Curriculum Guidance for Industrial Control System Security


Primary Investigator:
Gene Spafford

Project Members
Subia Ansari, Marlo Basil-Camino, Douglas C. Rapp, Isslam Alhasan, Ida Ngambeki, Eugene H. Spafford

Deciding on a set of concepts or content areas to be covered is one of the first tasks of any curriculum development effort. Sources of content can include accepted textbooks or existing standards. There are several standards that cover some of what should be in an ICSS educational program: the NICE Framework, the NSA Centers of Academic Excellence in Cybersecurity (NCAE-C) Knowledge Units, and the Association for Computing Machinery (ACM)/Institute of Electrical and Electronics Engineers Computer Society (IEEE CS)/Association for Information Systems Special Interest Group on Security (AIS SIGSEC)/International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8) Joint Task Force Cybersecurity Curriculum Guidance Document. These were all consulted to determine the content areas to be covered by an ICSS curriculum. However, none of these were written with the full integration of ICS and cybersecurity in mind. We therefore used these as a basis to outline the major concepts in ICSS and then conducted a Delphi study to further refine the content area.

The Delphi technique seeks to obtain consensus on the opinions of experts, termed panel members, through iterative structured questioning. As part of the process, the responses from each round are fed back in summarized form to the participants, who are then given an opportunity to respond again to the emerging data. The Delphi is therefore an iterative multi-stage process designed to combine individual opinions into group consensus. In this case, we consulted 25 experts from academia, industry, and government in three rounds. Most of these individuals were members of a national Community of Practice in ICSS mentioned previously (https://inl.gov/icscop).