1. Introduction
The IoT (Internet of Things) paradigm has gained importance in recent years, mainly because of the benefits it provides, as it can improve our quality of life by helping us make difficult decisions more efficiently, or provide intelligence to the devices around us to perform daily tasks with minimal human intervention. IoT turns homes, buildings, hospitals, cities, and industries, among others, into intelligent systems capable of obtaining knowledge of the environment, and applying it for adaptation according to the needs of the inhabitants.
In order to obtain these benefits, IoT interconnects people, objects, and devices (vehicles, appliances, sensors, actuators, work equipment, laptops, smartphones, PDAs, etc.) so that they can communicate smartly with each other, or with people. IoT devices acquire data from the environment, understand what is happening, and respond according to current needs. Therefore, it is necessary to process the data which can be carried out on the devices themselves or more commonly in spaces such as the Cloud, where computing power is higher (necessary if there is a lot of information to process in a short time). As a result of processing this data, devices are able to make autonomous decisions or provide information to people so that they can make better decisions about their daily activities (whether in a work or personal environment).
Interconnected ‘Things’ can collect very sensitive information from people or work environments and, therefore, the privacy of data and the security of all their traffic on the Internet has become a major concern. For this reason, cybersecurity in the IoT environment has become increasingly important in recent times.
IoT has come to stay, and given the importance it currently has, along with the complexity of the environment needed to obtain the aforementioned features, learning how to develop secure IoT systems has become a significant challenge. There is a high demand for professionals with both IoT and cybersecurity skills in today’s world.
In order to prepare university students with these new technologies and their use, education needs to be able to incorporate effective learning techniques.
Teaching these two topics is a challenge today, given the variety of existing techniques that can be applied.
Various techniques and approaches have been used to transfer the necessary IoT and cybersecurity skills to university students. In [
1], a model is proposed for conducting IoT classes based on a web-service oriented cloud platform. The pilot provides students with knowledge about IoT concepts, possibilities, and business models, and allows them to develop basic system prototypes using general-purpose microdevices and a cloud and service infrastructure. This approach reflects the vast current trend of class virtualization and access to content at any time and from anywhere that other areas of study have also taken place. In [
2], an approach is proposed as well as the framework for teaching wireless sensor networks and related technologies with the Arduino platform. This framework explains and reviews the critical communication elements of IoT architecture and communication networks, but it has also been shown that there may be some reluctance to teach IoT through practice. As mentioned in [
3], “the main goal of university-level education is to teach long-lived principles and concepts, and not short-lived systems or tools”. Here, researchers show another perspective on the same problem, but focus on providing students with needed knowledge, concepts, and principles of IoT, without using one particular hardware or software. They think that “since the students learn many different platforms and abstract away from their details, they might not become aware of all concepts and properties of the Internet of Things”. So, they identify a list of the most important concepts and properties and how they could integrate them into the syllabus. They also incorporate some hands-on labs to support essential concepts.
Regarding cybersecurity, different approaches for teaching and learning exist. Authors in [
4] present an insight into current approaches taken in the practical education of cybersecurity, and give requirements and best practices for future training platforms based on the defined teaching process. This teaching process presents real-world problems to students, to demonstrate their technical skills, to solve problems implemented into physical laboratories, simulation laboratories (video game, scenario-based), or virtual laboratories (desktop-based, Cloud-based with a single virtual machine (VM) or multiples VMs). In this case, the relevant contribution of researchers is to establish the requirements of the practical exercises to be profitable.
The participation and motivation of students in their learning process are some of the great challenges to be achieved by instructors. Thus, gaming experiences are gaining ground for the teaching of cybersecurity. Researchers in [
5] present an experiment to measure the validity of an immersive gaming experience derived from Escape the Room (ETR) challenges of similar composition. A week-long experience is prepared with different activities to perform, where participants locked in a physical location must solve different probes to escape, based on cybersecurity concepts. Researchers state that these methods are effective for cybersecurity education. Other researches prove that applying initiatives such as CTF (Capture The Flag) competitions encourages students to achieve the desired learning objectives, as stated in [
6].
Acquiring cybersecurity competencies is not only attractive in higher education. Secondary education institutions are also beginning to incorporate initiatives so that younger students begin to gain knowledge on this topic. Authors in [
7,
8] present good results when using a networked robotics environment to accompany cybersecurity learning, such as RoboScape [
8], using NetsBlox as a visual programming environment to introduce students to distributed computation and computer networking.
There are multiple alternatives to training university students in IoT and cybersecurity. Still, most of them detail specific methodologies to address specific concepts and objectives during a subject or a short period of time. At La Salle (Ramon Llull University) [
9], we conceive IoT cybersecurity learning on all stages of the learning process and through a comprehensive strategy that addresses both specific competencies for IoT and cybersecurity and generic competencies or soft skills. We consider that these soft skills (like making decisions, commitment, interpersonal communication, flexibility, time management, leadership, creativity and problem solving, teamwork, responsibility, and capability to work under pressure) are also essential to obtain the valuable engineer profile that the market demands.
This paper presents an integral pedagogical strategy for teaching and learning IoT cybersecurity for network architectures in a higher education institution. In
Section 2, the pedagogical strategy, based on the acquisition of competencies, is presented. Moreover, the specific and generic competencies (technical and soft skills) are defined, and the learning methodologies and outcomes are exposed, distributing all of them between stages of the learning process. In
Section 3, the methodology of the two subjects employed to acquire IoT cybersecurity knowledge in early stages is explained, and some examples of tasks performed are provided. Additionally, competencies and learning outcomes are redistributed between the two subjects, to clearly expose which ones are related to each subject. In
Section 4, activities performed in medium stages are explained, and competencies and learning outcomes are divided between the two main activities, collaboration in research groups and undergraduate program final thesis elaboration. In
Section 5, the Master as a Service (MaaS) initiative is presented as the advanced stage activity performed to acquire new competencies, mostly soft skills that help to shape valuable engineers. In
Section 6, the results and feedback of students in each stage are discussed. Finally, in
Section 7, conclusions of the work developed are drawn.
