Unlocking the Future: Hands-On Learning and AI's Role in Cybersecurity Education with Philip Huff

Episode 13 June 24, 2024 01:00:58
PrOTect It All

Hosted by Aaron Crow

Show Notes

Welcome to Episode 13 of Protect It All! This episode features Philip Huff, a professor at UA Little Rock and a cybersecurity expert. He explores the promise of AI in education, especially for robotics and automation, while cautioning against the erosion of educational rigor.

Philip and host Aaron Crow discuss the importance of hands-on learning and real-world experience in aligning educational standards with industry needs. They delve into the role of industry partnerships, the necessity of embedding cybersecurity education at the community college level, and the growing skills gap in technology due to retiring experts.

The conversation also covers the advantages of competency-based education and flexible training programs in enhancing social mobility. Throughout, they stress the critical role of human involvement in AI and cybersecurity and the need for innovative, resilient systems.

Tune in for an engaging discussion on the future of education and workforce development in the tech and cybersecurity sectors.

 

Key Moments: 

00:10 Early career challenges prepare for real-world demands.

04:35 Degree's purpose is knowledge and skill acquisition.

08:17 Promoting cyber-informed engineering principles in community colleges.

11:32 Small private school in Texas prioritizes practical engineering.

14:48 Trade skills in high demand, apprenticeships offered.

17:33 Community colleges offer efficient curriculum changes for workforce.

23:12 Team's success attributed to aligning schedules with peers.

26:57 Company and employee benefit from long-term commitment.

28:46 Aligning learning outcomes with career competencies is crucial.

31:44 Retooling professionals for new careers and skills.

36:13 Value education based on future job prospects.

37:35 Integration of AI in education needs balancing.

42:52 Transforming education to align with real learning.

46:28 Transforming classroom for positive shared learning experiences.

49:57 Unused industrial equipment turned into educational tools.

52:10 Learn troubleshooting, not just following instructions.

56:07 Excitement and fear about accessible AI advancements.

59:12 Developing cyber engineering education standards at Idaho National Labs.

About the guest:

Philip Huff is an Associate Professor of Cybersecurity at the University of Arkansas in Little Rock and serves as the Director of Cybersecurity Research in the Emerging Analytics Center. Dr. Huff is also chief scientist and co-founder of Bastazo, a company specializing in cybersecurity solutions for industrial technology. He leads the National Cyber Teaching Academy, the Department of Energy's Emerging Threat Information Sharing and Analysis Center, and the Cybersecurity Consortium for Innovation, which all focus on driving workforce development and innovation for cybersecurity in the region. He is also a CISSP.

How to connect with Philip: https://www.linkedin.com/in/philip-huff-65012621/

To be a guest or suggest a guest/episode, please email us at [email protected]

Episode Transcript

[00:00:00] Speaker A: You're listening to Protect It All, where Aaron Crow expands the conversation beyond just OT, delving into the interconnected worlds of IT and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. Awesome. Thanks for joining me, Philip. Why don't you introduce yourself, tell us who you are and what it is that you do.

[00:00:23] Speaker B: Hi, my name is Phil Huff. I'm a professor at UA Little Rock in cybersecurity, also a researcher, and my background is in the electric sector. So I spent 15 years at a generation transmission cooperative. Worked a lot on the NERC CIP standards, and really that transitioned me over into academia. So now I'm working on new programs, new educational programs that help benefit resilience and national security.

[00:00:55] Speaker A: That's awesome. It's funny because similar background, right. I spent a lot of my career working at a power utility, doing a lot of stuff in CIP. I also volunteer with an organization called ICS Village, where they're spending a lot of time doing the same thing from a different perspective of all about education. It's another reason why I do this podcast, because I know that there's a vast amount of knowledge that we need people to be able to come in and start taking the reins, and we need the next generation of cyber enthusiasts to come behind us to take the baton, as many of the older generation is going to start retiring and moving into different roles. And there's a big gap there. So I love to dive into that. It's exciting to hear. Before we started recording, we talked a little bit about cyber informed engineering. And I told you that I'll be going to INL today. So I'm actually on the way to Idaho today. So, yeah, let's dig in and kind of what is it that you guys work on and what are you trying to get the message out and build programs around?

[00:01:54] Speaker B: Yeah, sure.
So I moved over to academia after, you know, working with people that are coming out with a degree, hitting the workforce, transitioning right, right out of school. And really just, there's a lot of work to be done in higher ed to align what we need in the profession with. With the education they're receiving. I mean, it's not all bad, it's not a disaster, but there are a lot of things that students can be learning along the way that they're just not getting. A lot of times in cybersecurity and certainly in operational technology, it's kind of a hodgepodge. You end up chasing the workforce, the higher ed will chase the workforce, and the programs are kind of half baked. You take some of your existing coursework, throw it together and throw it at the student and say, okay, you're done. You have a certificate, go forth and. And do good things. And unfortunately, it doesn't work that way. There's so many things that you find yourself in front of early in your profession that a lot of times other people are like, if you're coming out as a programmer, you may be assigned this task and it may take you a few years to get up to the point where, hey, I'm developing. I'm at the cusp of innovation at my company, but you have this time to grow and make mistakes. And in OT, in cyber security, you're faced with a lot of real world situations that are high risk, high stakes. And the education you're coming out of a school with is not preparing you for what you're being thrust into, the changes you make, the things that you do. You don't have a lot of time to learn and make mistakes because the stakes are so high. So that's what brought me into looking at, okay, how can we truly transform our educational programs to align with what the students need coming into the workforce?

