One of the things I enjoy most about being an instructor is getting to know my students. Our program has a capacity of 20 students, and runs as a cohort. Because I teach several classes at a time (this semester I am teaching five), I get to spend quite a bit of time with the students.
I love getting to know my students as individuals. I love finding out where they came from, and what interested them in cybersecurity. I come to appreciate their unique experiences and points of view. I enjoy their creative abilities. I especially like giving them individualized feedback.
Near the conclusion of each school year, The University alumni organization puts on an awards ceremony for 11 outstanding students — one or two from each college at the University. This year I nominated a student to receive our Outstanding Student Achievement Award — and I was pleased that he was chosen to receive that honor.
This student — who happened to be from Pocatello (our university town) — did something unique and impressive: He asked one of his teachers from grade school, one from middle school, and one from high school to be present at the ceremony; then, during his acceptance remarks, he shared a short experience where each teacher had positively influenced his life.
I am sure it was a rewarding moment for those teachers to feel that they had influenced this student in some small way.
According to information shared openly about his academic performance, this student had a 3.98 (scale of 4.0) GPA: he had received one single B during his entire undergraduate studies.
Now, before the ceremony began, I was chatting with another instructor from my department. He said to me “I am very happy for this student. But when I realized that I had given him his only B, I felt like I might have ruined his perfect run.”
I responded in jest “Well, he will remember you one way or another!”
Then, I smiled immensely when in his acceptance speech, after honoring his grade school, middle school, and high school teachers, the student called my colleague’s name and said “he is a demanding teacher who expects his students to work hard, knowing it will serve them well as professionals, and I am thankful for the learning experience I had in his class.”
That was outstanding.
I ask students in our IT-OT Fundamentals course to create a short slide presentation about a current event in industrial automation — which they then share with the class.
The assignment increases their familiarity with industry trade publications and gives them a sampling of intriguing news.
Ethernet to the transmitter (SPE), and connected pumps were a couple of developments that caught my attention — because they represent a transformation of both input and output. Couple this with cloud services, and things can get very interesting.
A couple of weeks ago I made a trip to Utah State University in Logan, where we talked with the fine people running the innovative Center for Anticipatory Intelligence. At lunch, one faculty member asked me a very thoughtful question (especially for someone who isn’t a cybersecurity person): “Do you think the new systems being built today are more or less vulnerable than what we’ve created in the past?”
My response? “On the whole, I am afraid we are making the most vulnerable industrial processes we’ve ever had.”
That should give us a lot to think about – with important implications for how we educate and train the emerging workforce.
Here is something you might not have expected: We have all our cybersecurity students take an energy systems hands-on lab where they spend a session learning to bend metal conduit. We actually have a nice little conduit bending station. Students get to try making several different bends. It is not necessarily an easy thing to do!
Cybersecurity students have some times wondered — especially in the heat of the moment — “Why am I learning to bend metal conduit? This is not what I ever intend to do as a professional!”
I tell them, “I don’t think you will ever bend conduit. But you will never look at a facility — and especially the conduit — the way same again. That’s what makes us different from ‘traditional’ cybersecurity programs.”
To me, a fundamental part of bridging the IT-OT gap is appreciating another perspective — learning to value the training, competencies and objectives of someone else; and, maybe even to revere differently competent technical professionals as artists in their own right!
The conduit bending exercise also gets the students thinking about the cables — not just power, but communications. Near the end of the program, in our Critical Infrastructure Defense class, we discuss attack vectors — who, when, and where could a structured threat actor strike? The point of the cables comes back up — and when re-enforced with examples of tapping tools — the security implications of every inch of cable suddenly make a lot more sense!
A couple of years ago we had planned to carry out an Industrial Operations Combine for all students in ESTEC programs. We intended to pattern the Combine after the NFL combine, where regional industrial employers could come and watch students perform a variety of simple tasks, and conduct interviews.
Unfortunately, COVID-19 forced us to re-think our approach. Instead, for the past two years, we have held an “interview night” for industrial cybersecurity students.