2. Competency-Based Learning for IoT Cybersecurity
2.1. Evaluation of Academic Competencies
Within the European Higher Education Area (EHEA), all undergraduate or postgraduate university programs must have, in their study plans, a set of competencies that must be practiced and evaluated. In fact, the competency model should be the pillar where all the degrees develop their teaching-learning programs [
10,
11,
12]. If we analyze the competency model, we find two types of competencies: generic and specific ones. Generic competencies are the capacities that can be acquired in any kind of study, while the specific ones are those of the scope of knowledge of the program.
The evaluation by competencies has gained more traction in teaching as an important element to be able to have a more in-depth knowledge of the student and their aptitudes and abilities. The competencies have been implemented as an evaluation method both in primary and secondary education, as well as in university studies. Quality agencies, those performing the evaluation, accreditation, and certification of quality in the field of universities and higher education institutions, have published a lot of documentation, with guidelines on how to apply a competency-based assessment. For example, in Spain, there are guides for evaluation by competencies in areas as diverse as Technology and Architecture [
13], Social Education [
14], Humanities [
15], the Science of Physical Activity and Sports, the Social Sciences [
16], or Medicine [
17] to cite some of the relevant ones. A competency-based teaching model is presented in [
18].
Although much work has been done in the development of competencies within the curricula of undergraduate and postgraduate university programs, their evaluation continues to be an unsolved aspect. Probably, there are different causes that lead to this situation. Perhaps the main one is that the emergence of competencies and learning objectives clashes head-on with the heritage of curricula that are content-centered. Additionally, most undergraduate and postgraduate programs focus on the development and evaluation of the specific competencies of their degree. If the focus is on postgraduate programs, where most of these have a professionalization character and are oriented to good job placement, we should ask ourselves if these specific competencies defined in each of them are those that the market demands.
2.1.1. Types of Generic Competencies
As stated before, Project Tuning [
19], since it is one of the most widespread in the university field, it classifies the competencies into two broad groups: generic and specific. The generic competencies are divided into three types: instrumental, interpersonal, and systemic. The most outstanding capacities for each type of generic competency are the following:
- ●
Generic instrumental competencies; this type of competencies includes cognitive, methodological, technological, and linguistic abilities.
- ●
Generic interpersonal competencies; these competencies describe social skills related to personal skills and ethical commitment.
- ●
Generic systemic competencies; this type of competencies combine the understanding, the awareness, and the knowledge that allow students to see how the different parts of a whole are related and grouped.
One of the main challenges that exist in university studies is the need to transmit and evaluate these competencies accurately. Many of the technical degrees are focused on specific contents closely linked to the curricula, while leaving aside this type of more transversal skills. However, many of the jobs offered in the market require people trained in not only the most technical aspects but also employees with transversal skills that help the successful development of the different projects carried out in an industry. It is going to be analyzed in the following section.
2.1.2. Transversal Competencies
Once the different typologies of competencies are explained, some references are presented to see what is demanded from the industrial sector and what future perspectives exist in this sense. If the competencies that graduate degrees could offer are to be contrasted with the so-called transversal skills most valued by employers, also known as soft skills, we find many reference reports that can indicate future trends in the sector.
The National Career Service, the government agency of the United Kingdom, released a report that cited the transversal skills most valued by employers. Reports like “Trabajar en 2033” [
20], or the Adecco Report on the future of work in Spain 2016 [
21] allow us to make a synthesis of the skills demanded from the business world.
Transversal skills are related to making decisions, commitment, interpersonal communication, flexibility, time management, leadership, creativity and problem solving, teamwork, responsibility, and capability to work under pressure. In other words, the ability to make decisions in an agile, informed and consistent manner is an essential skill for any job. Highly committed profiles do not usually require a lot of supervision to give the best and fulfill their tasks with reliability. Likewise, communication skills, oral and written, are highly valued qualities.
At the same time, knowing how to adapt to the circumstances and not fear new challenges is evidence of a flexible nature, capable of leaving one’s comfort zone and facing difficulties with a positive attitude. In this sense, the capability to know how to prioritize the most important tasks and delegate those that are not so important and the ability to understand how to respect deadlines, deal with crises and face the changes that may arise at the last moment are also well-valued by the employers.
Regardless of the job position, it is also positively valued to know how to motivate colleagues to give the best of themselves, how to work in a team, in an open, transparent and constructive way, and knowing how to assume one’s own mistakes, as well as successes. Finally, related to creativity and problem solving, the ability to address problems by trying to find solutions in a logical and creative way is an important factor in the recruitment stages.
If we cross the demands that come from the labor sector with the competencies described in the academic model, it is observed that there is a huge correlation between the two. So, why do we not face programs that focus on the capacities that the industry demands beyond the technical or specific capabilities that are considered to be included in the degree itself?
Universities are facing significant challenges. On the one hand, students should not stop acquiring the specific competencies related to their field of knowledge, but on the other hand, it is necessary that other qualities, many of them represented in transversal competencies, can be developed in class.
2.2. An Integral Pedagogical Strategy for Teaching and Learning IoT Cybersecurity
As explained in the previous section, university education grapples with the challenge of preparing professionals for a technological world in more competitive and globalized work environments. This new paradigm will require cross-disciplinary skills, such as critical thinking, problem-solving, resilience, and agile work in teams formed in a heterogeneous way. University must prepare our students for this looming scenario, for example, by strengthening the connection between what students learn and what the outside world is going to require from them (paraphrasing our founder, St. Jean-Baptiste de La Salle, “You cannot educate them better than giving them a good example”).
To achieve this goal of teaching IoT cybersecurity and assure that our students acquire the needed competencies for this globalized world, a complete pedagogical strategy that involves several learning methodologies is defined. These methodologies are applied through several subjects and activities performed inside the curricula programs.
As we can see in
Figure 1, the pedagogical strategy includes a continuous and step-by-step learning path, starting in the early stages, where undergraduate program subjects provide students with fundamental and technical IoT and cybersecurity knowledge, continuing in medium stages, where students collaborate with research groups for their final thesis elaboration or their interest in a deeper learning, and finishing in the advanced stages, where they take part in initiatives, sharing work activities with university mates of several disciplines.