[00:04:08] Speaker A: Well, you even see it in job requirements.
Like when you see a job posting a lot of the, and it's almost a meme on LinkedIn, an entry level job, but it needs ten years of experience and CISSP. And like, those are not entry level jobs, those are mid level jobs. Like, you can't. You can't have experience without getting experience. And I get, obviously with the podcast and all the posts that I do, I get a lot of folks reaching out to me, hey, I'm interested in getting an OT cyber, but I have no experience. Like, where can I get started? And it's really hard because obviously getting that first job is difficult. And obviously a degree is supposed to be that replacing some of that experience. I don't have the experience, but I have the knowledge. Right? That's. That that degree is supposed to get you. Yes. This is the things that this person has, and this is the skill set they're going to have. And then they can build, they can get the experience once they're there. But you can't have both. Like, you can't have these entry level jobs where you're requiring a master's degree, ten years experience for an entry level role like that. Those people don't exist. And the pay is entry level pay. Like, the things just aren't aligning in that way.

[00:05:13] Speaker B: Right, exactly. And both sides really, both the workforce and higher ed need to come closer together. And I get it. On the workforce side, when you're hiring, you get your position approved after spending months and months or years of justifying, this is why we need this position. And so you're not thinking about the global workforce needs, and your part in the global workforce. You're thinking about your position, even if it's entry level. You want the best person in the world. Yeah, everybody's writing their own individual job posting, and they want the best. And it's like, you know, I get it. Like, you're not thinking, oh, we have 3 million, you know, 300 million shortage workforce. You know, you're thinking, not 300 million, but 3 million.
And so you're thinking, I want the best out there. And that's what everybody's doing. They're hiring for one position. They're not hiring for the global workforce. There needs to be some thought given to that. That's a hard conversation. You got to get with HR and align those job postings to what's really needed. And at the same time, higher ed, we need to meet. If you're going to change those job postings, we need to meet you with candidates that we're teaching, the skills and abilities and knowledge that you're looking for, certificates that are meaningful for your workforce. And I think we can get there. Cyber informed engineering is one of those approaches.

[00:06:53] Speaker A: So I've talked about this. Obviously, I'm going to a training this week, but why don't you just take a minute and explain what cyber informed engineering is and why it is so important to really incorporate into everything that we're doing in a cyber and an OT, specifically in critical infrastructure, but really for everything. And why. What's the value in it?

[00:07:13] Speaker B: Yeah. So, in higher ed, we have courses that in engineering, and we have a full slate of courses that have many decades long syllabi that have been written and almost sacrosanct. And then you have. You also have computer science, you have cybersecurity programs. Same thing. Like, these programs are developed, and there's no. There's no real interdisciplinary learning that goes on. Those are in separate departments. And you have your curriculum that are built in different stovepipes and outcomes that segregation that we move right into the workforce. What cyber informed engineering does is take a set of principles that exist outside of cybersecurity. So it's not just about things you need to know with cybersecurity from risk based thinking, adversarial thinking, CIA principles, things like that.
But looking at, if I'm working on an engineering problem in an engineering lifecycle, what are the things that can apply to make the system more resilient? Very system centric. It's not even security centric, but looking at the goal being a resilient system and the process being an improved security. So that's cyber informed engineering. One of the near term goals that we have is we, as in our institute, kind of a region, and more so, the nation working with INL is looking at the community colleges. And so let's say we don't get full coverage into the engineering programs. Very difficult to do. But if you look at all of the degree programs and certificate programs coming out of community colleges that deal with operational technology and industrial automation, there's a huge workforce that can be upskilled into understanding the cyber informed engineering principles and not necessarily the full lifecycle. But if you're working in operations and maintenance on a system, there's a lot that you have responsibility for in cybersecurity. And a lot of times, the cybersecurity, real cybersecurity, where the rubber meets the road, occurs in the operations and maintenance phases, and that occurs in the mind of the technician, not the engineer. And so meeting that need at the community college level, that's almost a better launching point than trying to ramrod this into an engineering program which doesn't have any additional credits anyway.

[00:10:21] Speaker A: Sure.

[00:10:21] Speaker B: So we're trying to make some major shifts and get it to where it is just a part of any type of societal, educational program that you have these principles that, you know, what, how does this impact, impact the systems that I work on? But starting with community college, I think that's something that is certainly doable. An interesting place to start.

[00:10:49] Speaker A: Yeah, absolutely.
I mean, I think back, I went to a small, small engineering school, and it was different than most of them in that even though. So electrical engineering. Right. I didn't. It was an electrical engineering degree. It was an engineering degree with an emphasis in electrical. And the difference was, is in my electrical engineering path, I had to take mechanical classes and welding classes and all of these different engineering classes that had nothing to do. Like, if I went to University of Texas in Austin, I would have only taken electrical classes. Right. And maybe I took an elective because I chose to, but it wasn't part of it. And the reason that the school that I went to is called LeTourneau. It's a small school in Longview, Texas. It's a private school. And the reason they did that is, in the beginning, our engineering professors said, we want. Like, we don't want you to design a system that works electrically on paper, but won't work mechanically in the field when it's actually built. Right. So we need you to understand enough about all of the other disciplines of engineering so that you're not designing something that looks great on paper but doesn't actually work in the real world. And I think that's what a lot of our engineering has done over the years, trying to bolt on cybersecurity into these systems after the fact. Yes, some of our systems are 40 years old, and you having to do that. But as we're designing these new systems, we have to start putting that as part of the discipline that is part of designing the overall system, not because we're worried only because we're worried about nation states attacking us, but because it impacts the overall operation of the system, which is the most important part of it anyways.