The purposes of this event are to:
1. Allow program stakeholders to interact with the potential employees produced by the program.
2. Give every student a short and realistic interaction with a potential employer (regardless of whether the interviewer is actually hiring at the moment).
Interview Night format:
* Interviews conducted via Zoom.
* Each interview lasts ~30 minutes.
* Each interviewer conducts two interviews.
* Interviewer and student are paired in a Zoom breakout room.
Interviewers are free to craft their own interview questions, but they could include:
* What interests you most about a career in industrial cybersecurity?
* What course or project was engaging to you?
* We often face INSERT RELEVANT CHALLENGE, how would you suggest we address that?
We have 17 students finishing up the industrial cybersecurity portion of the program — be it AAS, or Intermediate Technical Certificate. About 7 of those will continue on for a Bachelor degree, and enter the workforce in January or May 2023, which leaves 10 that would like to enter the workforce in May. We have four or five students who will graduate with their BAS this May (2022).
Of these 17, twelve were able to attend Interview Night. We had 14 industry representatives show up — meaning that every student got two half-hour interviews! Industry reps hailed from INL, West Yost, Accenture, Nucor, 1898, TSA, Mandiant, Siemens, Duke Energy, and QED. I am so thankful for their fantastic support.
I would say that this year’s interview night was one of my favorite parts of my five-year adventure in education — the opportunity to show off the product– the students — to the consumer — industry representatives!
In my last post I told a very short version of my relationship with ISU’s industrial cybersecurity program. Here I’ll address the second motivating factor for a shift in professional direction: a goal I set for myself in 2005 of obtaining a PhD.
In 2016, I told Corey Schou, who had invited me to return to ISU, “I am willing to make a change; and I have two goals: first is to create the world’s best industrial cybersecurity degree program, and second is to obtain a PhD.”
Corey said “Great! I’ll introduce you to one of the best PhD supervisors I know”, and soon I was engaging with Jill Slay — then at La Trobe University in Melbourne.
Jill happens to be one of the world’s leading experts in cybersecurity education. She was co-chair of the international advisory board of the CSEC-17 project that formally established cybersecurity as an academic discipline.
My friends with PhDs had told me that the best thing you can do is find an outstanding supervisor – someone who knows the space, has confidence in your capabilities, and can provide the right level of support, without being overbearing.
Jill was all that plus the sincere belief in the value of each individual. She personifies the power of careful, critical thought. Each time my work hit a roadblock, she expressed confidence and optimism in me and the work I had undertaken.
How did I have time to do the PhD work while simultaneously building industrial cybersecurity degree program at ISU?
Well, I chose the thesis topic “Foundations of Industrial Cybersecurity Education and Training”. So, there was natural and even necessary congruence. In fact, I don’t think I could have built the program without doing the PhD nor done the PhD without actually building the program, because building something right takes time and critical thought; it takes understanding what others have done before, and determining what needs to be done now.
I am pleased to report that in December 2021, The office of graduate research at the School of Engineering and Mathematical Sciences at La Trobe University accepted my PhD thesis.
You can find the thesis at this link in case you’re interested.
It is dense, but makes several important contributions to the field:
- Clarification of differences between industrial cybersecurity and common cybersecurity for use in guiding education and training
- Comprehensive review of current state of industrial cybersecurity education and training guidance documents/efforts
- Proposed workforce development framework for industrial cybersecurity
- Archetype industrial cybersecurity job roles
- Knowledge categories, topics and justifications
- NSA CAE-style knowledge unit for industrial control systems
- Key tasks for each archetype role
- Leverage point for future standard development
- Historic documentation of process used to create the world’s first cybersecurity education and training standards
As you can tell, I am very thankful to Dr. Corey Schou and Dr. Jill Slay. I also need to thank La Trobe University for the full tuition graduate scholarship. I thank the INL, especially Eleanor Taylor, Wayne Austad, Zach Tudor, Shane Stailey, and for always asking “what can we do to help?” and then providing the help! I also thank Dr. Diana Burley of American University for her thoughtful examination of the thesis — which helped me keep the focus appropriately on “foundations”.
I really do think the work makes some strong initial steps towards establishing the foundation; and, I acknowledge that we still have a long way to go!
