This was a fantastic school year in so many ways. The Industrial Cybersecurity program grew from 2 graduates in May 2017, to 3 in 2018, 6 in 2019, to 13 in 2020! (We are enrolled at capacity for Fall 2020, and have started a plan for competitive enrollment for Fall 2021).
I am so pleased with my students. I made the following video to share my congratulations with them.
The students gave their Capstone presentations yesterday. I wish there had been an audience of 100 people there to see how far they had come in two years. Among the projects, we had a student who put together a simple power grid simulation using equipment donated by SEL. We had a student who made an ICS security job posting board. We had several students examine ICS security technology solutions. My personal favorite might have been the student who wrote a short story about the consequences of not hiring the right industrial cybersecurity talent.
Nothing would make me happier than to have them pass me up in a few years — and I am sure they will!
I am sure I will address this in greater detail in the future, but I wanted to tell readers about the actual courses in the Industrial Cybersecurity Engineering Technology program at Idaho State University.
You can see from the list that 13 of the 28 courses fall into the industrial process control category, six fall into cybersecurity, and three fit under IT. This is a specific and intentional program design intended to make sure our graduates are ready to enter the industrial/plant floor environment.
In fact, what we really want is for students to graduate from any of the other hands-on engineering technology AAS degrees offered in our department (electrical, instrumentation, mechanical, nuclear operations), then go get a job and work for a couple of years. With real-world experience under their belts, they can return to enroll in Industrial Cybersecurity, where they bring valuable real-world perspective into the classroom and increase their earnings potential.
As we come down to the end of the semester here, my students are interviewing for internships and jobs.
AMTEC Photos, CC BY-SA 2.0
Based on student feedback, sometimes it seems that employers may not be attuned to the skill sets they need or know how to identify individuals who have the right competencies.
To aid employers in evaluating our students, we encourage our students to maintain a portfolio of their projects, including photographs and final presentations from various courses, which they invite employers to review.
In addition to reviewing the portfolio and asking some questions about it, I’ve created the following short list of sample questions that help employers discern between an IT security person and an industrial cyber person capable of bridging the IT-OT divide:
Can you share your experience programming PLCs?
Will you tell me about how you protect technician laptops?
How do you differentiate between a physical failure and a cyber attack?
What steps are involved in calibrating a temperature transmitter?
How does one segment an industrial network?
What challenges have you faced when creating an ICS asset inventory for security purposes?
A previous post described that our industrial cybersecurity students take at least five tours in their first year.
I created a list of questions that industrial cybersecurity students might ask their tour guide. We look specifically at: asset inventory, network issues, change detection, external connections, recovery, security, and the IT-OT gap.
Here’s a sampling:
How many different PLC vendors do you have?
Has a process ever shut down as the result of a network issue?
What procedure is used to make a control logic change (PLC programming)?
The key idea is to encourage application of in-class principles to the real world.
A couple of weeks ago I mentioned that Andy Greenberg’s Sandworm is required reading in my Critical Infrastructure Defense course, and I posted a study guide for others to use.
As COVID-19 has moved our in-person class to an online format, I decided to move the Sandworm discussion online too.
We are maintaining the same schedule of chapters each week, but I provided students the following guidance:
Pose one thoughtful question about the assigned chapters by Wednesday
When posting, please put the main idea or topic of your question as the Subject line. This allows potential respondents to sift through the topics without having to open each post. Moreover, forcing yourself to write a concise, meaningful subject is an important written communication skill.
I consider the ideal format for the initial question post to include the following:
Brief background
Cite the chapter (maybe even page number) — to allow other participants to know exactly what you are referring to.
Make an observation
Ask a question that elicits thoughtful responses
Questions can address something you want to understand better OR something you find interesting to discuss. The following question formats may be useful:
What was meant by…?
Can you help me understand…?
What is the difference between…?
How would this apply to …?
Does anyone else…?
What does the class think about …?