[00:12:33] Speaker B: Right, right. No, yeah, I appreciate that. The innovative process for your school. That sounds. Sounds like the way to do it. And unfortunately, there is this bolt on mentality with security.
If you even look at the textbooks, if they talk about security as a constraint in engineering, it's usually the last chapter of the book, or it's special topics that we may get to on the very last week of the course. And so that's where you kind of view security. And this is this. It's the last thing to think about. Right. Like, if you have time, it's the last. And that's. We teach that that way in school, and it is a constraint. You know, you're dealing with all sorts of constraints in engineering, real world constraints, and certainly cybersecurity needs to be part of it. The challenge is you have an intelligent constraint that is adversarially working against you. That's not as simple to address. There are not mathematical models that can overcome this problem, but still, it's a constraint that is. That needs to be considered as part of the engineering development lifecycle.

[00:13:58] Speaker A: Yeah. And even back all the way down to, you know, back in the day, we had all of these apprenticeships, and you had all these opportunities to grow and learn a trade and a craft in an area. And we've really, in the past 20 plus years, I know my previous generation, my parents, it was all about getting a degree, and degrees are great, but that was the way out of the lower class to get into the middle class. Right. As you get a degree. And that's the answer. Unfortunately, I think that too many people now, and I'm not talking about engineering, obviously, this is a general overall education. Thing is, there's a lot of people that just get degrees because they think that's going to get them to the next level. But the degree matters like what you get it in. Matters like getting a degree. Just a piece of paper used to be enough to open those doors. It's not anymore.
On the flip side, people that go out and get a two year degree, or they get a certificate in a trade, an electrician, a plumber, a welder, all these skills, these crafts are highly sought after right now, and it's part of the reason why everything's so expensive, because we don't have enough of them either. Right. So. So, like, for instance, my kids, I'm putting them into a private school that's Socratic based. And focus. It's. It's a. It's a school called Acton, um, and, you know, they. They make them. You know, they have Socratic conversations every day, and they don't have teachers. They have guides. And the kids are more. They're setting their own rules and structure, but they also have apprenticeships. Part of this thing, when you're in high school, half of the year, they're spent pursuing and winning and working in apprenticeships, getting paid to work in jobs. And obviously, it's a 13-, 15-year-old kid. They don't necessarily know what they want to do with their life. But I think part of the problem is, is that not enough people know, and they haven't gotten to try it. Right. You know, cyber sounds really cool, but you may get into it and hate it, but you may be really good at project management or electrical engineering. There's a lot of things, but all these things bolt together in this education system of, how do we make it better for the end product to help us get more reliable systems, get cyber informed engineering, have all of these things. As you said, it's really hard to change the engineering credits that are there today, the engineering 401 class. But how do we have these other things that bolt on, that don't take away from that, but do the other. So community colleges and trade schools and all these other things that we can start training these people to have these disciplines that we're needing in the workforce?

[00:16:34] Speaker B: Right, right.
Well, and I want to touch on apprenticeships, but I want to go back to something you said about the number of degree earners. The value of a degree is diminishing, and we are in higher ed. We're about to hit the cliff where the enrollment cliff is coming. And so it is evident that the number of degree earners are decreasing across the United States. However, some of the hope is that you start to see a lot more innovation and education. Certificate earners are increasing, actually, and from lower income parts of society where the workforce is highly underrepresented. So the social mobility with some of these community college and stackable certificates into degree programs I think is a very, very intriguing and offers a lot of hope for the future. The other nice thing about the community colleges is that they move faster. I mean, if you try to take in your, from yours and my former state, Texas, try to take in University of Texas and push through curriculum changes, same with my program. It takes an unbelievable. We don't have time on this podcast to go through the process both inside the institution and the state level processes to just change that curriculum. But community colleges work at a much, much faster level. That's why you see, like green energy jobs, solar jobs, they hit the program, the degree programs, they're offerings very quickly to meet the workforce needs. So they're a great place to start with. This gap of knowledge that exists in the profession and that is soon to exist even even more with all the people retiring, is that we have. Let's work with our community college partnerships. They're all over the nation, unbelievable network, and start embedding that curriculum there. And what, what first got me thinking about this is, you know, I've worked in the operational environment, and I know you have as well. And what pains me is the fear associated with cybersecurity. 
You have incredibly brilliant technicians who have, I mean, they have spent their life with that environment, their system. They know the system better than anyone else, but then cybersecurity comes along and throws a lot of NERC CIP acronyms at them, a lot of regulatory, a lot of new computing terms, and just kind of confuses the whole. Confuses that whole environment, that whole system, and not really working with the operators and technicians to understand, okay, here's what the consequences are if you do that. And that's where I think the future workforce, my fear, is not the senior level engineers that are retiring. It's the people that are working at the plant that have been there for 30 plus years that are retiring. That knowledge gap is what affects resilience more than anything. And if we can start bringing in, like, bring in people that, that can learn from, learn what the system does and how it impacts society and, and everything, and then work, work in knowledge of cyber security, that's, that's a pretty powerful, that's powerful knowledge. To go into the workforce. What I hated was just fear to move. Like if you're, if you're working in that plant and somebody's throwing all of these things at you, very confusing NERC CIP by itself is very confusing. And you just feel like you can't do anything with that system anymore because you're gonna get your hand slapped. Yeah. And you don't know, like you may know the network paths in, but then there's these other connections. There's, you know, maybe we buy a new solution. It's a multimillion dollar solution. We drop it into your plant and then we leave. So there you go. There's your security. And nevermind the fact that I can't print the reports that are required to be printed on this line printer. I can no longer, you know, work. I have to get to these devices in the six four, y'all shut everything.
You know, I've got to do my job and so I've got to get that, I have to re engineer that somewhere because you're not coming back.

[00:21:35] Speaker A: Right.

[00:21:35] Speaker B: And so, so they are responsible for these decisions on a day to day basis. And if we can inject more knowledge and understanding of the operational. What, what operational changes, how those affect the system security, that's not, that's not a PhD level thing to do. I mean, we're. That that's something that is feasible, that's something that education we can do better at.

