“I’ve been educating now for about eight years within the college system and that hands-on experiential learning is critical. When I have students do something that’s like a scenario based off of different security assessments I’ve done or just weaving in some real world stuff, they thrive. They really get excited. They walk away from it energized.” – Dennis Skarr
In this episode of Hack the Plant, Dennis Skarr of Everett Community College joins us to talk about an industrial cybersecurity program for students he has recently built. He describes the interactive element that helps students get excited about cybersecurity – in turn inspiring the next generation of cybersecurity professionals.
What success has this program had – and how, and why, should it be replicated across the country?
Join us as we discuss these questions, and more.
For today’s episode, I’m joined by Dennis Skarr, who built an industrial cybersecurity program for students at Everett Community College (EvCC). I first met Dennis when he came to an ICS village event a few years ago. At the event he saw our interactive ICS WALL, which inspired him to re-think how to educate students for cybersecurity jobs. He describes his initial experience, and how he took what he learned to create an academic program to increase the pipeline into ICS security.
We’ve been fortunate enough to have Washington state invest in the hardware for us, and GRIMM did some fantastic work developing trainers as well as to capture the flag competitions for us. And now I’m working on how we can actually integrate that technology into existing classes and talk to other supporting programs like engineering, computer science, business, to be interested in this material and why it’s relevant to students outside of information security.
Today, we discuss the importance of interactive learning, and how that motivates the next generation of cybersecurity professionals.
So what we decided to do at Everett is we kind of wanted to dip our toe into offering industrial cybersecurity material. And our goal at a college, especially at a community college, is to retool incumbent workers who may have been displaced due to the economy going a little bit sideways, as well as high school students looking at kind of getting into those goals.
So the challenge that we had with industrial cybersecurity is there aren’t a lot of jobs readily available for students to graduate into, especially within our region. So we’re working on introducing students to those concepts and those learning outcomes to kind of start shifting culture of the workforce as students are leaving our program and entering the workforce and kind of progressing upward in leadership.
And where did you get the idea to do it this way?
Well, I was actually inspired by the technology at the ICS village years ago when I kind of met you and Tom. I saw the wall and was absolutely blown away with just being able to touch ICS devices in a training environment. In my experience in the military doing similar work, the trainers were good, but it was very restrictive and kind of limited to what you could and couldn’t do.
And seeing that in front of eager students really kind of changed my perspective on what could be done when it comes to educating students in this space. And when we were exploring opportunities to pursue a grant, it was my team that actually nudged me along to go for something I see as security related and they were the one that nudged me into this space. And then with that, when we decided to pursue the grant, I reached out to Tom and I’m like, “Hey Tom, what could we do? And how can we kind of bring that here to Everett?”
Okay. So you had this idea, this seed for building out more of the cybersecurity program tied to the community college goals of helping workers transition from current career into cybersecurity and more of that vocational getting high schoolers within a shorter period of time into the cybersecurity workforce.
And then it sounds like the water was… And this was not a setup. I promise I did not give Dennis $20 to give the call out to our nonprofit. But the water then was seeing the ICS village, and I’m presuming that was at DEFCON?
At DEFCON and going, “Oh, okay. So here’s some equipment, here is a way to drive kinesthetic learning that I can build a curriculum around where they get exposed to the ideas, they get to see the ideas, and they get hands-on learning,” which ties again to more of that vocational interest at the community college level.
Absolutely. That was really it. I’ve been educating now for about eight years within the college system and that hands-on experiential learning is critical. When I have students do something that’s like a scenario based off of different security assessments I’ve done or just weaving in some real world stuff, they thrive. They really get excited. They walk away from it energized.
And years later, I run into students on the street and they still bring up like those experiences. So when I saw the wall initially, I made that connection to my head like, wow, if I had that ability on campus, I could really kind of change that experience. And it took a while.
I think the first time I saw you guys was maybe 2014. I think it was the first year you had that. And then it was last year where we first rolled that out on campus. But I think the timing for our institution and bringing in the equipment was spot on with meeting the current demands in this sector right now and a lot of other initiatives kind of happening on the workforce development side that I’m also part of.
Sorry. Yeah, there we go. So you’ve been teaching this now for at least one semester, correct?
I just wrapped up my second quarter teaching this material. Yes.
And what have you learned from teaching this for the past two quarters?
So I’ve learned a lot. I think I’ve learned as much as my students. Obviously, COVID throws a wrench in education and I’ve only been able to instruct this class online so far, which really adds a layer of a complexity to it because the beauty of this equipment is you get to see things happening right in front of you and interact with it.
