Our Critical Infrastructure Defense course incorporates the Consequence-driven Cyber-informed engineering textbook by Bochman and Freeman of the Idaho National Laboratory.
I like the text because it pulls so many thoughts into a single resource. Bochman especially (and I making assumptions about which concepts he principally wrote and which Freeman wrote) draws from leading reports and commentary that support the CCE approach. And there are some great quotes in there from dozens of sources (even including me!).
I also like the text because it lays out the CCE methodology — and what else could you expect?
CCE differs from other methodologies because it includes both the often-overlooked intelligence aspects of a cyber-operation against critical infrastructure and the engineering aspects of preventing a specific physical consequence.
On the other hand, I think the text missed an early opportunity to create its own language around the methodology.
One example is that the phase 4 language involves “protect”. In a podcast/video interview Dale Peterson did with the authors a year or so ago, Dale asked (and I paraphrase here) “why the focus on ‘protect’ when most of the industry has accepted that protection is a bound-to-fail approach?”
It seemed to me that the responses of Bochman and Freeman didn’t hit this head-on. The obvious answer is that when CCE talks protection it means preventing the selected physical consequence — literally engineering it off the table, rather than preventing a breach of a network asset (which is how the broad cybersecurity industry uses the term “protect”).
I give that example to point out that the choice of terminology could influence the clarity of the methodology and the confidence with which it is viewed. In this instance, I would prefer the official terminology refer directly to “cyber-physical fail-safes” instead of “protect”.
In the end, I am pleased that Bochman and Freeman along with the INL team and their government supporters put this out there for use – even if it’s not perfect yet! I am excited to see a variety of firms latching onto the concepts and implementing them in their own work. And I’m thankful to have the book and other publicly-available materials to teach students who will soon work for those firms.
In the education and training world, curricular guidance documents (sometimes called content standards), help educators ensure they are teaching what needs to be taught.
To help address a lack of “industrial-ness” in cybersecurity curricular guidance, Idaho State University (ISU) teamed up with Idaho National Laboratory (INL) and the International Society of Automation (ISA) to solicit input from industrial cybersecurity experts.
The result is the industrial cybersecurity knowledge survey.
The output will be a consensus-based curricular guidance document. We also plan to release an analysis of the data, a description of how the survey came to be, and the raw data for anyone to review.
The survey is open through the first week of February. If you haven’t taken it, do it now!
Diversity in a new semester
One of the great feelings of being a teacher is seeing the enthusiasm of your students. It is a humbling experience to recognize that someone is placing a high value on the ideas you intend to impart to them.
I have a handful of students getting a jump start on next fall’s start date by taking a couple of classes with me this spring semester. One has a previous AAS in information technology systems, one has a previous AAS in nuclear operations, and one has a previous AAS in Mechatronics — all going on for bachelor degrees in cyber-physical systems. Two decided to change majors from Computer Science to Industrial Cybersecurity.
When I asked the CS majors why they wanted to change they said they wanted to do something more hands-on!
This same group of early starters includes a veteran, a career changer, an international student, a female, and traditional student from my same town. Thinking about that inspires me to do and be better!
This new video highlights the diversity of our great programs: ESTEC Power Careers.
Building an Industrial Cybersecurity Workforce
Over 2019 and 2020, La Trobe University, Idaho State University and the Idaho National Laboratory worked to create a workforce development framework for industrial cybersecurity professionals.
Details regarding that work from an academic perspective can be found in the Papers section of this site.
Participants envision a series of easily consumable guides entitled “Building an Industrial Cybersecurity Workforce”. Today I am posting the first release in that series “A Manager’s Guide“.
This guide will aid managers in answering four pivotal questions:
1. Are you ready to build an industrial cybersecurity team?
2. How do you structure your industrial cybersecurity team?
3 . What does you industrial cybersecurity team need to know?
