Developing Pedagogy to Optimise Forensic Training in Safety-Related Industrial Control Systems (ICS)

Summary


Pedagogy deals with the theory and practice of teaching and with how these influence student learning. Research in computing science has begun to build an evidence base to guide the teaching of key concepts; see, for example, the Royal Society report on computing education, 'After the Reboot'. First steps have also been taken to develop a pedagogy of cyber security, and a recent RISCS workshop stressed the role that the GCHQ Research Institutes must play in shaping best practice in this area. However, most existing guidance focuses on schools and universities. There is little or no empirical work on effective approaches to training professional systems engineers. This project set out to address that omission.

To do so, we created a training environment and a training structure, and delivered training to several organisations in critical national infrastructure sectors (civil nuclear, defence and energy) that operate or work with safety-critical ICS.

Three training testbeds were developed and used at different times across the project: 1) a lab-based training testbed, 2) a portable training testbed, and 3) a remote-access training testbed. The latter two were developed in response to practical constraints on delivering the training. The portable testbed sought to free the training from our lab at the University of Glasgow, which had limited capacity. The remote-access testbed allowed training to continue when we were unable to deliver it in person, and built on the portable testbed to increase capacity further. A key finding from the training was that ICS devices such as PLCs and HMIs cannot reliably handle concurrent requests from several trainees; to provide a better and more efficient training environment we therefore sought to give each trainee access to their own ICS device. Consequently, scaling the training in future will either raise its cost or cap the number of trainees.

A key outcome of the project was the understanding that ICS forensic training should combine theoretical, practical and reflective elements. This recommendation was drawn from the literature on adult education and from the literature on requirements for training individuals in ICS, both of which place heavy emphasis on practical as well as theoretical training. The specific structure we followed was Kolb's Experiential Learning Model.

Additionally, we found that ICS forensics requires a baseline in two kinds of knowledge, ICS and cyber security, before the forensic material itself can be understood. This shaped how we designed the training, because all the organisations we worked with already had an approach in place for upskilling their workforce in ICS cyber security and forensics. These approaches fell into three broad categories: 1) complete retraining of individuals in both ICS and cyber security; 2) upskilling those who currently work with ICS; and 3) upskilling those who currently work in IT cyber security. The training was therefore built modularly, and an effort was made to ensure that each training group contained individuals from similar backgrounds (ICS or cyber security). This let us target the relevant gaps in knowledge, and the training was much better received than when groups were more mixed.

A strong limiting factor in developing advanced ICS forensic training was the lack of ICS-specific forensic tools that we knew organisations were using, or could use once they left the training. Until such tools are available, delivering training with the level of technical detail found in IT forensics courses will be extremely difficult for safety-related ICS. However, because forensics is such a new area for most ICS operators, the training still gave participants a valuable insight into the types of forensic data they can expect to see once tools become more widely available, and into the data they might expect to find but which is not yet accessible. Attendees in more senior roles reported that the training gave them a baseline understanding from which to keep up with advances as they arrive, and a better idea of how to go about bridging the knowledge gap in ICS forensics and cyber security.

Project members

The main focus of Chris' research is the interface between safety and security, for example developing techniques that allow safety to be maintained while forensic evidence is gathered in the aftermath of a cyber-attack:

Civil Nuclear: he has worked with the United Nations (UNICRI) on improving the cyber security of Chemical, Biological, Radiological and Nuclear facilities, including facilities in Africa and Asia, and with the US Pacific Northwest National Laboratory and the UK National Nuclear Laboratory. He helps to lead a forensic and cyber security lab on behalf of the UK civil nuclear licence holders, focusing on SCADA and Industrial Control Systems.

Aviation: Chris is the software specialist on the SESAR scientific board advising the European Commission on the future of Air Traffic Management, comparable to the US NextGen programme. He also works on the cyber security of airport operations with the UK Department for Transport, EUROCONTROL, AdP and Helios.

Space: His research improves the resilience of space missions with NASA, the European Space Agency and the US Air Force.

He has advised a wide range of companies including EDF (UK), DFS (Germany), Frequentis (Austria), LVNL (Netherlands), Skyguide (Switzerland) and Thales (UK).