Thoughtfully respond to two classmates' questions by Sunday
Please re-respond to those who answer the question you posed
We’ve had some fantastic questions and ensuing discussion. For example, here are two questions posed by students (which they allowed me to share publicly):
In Chapter 29, it discusses how there are still different debates about NotPetya’s intentions. What debate do you think is the most cogent for NotPetya’s intentions?
We can see here that the student picked out the concept of intent, and noted that this is a challenging topic. A question like this can lead to discussions about threat intelligence, attribution, attack design, and evaluation of competing hypotheses, among other possibilities.
Here’s another:
For these chapters about NotPetya and how it spread I kept thinking about the Systems of System Analysis and how even outside ICS environments it would be beneficial to all organizations to go through this approach with their networked systems and software-as-a-service systems. For example, the book talked about hospital dictation software and how it was affected by NotPetya. I am assuming they never considered that as a crucial part of their day-to-day operations. What are your thoughts on applying system of system analysis on more than just ICS but potentially the enterprise side of the organization? Do you think this would have been beneficial to the hospitals or other organizations affected by NotPetya?
In this case the student took a core concept we cover in the class (system of systems analysis) and found where it would have applied within the Sandworm narrative. Then, the student realized the concept probably doesn’t only apply to industrial environments. This can lead to a discussion about biases of human cognition, differences in expertise necessary to conduct SOSA in an ICS vs IT environment, critical vs non-critical dependencies, and so on.
What I love about using an applied text like Sandworm is that it comes with the context for application — engaging the imagination. Standard texts may encourage vocabulary acquisition, but don’t get to this level of richness.
One of my favorite parts of the Industrial Cybersecurity program is the tours our students get to take. We try to get them 5 field trips in the first year alone. This generally includes the ISU heat plant, Great Western Malting, the Simplot Don Plant, Amy’s Kitchen, and a nearby substation. We even bring our own headsets so all students can hear the guide.
Here’s a photo of our industrial cybersecurity students at Amy’s Kitchen. One of our instructors is explaining a principle of operation, pointing to an instrument panel. It is super cool that an ESTEC Instrumentation graduate who works at the facility was our tour guide!
For the first couple of tours students are a bit lost, but as the semester progresses, they gain vocabulary and use industrial equipment in educational labs. By the final tours they are excited as they understand how things are working. They can converse with the guide and ask meaningful questions.
So, it was a bit of a downer that COVID-19 cut the tours short for the year. We will do our best to get these students into more facilities next fall!
Couched within the fascinating journeys of real-world characters striving to understand the implications of our evolving cyber world, no other book provides as rich and accessible a discussion of cybersecurity, threat intelligence, critical infrastructure, and nation-state threat actors as Greenberg’s Sandworm.
I’ve read many of Greenberg’s articles over the years. I admire his breadth of coverage, and ability to take complex topics and prepare them for a popular – though tech literate – audience.
I appreciated that the book represents Greenberg’s personal journey to answer the question “who is Sandworm?”, making an easy journey for the reader as well. While I found myself laughing – and even shouting out loud – in agreement, I also frowned a time or two. As someone who spent a decade of his life dedicated to understanding and explaining the cyber threat to critical infrastructure, things that seemed obvious to me were sometimes revelations to Greenberg; and, several conclusions I thought were plain wrong. But knowing that he was simply (and eloquently) describing his journey encouraged my patience.
Greenberg seems naturally a people person – which contributes to the book’s accessibility. I was surprised and pleased by his effort to paint the personalities of the main cast of characters.
John Hultquist and I worked together on Sandworm-related threat intelligence at iSIGHT Partners (which acquired my firm Critical Intelligence in March 2015) and later FireEye. I ran the Attack team, and Hultquist ran the Espionage team. We offered complementary coverage as I analyzed the industrial control aspects of Sandworm activities. When the electric transmission pylons serving Crimea were blown up in fall 2015, we collaborated to warn our customers that a cyber attack against Ukrainian utilities would be a likely Russian response. We presented together on the S4 Main Stage on the first Ukraine outage just weeks after it occurred. In Sandworm, I was pleased to see Hultquist’s own fascinating story presented to the world.
