Whatcha readin?
So, I’ve been reading and listening quite a bit lately. A while ago, a friend of mine sent me a copy of “The Great Game” by Peter Hopkirk. Very engaging, and certainly on point given the recent US withdrawal from Afghanistan.
The book is named after a core idea in Kipling’s “Kim” — a book about a young anglo-Indian boy who becomes a spy. So, midway through “The Great Game” I decided to pause while I took up “Kim”. For anyone interested in spycraft, Kim is a fun read/listen (and it is a book where voice talent makes a big difference!).
Kipling – 1891
I was most impressed with Kipling’s effort (ability) to represent the perspectives and manners of cultures, ages, and gender. I love that aspect of “intelligence” — though I don’t always love how it is applied by intelligence services.
I also appreciate the deeper messages of the unity of mankind and duty to God that generally pervade Kipling’s work.
And, I found a couple of teaching-related treasures in “Kim”:
The first is a scene where Mahabub Ali, a horse-trader and spy, criticizes the madrasa — the school — where Kim is receiving his formal education. He says “Son, I am weary of that madrasa, where they take the best years of a man to teach him what he can only learn on the road. The folly of the sahibs has neither top nor bottom. And God, he knows, we need men more and more in the game”.
I couldn’t help but feel a little bit the same way about my own formal education. I wish it had a stronger applied focus. My favorite experiences occurred where I was applying my learning to my concurrent employment. And we do need men and women more and more in protecting our critical infrastructure systems. We need to prepare them efficiently and effectively.
The second is a scene where Kim and another young man are learning to expand their powers of observation. They are shown a tray of curiosities for a few seconds, and then told to describe the items on the tray, which they can no longer see. At first, Kim’s performance lags far behind a younger boy, but he learns to increase his power of observation.
I couldn’t help but agree wholeheartedly with the importance of quickly committing key information to memory, careful attention to detail, and the value of relevant practice. These can be reinforced by making the exercise a friendly contest — gamification.
Industrial Cybersecurity Workforce Development Community of Practice
In August of 2020, we got together with our friends from the INL for a brainstorming session at ESTEC in Pocatello. We asked ourselves, “What could we do together, that would help us get participation and raise visibility for industrial cybersecurity education?”
We decided to launch a virtual workshop — low cost — low risk — high potential payoff. We invited some great people in government and academia, and held a day-long workshop. Over 100 people attended.
To keep the momentum going, we decided to name it the “Industrial Cybersecurity Workforce Development Community of Practice” or ICSCOP for short. We divided into subgroups. We held monthly meetings. We did additional workshops in May and November 2021. Participants from all over the country have attended the meetings. ISA has been a strong supporter. NIST NICE leadership has also been a significant collaborator as they try to add ICS coverage into the NICE framework. Based on joint interests, Ida Ngambeki of Purdue and I wrote a paper together for the CISSE conference.
We are excited about the future. Check out this great article about the ICSCOP that ran in the NICE winter e-newsletter: https://www.nist.gov/itl/applied-cybersecurity/nice/nice-enewsletter-winter-2021-22-government-spotlight.
Resume preparation for industrial cybersecurity students
So, students in our professional development and certification class have been preparing their resumes. For students without much professional experience, this is significant challenge.
Fortunately, our Industrial Cybersecurity students have a lot of learning experiences to draw from. I provide them with a prototype resume that includes statements of things they have done during the program. They can select and tailor statements to their projects and interests, and to closely match the job description and requirements.
I try to put them in the mind-set of the HR lead and the hiring manager.
I explain that HR lead is the “pre-screener” — eliminating those who are obviously not qualified. The hiring manager will then sort the resumes into yes and no piles. In some cases this is a diligent process. In some cases, its a “feel” thing. In some cases this is a committee decision.
“Yes” pile resumes will qualify for a cover letter read, if cover letters are part of the process. Some organizations will administer a test of sorts. Based on the results, three to five candidates will be chosen for an interview. Two candidates will be called back for a second interview.
I think the most effective way to put students in the mindset of the HR lead and hiring manager is to expose them to a bunch of resumes. So, I have students bring several copies of their resume, which they share with classmates (I ask them to remove their names so that they don’t get distracted by that point).
