Knowledge Gaps in Curricular Guidance for ICS Security

Abstract

Industrial Control Systems are an essential mechanism to manage complex computer systems necessary for modern life. These include everything from water treatment and transportation to energy systems and manufacturing. These systems are becoming increasingly integrated and more complex, and they are being used to manage even more of the elements that make our everyday lives possible. They are therefore becoming both more attractive to cyber criminals and more vulnerable to cyber-attacks. More attention needs to be paid to increasing resources and capability in industrial cybersecurity (ICSS). A major element of this is to significantly improve both the quality and availability of education in this area. The process of development of these educational initiatives is aided by curriculum guidance documents. Of necessity ICSS has largely evolved in industrial settings. This exploratory study examines the curricular guidance available for ICSS research and compares it to industry requirements to identify gaps in curricular guidance. Specifically, this paper looks at the three leading guiding documents, the NICE Cybersecurity Workforce Framework, the Joint Task Force on Cybersecurity Education curriculum guidance, and the NSA CAE knowledge units. These are then compared to requirements identified from ICSS related job postings. We found that the primary cybersecurity curriculum guidance documents do not sufficiently address industry requirements for ICSS.