But we’ve kind of found some work-arounds and the capstone exercise for the class is based off of some security assessments that I’ve done in my military career. And they’re given a mock scenario that they have to do a security assessment. And they start off just taking pictures of all the equipment, gathering serial numbers, pulling up ICS-CERT and looking for known vulnerabilities.
Then they move up to the network and kind of start asking for different levels of permission to do different types of scans. And the capstone itself has been a great experience, where normally we only can do that in like the last two weeks of school. And I’m really hungry to kind of have that hands-on learning throughout the whole 10-week quarter, starting in spring.
And at the end of that, where I do most of my kind of learning is we have professionals from industry sitting in to listen in on that presentation that students have. So they have to out-brief on their findings as well as prepare a written report. And the feedback I get from people in industry really helps me identify gaps in my training and where I need to kind of boost different skills and activities for students to be more successful understanding the fundamentals of industrial cybersecurity.
What are some of those lessons learned specifically?
The lessons learned specifically is, well, one, I really need to work with the groups more over the quarter to build up their presentation skills, like the soft skills. I feel like they need to kind of come up a little bit. And that’s perfectly fine because a lot of these students are second or third quarter students.
So they may not have been exposed to a lot of group projects and online learning can kind of squash that a little bit. So I’m working to kind of get more group projects where they can work as a team. They can kind of sort through their different differences, logistical barriers to be more effective, and then getting a little bit more technical on the keyboard.
So I’m trying to build more activities that kind of feed up into the overall security assessment. And then also I think giving them more time for the assessment overall, like trying to jam it into two, three weeks to do that much work on top of other finals can be challenging on students. So I think giving them more time and more access to equipment. So I think moving the class to in-person this spring will be a lot of what I need to kind of start executing on those concepts.
How long is the program or are there different flavors and lengths of the program?
So our program is a traditional IT program, very similar to just about everything kind of going on in community colleges. We kind of have our traditional classes that we do well in. You have your networking classes, server, a little bit of security, and then your breadth requirements for transferring English, math, human relations.
So students are in a program about two years, and right now this class is a technical elective that just gives them some exposure to it. So right now the class itself is five credits. But what we’re trying to do with our whole program on campus is I don’t want it to be a one and done experience with a five credit class, which is why I’m trying to introduce some of the trainers into applicable classes on campus.
So as they’re learning different concepts within Cisco equipment, can they actually apply the same concepts to Affordanet, something on industrial cyber side. So taking those concepts and kind of building on them. So they develop a level of proficiency with this equipment.
So it’s not so foreign and strange if they bump across it in the workforce side of things. Another thing that we’re trying to do campus-wide is we’re currently working with the STEM club to get students outside of IT interested in this space. If they’re going into engineering or if they’re going into computer science, they’re going into business, what we kind of cover within our program are applicable to them.
We’re looking at kind of shifting culture within a lot of different businesses in our area and that shouldn’t be limited to just students who are going to be working on the information technology. We need the decision makers and more people who are interacting with industrial equipment to understand the real-world threats and impacts to this.
And I’m kind of using the club as a way to get more students interested in the class and developing online training for them to kind of get more involved in this area. And there’s a lot of enthusiasm outside of the IT space right now, too. I think most of the students who are really kind of flocking to this equipment and these concepts are on the engineering side, which kind of was delightful and surprising for me to see.
Do you have some idea of what that would look like with this kind of class being adapted for I guess the non-traditional folks, those that you described as outside of IT?
Yeah. We actually designed this class not to be tech heavy because we are trying to encourage business, the operational technology, students within the mechatronic program, really any student with passion and curiosity to get into this class and understand just the basics of, what really is industrial cybersecurity?
What is the real-world impact? How fragile are these systems? And I think there’s a lot of misconceptions that students just kind of hear through whatever’s floating through their social media channels about these different topics and giving them direct access to that and understanding the basics and develop that common language is really important.
I’m trying to create more official pathways within our college to get this class to count towards their programs as an elective. And that’s kind of one of the challenges I’m kind of facing on campus.
On a future episode, we’ll be talking about a recently announced consortium with Siemens, the ICS Village, and others to establish a new apprenticeship program to defend critical infrastructure: the Cybersecurity & Industrial Infrastructure Security Apprenticeship Program (CIISAp). The first cohort is expected in Fall 2022.
