Creators/Authors contains: "Heverin, T."


  1. This study presents qualitative findings from a larger instrument validation study. Undergraduates and subject matter experts (SMEs) were pivotal in early-stage development of a survey focusing on the four domains of Validation Theory (academic-in-class, academic-out-of-class, interpersonal-in-class, interpersonal-out-of-class). An iterative approach allowed for a more rigorously constructed survey refined through multiple phases. The research team met regularly to determine how feedback from undergraduates and SMEs could improve items and if certain populations were potentially being excluded. To date, the research team has expanded on the original 47 items up to 51 to address feedback provided by SMEs and undergraduate participants. Numerous item wording revisions have been made. Support for content, response process, and consequential validity evidence is strong. 
  2. Existing literature has established that interpersonal and academic validating experiences help provide college students with the necessary personal and scholastic skillsets to thrive in higher education (e.g., Coronella, 2018; Ekal et al., 2011). This intrinsic mixed methods case study explores the extent to which undergraduate students perceived academic and interpersonal validation within a science, technology, engineering, and mathematics (STEM) pipeline program (CMSP) can empower students and influence their attitudes towards their learning environment. 
  3. Mitigating vulnerabilities in industrial control systems (ICSs) represents a highly complex task. ICSs may contain an abundance of device types, all with unique software and hardware components. Upon discovering vulnerabilities on ICS devices, cyber defenders must determine which mitigations to implement, and which mitigations can apply across multiple vulnerabilities. Cyber defenders need techniques to optimize mitigation selection. This exploratory research paper shows how ontologies, also known as linked-data models, can potentially be used to model ICS devices, vulnerabilities, and mitigations, as well as to identify mitigations that can remediate or mitigate multiple vulnerabilities. Ontologies can be used to reduce the complexity of a cyber defender’s role by allowing for insights to be drawn, especially in the ICS domain. Data are modelled from the Common Platform Enumeration (CPE), the National Vulnerability Database (NVD), standardized list of controls from the National Institute of Standards and Technology (NIST), and ICS Cyber Emergency Response Team (CERT) advisories. Semantic queries provide the techniques for mitigation prioritization. A case study is described for a selected programmable logic controller (PLC), its known vulnerabilities from the NVD, and recommended mitigations from ICS CERT. Overall, this research shows how ontologies can be used to link together existing data sources, to run queries over the linked data, and to allow for new insights to be drawn for mitigation selection. 
  4. Ethical hacking consists of scanning for targets, evaluating the targets, gaining access, maintaining access, and clearing tracks. The evaluation of targets represents a complex task due to the number of IP addresses, domain names, open ports, vulnerabilities, and exploits that must be examined. Ethical hackers synthesize data from various hacking tools to determine targets that are of high value and that are highly susceptible to cyber-attacks. These tasks represent situation assessment tasks. Previous research considers situation assessment tasks to be tasks that involve viewing an initial set of information about a problem and subsequently piecing together more information to solve the problem. Our research used semantic-web technologies, including ontologies, natural language processing (NLP), and semantic queries, to automate the situation assessment tasks conducted by ethical hackers when evaluating targets. More specifically, our research focused on automatically identifying education organizations that use industrial control system protocols which in turn have highly exploitable vulnerabilities and known exploits. We used semantic-web technologies to reduce an initial dataset of 126,636 potential targets to 155 distinct targets with these characteristics. Our research adds to previous research on situation assessment by showing how semantic-web technologies can be used to reduce the complexity of situation assessment tasks. 
  5. Industrial control systems (ICS) include systems that control industrial processes in critical infrastructure such as electric grids, nuclear power plants, manufacturing plants, water treatment systems, pharmaceutical plants, and building automation systems. ICS represent complex systems that contain an abundance of unique devices all of which may hold different types of software, including applications, firmware and operating systems. Due to their ability to control physical infrastructure, ICS have more and more become targets of cyber-attacks, increasing the risk of serious damage, negative financial impact, disruption to business operations, disruption to communities, and even the loss of life. Ethical hacking represents one way to test the security of ICS. Ethical hacking consists of using a cyber-attacker's perspective and a variety of cybersecurity tools to actively discover vulnerabilities and entry points for potential cyber-attacks. However, ICS ethical hacking represents a difficult task due to the wide variety of devices found on ICS networks. Most ethical hackers do not hold expertise or knowledge about ICS hardware, device computing elements, protocols, vulnerabilities found on these elements, and exploits used to exploit these vulnerabilities. Effective approaches are needed to reduce the complexity of ICS ethical hacking tasks. In this study, we use ontology modeling, a knowledge representation approach in artificial intelligence (AI), to model data that represent ethical hacking tasks of building automation systems. With ontology modeling, information is stored and represented in the form of semantic graphs that express individuals, their properties, and the relations between multiple individuals. Data are drawn from sources such as the National Vulnerability Database, ExploitDB, Common Weakness Enumeration (CWE), the Common Attack Pattern and Enumeration Classification (CAPEC), and others. We show, through semantic queries, how the ontology model can automatically link together entities such as software names and versions of ICS software, vulnerabilities found on those software instances, vulnerabilities found on the protocols used by the software, exploits found on those vulnerabilities, weaknesses that represent those vulnerabilities, and attacks that can exploit those weaknesses. The ontology modeling of ICS ethical hacking and the semantic queries run over the model can reduce the complexity of ICS hacking tasks. 