Rob Lee and I crossed paths many times over the course of his rise. I found Andy’s description of Rob excruciatingly accurate. Rob’s intelligence, contagious passion and persuasive ability have driven him to stardom, and attracted great talent into his firm, Dragos. Early on he invited me to join him, too. But I had an alternate vision of my future.
In all, I decided to make this book mandatory reading for students in my Critical Infrastructure Defense course. Students remember stories – and Sandworm provides rich context for exploration and application. Plus, I have developed my own profound perspectives around these same events.
I created a Sandworm Discussion Guide, which you can find in the Curricular Materials section of my Web site at this link. Happy teaching!
We just reviewed differing opinions on whether it’s okay to teach to the test, and I promised to tell what approach I was taking in ISU’s Industrial Cybersecurity Program.
In my program, I require a Professional Certification course. It’s really a professional preparation course, but the main thrust is obtaining the SSCP cert.
Why?
First, I want my program to tie to some external validation point.
Second, I want students to enter my program clearly expecting to take and pass the exam.
Third, no single existing certification will accurately reflect what my students know and can do as they bridge IT and OT.
Fourth, the class covers a breadth of cybersecurity content not covered in other classes – so it’s not just review.
I specifically chose to have a class that teaches to this exam because that way the “narrowing of scope” that concerns Ravitch and Schou (see previous post) is confined to a single space and time.
If content from that course spills into other courses, or vice versa, that’s a benefit rather than a drawback.
I chose the SSCP cert because it is an appropriate medium level certification. It has a reasonable price point for students, and is tied to a nonprofit membership association — the (ISC)2. Thus, the certification is tied to professionalism rather than merely a credential. Moreover, maintenance of the certification requires continuing professional education credits. It also requires adherence to a formalized statement of ethics. I encourage my students to participate in the ISC2 Idaho Chapter.
Students are required to take the exam, and its costs are included in the course fees.
I also use this course to ensure students transition to the workplace. They are sharpening their resumes, honing their social media profiles, and conducting mock interviews.
In my education evaluation class (in which I am a graduate student) we’ve been learning about, well, evaluation — through the framework of Kirkpatrick’s four levels.
Kirkpatrick’s level 2 deals with learning assessment. That is, tests students take.
Ravitch, addressing primarily K-12 education, holds that teaching to the exam leads to narrowing the curriculum, particularly in English and mathematics. She explains that exams are imperfect one-time measures of a student’s overall learning, and do not account for the myriad characteristics that cannot accurately be tested, many of which have a significant influence on the ultimate success of a student.
In addition to my class and my commute listening, I recently read a statement on the educational philosophy of Dr. Corey Schou, who was my own masters thesis supervisor.
Schou decries approaches that teach to the exam. He believes that the educational experience should be sufficient to prepare the student for the exam.
Schou was an early member of the (ISC)2 organization, which certifies information security professionals. The major component of that certification is passing an exam.
Schou expects his students to pass the (ISC)2 Certified Information Systems Security Professional (CISSP) exam upon exit of his program, and explains that his graduates have a 100% pass rate of the CISSP since his first graduate took it 15 years ago.
To be fair, I know that his students do spend time directly preparing for the exam (who wants the shame of breaking that trend?); but, it is absolutely true that he does not teach to it.
Other education thinkers, including training expert Robert Mager, do believe in teaching to the exam. In his view, if the exam appropriately reflects what a student really needs to know, then why wouldn’t you teach to it?
How are we addressing this in the ISU Industrial Cybersecurity program? Come back next time to find out!
This year I volunteered to advise our International Society of Automation (ISA) student club. We have a good number of participants across all five programs (electrical, mechanical, instrumentation, nuclear, industrial cyber) and fantastic student leadership.
The club determined to organize an Industrial Operations Combine – modeled after the NFL Scouting Combine. We invite potential employers to come and see the students in action completing a challenge such as wiring up a PLC, interpreting a P&ID, or running Wireshark. This gives them a great feel for what our students can really do, rather than just what a resume says.
Participating employers receive resumes and contact details for all candidates, and can schedule interviews for the next day. If this sounds intriguing, come and check it out. Then sign up to bring a challenge next year!