Then we do a drill where students take five seconds to consume each resume and make a mental “yes” or “no” decision. While five seconds may be sightly on the short side, it gets the point across.
CCE textbook
Our Critical Infrastructure Defense course incorporates the Consequence-driven Cyber-informed engineering textbook by Bochman and Freeman of the Idaho National Laboratory.
I like the text because it pulls so many thoughts into a single resource. Bochman especially (and I making assumptions about which concepts he principally wrote and which Freeman wrote) draws from leading reports and commentary that support the CCE approach. And there are some great quotes in there from dozens of sources (even including me!).
I also like the text because it lays out the CCE methodology — and what else could you expect?
CCE differs from other methodologies because it includes both the often-overlooked intelligence aspects of a cyber-operation against critical infrastructure and the engineering aspects of preventing a specific physical consequence.
On the other hand, I think the text missed an early opportunity to create its own language around the methodology.
One example is that the phase 4 language involves “protect”. In a podcast/video interview Dale Peterson did with the authors a year or so ago, Dale asked (and I paraphrase here) “why the focus on ‘protect’ when most of the industry has accepted that protection is a bound-to-fail approach?”
It seemed to me that the responses of Bochman and Freeman didn’t hit this head-on. The obvious answer is that when CCE talks protection it means preventing the selected physical consequence — literally engineering it off the table, rather than preventing a breach of a network asset (which is how the broad cybersecurity industry uses the term “protect”).
I give that example to point out that the choice of terminology could influence the clarity of the methodology and the confidence with which it is viewed. In this instance, I would prefer the official terminology refer directly to “cyber-physical fail-safes” instead of “protect”.
In the end, I am pleased that Bochman and Freeman along with the INL team and their government supporters put this out there for use – even if it’s not perfect yet! I am excited to see a variety of firms latching onto the concepts and implementing them in their own work. And I’m thankful to have the book and other publicly-available materials to teach students who will soon work for those firms.
The Survey
In the education and training world, curricular guidance documents (sometimes called content standards), help educators ensure they are teaching what needs to be taught.
To help address a lack of “industrial-ness” in cybersecurity curricular guidance, Idaho State University (ISU) teamed up with Idaho National Laboratory (INL) and the International Society of Automation (ISA) to solicit input from industrial cybersecurity experts.
The result is the industrial cybersecurity knowledge survey.



The output will be a consensus-based curricular guidance document. We also plan to release an analysis of the data, a description of how the survey came to be, and the raw data for anyone to review.
The survey is open through the first week of February. If you haven’t taken it, do it now!
Diversity in a new semester
One of the great feelings of being a teacher is seeing the enthusiasm of your students. It is a humbling experience to recognize that someone is placing a high value on the ideas you intend to impart to them.
I have a handful of students getting a jump start on next fall’s start date by taking a couple of classes with me this spring semester. One has a previous AAS in information technology systems, one has a previous AAS in nuclear operations, and one has a previous AAS in Mechatronics — all going on for bachelor degrees in cyber-physical systems. Two decided to change majors from Computer Science to Industrial Cybersecurity.
When I asked the CS majors why they wanted to change they said they wanted to do something more hands-on!
This same group of early starters includes a veteran, a career changer, an international student, a female, and traditional student from my same town. Thinking about that inspires me to do and be better!
This new video highlights the diversity of our great programs: ESTEC Power Careers.
Building an Industrial Cybersecurity Workforce
Over 2019 and 2020, La Trobe University, Idaho State University and the Idaho National Laboratory worked to create a workforce development framework for industrial cybersecurity professionals.
Participants envision a series of easily consumable guides entitled “Building an Industrial Cybersecurity Workforce”. Today I am posting the first release in that series “A Manager’s Guide“.
This guide will aid managers in answering four pivotal questions:
1. Are you ready to build an industrial cybersecurity team?
2. How do you structure your industrial cybersecurity team?
3 . What does you industrial cybersecurity team need to know?
4. What does your industrial cybersecurity team need to do?
Identifying the unique knowledge and job roles required of industrial cybersecurity professionals represents a significant step towards developing a capable workforce. We note the ongoing need to establish a repository of knowledge, skills, attitudes, and behaviors on which diverse groups can rely to create training and education standards, personalized training plans, intervention methods, and training content. We anticipate using surveys, interviews, and field observations to expand, further validate, and refine this work.