4. What does your industrial cybersecurity team need to do?
Identifying the unique knowledge and job roles required of industrial cybersecurity professionals represents a significant step towards developing a capable workforce. We note the ongoing need to establish a repository of knowledge, skills, attitudes, and behaviors on which diverse groups can rely to create training and education standards, personalized training plans, intervention methods, and training content. We anticipate using surveys, interviews, and field observations to expand, further validate, and refine this work.
Future deliverables include an Human Resources Guide and a Career Development Guide for Industrial Cybersecurity.
Well, if you see me around, you can congratulate me. I have officially received my first rejections as an aspiring academic author!
One of the conferences to which I submitted was kind enough to provide some cryptic review comments. The other said (paraphrasing) “your paper was reviewed by three experts and found wanting” — no reviewer comments.
It might be easy to become disheartened, but this is the academic way; should I expect anything less? So I will keep at it.
The idea is to critically review the rejected papers, look for opportunities to round-out, re-organize, and maybe be more patient and selective on the target publication/conference. Be sure to incorporate more references from that particular conference or publication (homage to the reviewers?) .
Several months ago, I had an exchange about my topic with a well respected cybersecurity educator. She went straight for the jugular: “Your topic might be fit for a term paper, but not a dissertation.” Imagine me reading that email: doubt, despair, defensiveness.
One of my supervisors encouraged “Engage. This is how she treats PhD candidates. She’s at least giving you her time and attention.” So, we went the rounds, I made my case. She shot down my arguments one by one, but then left me an opening. And I took it. In the end she was even conservatively complimentary.
I think part of the challenge is providing sufficient context so that people who think they “already know all about it” recognize they really might not — all while balancing what you, as the author, might not know yet either.
New “Papers” Section
I’ve been very busy the past month writing, writing, writing.
You will now find a section entitled “Papers” within the site menu. This is where I will post the papers I’ve written related to the topic of industrial cybersecurity education. I’ll post the manuscript versions there, and then replace them with the published versions. This also allows paper reviewers to find manuscripts to which I refer (if self-references are allowed in copies submitted for review, of course).
The first papers I’ve posted describe the need for industrial cybersecurity education as a well-defined sub discipline. They examine efforts to establish industrial cybersecurity education and training standards 1) in the USA, and 2) in the world. They also provide detailed recommendations to improve the situation.
As you might expect with most academic literature, the papers are a bit dense; but, I’ve tried to ensure they flow well. I will cover elements of the content in later posts.
In the end, analysis finds that current standards fall short in three ways:
- They were created without consideration for the unique needs of industrial control systems
- They lack thorough development
- They do not account for the career paths of industrial professionals
Against the Banking Model of Education
I’m about halfway through “Pedagogy of the Oppressed” by Paolo Freire. It’s not a light book.
I picked it up as I was looking for thoughtful content on education. The book fit in well with the course I took on education evaluation (see previous post).
So far, I think I agree with several principal points:
- What Freire described as conscientization seems the most important learning that a human being can have. To me, this means increasing one’s awareness of how things really work, and one’s relationship to the world, in order to make the world a better place.
- I agree that it is not enough to merely understand our world, we must dedicate ourselves to its progress, or our lives are without meaning.
- We cannot ignore the nakedness and hunger and misery of the human creatures on this planet without consenting thereto.
Freire harshly criticizes what he calls the prevailing banking model of education wherein instructors anesthetize student minds prior to depositing their own rote concepts, which they expect the students to vomit forth on command.
The criticism reverberated within me. I felt like I had experienced banking model instructors. I do not want to be among them.
I want students to have their own insights — insights which surpass mine. It’s not that they don’t need structure or guidance. It’s that they need to be and feel firmly in control of their journey of discovery — their journey to become.
To me, the glory of education lies not in the intellect of the instructor, but in the potential of the pupil.
Of course, I recognize that feeling these feelings and typing these words is the easy part. I have to align interaction with my loved ones, with my students, with my colleagues, and with the world around me to achieve lofty ambitions by careful and considerate daily effort.