In our university, we have a wide range of undergraduate programs in the field of engineering, in total seven different specialties (Computer, Telematics, Telecommunication Systems, Electronic Systems and Robotics, ICT Management, Audiovisual and Multimedia and Videogames). All curricula are designed so that students acquire both general competencies desirable for a valued engineer in the global market and specific competencies associated with their field of knowledge. Among all the programs, three stand out, to which the competencies for IoT and cybersecurity are directly associated; Computer Engineering, Network (Telematics) Engineering and ICT Management Engineering. Moreover, being somewhat more precise, Network Engineering students are those who acquire more competencies for IoT and cybersecurity learning since it is the program that prepares students to work specifically in the Network and Internet Technologies sector. In the early stages, apart from achieving technical competencies, the strategy proposes the assimilation of transversal competencies through joint work, in groups, between students from these three different specialties.
Moreover, at our university, different research groups are dealing with several technological fields; internet technologies, data science, storage and big data, technologies applied to learning, and multimedia technologies, among others. Within the proposed pedagogical strategy, in the medium stages, the collaboration with the Research Group on Internet Technologies and Storage (GRITS) is very effective for the acquisition of some specific competencies, but especially for the acquisition of valuable transversal competencies. The GRITS research group (specialized in areas such as future internet architectures, cybersecurity, data storage, big data, social IoT and IoT remote communications) collaborates in a series of projects, both European and national, in which students participate intending to acquire a more profound knowledge of a specific area of interest. Then, they use this knowledge to elaborate on their final undergraduate thesis. This joint work provides the student with general competencies, such as the ability to make decisions, improve their interpersonal communications, manage the suitable scheduling of tasks, prioritize and/or delegate tasks meeting delivery deadlines, perform qualified oral and written communication, among others.
Additionally, in the advanced stages, due to the close relationship of La Salle (Ramon Llull University) with companies, the university provides the opportunity of collaboration activities where these companies propose competitive challenges to students (requiring different student profiles and disciplines to be solved). These challenges reveal to postgraduates the real needs of the job market and, therefore, the competencies to be acquired, especially from the group of transversal competencies.
2.2.1. Definition of Competencies for IoT Cybersecurity Learning
The specific competencies associated with IoT cybersecurity that the university wants students to acquire are defined taking the IoT World Forum Reference Model as a starting point [
22]. This reference model is based on the premise that:
DEVICES send and receive data interacting with the NETWORK where the data is transmitted, normalized, and filtered using EDGE COMPUTING before landing in DATA STORAGE/DATABASES accessible by APPLICATIONS which process it and provide it to people who will ACT AND COLLABORATE. As shown in
Figure 2, this premise is directly transferred to a layered model based on knowledge areas. With these areas in mind, it is more affordable to achieve an effective allocation of competencies that covers the different areas.
As mentioned above, the preparation of the curricula includes the definition of the technical competencies that the students must assume. These competencies are detailed so that they are able to adapt to technological changes. This gives rise to the definition of a subset of specific competencies for IoT cybersecurity (as is done with the rest of the technologies and concepts taught in university programs). Specific competencies are detailed below (SC.XY indicates specific competencies as they are defined in curricula, and SC.XY-Z indicates specific competencies fine-tuned to accommodate IoT cybersecurity learning. The relevant changes are highlighted using italics):
- ●
SC.01: Ability to build, exploit and manage telecommunications networks, services, processes and applications, understood as systems for capturing, transporting, representing, processing, storing, managing and presenting multimedia information, from the point of view of telematic services.
- ○
SC.01-1: Ability to build, exploit and manage IoT network architectures, services, processes and applications, understood as systems for capturing, transporting, representing, processing, storing, managing and presenting information, from the point of view of telematic services.
- ●
SC.02: Ability to apply the techniques, on which the telematic networks, services and applications are based, such as management, signaling and switching systems, routing, security (cryptographic protocols, tunneling, firewalls, collection mechanisms, authentication and protection of content), traffic engineering (graph theory, queuing theory and teletraffic), pricing and reliability and quality of service, both in fixed, mobile, personal, local and long-distance environments, with different bandwidths, including telephony and data.
- ○
SC.02-1: Ability to apply management, signaling, switching and routing techniques on which IoT network architectures, services and applications are based.
- ○
SC.02-2: Ability to apply security techniques to IoT network architectures, services and applications (like cryptographic protocols, tunneling, firewalls, gathering mechanisms, authentication and protection of content).
- ●
SC.03: Ability to design network architectures and telematic services.
- ○
SC.03-1: Ability to design IoT network architectures.
- ●
SC.04: Ability to program telematic, networked and distributed applications and services.
- ○
SC.04-1: Ability to program telematic, networked and distributed applications and services for IoT environments.
- ●
SC.05: Conceive and develop centralized or distributed computer systems or architectures integrating hardware, software and networks.
- ○
SC.05-1: Conceive and develop centralized or distributed computer systems or architectures, integrating IoT hardware, software and networks.
- ●
SC.06: Original exercise to be carried out individually and presented and defended before a university court, consisting of a project in the field of specific technologies of Telecommunications Engineering of a professional nature in which the skills acquired in the learning process are synthesized and integrated.
- ○
SC.06-1: Original exercise to be carried out individually and presented and defended before a university court, consisting of a project in the field of IoT technologies, in which the skills acquired in the learning process are synthesized and integrated.
- ●
SC.07: Ability to function in contexts that provide imprecise specific information.
- ●
SC.08: Ability to identify key issues that need to be addressed to solve a complex problem.
- ○
SC.08-1: Ability to identify key issues that need to be addressed to solve a complex problem in IoT environments.
- ●
SC.09: Ability to design, create, develop and carry out new and innovative projects in the relevant areas of specialization.
- ○
SC.09-1: Ability to design, create, develop and carry out new and innovative projects in the IoT technological area.
- ●
SC.10: Ability to integrate knowledge, deal with complexity, and formulate opinions with limited information.
As shown in the definition of the above competencies, they are defined so that different subjects or activities may fulfill them. For this reason, all subjects in one curriculum of a university program define their subset of specific competencies, adapting to the learning that is transmitted to the student. This is the exercise carried out for the acquisition of IoT cybersecurity competencies within the presented strategy.
The following table (
Table 1) shows the mapping between the specific competencies and the IoT World Forum Reference Model.
Some of the reference model levels have no competencies assigned because our main learning objective is focused on network architectures that support IoT environments considering cybersecurity in communications.
