Boise State University is developing a cyber- and physical security certificate that isn’t predicated on people being computer scientists or engineers.
While the details aren’t finalized, the CPS2ALL certificate, intended for full-time and part-time degree-seeking students, can be earned online, on campus or both. It will consist of a series of 2-week, 4-week or 8-week courses and training modules that will let students earn badges in topics such as networking basics, threat modeling and understanding firewalls.
Boise State representatives discussed the program during a cybersecurity event on Nov. 30, where representatives from organizations such as Cisco and the Federal Bureau of Investigation spoke.
Several audience members commented that many cybersecurity professionals and programs are missing “soft skills,” ranging from communication and business awareness to understanding the various compliance requirements of industries such as financial services and health care. Presenters acknowledged that the interdisciplinary part of cybersecurity instruction needs to be built up. For example, the social sciences are a valuable source of information on human factors such as the user interface and how humans respond to falsified information, said presenter Wayne Austad, technical director for the Cyber Core Integration Center at Idaho National Laboratory.
Similarly, “phishing” emails – in which a hacker sends a message that purports to come from a trusted sender but then asks for passwords or installs malware – are still the biggest single cybersecurity vulnerability, said Clark Harshbarger, special agent for the Federal Bureau of Investigation in Boise.
“Most often, it’s an intervention of humans, not a technical innovation” that results in a successful attack, he said. “Relationships are as important, or more important, than the technical solutions.”
Boise State already offers cybersecurity training programs, but they are all heavily technical. For example, the university has just started offering a cybersecurity certificate intended for computer science students. It includes classes such as power systems analysis, digital hardware design and algebraic cryptology. So far, the program has 30 students, all taking its introductory class, said Sin Ming Loo, a professor in the department of electrical and computer engineering, who is spearheading the project.
In addition, the university is revising its cybersecurity minor, last offered in 2014, which is also technical.
An advantage of a certificate program, as opposed to a major or a minor, is that it’s much quicker to get a certificate program approved, Loo said.
As the world becomes more automated, increasing attention is being paid to the security of this automation, which includes the physical security of the devices themselves as well as cybersecurity. Especially in older devices, as well as in manufacturing and industrial devices, control protocols may not have the level of security monitoring that computer and networking protocols have, Austad said.
Consequently, because sensors are becoming more prevalent, they are more often being used as a vector for attack. “If I can access your hardware, I own it,” Harshbarger said. “Did you hear that a high-roller database in a casino got broken into through a thermostat in a fish tank?” he said. “Isn’t that cool?”
The physical aspect consists of sensors that monitor physical components and actuators that manipulate them; the cyber-physical aspect links the cyber and physical worlds and uses embedded intelligence; and the cybersecurity aspect operates purely through wired or wireless communication and doesn’t directly interact with physical devices, Loo said.
As part of the work to develop the less-technical certificate program, Boise State is also developing a hacking lab that will give students hands-on experience, particularly with physical devices such as Internet of Things devices and industrial machinery. It could include virtual machines that can be reset after hacking sessions, wireless access points, actuators and sensors, programmable logic controllers, portable and smart devices and appliances, and industry control devices such as robots. In addition, the lab will include a virtual private network that will be available as a hacking target 24 hours a day, seven days a week.