In 2017 I made a significant professional and personal change of course. I was working as the Director of Industrial Control Systems at FireEye’s threat intelligence team. We had a great team, and had produced some compelling intelligence products.
But, I could see that critical infrastructure and industrial control systems was not on the list of important priorities for the company. I did not live in the San Jose or Washington, DC areas — which meant that my access to decision makers was only occasional.
I had been invited by Dr. Corey Schou, under whom I had studied previously, to teach one night a week in ISU’s newly created Cyber-Physical Security program. I was affiliate faculty. I viewed it as my chance to give back a little. It was a low-pressure situation. We only had three students signed up. It was probably best described as an experiment on both the University’s part and mine.
Through the process I recognized that I really enjoyed teaching. Students engaged with the subject matter. And when I walked through the hands-on educational laboratories in the ESTEC building, I realized there was a great opportunity to make something special — to build the next generation of industrial cybersecurity defenders — to create the program I wished I would have been a part of.
So, at the end of a year of teaching pro bono, I decided — let’s do this full time. It was a major change in many ways.
I found the ESTEC department amazing. Instructors have a mix of degrees — from AAS to MS. The requirement to teach was not academic credentials, but real world experience. These are the practical, “get it done people”, in contrast to the “let’s think about how we might go about his if we never had to actually do it” people (said somewhat tongue-in-cheek).
Perhaps most impressively, every one in my department was focused — entirely focused — on the students. These students would leave their various programs with a two-year degree making between 55 and 70 thousand dollars a year. Placement near 100%. It really is a neat place to be. And they have been very supportive of my vision and efforts.
We changed the program name to Industrial Cybersecurity Engineering Technology. We changed course names. We pushed a BAS pathway through the system so that students from a broad variety of Engineering Technology courses could have a clear pathway to bachelor degree that included layering cybersecurity on top of their previous hands-on experience. This last change has allowed students with Engineering Technology degrees in Instrumentation, Electrical, Mechanical, Nuclear Operations and On-site Diesel power to come through the program.
While we started with a heavy reliance on several adjunct faculty members (who had fantastic cybersecurity experience but no industrial cybersecurity experience), I worked my way through the course offerings, eventually authoring the following courses:
- ESET 0181 IT-OT Fundamentals
- CYBR 3383 Security Design for Cyber-Physical Systems
- CYBR 3384 Risk Management for Cyber-Physical Systems
- CYBR 4481 Critical Infrastructure Defense
- CYBR 4487 Professional Development & Certification
- CYBR 4489 Capstone
- ESET 4499 Current Intelligence Practicum
I have to admit that I have never worked harder. My previous efforts at entrepreneurship, as an expert analyst, and as a team manager were engaging and fulfilling, but do not compare with the breadth of competencies (beyond teaching) I have (attempted to?) developed as an instructor and program coordinator. For example:
- Helping administrators accurately understand the cybersecurity space
- Collaborating with peers from other departments on curriculum
- Recruiting students into the program
- Coordinating access to instructional space
- Ensuring students with disabilities have every opportunity to succeed
- Building and running an advisory committee of employers
In the end, it is very rewarding to see students become excited, work hard, and obtain great employment helping secure our critical infrastructure; but, it is no wonder that it is challenging to find, create, and retain good instructors in such an important, emerging field. I hope we are preparing the way!
My work at ISU (in collaboration with INL and LaTrobe University) has not just been about developing a single Industrial Cybersecurity program — it has really been about addressing a critical need that has been overlooked — that is the need to intentionally and systematically develop an industrial cybersecurity workforce.
I know the statement “critical need that has been overlooked” will meet with opposition — and that some who have reviewed my work not only disbelieve the claim, but find it offensive. There are several reasons for this disagreement, and maybe I’ll discuss them in a later post, but here’s a slide that I think summarizes the current state of affairs:
Yes, there are bright spots at a variety of schools, including University of Houston, Purdue, Everett CC, and others (along with ISU). But the vast majority of the efforts I see focus on adding some ICS content into programs that create traditional cybersecurity professionals and researchers. My observation is that from a strategic point of view, such an approach will be insufficient to securely design, build, operate and maintain critical infrastructures in the age of digitization.