Earlier in this document, the importance that students assume some transversal competencies is explained, preparing them for the global market.
Generic competencies are detailed below. These are included with the specific ones, although they are not directly related to IoT or cybersecurity, because a professional worker with knowledge in these topics who has no communication skills, does not know how to work in a team, is not self-critical, indecisive, and does not have the most generic skills mentioned in
Section 2.1.1 and
Section 2.1.2, is worthless.
- ●
GC.01: Know and apply basic elements of economics and human resource management, organization and planning of projects, as well as legislation, regulation and standardization in telecommunications.
- ●
GC.02: Ability to work in a multidisciplinary group and a multilingual environment, and to communicate, both in writing and orally, knowledge, procedures, results and ideas, related to telecommunications and electronics.
- ●
GC.03: Know how to apply the knowledge to a job or vocation in a professional way and possess the competencies that are usually demonstrated through the elaboration and defense of arguments and the resolution of problems within the area of study.
- ●
GC.04: Ability to collect and interpret relevant data (usually within ‘students’ area of study) to make judgments that include a reflection on relevant social, scientific, or ethical issues.
- ●
GC.05: Transmit information, ideas, problems and solutions, to both a specialized and non-specialized audience.
- ●
GC.06: Develop those learning skills necessary to undertake further studies with a high degree of autonomy.
- ●
GC.07: Critical ability and intellectual defense of solutions.
These generic competencies are not assigned to the IoT World Forum Reference Model. They are competencies that are not directly related to the IoT and cybersecurity topics, but rather to the creation of valuable engineers, and consequently considering them is important.
2.2.2. Learning Methodologies
The set of defined competencies is acquired through the application of different learning methodologies. For a long time, we have applied methodologies in which the students are jointly responsible for their learning. We introduce students in their own learning context so that they are more aware of the process gaining commitment, dedication, and satisfaction. Below the learning methodologies used in this pedagogical strategy are described.
- ●
LM.01: Laboratory Activities. It involves the student solving a problem or making decisions using the knowledge learned in theory. Specific equipment from a laboratory or workshop is used. Laboratory tutorials, simulation exercises, field study, computer practice, company visits, or field trips are some activities that can be performed.
- ●
LM.02: Self-Paced Learning. Methodologies where the student learns new content on their own, from the teacher’s guidelines or by means of didactic material designed for this purpose. Autonomous learning, self-learning, directed study, tutorials, virtual network work, individual or group work outside the classroom, or personal study are some activities than can be performed.
- ●
LM.03: Challenge-Based Learning. The methodology is focused on five key points: (1) pedagogical approach that actively involves the student, (2) based on a real problem, (3) close to the student environment, (4) demand a specific solution, and (5) within the experiential learning.
- ●
LM.04: Project-Based Learning. It involves the development of the subject, based on solving a project or various projects (in groups or individually) where the student discovers the concepts as they are necessary for its development.
- ●
LM.05: Case Method. It consists of several stages: (1) preliminary phase: reading and study of the case for awareness of individual work, (2) phase of expression of opinions and judgments: individual reflection and the detection of descriptions of individual work, (3) contrast phase: joint analysis of the analyzed data, with work in small groups and sharing in the whole group.
2.2.3. Learning Outcomes
Once the students carry out and successfully pass the activities proposed in the learning methodologies, they obtain the following learning outputs, guaranteeing the acquisition of the defined competencies:
- ●
LO.01: Master the concept of network, its architecture, deployment and services for IoT environments.
- ●
LO.02: Know and differentiate the concepts of transport and access network, including the most important protocols and interfaces.
- ●
LO.03: Mastery of the design, configuration and implementation of the equipment that forms an IoT network architecture.
- ●
LO.04: Master the analysis, diagnosis and resolution of network problems for IoT environments.
- ●
LO.05: Analysis and design of security in networks for IoT systems.
- ●
LO.06: Know the security technologies and their application in data systems and networks.
- ●
LO.07: Have deepened in a specific subject of the area of study of the degree, applying the knowledge learned throughout it, with the ability to analyze and solve problems in an original or novel way.
- ●
LO.08: Have the ability to organize and plan, searching skills and information management.
- ●
LO.09: Having communicated the work performed in writing, and publicly presenting it in front of experts and non-experts in the field.
- ●
LO.10: Have demonstrated the ability to conceive, design, implement, and adopt a research process of considerable scope with academic integrity.
- ●
LO.11: Have demonstrated critical analysis, evaluation and synthesis of new and complex ideas.
To conclude this section, the mapping between stages, competencies, learning methodologies and learning outcomes is presented in
Table 2.
In the following sections, the application of the methodologies used in each stage will be detailed, and the competencies and learning outcomes will be related according to the assessments carried out.
3. Acquisition of Competencies in the Early Stages
In this section, the competency acquisition in the early stages is presented through two subjects used to bring students the basic knowledge about IoT and cybersecurity. Information gathered from IEEE Internet of Things [
23], ISECOM [
24] and OWASP Internet of Things Project [
25], among others, helps us to conform and maintain the knowledge provided to students through these subjects up to date. The subjects are ‘Networking Laboratory’ and ‘Cybersecurity’.
3.1. Networking Laboratory Subject Methodology
This section describes the employed methodology in the ‘Networking Laboratory’ subject. In it, students (in pairs) face a different lab each week during the semester. These students are Telematics Engineering and ICT Management undergraduate students between 20 and 23 years old. They have learnt the basics of networking in the previous courses, and this subject aims to complement their knowledge, with new skills related to advanced routing, advanced architectures like those developed for IoT environments and introduce cybersecurity concepts focusing on networking. Each of the labs focuses on a specific IoT topic, most of them related to the lower layers of the IoT Reference Model (end & network devices, network architecture, and security). Depending on the type of equipment and technologies used, labs can be deployed in one or more of the following ways: (1) physical implementation, where students use real-world devices (i.e., Palo Alto Networks Next-Generation Firewalls and Cisco Nexus 7000); (2) emulation, where students use emulating software to implement more dense and complex scenarios (i.e., Cisco VIRL [
26] and GNS3 [
27]); (3) in-lab virtualization, where students use the university assets to virtualize both end and network devices (i.e., VMWare ESXi and VMWare Workstation); and (4) cloud-based virtualization, where students use the Infrastructure as a Service (IaaS) resources of a cloud platform (Amazon Web Services) to configure and implement their scenarios.
