On many programs, security gets considered late. A product is designed, built, and nearly ready to ship before anyone steps back to ask a basic question: is this platform secure against the ways an adversary would actually go after it? By the time that question comes up, the room to answer it well has narrowed, and the inexpensive fixes are mostly gone. In 2021, Boeing set out to move that question earlier, and we were glad to help build the course that makes the shift stick.
Boeing developed its Cybersecurity Maturation Methodology, or CMM, to pull security evaluation forward into product development rather than leaving it for the end. The idea is simple to say and hard to instill: treat cyber-risk as part of the job from the start. Boeing frames evaluating cyber-risk as an extension of evaluating safety, a discipline that belongs inside engineering rather than a box to check once the product is nearly done. Getting engineers to feel that, not just hear it, takes more than a briefing.
Learning by attacking something real
That is where MOUSE comes in. The Mobile Optical Ultrasonic Sensor Explorer, in this course the MOUSE MKII, is a low-cost unmanned rover built as a training platform. It looks like a game, and that is the point. Students work through a realistic mission scenario, sensors, radios, controls, and all, learning how an adversary would find and exploit weaknesses in an embedded system, and how to design those weaknesses out.
CT Cubed built the hands-on course around MOUSE for Boeing's Product Security team. Product Security Engineer is Boeing's term for what the broader field calls a Systems Security Engineer. Over the span of one week, engineers move through embedded systems threats, real adversary tactics, and the security controls that hold up against them. The course runs virtually or in person, using the physical or virtual MOUSE MKII rover, so it fits how teams actually work. It is not a slideshow about risk. It is a controlled environment where you get to be the attacker, and then the defender.
From a pilot to a program
The response spoke for itself. To date, more than 115 Boeing engineers completed the interactive course, a number that reflects real appetite for training that treats them like practitioners rather than an audience.
Underneath the game is the point we keep coming back to. Security is not a test you run at the end. It is a property you design in from the beginning, and the best way to teach that is to let people feel what happens when it is missing.
You can read Boeing's own writeup of the course here, and if you want the hands-on CMM training for your own team, that is available on our site.