[00:22:03] Speaker A: Yeah, absolutely. I mean, I think back at all, all of the things that, you know, my team has done, and one of the reasons I've been so successful in my career is because I've had enough understanding of the operational side working in power plants and, you know, wearing those hard hats and steel toe boots. I understand their concerns. Right. Because when my team left, because, you know, I worked in Dallas, my office is in Dallas, but the power plants were never in Dallas. They're always in the middle of nowhere in Texas, right. They're 4 hours away or 6 hours away, depending on where it is. And it's 03:00 in the morning on a Saturday when it breaks, my team's at home, right. They're sleeping in their bed and they're 4 hours at minimum, away. These guys are the ones responsible. They're also the ones that their bonuses are tied to it. Like all. There's a lot of factors that make them hesitant to accept these changes specifically because they've probably been burned a hundred times from, you know, I actually had a, I was going to have a t shirt made that says, I'm from, I'm from corporate and I'm here to help. And then on the back, on the back it said, see, see on Monday. Right, because that I'm not there. That was, again, one of the reasons I was so successful.

[00:23:08] Speaker B: Yeah, unless Monday's a holiday. Right, then I'll see you on Tuesday.

[00:23:13] Speaker A: But that's one of the reasons my team was so successful, because we worked in outages. Like we worked the same schedule that the teams did. So we were working, you know, three month, 16 hours day outage schedules right next to those people. So we built that camaraderie and that trust because they knew we would be there at the same time as them. We weren't just going to drop something in on Monday or Friday at 04:00 in the afternoon and then go home for beers and then we'll see, like you said, either Monday, unless it's a holiday, and then we'll be back on Tuesday. Like they worked on weekends, they worked on Christmas. You want your electricity to work every day of the week, especially Christmas. And so somebody's got to be there working. Right, right.

[00:23:49] Speaker B: And you know, the people that are working, working in these environments are very proud of what they do. And it's not just that it's not a job to them. They are providing value to societies, you know, very similar, like a healthcare. And so tapping into that sense of duty and pride, I think, is just an incredible credible opportunity.

[00:24:14] Speaker A: And roughly so, these are some of the smartest people I've ever worked with in my life. Like these, these are, this is not a knowledge or an intellect problem. It's, it's a problem of they know how, what it takes to work and they, they know that you met, you probably don't know what it takes to work. Yes. You're really good at the cyber you. I'm pointing at myself, you know, I'm good at the cyber stuff. But do you really understand what it takes to run this plant? Because when you're gone, I have to support it.
And if I don't believe that you understand it, then I'm not going to let you plug your thing onto my network because it can cause problems and I'm going to be the one left holding the bag when you're at home, you know, drinking a margarita and I'm the one sitting here at the plant having to make this thing work and my boss and everybody else is screaming at me.

[00:24:51] Speaker B: Yeah, yeah, exactly. And that's what we want the workforce coming in to have that empowerment, to have that upskilling of knowledge that not only this, you know, if this new device or this new security solutions coming in, that you can ask thoughtful questions, but you can guide them in the process of integrating that technology appropriately and you understand the true risk and can't really be duped by the theatrics.

[00:25:26] Speaker A: Well, my dad worked in power industry for 40 years. It's why I did it. He supported power plants and it paid for my college. It put food on my table and all the things. He joined the company. He was 18. He graduated high school, I think, on Friday, he says, and Monday morning he was working at the company. So he did a co op program. So basically he would do six months working at the company, and then he would go to a semester of college, and then he'd go back and work for six months, and then he'd do a semester of college. So he was full time. So it was almost like an internship. They were paying for his college and they were paying for the degree that he was going to, but he was also getting on the job training at the same time. So it was kind of a best of both worlds because they were training him to be a good employee and business processes and all the things that you don't necessarily learn in the books. Right? And then the school was teaching him the ins and outs, the ones and zeros, and, you know, electrical theory and all that kind of stuff, the book side of things. So he was able to do both things. And also he was extremely poor.
And he was able to go to college without having debt. Again, this was, you know, he grabbed. He was born in 48, so this would have been way back in the sixties, but still he was able to get a degree without being able to afford it. Like, he wasn't the smartest. He didn't have, you know, athletic scholarships or anything else, but he was able to get a job, and both the company and he were able to get out of it what they needed by doing this co op program. Now, it took him longer to get a degree, but he didn't care. Like, it doesn't matter how long it takes you. If I've got a job and the company's working with and it's both benefit, if it takes us four years or eight, as long as I'm employed during this time, I don't care. Like, the company doesn't care. As long as they're growing and they're getting this different product at the end, that's gonna uplift that person, the people resource as well as the company overall, by having a really capable person that we've grown into this, this next level, man, that's just a win win. And I just don't see that out there in the marketplace, both either from corporations or even as colleges pushing this, like, hey, why don't you try apprenticeships and co ops and these other alternative ways that we can do this and start getting these, these people that we're missing and getting skilled labor or people resources.

[00:27:44] Speaker B: Yeah, that's a great example. So, I mean, there's two areas. I think if we take your dad's experience and look at, okay, how could we in education learn from that and the profession? That, and this goes back to apprenticeships. Like, you can't replace that experience of being on the job and having real impacts take place. That's not something that we can reproduce in the classroom. So we have to find a way to get closer to that environment. I think apprenticeships is a great model. I think one of the things we're doing with cyber informed engineering is a competency based.
Competency based credit, but competency based education looking at everything, because we build our programs looking at student learning outcomes, but there's no guarantee that those learning outcomes are going to help them at all. And so to better align with what's really going to help them in their career and their profession, in their life, we have to look at those learning outcomes from the perspective of what is the competency that they are going to be able to demonstrate, and it's going to help them in their career. So we really need to transform, not just take the cyber informed engineering and apply those principles to the community college, but look at how can we transform those? And not just here's your learning objectives in the syllabus, but, like, here are the competencies that we're certifying that this individual has then that, I think from your dad's experience, like, that was, that was the intent. Like you, the organization finds value in that certification. We have to do the same thing. I think a lot of the problem is there's not. There's not a perceived value in the certificate, in the education, and that needs to change all that. We invest in education in this country. We have to look at getting that closer to the value proposition for the careers that these people are going into. That's one way. The other is to give them credit for what they know, what they learn on the job. I imagine your dad probably had a lot of education that he already knew.