Each lab consists of a theoretical explanation that students must read prior to class (LM.02 methodology), and a few practical scenarios that must be configured and implemented during the class (LM.01 methodology). Once students complete them, they have learnt and consolidated the concepts of a specific IoT topic in an eminently practical way. Each lab can be seen as a puzzle piece of the IoT network architecture and security, which leverages the consolidation of both theoretical and practical skills upon its completion. These puzzle pieces are combined together at the end of the semester, when students individually face a final hands-on project and a final hands-on exam. Both of them consist of a 100% practical scenario that merges different technologies, equipment, and concepts seen throughout the semester, which the student must correctly combine to make the proposed scenario work. Students prove the acquisition of the required competencies and skills upon the successful completion of both the project and the exam.
As the IoT ecosystem is continuously evolving, the subject’s labs must evolve as well to form state-of-the-art skilled engineers. In order to achieve that, during the last three academic years, 10 of the 21 labs that the subject consists of have been renewed (
Table 3 shows the current lab curriculum). In addition, this course has experienced the highest impact modification, due to the recent crisis that a lot of countries have faced with the COVID-19 emergence. In Spain, all schools and universities had to close their facilities, and all lessons had to be taught virtually by using on-line tools, such as Zoom or Blackboard Collaborate. This fact precluded the continuity of the subject’s methodology as it was initially designed, because all the assets were physically placed on the university campus. Remote access to the lab’s equipment could be achieved, but it was not a feasible solution, due to the continuous change in the wiring, interconnection, and configuration of virtual and physical devices. Despite these difficulties, students had to experience no disruption in their learning process, so instructors decided to migrate all the labs of the semester to the public Cloud. By doing this, all labs had to be redesigned to meet the public Cloud infrastructure requirements and limitations, while keeping the learning skills, objectives, and topics that each lab covered intact. In total, ten labs were redesigned and migrated, and one new lab was created as an introduction to the cloud platform. The main advantage of this solution is that students can have 24/7 access to their scenarios and have total control of it.
On the contrary, before the migration to the Cloud the access was limited to the laboratory availability. Furthermore, the use of a cloud platform introduces new concepts and skills that students learn. This is very relevant if we consider that Cloud computing was the hard skill that companies needed most in 2019, according to LinkedIn data [
28]. Among all the available IaaS cloud platforms, the professors chose Amazon Web Services, based on its ease of use, wide variety of configuration options and their commitment that students would not suffer any economic cost when using their platform to carry out the labs.
The following subsections describe some of the most relevant labs carried out by students in the ‘Networking Laboratory’ subject. For each lab, a description of its contents and scenarios are given.
3.1.1. Wireless Networks for IoT
In this lab, students learn how to design and configure wireless connectivity for IoT end devices.
First of all, a description and a taxonomy of different wireless technologies are presented. These protocols are classified by their coverage area, defining three main groups: PANs (Personal Area Networks), LANs (Local Area Networks) and WANs (Wide Area Networks). Some of the most relevant protocols for IoT presented are Zigbee, Sigfox, 6LoWPAN, LoraWAN, NB-IoT, 802.11, LTE, 5G, and Bluetooth, among others. From all these protocols, a more detailed explanation is given for the 802.11 standard, which will be used for the practical scenarios.
The practical scenarios focus on two approaches for deploying a WLAN (Wireless LAN): using a physical wireless controller to manage the Access Points (APs) (with Netgear equipment) or using a cloud-based wireless controller to control the APs (with Cisco Meraki equipment).
The scenario that students must deploy with the physical wireless controller is shown in
Figure 3. In this scenario, students learn how to configure different SSIDs (Service Set Identifiers) and VLANs (Virtual LANs), each of them with a unique security profile. Additionally, management access is granted to administrators through a captive portal, where every administrator must authenticate themself with their own user credentials. Students successfully complete this scenario when they show the instructor that the whole network is working, and the end devices can communicate between them and send data to the data processing server.
On the other hand, there is the cloud-based wireless controller scenario with the Cisco Meraki AP.
Figure 4 shows the topology for it. With Meraki Cloud Management, students learn how to set different types of wireless profiles, each one with its own security and access settings. Students have to accomplish the same requirements as in the previous scenario to pass this one.
At last, there is a final scenario which merges both topologies and asks students to successfully communicate end devices connected to the Meraki AP with the devices connected to the Netgear APs, as shown in
Figure 5. Additionally, Power Line Communications is introduced to interconnect two gateways without the need for wired UTP/STP infrastructure. When all devices get full connectivity with the rest of the scenario, students pass the lab.
3.1.2. Palo Alto Advanced Firewalling
This lab focuses on the advanced features that Palo Alto firewalls can offer to control and monitor IoT network architectures. The scenarios are composed of three main zones: the External Zone (Internet), where devices must be protected from; the DMZ Zone, where data processing servers are placed; and the Internal Zone, where the IoT devices are connected (see
Figure 6). The basic firewalling concepts are already assimilated from previous labs, so this one focuses on introducing new and advanced ones.
First, the student must be able to interconnect the three zones together, while performing NAT (Network Address Translation). This helps to hide the internal devices and sensors from the outside, so external users cannot know which is the internal topology and the real addressing from these devices. Once inter-zone connection and NAT are configured, students have to apply policies to control which applications and services are permitted (i.e., from the external networks administrators must be able to access the servers for monitoring purposes, while only the end-devices from the internal networks can send data to those servers). In addition, threat detection must be configured to analyze and counteract against possible malicious attacks from both external users and bogus internal devices. Furthermore, SSL inspection policies are added to decrypt the traffic that the firewall must inspect in order to apply policies correctly. When students successfully configure all these requirements, they can pass to the next phase.
