Computer Science programs may fall short in contributing to critical infrastructure protection

 

“There’s a great future in plastics. Think about it. Will you think about it?”
– Advice given to a young man in the 1967 Film, “The Graduate” (1)

In the 1967 film, “The Graduate” an older man gives insider advice to a young person struggling to decide on a future career. I was in a similar situation when someone advised me to go into computers. This was back in the late 70’s and early 80’s. So I did take up the advice and took some extra courses in computer science and computer education to position myself for a career change. The master’s degree program in Computer Education I enrolled in was strictly oriented to Information Technology and Information Systems. Operational Technology (OT) was never mentioned in any of the courses I took and I am sure my professors had no clue what OT was or where it referred to. Later I did write a simple accounting/inventory program for a very small electric motor resale business but that was about as close as I came to anything near to what could be an industrial control system.

Many years later as a deputy director of an IT and Telecommunications department for a government ministry I was responsible for coordinating the implementation of NATO’s information and communication security requirements (then called Infosec and Comsec) prior to joining NATO. Then again there was no mention of any OT security requirements. It was the government IT and Telecommunications systems that were the focus of the security work. What went on in a national power grid, water supply system or pipeline was not directly of concern to us.

Since then the cybersecurity of OT has really entered the public consciousness. Concerns about cyber- attacks on national power grids and pipeline control systems are much in the news. Working in OT requires a different kind of knowledge and skill sets then what is usually found in office IT. So one wonders about the preparation of new cybersecurity professionals to protect industrial control systems used to monitor and manage critical infrastructure.

Ran into an article with a listing of some of the computer science programs being made available in U.S. higher schools of education. (2) The offerings in terms of preparing cybersecurity professionals to secure critical infrastructure are disappointing. Only one interestingly enough had a “Masters of Engineering in Cybersecurity” program offered in a collaboration among the Electrical and Engineering Departments and a government cybersecurity center (3).

Cybersecurity however in most of these programs seems to be about securing what takes place in the government or business office environment. Namely securing information or data from cyber spies or cyber criminals. While searches throughout the course offerings for terms like “IT, IS, network and Critical Information” came up with many hits there were ZERO results found searching for OT terms such as “ICS, SCADA, control, process”. Security was also mentioned in terms of the IT security priorities of Confidentiality, Integrity and Availability. “Safety” and “reliability” came up with no matches. The term “forensic” came up but one can infer that the application is in investigating a cybercrime (4).

In terms of motivation for these new programs in computer science it seems that it comes from the Government where several schools indicate their program meets the requirements of the NSA and DHS. However the focus seems again to be not process control but working with and securing data or “information infrastructure” (5). Where is the voice of the utilities and manufacturers in the private sector? The operators?  Where are their requirements?

In short I found confirmation to a question I frequently get after a lecture on cybersecurity and critical infrastructure: “what can education do to address the lack of communication between IT and OT professionals?” I respond by saying that the IT bias needs to be remedied by  including an appreciation for the peculiarities of OT security. Computer Science programs need to include relevant OT security aspects together with what they teach about IT cybersecurity which currently seems attuned to the needs of office IT environments.  In other words a one-size-that-fits-all solution will not work.

The implications for policy making are significant. If computer science sees cybersecurity in terms of  securing the office IT environment then then what can come of work on national cybersecurity strategies that attempt to include critical infrastructure protection? What can we expect of the cybersecurity professional trained in these IT biased programs when he gets a job working for a power plant or manufacturing facility? Is there a risk for other Hatch type incidents (6)?

 

Computer Science degrees that focus on cybersecurity need to fix the link between IT and OT.

 

I cannot comment about what is taught about cybersecurity in schools of engineering but I would not be surprised if there was a similar OT bias and lack of IT cybersecurity awareness in engineering curriculums. If anyone has any information at hand about this please share it.

The gap between IT and OT security has been noted before as well as the need for IT and OT security practitioners to work together. However if we continue to train IT and OT cybersecurity professionals in silos the needed bridge of cooperation and understanding between the IT and OT worlds in regard to cybersecurity will be long in coming. Until Computer Science  course curriculums  include IT/OT cross training, we can expect more unsettling cyber incidents and surprises in critical infrastructure.

1 https://en.wikiquote.org/wiki/The_Graduate Accessed August 17, 2018
2 Hodge, S., Top bachelors and masters cybersecurity degree programs, CSO online, August 3, 2018 https://www.csoonline.com/article/3294206/security-awareness/top-bachelors-and-masters-cybersecurity-degree-programs.html Accessed August 17, 2018
3 Ibid.
4. Ibid.
5. Ibid.
6. http://www.homelandsecuritynewswire.com/cyber-mishap-causes-nuclear-power-plant-shutdown

 

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and member of ISA 99 Workgroup 14 on security profiles for substations.