Most of you who have been following me for a while know that I have a very strange and unusual job in cybersecurity. I’m one of maybe a hundred or so people on earth who does full time incident response and forensics for industrial devices and networks that are hacked. Things like power plants, trains, aircraft, mining equipment, agricultural equipment, and so forth. In cybersecurity, we refer to these industrial control environments as “operational technology” or “OT” systems.
I love what I do. I’ve written about it before in a few blogs, like So You Want to Learn ICS Security…, What’s My Daily Life Like (in OT DFIR)?, and in a lot of articles and podcasts I share on here as well. I have no ethical concerns about what I do for a living every day. If industrial systems break in unexpected ways, there are real life, safety, and environmental repercussions for innocent people. It’s the most real of the real in the “cyber” space. The work is endlessly fascinating and exposes me to the inner workings of the entire world.
And it is tremendously, hideously, terrifyingly hard to hire people.
In one of the worst markets I have seen in my entire career, we still have trouble finding newcomers who are interested in and capable of learning to secure these systems. There are a few key reasons:
- This is a relatively new field to work in and is rapidly growing. So there aren’t many existing books or bodies of work to pull from, and a lot of senior practitioners themselves are not familiar with the space.
- There are tons of misunderstandings about what OT cybersecurity is and is not, and a lot of IT companies incorrectly pitch the two as interchangeable to make sales. They are very different due to life, safety, process, and the different devices.
- OT networks often rely on old, legacy devices, and don’t involve the “cool, fun” tech like AI, blockchain, and quantum computing that are hot topics in universities and hacker meetups. It’s not sexy. It’s not pitched as cool by schools.
- Cybersecurity curricula typically feed into only two granular cybersecurity roles: security analyst, and penetration testing. A lot of other important roles are not covered in detail, or even introduced to students as an option. As a result, those two entry markets are saturated, while others still have job openings.
- Securing OT requires a lot of unique exposure to “systems of systems” and industrial process environments that are often not familiar to computer science professors and curriculum developers themselves. It is not a matter of building a better lab to hack a PLC or two.
- Working with a variety of non-standard, legacy, and low-level devices requires great foundational knowledge of computer science and network engineering. Many of those fundamentals are not taught in high school. They are also often missing from cybersecurity degree programs and technical training. I can teach a young person with good foundations and critical thinking to use any tools, but I cannot teach a young person who has only learned tools years of foundations and critical thinking.
The result is that we get fewer applicants for these positions, and very, very few of them are people we feel we can train even with a dedicated pipeline and a lot invested in the next generation. It’s not a matter of gatekeeping. We really want to see young people learn and love OT cybersecurity too. It’s critically important to keep society safe. These problems are only getting worse and our case load is constantly increasing.
To counter this problem, I try to do outreach to universities and trade schools, in order to make a difference in what is being taught and bring more attention to the problem of OT security. As a component of this, I’ve decided to maintain a list of the top 10 things I would like covered in cybersecurity curriculum related to OT. Here’s the list:
- Don’t skip the fundamentals. Young people today are getting far less early exposure to the inner workings of computers than millennials and Gen X. Devices they grow up with are more intuitive and “break-and-replace”. Don’t assume students understand a basic file structure or network addressing. Every single cybersecurity program (from Associate’s to Master’s) should require essential computer science coursework which covers operating systems, networking to a packet level, scripting, command line, and hardware. Passing these courses with adequate tested knowledge should be a hard requirement to proceed. The foundations last; tools become obsolete before a degree is even completed.
- Students should understand process loops and “systems of systems” from a high level engineering standpoint. What are the components of a process loop? How do they fail? How can they be interdependent? What is a sensor, and what does it do? What types of industrial control devices (analog and digital) exist? What types of physical, electronic, human, and digital safety controls prevent disasters? How do industrial processes fail outside of a cybersecurity context, and what are some of the worst examples of this?
- Students should be introduced to the Purdue Model. They should understand the function of each level of operation and the typical systems, protocols, and devices at each level.
- If at all possible, students should get a tour of (or job shadowing opportunity in) a real process environment. This opportunity allows students to learn what roles exist in the facility. They can see what day-to-day work looks like. It shows what the priorities of the operators and engineers are. Additionally, it emphasizes the focus on safety and uptime. This is a powerful teaching tool and a rare opportunity for students. At a bare minimum, have process engineer guest speakers.
- A few common and documented industrial protocols should be introduced. Students should be able to understand their function using a packet analysis tool like Wireshark. Focus on parent-child relationships between industrial devices and how function codes work. Also discuss encapsulation of legacy serial protocols. Finally, ensure students are equipped to deal with unfamiliar or modified versions of protocols which do not have Wireshark dissectors pre-made.
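The protocol exercise described above (function codes, the client/server relationship between devices, a serial PDU encapsulated in TCP, and coping with a protocol that has no ready-made dissector) fits in a few dozen lines of code. The following is an added example written for this page, not code from the post or its author. It assumes Modbus/TCP as the protocol the instructor picks (the post names no specific protocol), and the frames it parses are constructed by hand, not captured traffic. It decodes the MBAP header and the function-code PDU for a read, a read response, a write, and an exception response, and tags writes so a monitoring rule could key on them.

```python
"""Minimal Modbus/TCP dissector, written for this article as an added example.

Modbus is assumed here as the instructor's example protocol; it is not named
in the post. Frame bytes below are constructed, not captured traffic.
"""
import struct

# Public function codes from the Modbus application protocol specification.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Server Device Failure"}


def parse_mbap(frame: bytes) -> dict:
    """Split the 7-byte MBAP header from the PDU it encapsulates.

    The PDU is the same function-code-plus-data unit that Modbus RTU carries
    on a serial line; TCP replaces the RTU address and CRC with this header.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(frame) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": unit, "pdu": frame[7:]}


def parse_pdu(pdu: bytes, is_request: bool) -> dict:
    """Decode the function code and the fields of the most common requests/responses."""
    fc = pdu[0]
    if fc & 0x80:  # exception responses echo the function code with the high bit set
        code = pdu[1]
        return {"function_code": fc & 0x7F, "exception": code,
                "exception_name": EXCEPTION_NAMES.get(code, "unknown")}
    info = {"function_code": fc, "name": FUNCTION_NAMES.get(fc, "unknown"),
            "is_write": fc in WRITE_FUNCTIONS}
    if is_request and fc in (1, 2, 3, 4):
        start, qty = struct.unpack(">HH", pdu[1:5])
        info.update(start_address=start, quantity=qty)
    elif is_request and fc in (5, 6):
        addr, value = struct.unpack(">HH", pdu[1:5])
        info.update(address=addr, value=value)
    elif not is_request and fc in (3, 4):
        count = pdu[1]  # byte count, two bytes per 16-bit register
        info["registers"] = list(struct.unpack(f">{count // 2}H", pdu[2:2 + count]))
    return info


def dissect(frame: bytes, is_request: bool) -> dict:
    """Return a flat summary that a monitoring rule could key on (e.g. flag writes)."""
    header = parse_mbap(frame)
    summary = {k: v for k, v in header.items() if k != "pdu"}
    summary.update(parse_pdu(header["pdu"], is_request))
    summary["direction"] = "client->server" if is_request else "server->client"
    return summary


# Constructed sample frames (hex), not captured traffic.
READ_REQ = bytes.fromhex("000100000006" "01" "03" "0000" "0002")      # read 2 holding regs from 0
READ_RESP = bytes.fromhex("000100000007" "01" "03" "04" "000A" "01F4")  # values 10 and 500
WRITE_REQ = bytes.fromhex("000200000006" "01" "06" "0010" "00FF")     # write 255 to register 16
EXC_RESP = bytes.fromhex("000200000003" "01" "86" "02")               # illegal data address

if __name__ == "__main__":
    for frame, req in ((READ_REQ, True), (READ_RESP, False),
                       (WRITE_REQ, True), (EXC_RESP, False)):
        print(dissect(frame, req))
```

The length check in `parse_mbap` is the part students most often skip and the part that matters most when the capture comes from a vendor variant: a frame whose header disagrees with its size is either a non-standard extension or a malformed message, and either way it should be surfaced rather than silently decoded.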
- Stuxnet is a fine case study to talk about the intrigue and complexity of launching a very reliable and specific attack in an air-gapped environment, but it is not at all exemplary of more recent and common industrial cyber incidents. It’s fine to include in your course, but cover cases like the Ukraine 2015 attack, TRISIS, and FrostyGoop in more detail. Most successful attacks today do not involve multiple states committing years into malware research and development. Most environments today are not remotely air-gapped. Ransomware is impactful to control and visibility. Attackers will take the path of least resistance to achieve their goals, and that often requires more system knowledge than fancy hacking.
- Focus less on hacking individual devices like PLCs, and more on how an attacker would purposefully or accidentally impact a real process full of safety controls and redundancies. The only things that really matter are process consequences. PLCs are simple computers and a lot of the ones in production are very old and very vulnerable. They are not the thing protecting the process.
- Students should understand the fundamentals of ladder logic. They should also get some exposure to engineering workstation tools. This knowledge is necessary for understanding how industrial devices are configured (and manipulated).
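The ladder-logic fundamentals mentioned above (normally open and normally closed contacts, series and parallel branches, a coil, a seal-in, and the top-to-bottom scan cycle) can be shown in a small simulator before students ever touch an engineering workstation. The following is an added example written for this page, not code from the post or its author. The motor start/stop circuit, the tag names, and the input sequence are all constructed for illustration; it models the simpler convention in which each input tag holds the physical pushbutton state, which is not how every real program reads an NC-wired stop button.

```python
"""Toy ladder-rung evaluator for a start/stop seal-in circuit (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    tag: str
    normally_closed: bool = False

    def conducts(self, state: dict) -> bool:
        # An NO contact (--| |--) conducts when its tag is TRUE;
        # an NC contact (--|/|--) conducts when its tag is FALSE.
        energized = state.get(self.tag, False)
        return not energized if self.normally_closed else energized


@dataclass(frozen=True)
class Rung:
    branches: tuple  # parallel branches (OR); each branch is series contacts (AND)
    coil: str

    def evaluate(self, state: dict) -> bool:
        return any(all(c.conducts(state) for c in branch) for branch in self.branches)


def scan(rungs, state: dict) -> dict:
    """One PLC scan: rungs run top to bottom, each coil written before the next rung reads it."""
    for rung in rungs:
        state[rung.coil] = rung.evaluate(state)
    return state


# Constructed program. Rung 1 is the classic seal-in: START or the MOTOR's own
# contact closes the path, and either STOP or ESTOP (both NC) breaks it.
# Rung 2 raises an alarm bit whenever ESTOP is active.
_STOP_CHAIN = (Contact("STOP", normally_closed=True), Contact("ESTOP", normally_closed=True))
MOTOR_PROGRAM = (
    Rung(branches=((Contact("START"),) + _STOP_CHAIN,
                   (Contact("MOTOR"),) + _STOP_CHAIN), coil="MOTOR"),
    Rung(branches=((Contact("ESTOP"),),), coil="ESTOP_ALARM"),
)


def run_scans(rungs, input_frames):
    """Apply each frame of input changes, scan once, and record (MOTOR, ESTOP_ALARM)."""
    state = {}
    history = []
    for inputs in input_frames:
        state.update(inputs)
        scan(rungs, state)
        history.append((state["MOTOR"], state["ESTOP_ALARM"]))
    return history


# Constructed operator sequence: press start, release it, hit e-stop, release
# e-stop (the motor must NOT restart by itself), press start again, press stop.
CONSTRUCTED_INPUTS = [
    {"START": True, "STOP": False, "ESTOP": False},
    {"START": False},
    {"ESTOP": True},
    {"ESTOP": False},
    {"START": True},
    {"STOP": True},
]

if __name__ == "__main__":
    for step, (motor, alarm) in enumerate(run_scans(MOTOR_PROGRAM, CONSTRUCTED_INPUTS), 1):
        print(f"scan {step}: MOTOR={motor} ESTOP_ALARM={alarm}")
```

The fourth scan is the teaching moment: the motor stays off after the e-stop is released because the seal-in contact was already de-energized, so no branch conducts until START is pressed again. Changing a single contact from NC to NO, or deleting the ESTOP contact from the first rung, silently removes that behavior, which is exactly why the previous item in the list cares about process consequences rather than the PLC itself.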
- Make sure there is a focus on cybersecurity personnel not causing a worse consequence than a piece of malware or an adversary. Every role and task in cybersecurity must be performed with that in mind in OT. It requires a lot of adaptation and creativity. Systems can only come down during rare and limited windows. Unapproved or poorly vetted system modifications can have life or safety consequences.
- Legacy, legacy, legacy. The Windows 11 based industrial systems being developed today won’t be widespread for several years. They will remain in production long after my peers and I retire. Students should expect to see lots of Windows XP SP0 Embedded that supports no modern AV or EDR, and be ready for and comfortable with dealing with that without an upgrade. That means different forensic tools, different monitoring tactics, and even different asset inventories.
Source: Lesley Carhart
Source Link: https://tisiphone.net/2025/09/10/the-top-10-things-id-like-to-see-in-university-ot-cybersecurity-curriculum-2025-edition/