After that, students are introduced to the concept of High Availability (HA) and how to configure it on the firewall. They learn that, by implementing HA, they remove a single point of failure at the edge of the IoT network and minimize the risks of a critical failure. Once it is configured and its functioning is verified, students move to the next phase, where the concept of Virtual Routing and Forwarding (VRF) is presented. VRF is very useful when the same firewall (or group of firewalls) must connect to independent IoT networks serving different purposes. As these networks do not need to know each other, they must be able to use the same private addressing. Students configure VRF in the firewalls, so these networks are isolated, and the same IPv4 private addresses can be used, learning the main advantages of this technology. To move to the next phase, students must prove that both internal networks can communicate with the DMZ and External zones, but they do not reach each other.
Finally, students have to include the use of a VPN into the scenario. By implementing a VPN, they gain access to internal resources from the external network, and they learn the main advantage of it, which is that there is no need to expose IoT devices or services to the public to access them, minimizing the related potential security risks.
3.1.3. Introduction to Amazon Web Services
As has been mentioned earlier, an important task has been conducted to adapt the’ Networking Laboratory’ subject, due to the health alert caused by COVID-19. The new skills that students gain, learning how to work on a cloud platform, may help them acquiring relevant knowledge for hosting and managing IoT application instances in Cloud environments.
This lab is a key component for all the semester, as students learn how to set up the AWS platform that they have to use for the rest of the labs. Each student has its own account to access AWS, where they can configure their own scenarios. This fact gives students a lot of flexibility, so they can choose when to complete the required activities, and there are not time, availability or resource limitations.
3.2. Cybersecurity Subject Methodology
This section describes the design and implementation of the learning platform for IoT security training that was developed at La Salle (Ramon Llull University), our learning platform that helps IoT security trainers to teach knowledge on security testing and auditing IoT architectures by using hands-on technological training. The IoT learning platform is composed of several parts, including the testbed, the eLearning platform, the management interface, the learning material, and the proposal of challenges offered to students.
The testbed has been designed to replicate real infrastructures where students find and experiment with several and diverse IoT platforms, Operating Systems (OS), network topologies and protection equipment, all organized in several and different scenarios. The students use this testbed to implement the labs proposed in the different lessons of the Learning Materials, where a specific scenario is designed for each of the lessons, to accomplish the defined objectives.
The design and implementation of the testbed are based on the concepts of virtualization and cloud computing on the University Campus’ assets, with three main parts: (1) network virtualization based on Virtual LANs concept to implement the different scenarios, providing the required flexibility to change the topology just by configuration, (2) server virtualization built in a server farm running a hypervisor that supports the needed Virtual Machines (VM), and (3) storage virtualization by using a Network Attached Storage (NAS) to centralize all the VM disks in a single place, allowing the movement of VMs between servers to accomplish the requirements of high availability and flexibility (see
Figure 7).
Our students use the management interface, or front-end, to log into the environment and check the different scenarios that they must implement. Once they are logged in, an access firewall allows them to access the corresponding scenario of the testbed. The access to the testbed is supervised by the instructor, who controls the activity of each student, using the information obtained by a monitoring system. Using this information, the trainer can certify whether each student has accomplished the objectives for each lesson or not. The objectives defined for each scenario are specified in
Table 4.
The teaching process of the ‘Cybersecurity’ subject carried out in the second semester of third academic year, is divided into the following course development phases:
- ●
Training: In the first part of the course, students are trained throughout all the lessons described previously using the “student’s workbook”, composed by around forty different labs (
LM.01 and
LM.02 learning methodologies). These labs are performed in pairs of students from Telematics and Computer Engineering undergraduate programs (between 20 and 23 years old). They have learnt the basics of networking, operating systems, and programming languages in the previous courses.
Table A1 in
Appendix A shows the objectives of the labs performed by using step-by-step learning techniques, methods and tools that will be applied for auditing and protecting an IoT network environment. With the knowledge that they obtain, they are then ready to face up to the second and most challenging part of the course.
- ●
Challenge: After the initial training period, students must demonstrate the knowledge and skills acquired. In order to motivate them and get the best of them, our proposal for the development of the security course is to challenge them in a kind of competition or hacking contest. Based on the Project Based Learning (PBL) methodology (LM.04), we propose them a Challenge Based Learning (CBL) activity (LM.03), where they must compete in groups to demonstrate who the best ethical hackers of the year are.
- ●
Presentations: Before finishing the course, students must present their results, not only to the rest of the groups, but also to trainers and, most importantly, to IoT security experts from external companies. Across this activity, they get in contact with real enterprises, and these corporations could evaluate new candidates to hire.
At the end, the obtained results have been exposed. Moreover, motivated, skilled and valued engineers are obtained through the security course developed. The aim of the ‘Cybersecurity’ subject is to complement students’ knowledge, with new skills related to cybersecurity and ethical hacking to be applied afterwards in IoT and non-IoT environments, and provide a nearby experience to the cybersecurity labor market (also assuring the acquisition of some soft skills). Nevertheless, the IoT platform is in constant evolution and improvement, where not only the students in their last year contribute to its development (via activities like final thesis elaboration), but the students enrolled in the security course also participate, increasing the number of learning materials and resources available on it.
For this subject, no examples are presented, because the labs are made up of a large set of exercises that follow the same methodology (
LM.01 and
LM.02) to meet the objectives defined in
Table 5. All laboratories have great importance within the field of cybersecurity applied to IoT architectures; therefore, each one would be remarkable.
On the other hand, it should be noted that the hacking contest carried represents an incentive challenge for students due to its methodology (LM.03) and implementation.
3.3. Competencies Acquired by Students and Learning Outcomes
The competencies and learning outcomes defined for early stages are distributed between the subjects, as shown in
Table 5.
6. Result Analysis and Discussion
In this section, the results obtained by the students and the feedback provided by them are analyzed to check if the pedagogical strategy proposed is suitable and to collect information needed for continuous improvement of the methodology applied.
6.1. Students Results Analysis
A substantial metric to evaluate the pedagogical strategy is the grades of the students. These grades are obtained through assessments performed using learning methodologies explained in this paper. The application of these methodologies helps students to acquire the desired competencies and therefore, successfully passing subjects implies their acquisition. All the evaluable activities carried out within a subject are graded from 0 to 10, passing them if a mark equal to or greater than 5 is obtained. Additionally, a subject is successfully passed if its final grade is equal to, or greater than, 5.
For the early learning stages, we will analyze the academic results of the ‘Networking Laboratory’ and ‘Cybersecurity’ subjects.