[00:30:23] Speaker A: Yeah.

[00:30:24] Speaker B: A lot of lectures that he probably could have given. And so really our role in higher ed is to certify from a workforce perspective, is to certify that this person has the knowledge, skills, and abilities that you're expecting. And if they already have those, they don't need to come to drive to campus at 06:00 p.m. and sit through my three hour lecture on Monday evening. If they already know, that's not helping anybody. That doesn't help me.
It doesn't help them. Let them. If we can come to an understanding of what the competencies are and find a way to assess and certify that, then we're doing our job much better in higher ed. Getting closer to the, to the value that the organization understands. [00:31:15] Speaker A: 100% agree. And that triggers me on the next side of this that I see is we have a lot of skill. You know, we talk about AI, we talk about, you know, the next, you know, technical revolution and how it's going to change the workforce and how we're going to have people that are unemployed. They're going to lose their jobs because the things they're doing is, is no longer required. You know, you think back to the horse and buggy. You think back to the assembly line, like all those things, right? But we have a lot of people that are really skilled, and they have a lot of knowledge in different areas. So how do we use this same process? It's one thing for a high school kid coming into college to go through this process, but how do we retool somebody that's maybe 20 years in their career and they're really good at what they're doing, but they want to do something different. To your point, like, they need to be able to get some credit for the things that they know how to do. They don't need to take, you know, all x number of hours like they're a college freshman? Cause they're not. They spent all of this, this time in their career, and they have all these experiences, so let's give them that. So that way they're not overwhelmed with, well, I don't want to go to school for four years to retool. I can't. It's too long for me to show value. I can't. That's too much of an investment, both time wise and financially. And, you know, then I'm going to take a step down in my career because then I'm a newbie, like all of those things. 
But, you know, I get people all the time that are reaching out that are, that are programmers that are technical, really good technical people, and they want to get into cyber, the same thing. They can't get an entry level cyber job because they don't have any cyber experience. So they're looking for certifications and things like that. They can check that box and say, yes, this person has this skill set, you know, let him in the front door. Right. And so there's another, you know, kind of avenue to consider with this. As we're going out and this workforce development, we don't just need to focus on 18 year old kids. We also need to have some mid level folks that are changing careers that we want to also be able to give them the certification to say, hey, these people are also good for more than just an entry level type role. [00:33:09] Speaker B: Yeah. Yeah. There may be one or two courses that they see that. I'd really like to. I'd really like to take those. And then if we come back and say, oh, I'm sorry, we have two years of prerequisites you need to take. Your butt needs to be in a seat for this many hours before you can. That doesn't make sense. Right, right. So, yeah, I mean, we need to move a lot faster, be a lot more nimble to come up with new programs of study that allow people to return and find the upskill in the ways that they want. I think cyber informed engineering is a great way to allow that. That, hey, I've been in the field for this long, and there may be two or three courses that, hey, we'll cover these. And. And you don't have to be graduate level. You don't have to have your bachelor's, and you can just come in and get the knowledge that you need. I think. I think that's the. In most programs, that's kind of the ground that we need to hit. That's our target zone. [00:34:24] Speaker A: That's perfect, because, I mean, ultimately, the end goal for us all should be to train people to be able to do the roles that we need them to do. Right. 
It's not about, like you said, it's not about sitting in the seat for two years to make sure that you sit here, because just sitting in a seat, as, you know, like, it's one thing to be busy, it's another thing to be productive. Right. Yeah. Sitting. Sitting in a seat for two years does not mean that you're actually going to come out the other end with the right knowledge. The same thing on. You can sit in a seat for 30 minutes and be extremely capable and come out and be valuable. So it's all about the value add and adding the skill sets to people to know both give them the confidence that they are ready to do, to take that next step, as well as give the employers something to say to judge what is a degree, it's something to say, hey, if they have this, then I know that they should at least have these capabilities so I can plug them into these types of roles and they should have at least this level of understanding of those type of topics. They should be able to have a conversation, you know, draft a communication and be able to, you know, have a dialogue with somebody. And from like an engineering perspective, they should understand electrical engineering, you know, principles, at least at some level, because they got a degree in it and they pass their math class and calculus and all that type of stuff. They can do those things even if they're using a calculator. I don't care. They understand the concepts. That's the important piece. [00:35:45] Speaker B: Yeah. [00:35:46] Speaker A: So then I can bolt on our, how we do it. This is the theory and this is how we do it. We need to do that same thing from both entry level folks as well as the mid level. And man, that's exciting. I know ICS Village is doing some works, workforce development stuff with the DOE. I know you guys and INL, so I see a lot of really good work being done in this area, which is why I'm very appreciative of you coming on here to talk about it because it's very near and dear to my heart. 
You know, I've got three kids, so I want my kids to have something that, whether it be in engineering or cyber or whatever it is, that they're not just going in. You know, for the first time, I hear so many people, adults, people with kids, you know, that are like, I just don't know if I want my kids to pursue a degree because they see how expensive it is and they see all these kids that have master's level degrees and they're working at Starbucks. And again, I'm not trying to throw any shade on anybody that works at Starbucks, but you don't need a degree to work there. You don't need a degree to be a real estate agent. You don't need a degree to open a business. So it's not to take away value from a degree. It's to say, we need to put value back in and make sure that when you're going after a degree, you're doing something that at the end of it, when you have that piece of paper, it's going to be valuable to you, to open the doors that you want it to open. [00:37:02] Speaker B: Yeah, yeah. It's a confusing time in the workforce, and, I mean, it's hard entering the workforce. I was talking four kids close to you. I was talking with one of them, and they're just watching how, I forget which large language model we were using at the time, but just watching how what they've been learning is just. Is just fully automated. And, you know, it's telling them that very likely your teacher is also using this to assess. And he was, like, sitting there, it's like, so if that's producing the. If that's producing the work product and the AI is assessing the work product, what's my role in all of this? What's my role in education if this is just a dance between the AI? It's sad to see this transform so quickly. Our institutions of higher ed are really meant to help people and to. To provide a space where we can think together and think about some of society's grand challenges. 
