I’ve been very busy the past month writing, writing, writing.

You will now find a section entitled “Papers” within the site menu. This is where I will post the papers I’ve written related to the topic of industrial cybersecurity education. I’ll post the manuscript versions there, and then replace them with the published versions. This also allows paper reviewers to find manuscripts to which I refer (if self-references are allowed in copies submitted for review, of course).

The first papers I’ve posted describe the need for industrial cybersecurity education as a well-defined sub discipline. They examine efforts to establish industrial cybersecurity education and training standards 1) in the USA, and 2) in the world. They also provide detailed recommendations to improve the situation.

As you might expect with most academic literature, the papers are a bit dense; but, I’ve tried to ensure they flow well. I will cover elements of the content in later posts.

In the end, analysis finds that current standards fall short in three ways:

• They were created without consideration for the unique needs of industrial control systems
• They lack thorough development
• They do not account for the career paths of industrial professionals

I’m about halfway through  “Pedagogy of the Oppressed” by Paolo Freire. It’s not a light book.

I picked it up as I was looking for thoughtful content on education. The book fit in well with the course I took on education evaluation (see previous post).

So far, I think I agree with several principal points:

• What Freire described as conscientization seems the most important learning that a human being can have. To me, this means increasing one’s awareness of how things really work, and one’s relationship to the world, in order to make the world a better place.
• I agree that it is not enough to merely understand our world, we must dedicate ourselves to its progress, or our lives are without meaning.
• We cannot ignore the nakedness and hunger and misery of the human creatures on this planet without consenting thereto.

Freire harshly criticizes what he calls the prevailing banking model of education wherein instructors anesthetize student minds prior to depositing their own rote concepts, which they expect the students to vomit forth on command.

The criticism reverberated within me. I felt like I had experienced banking model instructors. I do not want to be among them.

I want students to have their own insights — insights which surpass mine. It’s not that they don’t need structure or guidance. It’s that they need to be and feel firmly in control of their journey of discovery — their journey to become.

To me, the glory of education lies not in the intellect of the instructor, but in the potential of the pupil.

Of course, I recognize that feeling these feelings and typing these words is the easy part. I have to align interaction with my loved ones, with my students, with my colleagues, and with the world around me to achieve lofty ambitions by careful and considerate daily effort.

I decided that on the first day of 3383 Secure Systems Design, I will require the students to write a 5 minute essay on “why cybersecurity matters”. Then we will have a robust discussion wherein I take the opposing side of the debate: “Cybersecurity does not matter”. And, I have plenty of great criticisms, and some serious doubts!

My hope is that in their very first interaction with me, they will see that it is okay to think outside the box, and that I want their reasoning to seriously consider alternate perspectives.

I think I am passionate. I consider myself at least a medium-term visionary. I think I’ve worked hard to help create a program that will improve the lives of students, help maintain more resilient infrastructures, and serve as a pattern (or at least learning experiment) for future programs across the country.

Fortunately, I’m not in this alone. This year I gained a profound appreciation for the sincere and enthusiastic participation and support of people with boots-on the ground experience and horse-in-the-race enthusiasm. I want to call out three of them:

First, the Idaho National Laboratory provided financial support which we used to create 8 flow control trainer stations. Several INL subject matter experts serve on Industrial Cybersecurity program advisory committee. Two top-notch analysts came to brief students on the Consequence-driven Cyber-informed Engineering (CCE) methodology. Several students ended up INL summer internships!

Second, Blackmere Consulting visited to provide focused job seeking and resume building guidance. Blackmere’s personal touch and cyber focus really sets them apart. Students found the talent acquisition perspective invaluable.

Third, Rockwell Automation’s Eastern Washington team provided insightful program advice, referred employers to us, and provided PLCs to upgrade ESTEC’s instrumentation engineering technology laboratory!

An enormous Thank You! to these organizations and their passionate personnel!

In my mind, the individualized feedback loop is at the core of education. Anyone can buy a book. Anyone can watch a video. The value you cannot get “on your own” is individualized expert feedback.