I know you only have two quarters under your belt, but have you had any students graduate with a degree with this elective yet?
Yes. I’ve had two students who have kind of moved on from the program. Strangely enough, one student graduated and came back just for this class, and he’s doing really well right now. I have students who are definitely on path and ambitious to get into this flavor of cyber security.
Chris actually just enrolled in SANS and he wants a focus on ICS. I still kind of work with him and mentor him in that space to try and see how I can kind of still shepherd him along and move in that direction. And then I have another student who just graduated from the class, but still has a year left on campus.
And I’m working with him right now to help us with kind of the capture the flags that we’re kind of setting up as well, being part of the club system to kind of help out in that space. But I’ve also had an opportunity with a local utility where they wanted me to come in and support them through a tabletop exercise, which is great.
And my request was I bring in students. So he’s like assisting me with kind of going through the different injects and the tabletop exercise. And he is going to be on site with me when we’re kind of executing this and capturing lessons learned. So I have students going through it and they’re inspired. They’re on path. They’re dedicated.
And as more opportunities are presented to me in the program on how students can get involved, I’m always trying to make sure that students are involved and it’s not just me, the instructor, kind of in these roles. I won’t even do anything unless I can get a student involved and give them their eye on grabbing the next rung of the ladder and building up their resumes so they’re more prepared to enter this space.
So too early to have any of the employment feedback, correct?
Correct. Yeah. One of the challenges we kind of have is we’re building supply and demand at the same time. With these programs out there, it’s making us splash locally. And we have students interested into it, but we’re also looking at not just the big employers in the area, but the small manufacturers that all feed into the aerospace sector here can definitely benefit from our students or sending one of their current employees through this program to get a little bit more savvy in this area.
So we’re trying to kind of educate and do outreach at the same time. And this is where a few of the different workforce development programs I’m involved in will really kind of help out as well. So we have a lot of different work to do in order to make sure that we’re effectively creating students with the right skill sets to enter the workforce and shift culture, make change, as well as educate local business that this is an in-demand skill that you should be actively looking for.
You mentioned the capture of the flags. Can you go into a little more description of how you do capture the flags with the industrial control system ranges that you have, as well as what is the value of a capture the flag game or exercise in education?
Yeah, absolutely. Well, anytime you can gamify a learning lesson, students lean forward and embrace it. So the capture the flag competitions were a really good fit for what we wanted to achieve. And there are two capture the flags that were developed by GRIMM for us to use in our program. And one of them is geared towards high school students, which has a broad spectrum of STEM skills.
That competition is really geared for generating interest and sparking curiosity. And students can come to us with no understanding of anything and we go get them through the crawl, walk, run, kind of process to introduce them to the technology, how they can be affected with everything from programming a programmable logic controller, to a little bit of Python, to the fundamentals of information security.
And ultimately they kind of walk through a dinosaur-themed capture the flag competition that would be a one-day competition. We’re looking at actually hosting this May. The second competition that will run concurrent with that is geared towards the college students. So the two-year level college students.
And similar concept, where we can teach the college students a little bit more of the ICS kicker. They come to us and we can train them on what is ICS and introduce them to the technology. But they learn cybersecurity at their home school and their kind of programs.
The value to the capture the flag competitions is it’s different than what they get in a learning management system on college or in their classroom. I mean, they’re hands-on. They’re getting something new. They have to work well as a team. They have time management. They have communication skills that they kind of have to keep sharp.
And they may have to divide and conquer with the skill sets of their team, which I really kind of enjoy. You may have an individual that’s a whiz-bang with programming, but may not be very well off with the actual hands-on information technology side of things, and kind of vice versa.
So I love the idea that the students have to kind of build up this team and rely on each other’s strengths to kind of get everything kind of moving along. The flag type challenge is something that I’m looking at kind of incorporating more into our program now that I’ve actually been introduced to the platform. So one of the things I’m currently working on is, can I incorporate like a capture the flag as a capstone exercise for some of the entry level classes? Answered your question?
Yeah. I’ve seen a capture the flag sort of exercise like that used as a capstone at the US Air Force Academy.
So you had to build this and it was an inspiration of multiple different things that led you to there. So what is the state of affairs of education in general that you see in the United States?
Well, education has been a little bit tricky over the last couple years, especially at the community college system, because I feel like we’re normally really dialed into what is the pulse of the work force doing within information technology. And how we interact with technology has changed everything over the last couple years.