And to do that, I think we need to come up with a way to get people into these institutes in a way that values their experience, values their skills. I think, for instance, with cyber informed engineering, having somebody that's a 30 year, 40 year professional that knows this inside and out coming into the classroom, I mean, that is a huge benefit to the students and a huge benefit to that person. It provides them an avenue to teach, like at community college or local. We have a great infrastructure of institutions of higher ed where this learning can take place. And if we open that up, where these veterans can get into the classroom, and we provide a conduit for their vast amounts of knowledge that some really beautiful things can take place in that environment where students come out with something really, really valuable, really important to their career and to their life. [00:39:23] Speaker A: Yeah. And again, going back to my kids, and one of the reasons we chose, we pulled our kids out of public school, and we were in a good public school. It's not that the public school is bad. It's just, I believe the public school system in general lost its way. Right. And, you know, the kids are. They hated school every day. They dreaded it. They didn't want to be there most of the day. They were sitting around not being productive. You know, there was a lot of punishment. There was a lot of, you know, follow this rule. It doesn't make sense. There was no dialogue. Like, there was no questioning. This is the answer. There's no dialogue of why. None of that. Right. And none of the critical thinking things that makes us valuable in the workforce, honestly, in my perspective. So we pulled them out and put them into something else. And part of that is because if nothing else, learning should be fun. They should be excited to go learn. 
Like, when I'm working a problem, and I've been doing this a long time, I've been doing technology since the mid, early to mid nineties, when I'm having the biggest problem and struggling the most. I love that my mind is just. I'm in. I'm in. I get in this zone, and everything else just goes away, and I just start. It's like that's all I'm focused on in this thing. And when I solve that thing, it feels amazing. I love it. Like, it's high fives and, you know, break open a beer. But you have to get to a place where you enjoy the learning. You enjoy the process of struggle and difficulty and all those things. But, you know, I have conversations with my wife, and she had such bad experiences with math, for instance, and at some point in her. Her career or her educational career, like, she got out of whack and they didn't teach her a step. And as we know, if you miss this step in math, none of the others are ever going to make sense because you don't understand this foundational thing. If you don't understand multiplication, you're never going to be able to calculus, right? If you don't understand algebra, you're never going to be able to do calculus. Like, it doesn't matter if you can grasp the concept. You missed a piece. And it's a. It's a dependent. It's dependent upon that being able to be there, making learning fun from kids all the way up through high school, college, you know, even as we get older, like, just because I graduated does not mean that there's a reason I have all these books on my shelf back here. I'm. I still read. I read more now than I ever did as a kid ever did in college, right? I'm continual learning. I'm going to a class this week for cyber informed engineering. I've been a CTO. I've done all these things. Learning is never over. Like, I have to continue to be better and learn new because I enjoy it, but we have to make it that much fun for kids and adults and people in education. 
It shouldn't just be, God, I got to go take this class and be like, I get to go hang out with Philip, and here's his lecture tonight because I'm excited. It's always amazing. And I learn cool stuff every time I'm there, right? [00:42:09] Speaker B: Maybe not me, but yes, somebody else said that has come into our institution. You're absolutely right. Like a lot of education, we've had a sequential path to success and a well defined path to success. I think it's very scary now, as a student, even in education, the things that we thought were bedrock that are being automated, we spend so much of our education on grammar. We spend so some. There's probably two or three years of multiplication facts in our math, right? And they don't align with that love of learning, with the real experience of learning, the trauma of learning something that's exciting that you have to that rigor and the. And just the passion. So there's a lot that I think needs to transform in education. We're often very slow, but the world, the workforce is changing at such a pace that the questions of value and the questions all over that people are asking, why am I doing this? We're really not able to answer those very well sometimes. And so I think we. I love your passion for learning, and that's what. And for your kids, like, that is where we need to help them see, find meaning and find value in what they're doing and find excitement and pushing the boundaries and being able to excel in something well. [00:44:03] Speaker A: And it's funny because, like, building teams along the way, you know, I took people from IT that had never been to an OT side or been to a plant, and I took operators that had never done any technology stuff whatsoever. And I built teams with these people. And the cool thing was, is the technology people could teach the operational people all these things on the technology side that they were missing in their, you know, knowledge space. 
And the operational people could teach them decades of plant experience and understanding of why things are done this way. And it was amazing how well those teams worked. And it was because each of them, they were on the same team working towards the same goal. And this person had different skills and experiences than this person, but they worked together, and together one plus one didn't equal two. It equaled like twelve. Like, I could send those two people together to a room. The operational person got immediate acceptance at all the other plants because he'd been there for, you know, 20 years, and he'd been working in power plants for that entire time. And he brought this technology person with him that completely credentialized on the. On the technology side. And again, it was an unstoppable force, and it was around. They knew what they knew, and they knew what they didn't know. And if it was a technology thing, he'd be like, yeah, that's why I brought him. And I talked the operational stuff and he talks the technical stuff, right? And together they were. It was an unstoppable combo. And how do we bring that into the workforce today, right? And making sure that we're including the right people and admitting when we don't know the answer, that doesn't mean you're less than, you're going to make mistakes. You're going to not know the answer to something, just like anything. Like, know where to look it up, know who to talk to. Like, that's it. That's the most important piece. It doesn't matter. You know, in calculus, I remember my freshman year college, I took an engineering calculus class, like university physics, and had calculus, all this different stuff. And professor was like, I had a TI-92 calculator. It's one of those big ones, you know, had the QWERTY keyboard on it and everything. And he's like, you can use your calculator on absolutely every test, and I'll even give you the calculate, you know, all the formulas, the calculus formulas. 