I made the image below to describe the idea of how formalized learning generally occurs. It’s not as if there is anything novel here, but it provides good background. You can see that “Provide Individualized Critique” is an instructor responsibility during the grading or sign-off intervention.

As we shifted to online mode curing the COVID-19 outbreak, I was most concerned about the “provide individualized critique” element.

Being that I teach in a hands-on environment, students work on laboratory exercises, then come to me for sign-off. I review their progress on-the-spot and say “Great start. Have you considered N?” They address N, and come back. I ask, “What about O?” And so on. Until they and I are satisfied with their work. I sign them off.

Under this arrangement, students are progressing at different rates. They are working with each other. They overhear what I tell other students. It works quite nicely.

For example, we spend several weeks working with ICS device inventories for security purposes. In one exercise I require students to identify what fields they would want the inventory to include, and why.

Generally speaking, the sharpest students are not those that get it right the first time — because no one does. They are those that move through the loop more times.

Once we went online, this level of individualized feedback was largely lost. Students were submitting their lab assignments as best they could, and I provided feedback, but then it was on to the next exercise. Instead of running through that loop several times, we only made it through once.

As the in-person paradigm is now regularly supplanted by the online paradigm in schools throughout the world, I/we will struggle to maintain (and enhance) our effectiveness.

I am particularly concerned about how this will play out for technical professionals, who will be expected to keep critical facilities like water provisioning systems up and running — for whom “work from home” is not an option.

“Hands-on. Online.” We’re going to figure this out.

This was a fantastic school year in so many ways. The Industrial Cybersecurity program grew from 2 graduates in May 2017, to 3 in 2018, 6 in 2019, to 13 in 2020! (We are enrolled at capacity for Fall 2020, and have started a plan for competitive enrollment for Fall 2021).

I am so pleased with my students. I made the following video to share my congratulations with them.

The students gave their Capstone presentations yesterday. I wish there had been an audience of 100 people there to see how far they had come in two years. Among the projects, we had a student who put together a simple power grid simulation using equipment donated by SEL. We had a student who made an ICS security job posting board. We had several students examine ICS security technology solutions. My personal favorite might have been the student who write a short story about the consequences of not hiring the right industrial cybersecurity talent.

Nothing would make me happier than to have them pass me up in a few years — and I am sure they will!

I am sure I will address this in greater detail in the future, but I wanted to tell  readers about the actual courses in the Industrial Cybersecurity Engineering Technology program at Idaho State University.

You can see from the list that 13 of the 28 courses fall into the industrial process control category, six fall into cybersecurity, and three fit under IT. This is a specific and intentional program design intended to make sure our graduates are ready to enter the industrial/plant floor environment.

In fact, what we really want is students to graduate from any of the other hands-on engineering technology AAS degrees offered in our department: electrical, instrumentation, mechanical, nuclear operations, then go get a job and work for a couple of years. With real-world experience under your belt, return to enroll in Industrial Cybersecurity,  where they can bring valuable real-world perspective into the classroom, and increase their earnings potential.

As we come down to the end of the semester here, my students are interviewing for internships and jobs.

AMTEC Photos, CC BY-SA 2.0

Based on student feedback, sometimes it seems that employers may not be attuned to the skill sets they need or know how to identify individuals who have the right competencies.

To aid employers in evaluating our students we encourage our students to maintain a portfolio of their projects, including photographs and final presentations from various courses, which they invite employers to review.

In addition to reviewing the portfolio and asking some questions about it, I’ve created the following short list of sample questions that help employers discern between an IT security person and an industrial cyber person capable of bridging the IT-OT divide:

• Can you share your experience programming PLCs?
• Will you tell me about how you protect technician lap tops?
• How do you differentiate between a physical failure and a cyber attack?
• What steps are involved in calibrating a temperature transmitter?
• How does one segment an industrial network?
• What challenges have you faced when creating an ICS asset inventory for security purposes?

A previous post described that our industrial cybersecurity students take at least five tours in their first year.