Figure 11 shows a box plot for the ‘Networking Laboratory’ marks’ evolution from the academic years 2015–2016 to 2018–2019. The figure also displays the average grade for each one. Throughout all academic years, the minimum grade is 5, except for 2017–2018, where the worst mark was a 6. While in the academic year 2015–2016, 75% of grades were equal or below 7, students achieve remarkably better results in the following years, with 75% of marks being equal or greater than 6. The best academic year in these parameters is 2018–2019, with 50% of grades between 7 and 9 and 25% between 9 and 10. Furthermore, the average grade increases by 10.52% from 2015–2016 (6.56) to 2016–2017 (7.25) and maintains similar numbers (7.20 and 7.19) during the following academic years. This increase in the average grade and the redistribution of marks to higher numbers coincide with the introduction of the pedagogical strategy described in this paper to the classrooms, beginning in the 2016–2017 academic year.
Figure 12 shows the same statistics for the ‘Cybersecurity’ subject. At first sight, we can observe similar results. We can see that the minimum grade is always 5, except for the last year, which is 7. Students achieve better results beginning in the academic year 2016–2017, which is the first time that lecturers introduced the described active learning methodologies. Observing the last three years, it is remarkable that 75% of the marks were equal to or greater than 8. This fact is a substantial change compared to the academic year 2015–2016, when 75% of grades were equal to or below 8. Moreover, during the last three years, the average grade was between 7.91 and 8.19, while in the academic year 2015–2016, the average was 6.63. If we compare the year 2015–2016 with the year 2016–2017, the average grade increased by 21.27%.
Another essential aspect of analyzing the new active learning methodology is to consider the evaluations made by stakeholders external to the university. During the early learning stages, companies have the opportunity to evaluate the final project done in the ‘Cybersecurity’ subject. From the 2015–2016 academic year, to the 2018–2019 academic year, 29 companies participated in this activity (some of them are big companies which are globally recognized, like KPMG, PwC, Deloitte and Ernst & Young, and IT or cybersecurity consulting companies, like Accenture, GMV, Be12, Blueliv, and Brightsight, among others). These companies perform individual interviews to evaluate technical skills (proven technical abilities to work in the cybersecurity labor market through the results obtained and the documentation presented in the final project), and soft skills (communication skills, empathy, ability to teamwork, language used, presence, among others).
Figure 13 shows the results of these evaluations. First of all, it is interesting to note that the obtained marks are good over the course of all the academic years, since the minimum grade is always higher than 6.1, and the average is above 7.7. In addition, we see that over the last three years in which active methodologies were introduced into the subject, the evaluations’ trend is rising. During the last two years, students obtained, in general, better marks from the companies, so that both the mean and median values of them are greater than 8. Moreover, in the 2018–2019 academic year, nearly 75% of students got a grade above 8.
These results fit with the feedback that companies gave to the professors of the subject. They showed immense satisfaction, both with the activity and the skills and competencies acquired by the students, and their desire to repeat the experience in the following years.
Regarding medium stages, 12 undergraduate program final theses about IoT and cybersecurity topics have been presented since 2016. These final theses were focused on auditing methodologies applied to smart environments, monitoring and management of IoT environments, applying blockchain to social IoT, firewalling and security event management, and improving IoT security training platform of ‘Cybersecurity’ subject, with new labs and updated scenarios, among others. Some projects were performed in collaboration with the GRITS research group, but not the totality of them.
The evaluation of the project presented is based on the following criteria (the mentor of the project and a tribunal of three people evaluate each criterion):
- ●
Have studied, in depth, a specific subject of the area of study of the degree, applying the knowledge learned throughout it, with the ability to analyze and solve problems. The evaluation of this criterion depends on the originality of the way the student addresses the problem and how the work is orally presented.
- ●
Have the ability to organize and plan, search and manage information skills. The evaluation of this criterion depends on the tracking performed by the mentor and the project report presented.
- ●
Have communicated the work performed in writing and publicly presenting it in front of experts and non-experts in the field. The evaluation of this criterion depends on the project report presented and how the work is orally presented.
All students obtained marks above 8.5, except one who obtained a 7 three of them graduated with honors (the highest mark), and three other students with a mark of 10. The average grade of all these final theses is 9.25. These results are those expected according to the effort done by every student. Some topics addressed are quite novel, and students now have more specific knowledge about IoT and cybersecurity.
Finally, regarding the advanced stages and the MaaS initiative, the most relevant activity done in the last three years related to IoT and cybersecurity is the mentioned example of the SPRINT 4.0. Other MaaS initiatives have been performed, but these topics were addressed separately. So, we consider that the results of the SPRINT 4.0 are the important ones to be shown.
The final evaluation of the SPRINT 4.0 course was the presentation of the solution of the Selettra challenge. To solve this challenge, the 21 students of different postgraduate programs (Big Data, Cybersecurity and Smart Cities) participating in the SPRINT 4.0 course were divided into five groups, mixing these profiles inside each group. The following aspects (
Table 7) were taken into account, in order to evaluate the learning outcomes (see
Section 5.2):
The grades obtained for the items evaluated are presented in
Figure 14, differentiated by groups. Moreover, the average for each item is shown. All the groups presented a correct description of the problem and, especially, three of them fully understood and explained the Selettra challenge, obtaining an average mark of 9.20. There was also a good perception of the requirements that the solution to be provided by the students must meet, with an average grade of 8.70. Each group suggested an appropriate technical solution, explaining the technologies, systems and resources necessary to carry it out (average mark of 8.29). Only one group did not elaborate on the technical explanation of their solution and therefore obtained a regular grade of 5.70. The proposed solutions have a high degree of innovation (average mark of 8.53), using new generation technologies and advanced systems. Finally, only two groups made an appropriate analysis of possible solutions, and presented the pros and cons of each one, justifying their final decision, causing a low average rating of 5.40 on this item. The time to present the solution was quite limited, and the groups that were fairer in time possibly focused on those parts of the solution with a higher weighting (leaving the alternatives for the end without being able to solve them with good quality). Nevertheless, knowing how to divide the work effort to obtain the maximum profit if there are limitations (like time) is also important.