I decided that on the first day of 3383 Secure Systems Design, I will require the students to write a 5 minute essay on “why cybersecurity matters”. Then we will have a robust discussion wherein I take the opposing side of the debate: “Cybersecurity does not matter”. And, I have plenty of great criticisms, and some serious doubts!
My hope is that in their very first interaction with me, they will see that it is okay to think outside the box, and that I want their reasoning to seriously consider alternate perspectives.
Fantastic support builds fantastic programs
I think I am passionate. I consider myself at least a medium-term visionary. I think I’ve worked hard to help create a program that will improve the lives of students, help maintain more resilient infrastructures, and serve as a pattern (or at least learning experiment) for future programs across the country.
Fortunately, I’m not in this alone. This year I gained a profound appreciation for the sincere and enthusiastic participation and support of people with boots-on the ground experience and horse-in-the-race enthusiasm. I want to call out three of them:
First, the Idaho National Laboratory provided financial support which we used to create 8 flow control trainer stations. Several INL subject matter experts serve on Industrial Cybersecurity program advisory committee. Two top-notch analysts came to brief students on the Consequence-driven Cyber-informed Engineering (CCE) methodology. Several students ended up INL summer internships!
Second, Blackmere Consulting visited to provide focused job seeking and resume building guidance. Blackmere’s personal touch and cyber focus really sets them apart. Students found the talent acquisition perspective invaluable.
Third, Rockwell Automation’s Eastern Washington team provided insightful program advice, referred employers to us, and provided PLCs to upgrade ESTEC’s instrumentation engineering technology laboratory!
An enormous Thank You! to these organizations and their passionate personnel!
Online Instruction and the Feedback Loop
In my mind, the individualized feedback loop is at the core of education. Anyone can buy a book. Anyone can watch a video. The value you cannot get “on your own” is individualized expert feedback.
I made the image below to describe the idea of how formalized learning generally occurs. It’s not as if there is anything novel here, but it provides good background. You can see that “Provide Individualized Critique” is an instructor responsibility during the grading or sign-off intervention.
As we shifted to online mode curing the COVID-19 outbreak, I was most concerned about the “provide individualized critique” element.
Being that I teach in a hands-on environment, students work on laboratory exercises, then come to me for sign-off. I review their progress on-the-spot and say “Great start. Have you considered N?” They address N, and come back. I ask, “What about O?” And so on. Until they and I are satisfied with their work. I sign them off.
Under this arrangement, students are progressing at different rates. They are working with each other. They overhear what I tell other students. It works quite nicely.
For example, we spend several weeks working with ICS device inventories for security purposes. In one exercise I require students to identify what fields they would want the inventory to include, and why.
Generally speaking, the sharpest students are not those that get it right the first time — because no one does. They are those that move through the loop more times.
Once we went online, this level of individualized feedback was largely lost. Students were submitting their lab assignments as best they could, and I provided feedback, but then it was on to the next exercise. Instead of running through that loop several times, we only made it through once.
As the in-person paradigm is now regularly supplanted by the online paradigm in schools throughout the world, I/we will struggle to maintain (and enhance) our effectiveness.
I am particularly concerned about how this will play out for technical professionals, who will be expected to keep critical facilities like water provisioning systems up and running — for whom “work from home” is not an option.
“Hands-on. Online.” We’re going to figure this out.
This was a fantastic school year in so many ways. The Industrial Cybersecurity program grew from 2 graduates in May 2017, to 3 in 2018, 6 in 2019, to 13 in 2020! (We are enrolled at capacity for Fall 2020, and have started a plan for competitive enrollment for Fall 2021).
I am so pleased with my students. I made the following video to share my congratulations with them.
The students gave their Capstone presentations yesterday. I wish there had been an audience of 100 people there to see how far they had come in two years. Among the projects, we had a student who put together a simple power grid simulation using equipment donated by SEL. We had a student who made an ICS security job posting board. We had several students examine ICS security technology solutions. My personal favorite might have been the student who write a short story about the consequences of not hiring the right industrial cybersecurity talent.
Nothing would make me happier than to have them pass me up in a few years — and I am sure they will!