Software and Systems Engineers in ICS Security: Graduate-Level Curricula and Industry Needs

1. Introduction

The fourth industrial revolution (Industry 4.0) refers to the technological progress across industries, described as “the organisation of production processes based on technology and devices autonomously communicating with each other along the value chain: a model of the 'smart' factory of the future where computer-driven systems monitor physical processes” (Smit, et al., 2016, p. 20). Digital transformation in Industry 4.0 is the interconnection of information technology (IT) and operation technology (OT)¹. Through the Industrial Internet of Things (IIoT), industries have found new ways to develop, manage, and maintain their operations, e.g., by extensive data collection from the OT environment, remote monitoring of processes, and optimising operations through automation (Belden Corporation, 2020; Lee, 2018). Software is a fundamental part of modern engineering systems, or cyber-physical systems (CPS), and software engineering (SwE) and systems engineering (SE) are both fundamental to the development and maintenance of complex systems (Pyster, Adcock, et al., 2015; Sheard, et al., 2019). Despite their significant roles, exploration of the relationship between SwE and SE is poorly defined (Pyster, Adcock, et al., 2015) and only partially explored in Fairley (2019). This issue has been debated since the 1990s (Wray, 1993), and in 2018, the International Council on Systems Engineering (INCOSE) started a working group exclusively to address these challenges, the Systems and Software Interface Working Group (SaSIWG) (Sheard, et al., 2018).

The study reported on aims to answer the following research questions (RQs): RQ1) What are the skills and competencies required for ICS cybersecurity professionals, and how do they align with the graduate curriculum for IT and OT professionals? RQ2) What are the industry’s needs for skills and competencies in ICS cybersecurity, and how do IT-OT teams collaborate in the industry today? RQ3) Identify potential gaps between the industry and academia by comparing findings from RQ1 and RQ2.

RQ1 focuses on the skills and competencies required for ICS cybersecurity (CS) professionals and how they align with graduate curricula for IT and OT professionals. RQ2 seeks to understand the industry's needs for skills and competencies in ICS CS and how IT-OT teams collaborate in the industry today. Lastly, RQ3 aims to identify potential gaps between industry and academia by comparing findings from RQ1 and RQ2.

As part of the data collection process, two main activities were performed: 1) to identify the competencies required by GSwE2009 (Pyster, 2009) and GRCSE (Pyster, Olwell, et al., 2015) a mapping of graduate curricula within software engineering (SwE) and systems engineering (SE) curricula was performed to uncover potential gaps and overlaps in the educational frameworks of these domains. The disciplines of SwE and SE were chosen due to their requirements in maintaining and developing complex systems (Sheard, et al., 2019). The mapping considers four areas of focus: CS, machine learning (ML), soft skills, and systems engineering. According to previous studies (Chowdhury & Gkioulos, 2021; Karampidis, et al., 2019; Kipper, et al., 2021; Von Solms & Futcher, 2018), skills and competencies within these focus areas contribute to the development of key competences for ICS and Industry 4.0 CS. This was followed by activity 2) interviewing IT and OT professionals to identify industry needs and determine how well curricula support industry needs.

Section 2 presents background literature. Section 3 describes the methodology. Section 4 details the curriculum mapping results, while section 5 presents the interview results and analysis. The discussion follows in section 6, while section 7 presents the concluding remarks.