaho Representative Mike Simpson on a tour of the Cybercore Integration Center University Laboratory (CICUL).
As an INL/ISU joint appointee, I have the opportunity to leverage INL’s two decades of leadership in industrial cybersecurity to help create the next generation of engineers, technicians, analysts, managers, and researchers to defend the country’s critical infrastructures — it is an exciting mission!
We intend to use the CICUL to design, pilot and accelerate adoption of cyber-informed engineering of industrial control systems (ICS) by developing transformative educational experiences and conducting innovative research.
So, there was no better way to show our mission and our progress than by turning the time over to a pair of fantastic students/interns to describe the equipment in the laboratory, and explain their summer projects.
They did a great job describing the wastewater treatment skid, the user manual and startup guide they created, and their plans for allowing universities to integrate the skid into their educational offerings. Great opportunity for them!
ISU-INL publication cited in support of proposed legislation
I had a neat professional experience the other day. Research I conducted in collaboration with the INL was cited as a justification for proposed legislation: HR 7777 The Industrial Control Systems Cybersecurity Training Act.
Here’s the key quote from the House Committee Report:
Because those working in ICS cybersecurity must understand how technology impacts industrial operations, there are additional types of training required. According to a group of industrial cybersecurity experts convened by Idaho National Laboratory and Idaho State University, there are six industrial cybersecurity knowledge domains that are not included in traditional cybersecurity education: industrial operations, instrumentation and control, equipment, communications, safety, and regulation. Expanded Federal support for ICS cybersecurity training would ensure more workers have the necessary, specialized skills to protect ICS.
The report is citing the “Building an Industrial Cybersecurity Workforce: A Managers’ Guide”, published jointly by INL and ISU. I blogged about the document in December 2020. It is also embedded as an appendix to my doctoral thesis.
The bill, which essentially instructs the CISA to offer virtual and in-person training at no cost to participants, passed the House on June 22.
While I note that free ICS security training has been part of DHS, ICS-CERT and CISA’s offerings for nearly 20 years now, I am excited to see the idea that industrial cybersecurity is different gaining traction at a national level!
Five year curriculum review
We have been operating the country’s only two-year hands-on industrial cybersecurity degree program for six years! That’s hard to believe.
We have produced some great graduates and placed them with great employers, including the INL, Accenture, West Yost, Automated Dairy, and Simplot.
In order to ensure the relevance of the program, we recently conducted a comprehensive curriculum review with the ESTEC Executive Director and seven faculty members who teach program courses.
We walked down every course in the program, including title, description, learning objectives, syllabus, mapping to program objectives, assessments administered, and educational materials (including laboratory equipment) used.
The review was a big deal and made for some long sessions. We asked hard questions and had meaningful discussions about what to include or exclude. For example:
- We decided to add a new course to provide deeper coverage into operating systems. This meant we were going to have to cut a course. Where instructors are limited, and some courses are taken by students in multiple programs of study, this was a tough decision to make.
- We debated whether we were spending too much time on units of measure, including conversions of temperature, pressure, level and flow. At first the repeated emphasis on this topic seemed unnecessary; but, frank discussion bore out that if a student cannot do this, they will be ineffective at understanding/describing both the causes and consequences of an incident. We decided that assignments dealing with this topic needed to include context that reinforced their relevance to industrial cybersecurity.
- We determined to re-emphasize the importance of reading and creating engineering diagrams, especially piping and instrumentation diagrams.
What you might not realize if you are unfamiliar with formalized education administration is that some curriculum changes require approval of the entire university curriculum council — meaning that changes will not appear in the catalog for a year or more!
In all, I felt like this detailed review represented a new level of maturity for ISU’s industrial cybersecurity program. I am excited for how these changes will better prepare our students to tackle the complexity of an exciting and evolving field.
17 Graduates
This was a great school year.
We had 17 students in the Industrial Cybersecurity program cohort last August. All 17 graduated this Spring — either with their first Associate Degree (2 year program), or with an Intermediate Technical Certificate (1 year program on top of a previous degree).
I love the cohort model because it allows students to work with people who have different backgrounds. Four cohort members were veterans. Two had previous master’s degrees. One was a graduate of the Naval Academy. Several were over 40. A couple were barely 20. Many of the students had lined up jobs and internships before graduating.
As the program has grown, the curriculum and delivery have improved. On the whole, I’d say that this cohort made it farther than any previous group. As we completed a Jeopardy-style review for the program-comprehensive knowledge exam, I loved it when students pointed out errors with the questions!
I am excited to see where these students go and how they influence not just their employers, but the industry and the world!
IT-OT Fundamentals Course
We launched a new course: ESET 181 IT-OT Fundamentals about three years ago. I am the primary course author. I haven’t done a lot of looking, but it could be the only such course in the country.
Industrial Cybersecurity students take the course in their first semester. It is also a required course for ISU’s Electrical Engineering Technology (EET) students. This means that we teach two sections each fall, and one section each spring (EET has a start in the spring and fall).
The first time I offered the course, it was rough. Industrial Cybersecurity students really liked it. But EET students couldn’t see why they needed to learn about computers and networks.
So, we sat down and really worked through the course to make it relevant from day 1. We structured the hands-on elements of the course around a semester long project-based learning (PBL) experience.
I love PBL — especially when the projects are applicable to real life. Because we are in Idaho, we based the project around upgrading the automation system for dehydrated potatoes.
Students read a real news article and a real job posting explaining the needs of a local employer.
The students then learn about the convergence of IT and OT with a variety of hands-on experiences. These include tearing down a computer, designing a SCADA HMI screen, creating a simple temperature control loop with a Raspberry Pi, performing basic switch configuration, and many others. In the end, these aggregate into a final project.
The image below shows the kit students build as they learn about the concepts. The temperature control loop consists of a light bulb, thermocouple, and relay board.
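To show what the temperature control loop in the kit actually does in software, here is an added example of a simple on/off (bang-bang) controller with hysteresis and a hard high-temperature trip. It is not the course's own lab code: the light bulb, thermocouple, and relay board are replaced by an assumed first-order thermal model so the loop runs on any machine, and the heating rate, cooling fraction, ambient temperature, and 60 °C limit are assumed values, not figures from the course.

```python
"""On/off temperature control loop with hysteresis and a latched high-limit trip.

Added example (not from the ESET course kit). The Raspberry Pi GPIO, relay and
thermocouple are stood in for by SimulatedPlant, an assumed first-order thermal
model, so the control logic can be exercised without hardware.
"""
from dataclasses import dataclass

AMBIENT_C = 22.0        # assumed room temperature the chamber cools toward
HEAT_RATE_C = 2.0       # assumed degrees C gained per step while the lamp is on
COOL_FRACTION = 0.05    # assumed fraction of (T - ambient) lost per step
HIGH_LIMIT_C = 60.0     # assumed hard safety limit, independent of the setpoint


@dataclass
class SimulatedPlant:
    """Stand-in for the light bulb plus thermocouple (assumed thermal model)."""
    temp_c: float = AMBIENT_C

    def step(self, heater_on: bool) -> None:
        # Lamp adds a fixed amount of heat; the chamber always loses heat to ambient.
        if heater_on:
            self.temp_c += HEAT_RATE_C
        self.temp_c -= COOL_FRACTION * (self.temp_c - AMBIENT_C)

    def read_thermocouple(self) -> float:
        # Real thermocouple boards report to a fixed resolution; mimic that here.
        return round(self.temp_c, 2)


@dataclass
class BangBangController:
    """Relay controller: heat below (setpoint - band), stop above (setpoint + band)."""
    setpoint_c: float
    hysteresis_c: float = 1.0   # deadband so the relay does not chatter
    heater_on: bool = False
    tripped: bool = False       # latched once the high limit is reached

    def update(self, measured_c: float) -> bool:
        # The trip is checked first and ignores the setpoint entirely: a badly
        # entered (or tampered) setpoint above the limit still cannot overheat
        # the rig. Clearing a trip would require a deliberate reset.
        if measured_c >= HIGH_LIMIT_C:
            self.tripped = True
        if self.tripped:
            self.heater_on = False
            return False
        if measured_c <= self.setpoint_c - self.hysteresis_c:
            self.heater_on = True
        elif measured_c >= self.setpoint_c + self.hysteresis_c:
            self.heater_on = False
        return self.heater_on


def run_loop(setpoint_c: float, steps: int = 400):
    """Run the loop for a number of control cycles.

    Returns (history, controller) where history is a list of
    (measured temperature, relay state) tuples, one per cycle.
    """
    plant = SimulatedPlant()
    ctrl = BangBangController(setpoint_c)
    history = []
    for _ in range(steps):
        measured = plant.read_thermocouple()
        relay = ctrl.update(measured)
        history.append((measured, relay))
        plant.step(relay)
    return history, ctrl


if __name__ == "__main__":
    hist, ctrl = run_loop(45.0, steps=60)
    for i, (temp, relay) in enumerate(hist):
        if i % 5 == 0:
            print(f"cycle {i:3d}  T={temp:6.2f} C  relay={'ON ' if relay else 'OFF'}")
    print("tripped:", ctrl.tripped)
```

With a 45 °C setpoint the simulated chamber settles into a narrow band around the setpoint, the relay cycling on and off at the hysteresis edges. With a setpoint entered above the high limit, the controller trips once the reading reaches 60 °C and the lamp stays off for the rest of the run; that separation of a safety limit from the operating setpoint is the design point worth taking away from the exercise.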
We’ve made several enhancements over the years (and have more to make!), and I am pleased to say we are hitting the mark. Here is some feedback from three of our EET students who just completed the course:
The most important thing I learned from the project was how interconnected OT and networking are. When drawing the network diagram I realized how the two are becoming closer and closer together. I learned that even though I am in an OT role, a good understanding of IT will put me leaps ahead…
The most important thing I learned from the project was the importance of a network and why the Purdue model is such a useful tool. When everything is connected and running it has to work in sync or the whole system doesn’t work. The networking is so much more than I thought it was and I do have a more profound respect for it.
The project helped me understand aspects of IT/OT the most. These were the networking of OT devices, setting up networks, and I was so grateful for the many examples of real world situations and scenarios. I can definitely see myself reflecting on this class and the learning activities as I enter and progress through my career.