Living Our Mission: Learning is Built into Project Ares, Thanks to Victoria Bowen, Instructional Designer at Circadence

Reading Time: 3 minutes

Victoria Bowen has worked in the instructional design field for about 35 years – primarily developing e-learning with a smattering of web development, SharePoint development, and Learning Management System administration. She holds an undergrad degree is in psychology, a master’s in special education, and doctorate in curriculum, instruction, and supervision with emphasis on instructional design.  What that means is that she knows how people learn and what aids and interferes with learning in training products. Victoria worked an IT security services company and then transitioned to a training role with the Air Force’s Cyberspace Vulnerability Assessment/Hunter (CVAH) weapon system. “I was responsible for the training database and the app store for several versions of CVAH.  I also developed user guides and training materials,” she said. Victoria served in that role for about nine months before joining the Circadence team.

Since September 2013, Victoria’s main job as an instructional designer has been to analyze training needs for Circadence products. She helps assess target audiences for Circadence products to determine learning goals and objectives for the product designers. She establishes the behaviors that a user would be assessed against, after engaging with the product, to ensure learning has occurred. Victoria also suggests ways to evaluate those behaviors to optimize product utility. In doing so, she prepares training outlines and documentation and writes content development processes and learning paths. Mapping Job Qualification Requirements (JQRs) tasks to training tasks is a regular function of Victoria’s job alongside mapping National Institute of Standards and Technology (NIST) standards to training tasks. She ensures the core skills addressed in our curriculum creation tool Orion™ align to defined NIST standards.

Applying instructional design theory to new technology

What keeps Victoria returning to her desk every day is the challenge of learning and applying instructional design theory to cutting edge training technology. Although the old rules still apply, Circadence is leading the way in developing new rules and research on how learning happens and best practices for simulations like Project Ares®. We know a lot about constructivism as an underlying theory, but to apply it gaming environments like Project Ares is new and fascinating,” she says.

The challenge of applying theory to technology is complicated by the fact that new books about instructional design and cognitive analysis and processing are published frequently. And there are new online articles every month. Also, there is a growing emphasis on instructional analysis before beginning training development projects, so there is a growing emphasis on analytical skills for instructional designers. These skills help us design the right training, just enough training, and just in time training for learners.

“Ensuring we are constructing an environment in which the player is constantly learning, not just performing a task or activity is essential.  We need the player to understand the what, when, how, and why related to the tasks they perform in the environment.  For deeper learner and better retrieval from long term memory, we also need the player to understand how their tasks relate to each other.” Victoria says. “Furthermore,” she adds, “we want the player’s understanding and performance to progress from novice to intermediate to expert. That doesn’t happen just by repetition. There must be instruction too.”

Instructional design within Project Ares

For the Project Ares Battle Rooms and Missions, Victoria collaborates with cyber security subject matter experts to write the learning objectives and assessment criteria, provide role-based learning content outlines, identify gaps and redundancies in content, and review product design to ensure high quality instructional design aspects. For inCyt™, she’s written the scripts for several of the cyber security lessons. Finally, Victoria also reviews and identifies instructional design issues such as scrolling text and text display not controlled by the user, “both of which interfere with cognitive processing by the user and adversely affect transfer from short term to long term memory,” she adds.

“I have a different challenge every day and I like challenges. I’m also fascinated by cyber security and enjoy learning more about it every day. Instructional research has consistently supported that interactivity is the most important component of instruction regardless of delivery method. We have a very interactive environment and that’s great for retention and transfer of learning to real world application.”

Victoria’s passion for intelligent learning systems dates back to her time in school. “When I was a poor graduate student at the University of Georgia, I paid around $25 a month in overdue fees to the library so I could keep the AI books I checked out longer. (Once they were turned in, professors usually got them and could keep them up to a year.) There were only about 25 books on that topic at the time. Today, it is remarkable to see what our AI team can do with Athena.”

Why persistent cyber training matters

The cyber world is changing very fast. People need to learn constantly to keep up with their job requirements. Cyber challenges are not about cookie cutter solutions. It’s important that the cyber operator learns cyber problem solving, not just cyber solutions. By jumping into a training program and being able to craft different approaches to solving problems and test those approaches, the cyber professional can learn skills that directly help them do better on the job. Plus – a big plus – the training is fun!

Cyber Attacks and Risk Mitigation in Critical Infrastructure

Reading Time: 4 minutes

Critical infrastructure is a term used by the government to describe assets that are essential for the functioning of a society and economy (think oil and gas, water, electricity, telecommunication, etc.). According to the Department of Homeland Security, there are 16 sectors of critical infrastructure. In the past few years, we’ve seen attacks on departments of transportation, cities, and other network infrastructure that are prompting many cyber security leaders to pay closer attention to their readiness strategy and risk management. With the threat of cyberattacks against public and private sector infrastructure on the rise, it is important to understand the history of these attacks, as well as what critical infrastructure cyber security professionals can do to protect themselves against them. Today, we are going to focus on three sectors: oil and gas, energy and electricity, and transportation.

