SMRP on the Hill: Participation in Continuing and Technical Education Cybersecurity Congressional Briefing

SMRP Government Relations was invited to participate in the July 25, 2019, ‘Building a Culture of Security: Integrating Cyber into Career and Technical Education (CTE)’ briefing at the Cannon Building in Washington, DC.  The briefing was hosted by the Congressional Career and Technical Education Caucus, co-chaired by Rep. Jim Langevin (D-RI) and Rep. Glenn ‘GT’ Thompson (R-PA), and the Congressional Cybersecurity Caucus, co-chaired by Rep. Langevin and Rep. Michael McCaul (R-TX), with the goal of demonstrating the concerns and needs for integrating cybersecurity training and awareness in CTE.  Given the impact of Internet of Things (IoT) and legacy connected systems on the security of critical infrastructure as well as industrial and commercial organizations, and the fact that SMRP produced the first article in the industry related to concerns surrounding cybersecurity and IoT, which was published in 2016 in Solutions magazine, I was asked to participate by Rep. Thompson’s and Rep. Langevin’s offices to represent the skilled trades and technical education.

SMRP’s participation in CTE (vocational education) extends back to our first government relations meetings in DC, in which SMRP identified to Senate and Congressional education committees that skilled trades needs were critical and that manufacturing was strong in the USA.  At the time, there had been a lot of communication with the Hill that the country had very little manufacturing and was primarily a service economy.  Under the SMRP-GR, led by Rick Baldridge (Cargill), and the SMRP-GR skilled trades sub-committee, led by Larry Hoing (Bluebunny), SMRP strongly supported the passage of HR2353, ‘Strengthening Career and Technical Education for the 21st Century Act,’ which re-authorized the ‘Carl D Perkins Career and Technical Education Act of 2006’ through 2024.  Following 2018 visits to the White House and collaboration with organizations such as AdvancedCTE, the Act passed and was signed into law on July 31st, 2018.  By summer 2019, over $1.3 billion in Federal grants to the states, based upon each state’s needs, were processed for the first year.

Cyber-attacks have progressed and have had impacts on connected safety systems, with the most significant publicly reported attack, called Triton, occurring against a safety shutdown system for a petro-chemical plant in the Middle East.  The goal of the attack was to cause physical harm to personnel and population, and access was gained through systems that we rely on in the reliability and maintenance community.  This, and additional attacks of this type, now place cybersecurity issues firmly in the safety and maintenance realms.  This resulted in HR 1592, ‘Cybersecurity Skills Integration Act,’ which is being proposed to direct the Secretary of Education to establish a pilot program to award competitive grants for the integration of cybersecurity education.

In order to emphasise the importance of this and similar legislation, the briefing was assembled and included:

  • Dr. Davina Pruitt-Mentle, Lead for Academic Engagement, National Initiative for Cybersecurity Education, NIST
  • Dr. Howard Penrose, CMRP, Society for Maintenance and Reliability Professionals, and President, MotorDoc LLC
  • Kurt John, Chief Cybersecurity Officer, Siemens, USA
  • Kevin DJ Nolten, Director of Academic Outreach, Cyber Innovation Center
  • Sean Lyngaas, Senior Reporter, Cyberscoop.com, Moderator

The emphasis for all but SMRP was on filling the gap for cybersecurity professionals and STEM.  Our emphasis was on ensuring cybersecurity awareness training within CTE education.  Dr. Pruitt-Mentle discussed NIST’s National Initiative for Cybersecurity Education (NICE), which promotes a robust network and ecosystem of cybersecurity education, training and workforce development, including the ‘NICE Cybersecurity Workforce Framework,’ which to date has emphasised STEM education.  John and Nolten focused on cybersecurity in STEM education in relation to engineering and the need for more cybersecurity professionals.  I emphasised the boots-on-the-ground experiences in relation to cybersecurity and IoT and presented a number of experiences, including legacy systems.

One example I used that had an impact on the attendees was experiences surrounding legacy connected elevator systems, and I extended that to the potential on existing systems.  Another example used was the security of the few companies that had trained trades, in particular electricians, in cybersecurity and identifying insecure systems.  Most organizations’ trades have limited training or information on the importance of cybersecurity, their potential impact and the identification of insecure systems, which increases the risk of exploitable systems existing or being installed and configured.  I also noted that most information that is now being published related to cybersecurity and IoT devices is being provided by suppliers of the IoT devices and not third-party organizations, and some of this information improperly suggests that cloud systems are secure by nature.  A skilled trades workforce educated in cybersecurity awareness is used to combat potential weaknesses in systems as well as to identify potential ‘insider’ attacks on the systems.

1980s Elevator System – non-updateable but connected

The impact would be highlighted several days after this event, when an AWS Cloud server improperly configured by Capital One was exploited by a former AWS employee.  Over 100 million credit applications and related sensitive information were obtained before the hacker was identified to authorities by someone on social media who noted bragging posts.  Unfortunately, hacks of this type are normally not identified as quickly as in this case.

Overall, the group agreed that proper IoT connected device strategies and tactics must be coordinated and developed by organizations, versus connecting for the sake of connecting devices.  For skilled trades and related professions, we pressed that the workforce does not need to become IT security professionals, but that awareness of cybersecurity and its importance would reduce the risk of exploited maintenance and process control systems.

It was also noted that professional societies, such as SMRP, become very important in disseminating information such as NICE and other developed documentation, and strategic and tactical information developed by the Department of Commerce and Department of Homeland Security (DHS).  To date, SMRP’s efforts include the NIST Cybersecurity Framework 1.1 and the DHS Stop Think Connect program (https://www.smrp.org/Government-Relations/Issues/Cybersecurity-and-Critical-Infrastructure) as well as having Alan Friedman, Director of Cybersecurity Initiatives, US Dept of Commerce, speak at the 2017 SMRP Conference on the importance of cybersecurity with IoT initiatives.

The briefing, originally planned from 2pm to 3pm, started on time and finished at about 3:30pm.  Rep. Langevin and Rep. Thompson stopped in during the hearing in order to emphasise the importance of the CTE and Cybersecurity bipartisan bills and Acts that have passed or are in process, including HR2353, which passed both the House and Senate unanimously.

My final message was for the attendees to remember CTE, cybersecurity and skilled trades every time they step on an elevator.

For more information on SMRP government relations, go to https://www.smrp.org/Government-Relations

Howard W Penrose, Ph.D., CMRP, is the President of MotorDoc® LLC, past chair SMRP and SMRP-GR smart grid, cybersecurity and critical infrastructure sub-committee chair.  He can be contacted at hpenrose@motordocllc.com.