Future deliverables include an Human Resources Guide and a Career Development Guide for Industrial Cybersecurity.
Rejections
Well, if you see me around, you can congratulate me. I have officially received my first rejections as an aspiring academic author!
One of the conferences to which I submitted was kind enough to provide some cryptic review comments. The other said (paraphrasing) “your paper was reviewed by three experts and found wanting” — no reviewer comments.
It might be easy to become disheartened, but this is the academic way; should I expect anything less? So I will keep at it.
The idea is to critically review the rejected papers, look for opportunities to round-out, re-organize, and maybe be more patient and selective on the target publication/conference. Be sure to incorporate more references from that particular conference or publication (homage to the reviewers?) .
Several months ago, I had an exchange about my topic with a well respected cybersecurity educator. She went straight for the jugular: “Your topic might be fit for a term paper, but not a dissertation.” Imagine me reading that email: doubt, despair, defensiveness.
One of my supervisors encouraged “Engage. This is how she treats PhD candidates. She’s at least giving you her time and attention.” So, we went the rounds, I made my case. She shot down my arguments one by one, but then left me an opening. And I took it. In the end she was even conservatively complimentary.
I think part of the challenge is providing sufficient context so that people who think they “already know all about it” recognize they really might not — all while balancing what you, as the author, might not know yet either.
New “Papers” Section
I’ve been very busy the past month writing, writing, writing.
You will now find a section entitled “Papers” within the site menu. This is where I will post the papers I’ve written related to the topic of industrial cybersecurity education. I’ll post the manuscript versions there, and then replace them with the published versions. This also allows paper reviewers to find manuscripts to which I refer (if self-references are allowed in copies submitted for review, of course).
The first papers I’ve posted describe the need for industrial cybersecurity education as a well-defined sub discipline. They examine efforts to establish industrial cybersecurity education and training standards 1) in the USA, and 2) in the world. They also provide detailed recommendations to improve the situation.
As you might expect with most academic literature, the papers are a bit dense; but, I’ve tried to ensure they flow well. I will cover elements of the content in later posts.
In the end, analysis finds that current standards fall short in three ways:
- They were created without consideration for the unique needs of industrial control systems
- They lack thorough development
- They do not account for the career paths of industrial professionals
Against the Banking Model of Education
I’m about halfway through “Pedagogy of the Oppressed” by Paolo Freire. It’s not a light book.
I picked it up as I was looking for thoughtful content on education. The book fit in well with the course I took on education evaluation (see previous post).
- What Freire described as conscientization seems the most important learning that a human being can have. To me, this means increasing one’s awareness of how things really work, and one’s relationship to the world, in order to make the world a better place.
- I agree that it is not enough to merely understand our world, we must dedicate ourselves to its progress, or our lives are without meaning.
- We cannot ignore the nakedness and hunger and misery of the human creatures on this planet without consenting thereto.
Freire harshly criticizes what he calls the prevailing banking model of education wherein instructors anesthetize student minds prior to depositing their own rote concepts, which they expect the students to vomit forth on command.
The criticism reverberated within me. I felt like I had experienced banking model instructors. I do not want to be among them.
I want students to have their own insights — insights which surpass mine. It’s not that they don’t need structure or guidance. It’s that they need to be and feel firmly in control of their journey of discovery — their journey to become.
To me, the glory of education lies not in the intellect of the instructor, but in the potential of the pupil.
Of course, I recognize that feeling these feelings and typing these words is the easy part. I have to align interaction with my loved ones, with my students, with my colleagues, and with the world around me to achieve lofty ambitions by careful and considerate daily effort.
I decided that on the first day of 3383 Secure Systems Design, I will require the students to write a 5 minute essay on “why cybersecurity matters”. Then we will have a robust discussion wherein I take the opposing side of the debate: “Cybersecurity does not matter”. And, I have plenty of great criticisms, and some serious doubts!
My hope is that in their very first interaction with me, they will see that it is okay to think outside the box, and that I want their reasoning to seriously consider alternate perspectives.