Oil & Gas Cyber Security

Much of how we live and work is dependent upon the energy produced from oil and gas production, including cooking, heating/cooling, driving, and use of electronic devices and appliances. There have been several successful attacks on this industry already:

  • One of the most famous noted attacks came in 2010 with Stuxnet, a malicious computer worm used to hijack industrial control systems (ICS) around the globe, including computers used to manage oil refineries, gas pipelines, and power plants. It reportedly destroyed a fifth of Iran’s nuclear centrifuges. The worm was delivered through a worker’s thumb drive.
  • In August 2012, an unauthorized user with privileged access to one of the world’s leading National Oil Companies’ (NOCs’) computers unleashed a computer virus called Shamoon (disk-wiping malware). This virus erased three quarters (30,000) of the company’s corporate personal computer data and resulted in an immediate shutdown of the company’s internal network.
  • National Security Authority Norway said 50 companies in the oil sector were hacked and 250 more were warned to check their systems, in one of the biggest hacks in Norway’s history.
  • Ugly Gorilla, a Chinese attacker who invaded the control systems of utilities in the United States, gained cyber keys necessary to access systems that regulate flow of natural gas. In January 2015, a device used to monitor the gasoline levels at refueling stations was remotely accessed by online attackers, manipulated to cause alerts, and set to shut down the flow of fuel. Several gas-tank-monitoring systems suffered electronic attacks thought to be instigated by hacktivist groups.
  • In December 2018, Sapeim fell victim to a cyberattack that hit servers based in the Middle East, India, Aberdeen and Italy.The attack led to cancellation of important data and infrastructures.

Energy & Electricity Cyber Security

While we may not think of the energy sector as being a large cyber vulnerability, it is not only of intrinsic importance to a functioning society but necessary for all other sectors that make up the nation’s critical infrastructure.

There are not many documented cases of a successful power grid attack but that doesn’t mean they don’t occur! The first known instance taking place on December 23, 2015 in Ukraine. Hackers were able to compromise information systems of three energy distribution companies in the Ukraine and temporarily disrupt electric supply to end customers. A year later, Russian hackers targeted a transmission level substation, blacking out part of Kiev.

Although there may not be many examples of historical energy utility hacks, these kinds of attacks are no longer a theoretical concern. In 2014, Admiral Michael Rogers, director of the National Security Agency, testified before Congress that China and other countries likely had the capability to shut down the U.S. power grid. An adversary with the capability to exploit vulnerabilities within the electric utility silo may be motivated to carry out such an attack under a variety of circumstances, and it seems increasingly likely that the next war will be cyber.

Transportation Cyber Security

Via plane, train, or automobile, the transportation sector supports nearly 10 percent of the U.S. GDP (gross domestic product), which includes monetary value of all goods and services produced within the United States. Over the past couple of years, the industry has grown in operational complexity with logistical chains, production, facility and manufacturing partners and plant management. As a result of this growth, it has become an even more alluring and accessible hacking playground for cybercriminals. There have been a few noteworthy attacks on this silo of infrastructure in the last few years:

  • Maersk: Petyamalware variant infected the IT systems of the world’s largest shipping company with 600 container vessels handling 15% of the world’s seaborne trade in June 2017.
  • LOT: A Polish airline canceled 10 flights due to an attack against the airline’s ground computer systems at Warsaw’s Okecieairport in June 2015.
  • Jeep Cherokee: A coordinated attack in 2015 by Charlie Miller and Chris Valasek demonstrated the ease by which a connected car can be remotely hacked into, in this case, using Uconnect.

 

You can see that attacks on these silos of industry have already begun (and show no signs of stopping) and we need to be prepared for what the future holds. To lessen the attack surface vulnerabilities and protect critical infrastructure against cyber threats, teams need to be prepared to address all possible scenarios that can occur on said attack surface in order to effectively protect and defend IT and OT critical infrastructures.

Reducing Risk in Critical Infrastructure Cyber Security

Project Ares® cyber security learning platform can prepare cyber teams with the right skills in immersive environments that emulate their own IT and OT networks to be most effective. In fact, there are exercises within the cyber range platform that have players detect threats on a water treatment plant and in an oil and gas refinery. It is designed for continuous learning, meaning it is constantly evolving with new missions rapidly added to address the latest threats in any critical infrastructure sector. Further, targeted training can be achieved from the library of battle room scenarios to work on specific skill sets like digital forensics, scripting and Linux.

Training in cyber ranges is a great way to foster collaboration, accountability, and communication skills among your cyber team as well as cross-departmentally. Persistent and hands-on learning will help take your cyber team to the next level. Benefits of this kinds of learning include:

  • Increased engagement – by keeping learners engaged they are able to stay focused on the subject matter at hand
  • Opportunities to close gaps immediately – instant feedback, instruction, and critique make it easy for learners to benefit from interaction with the instructor and peers and immediately implement this feedback to improve
  • Risk mitigation and improved problem solving – hands-on training allows learners to master skills prior to working in real-world environments. People can work through tough scenarios in a safe training environment – developing problem-solving skills without risk.

By placing the power of security in human hands, cyber security teams can proactively improve a company’s ability to detect cyber-related security breaches or anomalous behavior, resulting in earlier detection and less impact of such incidence on energy delivery, thereby lowering overall business risk. Humans are the last line of defense against today’s adversary, so prioritizing gamified training for teams will foster the level of collaboration, transparency, and expertise needed to connect the dots for cyber security across these critical infrastructure sectors.

Photo by Ian Simmonds on Unsplash