NEIT IT/Cybersecurity Associate Level course in the risk management of connected and intelligent consumer and industrial appliances that control our world.
Background Information
The internet of things (IoT) is now a ubiquitous part of our homes, healthcare systems, and work environments. Humanity quickly recognizes the benefits of interactive systems that automate our comfort and productivity. Less apparent are the risks that these sometimes-porous systems expose our security and privacy to.
This course was designed for emerging cybersecurity professionals so that they might understand these risks and explore the “best practices” for ensuring that our digital networks cannot harm the world and that the world cannot harm us.
The reader of this case study should come away with an understanding of why the course was designed the way it was for the audience it was intended.
Cybersecurity Student
The demand for cybersecurity practitioners has been outstripping the supply for several years.
The increase in the spectrum of applications, vulnerabilities, and exploits will push this demand for the foreseeable future. The key qualities of cybersecurity professionals are curiosity, tenacity, attention to detail, and a passion for technology. NEIT’s hands-on experiential learning environment is an ideal match for students with those traits. Likewise, the scrappy nature of smart, connected devices like Raspberry Pi makes for an affordable and scalable model of the wider array of cybersecurity technology.
A student taking this course will be able to rapidly explore the terrain of hacking and defending technical resources without exposing their households or the Institute to risks.
Right-Sizing a Complex Problem
The challenges of safeguarding a simple device from bad actors are deceptively simple. The risks branch out through the world-wide-web to a multitude of priceless data and power structures.
To tackle the terrain of IoT too small is to miss the greater objective of the program. To sweep across the universe of all IoT opportunities and risks would quickly evolve into its degree program. I needed to design a practical infrastructure that could be quickly understood and could scale as a metaphor for the larger picture of the security discipline.
A Happy Accident
IoT devices range from tiny chipsets to large-scale industrial machines. The implication of safety is not limited to data privacy. A compromised device used in a hospital intensive care unit could cause death or injury. A sabotaged code base in a food storage warehouse could cause sickness and disrupt the supply chain. To reduce complexity, I needed to model an industry that intersected issues like HIPAA and other government regulations while at the same time making sense on a scale that college students might relate to.
While I was researching an integrated processor system known as the Raspberry Pi, a leading supplier kept appearing in my searches, a brand name called CanaKit. This Canadian company warehouses a wide variety of devices that would be ideal for a class on IoT.
One day, I mistakenly entered CanaTech into a google search. This revealed an enormous trove of IoT technology used by the ever-growing and ever more legal cannabis industry. The industry, as I discovered is a perfect solution for my objectives. Medical marijuana is subject to health and safety regulations, and customer data is a critical privacy concern. Likewise, legal industrial growers are a target of black marketers on a regular basis. Finally, IoT technology is used to manage “seeds to sale.” Each industry sector gave the students many ways to explore cybersecurity risks.
Depth and Breadth
This course development took place during the spring of 2020 when a one-week break between winter and spring terms turned into a three-week break that expanded into an eight-week break. It was clear that this course’s inaugural run would involve a distance learning experience. This disruption led to an interesting approach to engagement and assessment. The weekly lesson plan was divided into three parts: pre-session, session, and post-session.
Pre-session: The purpose of the pre-session was to reward the students for reviewing the necessary materials before introducing new materials. The pre-session material presented in mobile-friendly Sway was published 48 hours before the session, and the students were allowed to take a quiz on the material twice. The grade of the first and second attempts would be averaged. The students found this very reasonable and motivating. The result for me as an instructor was very gratifying. Students had a sharp sense of the previous week’s material as they stepped into the next lesson.
Session: I applied a similar approach to the session material. I prepared a session quiz with challenge questions that progressed through the presentation. Every few slides they would be asked to answer the next question on the quiz. This method allowed me to reinforce the critical elements needed for the course objectives and the approaching lab work.
Post-session: Pre-session and Session concepts of learning and assessment were born out of the construct I normally use in the lab work I teach. Students are given a worksheet and must provide evidence of progress. What was different about these lab worksheets is that they featured a role-playing narrative. The students were to imagine themselves as cybersecurity technician for the CanaTech company. Each lab scaffolded through the development of a new IoT monitoring system used to track temperature and humidity around the “grow-op.” The students found this very engaging and were able to write python scripts, build defensive systems, and attempt to penetrate the systems right at their workstations.
Final Project: During the first run of the course, I modified the final project away from a dry policy paper toward the design of a role-playing game that would teach policy. This team-based project was very popular with the students and reinforced all the necessary knowledge keys they had learned throughout the previous eight weeks.
In this example, the team used an online card game tool and abstracted cybersecurity meanings to the various suits and cards. Some players played as hackers and some as cybersecurity agents.
Outcomes
The course ran in the fall of 2020 and performed very well. All the students met the outcome requirements with most achieving high marks. The few that did not achieve above-average performance were impacted by several outside factors such as child-care, internet connectivity, and attention challenges.