I created a list of questions that industrial cybersecurity students might ask their tour guide. We look specifically at: Asset inventory, network issues, change detection, external connections, recovery, security, IT-OT gap.

Here’s a sampling:

• How many different PLC vendors do you have?
• Has a process ever shut down as the result of a network issue?
• What procedure is used to make a control logic change (PLC programming)?

The key idea is encourage application of in-class principles to the real world.

It is interesting to hear tour guide responses.

I’ve attached the entire question set in the curricular materials section of the Web site. Happy touring!

A couple of weeks ago I mentioned that Andy Greenberg’s Sandworm is required reading in my Critical Infrastructure Defense course, and I posted a study guide for others to use.

As COVID-19 has moved our in-person class to an online format, I decided to move the Sandworm discussion online too.

We are maintaining the same schedule of chapters each week, but I provided students the following guidance:

• Pose one thoughtful question about the assigned chapters by Wednesday
• When posting, please put the main idea or topic of your question as the Subject line. This allows potential respondents to sift through the topics without having to open each post. Moreover, forcing yourself to write a concise, meaningful subject is an important written communication skill.
• I consider the ideal format for the initial question post to include the following:
  • Brief background
  • Cite the chapter (maybe even page number) — to allow other participants to know exactly what you are referring to.
  • Make an observation
  • Ask a question that elicits thoughtful responses
• Questions can address something you want to understand better OR something you find interesting to discuss. The following question formats may be useful
  • What was meant by…?
  • Can you help me understand…?
  • What is the difference between…?
  • How would this apply to …?
  • Does anyone else…?
  • What does the class think about …?
• Thoughtfully respond to two classmate’s questions by Sunday
• Please re-respond to those who answer the question you posed

We’ve had some fantastic questions and ensuing discussion. For example, here are two questions posed by students (which they allowed me to share publicly):

In Chapter 29, it discusses how there are still different debates about NotPetya’s intentions. What debate do you think is the most cogent for NotPetya’s intentions?

We can see here that the student picked out the concept of intent, and noted that this is a challenging topic. A question like this can lead to discussions about threat intelligence, attribution, attack design, and evaluation of competing hypotheses, among other possibilities.

Here’s another:

For these chapters about NotPetya and how it spread I kept thinking about the Systems of System Analysis and how even outside ICS environments it would be beneficial to all organizations to go through this approach with their networked systems and software as a service system’s. For example, the book talked about hospital dictation software and how it was affected by NotPetya. I am assuming they never considered that as a crucial part of their day to day operations. What are your thoughts on applying system of system analysis on more than just ICS but potentially the enterprise side of the organization? Do you think this would have been beneficial to the hospitals or other organizations affected by NotPetya?

In this case the student took a core concept we cover in the class (system of systems analysis) and found where it would have applied within the Sandworm narrative. Then, the student realized the concept probably doesn’t only apply to industrial environments. This can lead to a discussion about biases of human cognition, differences in expertise necessary to conduct SOSA in an ICS vs IT environment, critical vs non-critical dependencies, and so on.

What I love about using an applied text like Sandworm is that it comes with the context for application — engaging the imagination. Standard texts may encourage vocabulary acquisition, but don’t get to this level of richness.

One of my favorite parts of the Industrial Cybersecurity program are the tours our students get to take. We try to get them 5 field trips in the first year alone. This generally includes the ISU heat plant, Great Western Malting, the Simplot Don Plant, Amy’s Kitchen, and a nearby substation. We even bring our own headsets so all students can hear the guide.

Here’s a photo of our industrial cybersecurity students at Amy’s Kitchen. One of our instructors is explaining a principle of operation pointing to an instrument panel. It is super cool that an ESTEC Instrumentation graduate who works at the facility was our tour guide!

For the first couple of tours students are a bit lost, but as the semester progresses, they gain vocabulary and use industrial equipment in educational labs. By the final tours they are excited as they understand how things are working. They can converse with the guide and ask meaningful questions.

So, it was a bit of downer that COVID-19 cut the tours short for the year. We will do our best to get these students into more facilities next fall!