The final grades of the project are shown in
Figure 15. These grades represent a solid acquisition of objectives. Four groups obtained a grade of 8 or higher. Only one group was evaluated below 8. Probably, this group was negatively affected by not having any student from the Smart Cities postgraduate program: a student profile that provided an interesting point of view regarding the viability of the solution and innovation to the rest of the groups.
6.2. Student Feedback Analysis
Feedback is an essential part of the learning process and helps to improve the learning experience, by considering the opinion of the students about the subjects they have taken. This feedback allows professors to improve their subjects year by year, and it is a fundamental part of the quality system of our institution.
Students from undergraduate program subjects answer a feedback survey for each subject they take. This feedback includes several questions regarding their satisfaction with the subject, the innovation and practical application of its content, and about the dynamics of the sessions. The following figures show a comparison of the last four-year feedbacks regarding these questions. The rating values range from 1 to 5, 1 being not at all satisfied, 2 being slightly satisfied, 3 being satisfied, 4 being very satisfied, and 5 being completely satisfied.
The feedback results of the ‘Networking Laboratory’ subject, shown in
Figure 16, are mostly around 4 out of 5. These results show how students are very satisfied with the subject. There was a turning point regarding the innovation of the subject in the course 2017–2018. In this sense, several case studies were created and included in the subject, and the feedback results significantly improved the following year. The practical application of the content is highly rated too, and the mark grows year after year.
The feedback results of the ‘Cybersecurity’ subject shown in
Figure 17, are between 4 and 5, apart from the innovation rate. These results show how students are very satisfied with the subject. There was also a turning point regarding the innovation of the subject in the course 2017–2018. In this sense, the subject was updated the following year, and the feedback results significantly improved the following year. The practical application of the content is highly rated, and the mark grows year after year. Additionally, the methodology is very well rated, starting at 4.4 four years ago, and increasing year after year.
Students from advanced stages in a multidisciplinary group were also requested to give feedback about their learning experience. The evaluation forms were mainly addressed to measure the satisfaction of the participants, the fulfillment of their expectations, and the usefulness of the training received in the Data & Security course SPRINT 4.0.
The presentation of common parts was considered not very interactive, perhaps due to the master class methodology. Regarding the question: “How interactive was the lesson today?”, 75% of the students answered that it had been interactive enough, whereas 25% of the students responded that it had not been very interactive. However, this methodology was confirmed to be very useful in delivering contents. Regarding the question: “How clear were the course objectives?”, 30% of the students answered that they were super clear, 50% answered that they were clear, and the rest responded that they were clear enough.
The audit methodology reached excellent results both in terms of clarity, results achieved, and competencies learned. The Trial explanation was evaluated as an excellent and stimulating case too.
The three seminars, Management systems in Industry 4.0; The Big Data lifecycle; and The Cybersecurity challenges in Industry 4.0, reached a good level of satisfaction, a 65% rating. The work project dedicated to the challenge was evaluated very positively: overall, the evaluation was around 70% satisfaction, as
Figure 18 shows.
Generally, the activities, contents, and effectiveness reached a high level of satisfaction among participants. Among the success factors, the origin of students from different backgrounds and the possibility to confront real and concrete cases, linking theory and practice, was emphasized. The most critical issue was a theoretical part that was too long, so mixing theory with more hands-on training will be considered for the next courses.
7. Conclusions
IoT has become a crucial part of curricula in any engineering curricula related to information and communication technologies, not only in undergraduate programs, but also in master’s courses or any other courses. The cross-cutting nature of IoT needs a different learning approach, capable of fostering the ability to relate different concepts, technologies, and disciplines in an environment in constant evolution.
An integral pedagogical strategy for learning IoT cybersecurity has been designed and presented in this paper. This strategy takes into consideration the different learning stages of students, depending on their knowledge level of the IoT and their learning maturity. Following the path across the different learning stages will let students gradually improve their knowledge about IoT, and will let them acquire not only technical, but also soft skills. Each stage has been designed to acquire different competencies regarding IoT cybersecurity, by implementing the most suitable learning methodologies. These specific competencies have been carefully designed and included in the learning outcomes of the related programs. The designed mapping between the specific competencies and the IoT reference model has also been presented in this paper, to show the close relationship between these two domains.
This proposed pedagogical strategy needs the definition of the different competencies, but also must go hand in hand with the most appropriate learning methodologies. Therefore, different learning methodologies have been analyzed, and the most suitable learning methodologies have been selected and implemented. Moreover, the learning outcomes expected for each stage have also been defined. Finally, a mapping between the different stages, the IoT cybersecurity competencies, the most suitable learning methodologies, and the expected learning outcomes, has been detailed.
Different subjects and courses involved in the programs are described in this paper in order to illustrate the effectiveness of this pedagogical strategy. Two different subjects included in the undergraduate degrees, classified in the early stage category, have been detailed: ‘Networking Laboratory’ and ‘Cybersecurity’ subjects. The content, related competencies, the applied learning methodologies, and the expected learning outcomes are specified in-depth for each subject. The student gradebook for the last four years has been analyzed. Student results are very good in both subjects and improve each year. Additionally, the satisfaction feedback provided by the students is included. It can be seen that these subjects are very highly rated, not only regarding the overall satisfaction, but also regarding the innovation, the practical learning outcomes, and the applied methodologies. Moreover, the assessment from other stakeholders, like the companies that are possible future employers and have interviewed the students, has been detailed. Companies marked students with very high grades and revealed an outstanding satisfaction, both with the interviews and the competencies acquired by the students.
The acquisition of competencies in the medium stage is also detailed with the description of the undergraduate program’s final thesis related to IoT cybersecurity and the student collaboration in the Research Group of Internet Technologies and Storage, due to their integration in the different funded research projects of this research group. Finally, an example of an advanced stage experience is presented in the framework of the European Project SPRINT 4.0. The competencies and learning outcomes acquired in this advance stage are detailed. The satisfaction feedback shows very good results in terms of learning outcomes and methodologies. Additionally, the evaluation of the student results of the Selettra challenge shows a very good performance.
The detailed learning experiences show that the presented integral pedagogical strategy for learning IoT cybersecurity adapts to the IoT reference model and integrates the most suitable competencies, methodologies, and learning outcomes.