One of the challenges we initially had was the economy was in a little bit of a collapse and we had a huge influx of students from the aerospace sector coming to us because they lost their jobs and they’re looking at retooling into something that’s stable and growing. And every time the economy kind of like takes a hit, a lot of students do kind of retrain into information technology. That’s just kind of how things work. Old technologies kind of like whittle away and more intelligent devices come on board.
But when companies add more intelligent devices into their business, it’s not a one for one with workers lost versus worker gained. Some tech jobs are gained, but a lot of the more physical labor intensive jobs kind of die. So just look at the history of manufacturing, where we lost a lot of bodies doing these routine tasks and it’s replaced with automation.
So we have that coming in, but we’re still struggling to see where information technology jobs are re-emerging right now. And in the past we always had a very steady flow of internship opportunities coming to our program. And we’re still not quite seeing those just yet. We’re starting to see a little bit more. We just looked at some great data on the kind of national level workforce development with information technology and we see support really kind of springing up.
So we know that we’re still doing well preparing students for the new jobs that are coming to us to rebrand and retool into a job that’s stable, but we’re not hearing it directly from the employers, which is kind of a challenge. So on the workforce side, that’s one thing that we’re still kind of struggling with. The other layer is just content delivery. COVID was really just extremely disruptive to the classroom, and we thrive in the classroom.
I love being in the classroom. I think that’s where I really kind of excel. And we had to go to remote learning. And remote learning does have its strengths for the right audience, but a lot of students really kind of struggle with that format, especially if they tend to be a little bit more hands-on, it may not be the best fit for everyone.
And then you throw the stressors of a pandemic on top of it and a lot of students are more focused on just getting through day to day life and education may not be as high of a priority as what it normally would be, which kind of adds a little bit of challenges to things. I kind of had to change who I am in the virtual classroom now, where I talk to my students and I share, like, don’t think of me as a teacher, think of me as a mentor and a coach.
I’m really here to support you through your goals in life and make sure that you can kind of get through this program. And I let my students know that if life is really rough and you need to take a break, let me know. Because if your life is stressing you out right now and you’re trying to do school, you’re not going to do it well. I’d rather have you take a little bit of a pause, address those concerns, take a deep breath, recover, and then come back to education strong.
And I’ve had a lot of students take me up on that. And I’ve had to do it a little bit as well, too, where I’m not immune to things going on. I’ve had to kind of respond to that as well, where I need to take a little bit of a break, kind of check out to what capacity I can and come back strong on the instruction side.
So I think that just the psychological impact and just weight of being in a remote environment has really been challenging for students at all levels right now. And our college isn’t really kind of immune. We’re seeing things start to recover a little bit, but that was actually right before this next variant. I was looking at this quarter kind of coming in and I’m like, “Hey, this is going to be a great quarter. I’m teaching in person now. This is going to be a really strong quarter for us.”
And then all of a sudden, now we’re seeing headlines of students walking out of schools because they don’t feel safe. So it’s another layer of unknown, which really kind of cripples any momentum that we’re trying to get in this program. I feel like I’m constantly getting things up and humming.
And when I get a good flow going, then all of a sudden something shakes everything up and I got to drop those initiatives and start all over in a few weeks, which is… I love momentum when we’re kind of working on a project and it’s been like this sputtering process kind of moving along, which makes making changes and improvements to any program a challenge.
Should the government be doing more with this? If so, what?
So I think the government definitely can help. What we kind of need right now is like, especially if we’re growing a program, Bryson, we have to run it with low numbers. Because we may not have that student interest or may not be enough students to actually break even with the cost of running that class.
And I know that there have been grants given to programs like this, where they understand that we need to build this capacity and it may take two, three years to actually kind of get something like this up to a maturity where it’s on its own. And you have students graduating it, they’re getting well-paying jobs in industries kind of like hungry for this program.
So if we could get some sort of funded cohort model through our program and similar programs, I think that would definitely help, especially if we could possibly tie that in with a supported internship or apprenticeship model on the employer side. So I know a lot of the small businesses in the area are also struggling to meet ends financially.
And if there could be an internship that was funded to kind of help them and assist them, bring in these new roles within their workforce, I think that would definitely help with kind of starting to shift the culture of all these small businesses, as well as starting to create a community here of like-minded individuals who are currently active in improving these systems county and statewide.
So what kind of future plans do you have for the program?