But you still have to show your work. So it doesn't matter that you can get the right answer, because if you can't show your work, it doesn't matter. So I knew I could put in the question, I could pop it into my calculator and know what the answer was, but I still had to spend three pages to show the work to get from the question to the answer. Otherwise I got a zero. Right? [00:46:28] Speaker B: Right. Yeah. We have. We really need to transform the way we bring realism into the classroom, because what you're talking about. Exactly, that's the learning environment we desire, where people value these shared experiences or this area that they're not aware of, and they're learning from each other and learning how to listen. And fortunately, a lot of our programs, a lot of what you see in business takes place very early on, maybe even in K-12, where students are learning in an isolated environment and they're being rewarded and punished in isolation. And so, of course, when they get into the workforce, you create your silos of excellence, if you will. I'm not going to work with those stupid IT people. I'm not going to work with those stupid engineering people. And you create these divisions and adversarial relationships that are a detriment to everyone. Nobody likes that. One of the challenges we have in higher ed is, or in any education, education from K-12 through higher ed is creating team environments that are meaningful because you've been on teams and you've been through courses, and, okay, we're assigning you a team to work on this toy problem. And what happens is you learn all of the worst parts of humanity because, well, so and so doesn't. They're not doing their work. And then I'm gonna pay this person to do my work for me. I'm gonna beat you up if you don't, if you give me a badass. You know, like all of the. I think students come out, we focus so much on working in teams that they come out of education with these, like, manufactured teams. 
Like, well, that's not the way to do it. And I think bringing us closer to. Through apprenticeships, through one of the things I want to talk about. I know we're kind of toward the end, but, like clinics, like cybersecurity clinics, I think that's a great place that, let's take our learning environments, tie them with real problems in society that are not being solved by the market. There are a lot of people that are suffering from ransomware attacks and understanding risk assessments, understanding what is at risk in the organization. Tie the learning environment through apprenticeships, through programs that create a sense of realism where teams are working on real things and not on our manufactured toy problems, that gets that environment where you're like, oh, yeah, this is invigorating. This is the greater human experience that we're able to share and become, have this multiplicative effect of being better together. [00:49:18] Speaker A: Well, and for me, so I've also, in my career, I've built labs, and I say lab. I built physical environments. So at the power utility, I took actual control systems and the same exact hardware and configuration, and I put them in a lab. And the reason I did that was because we could try things in a safe environment because they'd never let me play in production, for obvious reasons. So I've built. The first one I built was about a million dollar lab, which sounds like a big number, but, you know, in OT, in these control systems, it's really not that big. And the second one was like three. And then, you know, I built these very, very large. So I had balance of plant and Emerson and Foxboro and GE Mark VI turbine control systems and a full blown, you know, transmission substation with all the SEL equipment and all the routers and all the things what that. The thing that they're not even grasping is they have these environments sitting there idle most of the time. 
So if they come very large, power utility in North Carolina, let's just say that. And if that company, if that company were to partner with the local education and say, allow, you know, it to be used for an education purposes and use these labs, they may get work out of it. They may be able to do, you know, bring, you know, people, workforce into their environment and have an understanding of how they do things already. So that co op program type thing. But also they could get them to solve real problems. Right? You're working with real equipment. And not only that, but from a learning perspective, it's really cool and it's fun because you're playing with real stuff. It's not just, you know, reading a, you know, a word problem and having a dialogue in a hypothetical situation in a classroom. I'm actually looking at real equipment. I'm going to a substation. I'm seeing this stuff in the real world. And that makes it different. Right. It also helps for me. I'm very much a hands on learner. I could read something in a book 50 times and not grasp it. I can do it one time and I'll never forget it. I remember IP addresses from servers from 20 years ago. I don't know why my mind works that way, but it's just the way that it is. [00:51:29] Speaker B: Sounds like a curse. [00:51:32] Speaker A: It kind of is, but. But the flip side of that is that when I'm in that space, man, I can learn anything if I'm, if I just figure it out, right? And it's the same thing I do with my kids. Like when they ask me how to do something, I make them go try it themselves first. Right? It goes back to that socratic learning method, right? [00:51:50] Speaker B: Yeah. [00:51:51] Speaker A: It's one thing to just read something and regurgitate it for a test that maybe you don't remember the next day after the test. But it's another thing to remember something because you figured it out. Like it clicks something else in you. 
When you figure out how to change your oil, how to change a tire, you know, how to, how to troubleshoot something, not because you, just because you read instructions on YouTube and you just followed ABCD, but because you had to tinker and figure out because nothing worked. And then, oh, all of a sudden you figured out how it worked. Right? It's a different thing that you're learning and that troubleshooting skill from an employer perspective. I can take a mechanic that can troubleshoot things and I can teach them technologies, and he'll be one of the best tech technolog, you know, operators or technologists that you'll ever have, because that skill set of troubleshooting and figuring things out, dealing with ambiguity, a lot of those skills are not. You can't teach that in a book, as you know. Right. It's not something you can teach. You have to experience it to learn how to troubleshoot, how to, how to figure something out. When you don't, when you ask people, I'm like, I don't know, go figure it out. Right. [00:52:55] Speaker B: Yeah. That's why that, I mean, that that partnership with industry is so important because that's not something that we can manufacture in the classroom. Even our top performers, those students are, they're looking to do meaningful things. Regurgitating content is, nobody wants that. As the university, we don't want to create assessments that are regurgitating facts. And the students don't like that. We do that because we don't have those connections in place. And it's a profound waste of human intellect to manufacture assessments that regurgitate facts. And so if we can tie our assessment to a competency that's valuable to them, then that's where we need to be. Find ways to ICS Village. How do you make an ICS village? You know, the 9000 community colleges across the nation, right? [00:53:56] Speaker A: Absolutely. And that hands on pieces is so impactful. You know, I got into this industry. 
