Sandworm Discussion Results

A couple of weeks ago I mentioned that Andy Greenberg’s Sandworm is required reading in my Critical Infrastructure Defense course, and I posted a study guide for others to use.

As COVID-19 has moved our in-person class to an online format, I decided to move the Sandworm discussion online too.

We are maintaining the same schedule of chapters each week, but I provided students the following guidance:

  • Pose one thoughtful question about the assigned chapters by Wednesday
  • When posting, please put the main idea or topic of your question as the Subject line. This allows potential respondents to sift through the topics without having to open each post. Moreover, forcing yourself to write a concise, meaningful subject is an important written communication skill.
  • I consider the ideal format for the initial question post to include the following:
    • Brief background
    • Cite the chapter (maybe even page number) — to allow other participants to know exactly what you are referring to.
    • Make an observation
    • Ask a question that elicits thoughtful responses
  • Questions can address something you want to understand better OR something you find interesting to discuss. The following question formats may be useful
    • What was meant by…?
    • Can you help me understand…?
    • What is the difference between…?
    • How would this apply to …?
    • Does anyone else…?
    • What does the class think about …?
  • Thoughtfully respond to two classmate’s questions by Sunday
  • Please re-respond to those who answer the question you posed

We’ve had some fantastic questions and ensuing discussion. For example, here are two questions posed by students (which they allowed me to share publicly):

In Chapter 29, it discusses how there are still different debates about NotPetya’s intentions. What debate do you think is the most cogent for NotPetya’s intentions?

We can see here that the student picked out the concept of intent, and noted that this is a challenging topic. A question like this can lead to discussions about threat intelligence, attribution, attack design, and evaluation of competing hypotheses, among other possibilities.

Here’s another:

For these chapters about NotPetya and how it spread I kept thinking about the Systems of System Analysis and how even outside ICS environments it would be beneficial to all organizations to go through this approach with their networked systems and software as a service system’s. For example, the book talked about hospital dictation software and how it was affected by NotPetya. I am assuming they never considered that as a crucial part of their day to day operations. What are your thoughts on applying system of system analysis on more than just ICS but potentially the enterprise side of the organization? Do you think this would have been beneficial to the hospitals or other organizations affected by NotPetya?

In this case the student took a core concept we cover in the class (system of systems analysis) and found where it would have applied within the Sandworm narrative. Then, the student realized the concept probably doesn’t only apply to industrial environments. This can lead to a discussion about biases of human cognition, differences in expertise necessary to conduct SOSA in an ICS vs IT environment, critical vs non-critical dependencies, and so on.

What I love about using an applied text like Sandworm is that it comes with the context for application — engaging the imagination. Standard texts may encourage vocabulary acquisition, but don’t get to this level of richness.

Posted in Uncategorized.

Leave a Reply

Your email address will not be published.