Maybe we don’t just need centers of academic excellence for this space. Maybe we need centers of engineering excellence!
One of the most exciting things about ISU’s Industrial Cybersecurity program is the tours our students get to take. Last week we visited the Driscoll fresh pack plant.
If you are wondering what “fresh pack” means, you might not be from Idaho — it means fresh potatoes!
According to the foreman who gave us the tour, laborers are hard to come by, and automation has helped make up the difference.
Potatoes arrive in trucks (from storage cellars) to be washed and polished. Sorters send the potatoes down alternate tracks to be boxed or bagged by size as a variety of marketing options for different brands.
Students get to see how the ideas of safety, power distribution, and motor control come together to make the plant run.
My favorite part? Probably the vision systems that identify “strange potatoes” and flick them onto alternate conveyor, where they end up as processed products (think dehydrated mash) rather than fresh products.
One of the neat things we have done in our Critical Infrastructure Defense class is incorporate the CCE methodology. The training materials created by the INL focus on two fictitious scenarios: Stinky Cheese — a Montana-based diary operation, and Baltavia — based roughly on the Ukraine power outages.
The materials allow learners to have some hand-holding with Stinky Cheese, and then a bit more freedom with Baltavia. I think it was a nice approach.
The next step, of course, is for participants to carry out the methodology on real systems. Our students don’t have that quite yet (they are students). So we have come up with set of 16 applied learning activities, as can be seen in the table below. These are in various stages of completion.
|Build critical infrastructure sector taxonomy and infographic
|Identify high consequence event (HCE) for chosen sector
|Conduct notional system of systems analysis (SOSA) for chosen HCE with real artifacts
|Conduct SOSA & system description for heat exchanger skid (perfect knowledge)
|Break down and document PLC components
|Create targeting portfolio for HCE
|Develop initial Concept of Operations to cause HCE
|Conduct Process Hazards Assessment for heat exchanger skid
|Conduct hackability analysis for heat exchanger skid
|Identify fail-safe for heat exchanger skid
|Conduct Process Hazards Assessment for flow control trainers
|Conduct hackability analysis for flow control trainers
|Identify fail-safes for flow control trainers
|Describe feasibility of recommended fail-safe for flow control trainer
|Implement non-hackable fail-safe for flow control trainer
|Describe an early warning system for identified HCE
I feel like CCE is a little light on both phase 3 and phase 4. Phase 3 probably because there is concern about teaching attack-related concepts, and Phase 4 because, well, I don’t know why. But, you can see that those are the areas on which we are really trying to focus.
For the activities in phase 3 and 4, we are supplementing with the ISA Security PHA methodology and book. Maybe I’ll discuss that another day!
I started reading the book “How humans learn” by Joshua Eyler. It’s billed as an idea book for college teachers. Being as I am a college teacher, and I like ideas about teaching — I have not been disappointed.
The first chapter deals with Curiosity. Humans learn because they are innately curious: humans come pre-programmed to learn.
Unfortunately, as Eyler explains (citing the research of others), high-stakes learning teaches humans to learn for reasons other than curiosity. “O wow” I thought, “that sounds exactly like my experience as a young student!”
Eyler suggests designing courses around key questions — so that instead of telling a student what they are expected to learn (which could rob them of the excitement and satisfaction of learning) the entire course is framed as a journey of discovery for the student.
I can see great benefits *IF* students will truly invest in it. But, because I teach college students, I have to counteract students who have already been rewarded for suppressing their natural curiosity!
Nevertheless, I have identified the following (work-in-progress) overarching questions for several of the courses I am teaching this semester:
* ESET 181 IT-OT Fundamentals: How are computers used to control critical the physical real world?
* ESET 4481 Critical Infrastructure Defense: How can we best defend critical infrastructure industrial control systems from intentional cyber attack?
* ESET 4487 Professional Development and Certification: How do you become a successful industrial cybersecurity professional?
These now feature prominently at the top of each course page. I have been referring back to them periodically as I interact with students, lecture, and lead discussions. I already like the feeling of congruence and direction it gives me and them.