You know, I told you I was doing electrical engineering, and I started doing computers because I just tinkered in it and I was good at it, and I started working in it. And it's really what took me down this path of doing networking and IT, and technology and then onto OT and cybersecurity and. And all the things that I did, it had nothing to do with what I learned in a book. It was all things that I learned. You know, I was sitting in a job and they needed some work done, and nobody was staying around. They said, you do it. And I'm like, I don't know how. And they're like, nobody else does either. Figure it out. Right? And almost every core, every part of my career I can point back to, any major jump from here to there in my career was because of something like that, because I just stepped up and had to do something because nobody else could do it either. Right? And I, and I just took the opportunity. And because of that, I learned something new, and it became a valuable skill set. And we're sitting there with AI, with cybersecurity, with cyber informed engineering, like all of these spaces, it's a great opportunity for people that are interested. Now is a great time because there's this large gap, this void of spots and people that we need to fill them. So cyber's not going anywhere. Engineering is not going anywhere. It's a great space to be and to. And to pivot into whether you're an 18 year old kid, you know, or 20 something or whatever, you know, in the beginning of your career or you're mid level or maybe you're even at the end of the career or towards the end of your career and you still want to pivot. Like, it's still a great. We need all of those levels and people, diversity and differences of thoughts and experiences are just all going to help us all around. [00:55:34] Speaker B: Yeah. AI is not removing the human vice. I think we're injecting our human vice into. Into AI. And because that cyber, cybersecurity is going to be here for the long term. 
[00:55:45] Speaker A: Exactly. Exactly. Well, awesome. Hey, so kind of my wrap up question here is the next. And we've talked about a lot of this, so it may just align with the conversation we've already had. But the next five to ten years, what's something that you're excited about coming up over the horizon and maybe something that's a little concerning that we need to take action or make a pivot if we don't make a change. [00:56:07] Speaker B: I love the things that are accessible to us now through AI. I think the shift in AI is exciting to me to see reading, writing more levelized and accessible to everyone. I see a lot of changes in education that could really improve, just improve that knowledge gap, improve us being able to give access to and to be able to explore some interesting things that we just haven't been able to before. I'm excited about robotics. I'm excited about where we're going with automation and the same. All that scares me as well. I think it scares me from the educational perspective, because if everything is so accessible and there's no rigor, then are we cheating our young people, our students, out of an education without kind of guiding them through? Because we have. I'll be honest, we don't have really great ideas of how to navigate AI right now in education. And so that's fearful to me. If you've ever played an instrument, ever done anything that just. It's painful, and you have to go through that terrible process of education. Do we cheat ourselves out of it so much that we're not. We're not doing, we're not pushing ourselves, we're not driving to the next level? [00:57:51] Speaker A: Yeah, it reminds me of the. Was it Sheldon or whatever. Where, you know, he tried to learn to swim by reading the book. You can read a lot. You can read and learn a lot of things in books, but it's really hard to take, you know, something like swimming or riding a bike and read a book about it and then go actually do it in the real world. 
[00:58:10] Speaker B: Yeah. Yeah. There's. There's a level of rigor that you have to be deep, deep into the problem to see the innovation. [00:58:19] Speaker A: Right. [00:58:20] Speaker B: And if we. If we don't get. If. If we're teaching our students to stay surface level. [00:58:25] Speaker A: Right. [00:58:26] Speaker B: Do the hard work, then are we getting deep enough to really see the innovation? [00:58:31] Speaker A: Yeah. And what are we going to miss because of that? Because we don't have anybody diving in and doing those deep level conversations. So that's awesome, man. I appreciate you guys and the work you all are doing. I think it's super important. The next generations are pivotal, depending upon us figuring this out and finding a way to make it, you know, approachable and valuable for not only the educator, but also the educatee, as well as, you know, the industry. Right. And people hiring and being able to fill these voids that we have and that we will have and continue to have in the marketplace. So, awesome. So how do people find out? How do they learn more? Like, what is the call to action for you? [00:59:12] Speaker B: Yeah. So you're going out to Idaho National Labs. They run a cyber informed engineer, a few groups, but the cyber informed engineering education working group, that's where I'm spending most of my time working on standards of, because we don't have this developed out yet. This is something we need help with. What competencies do we want to see in the next generation? So get engaged with that initiative. Let's push these programs. Let's look at what certificates. How can we hire, how can we associate our learning with how we hire what we want out of our education system? You have to put into your job postings. Yeah, exactly. And let's get those aligned. But, yeah, take a look at that. Idaho National Lab, their cyber informed engineering education working group. They also have an industry working group. 
And let's try to implement some of these changes. [01:00:13] Speaker A: Awesome. Hey, well, thank you so much for your time, everybody. All the. All the links we'll put in in the show notes here. Definitely reach out to me or Philip for any questions that you have on that. Definitely check out INL. Thank you for the time, Philip. I really appreciate your time today and look forward to helping any way I can and help them push the. Push this forward for you guys. [01:00:31] Speaker B: Likewise. Thank you, Aaron. [01:00:32] Speaker A: All right. Thanks for joining us on Protect It All, where we explore the crossroads of IT and OT cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time.