So we are in the middle of redoing our degree as a whole. So we’re looking at actually having more transfer options for our students. Our program historically has done very well for worker retraining students, but we kind of struggled with high school students in the past. And having the high school level capture the flag is one of the tools we’re looking at to kind of assist us with recruitment and generating interest in that space.
But then once students leave our program, we want to make sure that they have multiple transfer opportunities to kind of flush out their career. We’re also working to kind of get our students into the community as much as possible, getting involved in more security conferences, getting out there, seeing people building that network both online and in person so that relationships can be made while they’re in college.
And as they kind of progress through their career, they might be picked up by companies later on once they have on-the-job experience and a little bit of security chops. We’re also trying to explore another round of funding for our program. So we’re extremely happy with what we have been given so far, but we’re looking at actually expanding on that ICS infrastructure to include like really the whole business side of the Purdue model, and including cloud.
So we can actually create like our own little small mock company with all the virtual infrastructure in there to provide all sorts of different learning activities for students that are not just ICS flavored or that touch ICS technology, but are definitely incorporated part of it. So we’re looking at kind of moving that direction and also including some monitoring and detection capabilities with possibly an OT SOC concept as well.
So we’re really kind of looking at what we’ve done well so far given the circumstances and what technology can we add to this lab to even take it to the next level for our students and possibly even people working in the field that want to learn more about these different skills.
If you could wave a magic air gap wand, changing everything around industrial control systems and critical infrastructure, so bigger than the education program, what is one thing you would change?
If I had that magic wand, I think really using it to increase employer demand of students with these skill sets. Because I think if you had stronger employer demand, then we could expand on this program. We can get more technical. We can kind of look at more hybrid positions between that IT-OT crossover. We can look at management. There’s a lot more we could do from the academic side if our students were getting picked up and moving into living wage jobs more aggressively. I think that that’s what I really need to be successful in expanding this program in any sort of training.
All right. You’ve waved your magic wand. Now, look into the crystal ball, five year prediction, one good thing and one bad thing that you think is going to happen in society with critical infrastructure.
Ooh, this is a good one. So one good thing is I feel that by having our program up and running and being successful, that it could be replicated across the fifty states. Because other community colleges would see this need and those employers that kind of like work with those respective colleges are also hiring students.
So I see the security of these systems, everything from small manufacturers to water, electrical, starting to actually make significant improvements from the bottom up. And that has long-lasting impact to these organizations because those students entering it are moving up and becoming decision makers themselves.
So at five years, I see students really kind of building on these skills within their different employment sectors and moving up in different leadership roles or moving across different organizations as they kind of grow and expand on these different skill sets.
The negative to that, I think it might be difficult to scale. There’s a shortage of people with a good understanding of ICS security and experience here in the United States. And I think that in order to scale up instructors, that we also need a similar model to, how do we train the trainers as well? And how do we do that in academia?
Do we have a hub-and-spoke model for community colleges across the United States? Do we do that through our centers of academic excellence? How do we actually scale this up and make sure that students are getting access to real-world experience and not an instructor that was handed some material and some trainers and told that they need to teach this.
They may not be passionate about it and just doing compliance teaching versus actually really passionate and into the material. So I think the five-year challenge would be, how do you scale success and ensure that all the experience gained from the ICS security community is also being passed on to all these colleges that now have to instruct it.
Every single time I’ve had the opportunity to talk at ICS village or within a paper or whatever is anything where I’m public facing, I get a great deal of support through LinkedIn and Twitter from other professionals who want to help, who want to support, like, coming to me, “How can I help you? This is awesome. You’re doing great things. How do we ensure that it is successful and we solve this together?”
And that has been extremely helpful for my overall morale, knowing that I’m not kind of alone in this space. And then our students see it and that inspires them to work harder and to pursue this space, knowing that there are professionals out there who see the value of what it is that they’re doing.
And I think that the instructors I have been working at different community colleges and universities are very supportive of collaborating versus kind of community colleges and universities sometimes can be a little bit kind of protective over programs that they’re developing. But it’s been the exact opposite within the space.
We’re all working behind the scenes on how we can support each other, how we can feed into each other. How can we complement each other? How can we share information? How can we make what we have in our own little world part of the bigger fabric of a workforce development to ensure that we’re adequately preparing the workforce to solve these complex problems.
- “Spotify”: https://open.spotify.com/show/1gpbeima7ivtaPQN6UHy3c
- “Apple”: https://podcasts.apple.com/us/podcast/hack-the-plant/id1528852909
- “RSS feed”: https://feeds.simplecast.com/iTYwWFdE