Introduction to Cyber-Physical Systems Security

This is for Fall 2025. I really enjoyed CS-6263 and found the projects fun…but that could be due to my background in logic and circuit design. I echo the same advice others have given — start the projects early.

Project 1 took about 25 hours total and consisted of a part A and B. Part A only took about 5 hours, including reading up on how to use the tool and watching tutorials. Part B was more challenging but in a fun way — I actually completed it in 15 hours but spent another 5 hours fine-tuning things.

Project 2 took about 15 hours. Ladder Logic is a breeze if you’re familiar with logic gates and parallel signal propagation. If not, then it could take 2-3x longer to finish the project while you brush up on related concepts.

Project 3 was different from past semesters and only took about 5 hours to practice sniffing for ICS devices.

Project 4 gave brief exposure to machine learning. It seemed daunting at first but turned out easier than I expected. It helps if you’re familiar with Python or object-oriented programming. You are provided with a working skeleton model and have to fill in additional portions of code to make the project functional. Once you get your ML model to run properly, then you further refine and optimize your machine learning algorithm to hit the grading targets for accuracy and relevancy.

I was a little worried at the beginning of the semester after reading some of the other reviews because the difficulty level can be deceiving. Fortunately, my background in computer engineering served as a great foundation for all four projects and I finished each project with anywhere from 5-9 days to spare (primarily because I started projects early). I actually struggled more with the exams.

It is true, the lectures are completely independent of the projects. I didn’t mind this as I could focus more on the projects early on and come back to the lecture material later when it came closer to the midterm/final. You are allowed one page single-sided notes for the midterm and one page double-sided for the final. The lectures are all done well, some of the best production values I’ve seen in OMSCS so far, and I found the material all very interesting. Still, I was thrown off by the wording of some exam questions and received a C on the midterm and a B on the final. I still finished with an A overall in the course by averaging 98% across all projects.

There is also a 20-minute video presentation you have to do based on a research article. It is an easy 100 points. You get to select your presentation date and I quickly picked the latest available week for due dates. I suggest you do the same so the presentation doesn’t interfere with your first or second project. By the time you’re on project 3 and 4, the pace of the course really slows down and you’re in a lull in the semester so it’s a perfect period to then focus on your presentation.

I recommend this class for any of the OMS specializations, either as a requirement or elective, because the course is interesting, the projects are neat and fun, and the difficulty level/time commitment is very manageable for balancing family and career.

One last remark, I have to give credit to the amazing TA support team. The TAs ran Ed Discussion superbly and were responsive and gave helpful advice. Office hours were also extremely helpful. I was kind of shocked at how few people attend office hours; sometimes it was just me and the TA one-on-one (which was great for getting personalized help). Maybe everybody else knew what they were doing and didn’t need the help but I was grateful for how accessible the TAs were. Whenever I was in a quandary, or found the project instructions unclear, it was quick and easy to get clarity in office hours or through the discussion board.

I took this course because I saw the low average difficulty assigned. Boy was that a mistake! I eventually found out a majority of students who take this course drop it.

If you don't have a solid understanding of ladder logic, do not start here. You will ne expected to have a decent understanding before you start.

I took Intro to InfoSec prior and the difference in student participation is striking! Very little communication in Ed. Probably because everyone either knew this stuff already or was as lost as I was.

I dropped this class after a couple weeks when it was obvious I was not going to get it after two projects.

I hope more people who drop this course give their surveys so this isn't the shock for others that it was for me.

This course is difficult to judge. Project 1 - 3 were pretty interesting but the lectures didn't really give me a deep understanding of the subject matter and were hard to sit through. The tests were fine but project 4 was not good.

Project 1 (Design and Simulation of Industrial and Control systems): this was a really time consuming project (~40 hours) and I assume what led to the 36% of drops as shown on critique.gatech.edu. It used Factory I/O coupled with Control I/O to create the controls system for a water level controls system and a pallet storage system.

Project 2 (PLC Programming with Ladder Logic): this project was interesting and was much quicker (~15 hours)

Project 3 (Reconnaissance for Attacks on ICS Networks): Analyzing DNP3 traffic using wire shark and answering questions. This project seemed easy on the surface but I ended up spending 30+ hours analyzing the traffic data. By far the best project and I learned a ton.

Project 4 (Secure System Analysis Using Machine Learning): this was the project that dropped the rating of the class for me. I completed the project in 10 hours and learned nothing about ML or security.

This was my 8th class in the whole degree program and it was my least favorite class so far. It wasn't because of the subject matter, it was because how the class was run and the general lack of help from the TAs. My issues are as follows:

1. 2 out of the 4 projects are incompatible with M1 chip computers and as far as I can tell, there was literally no warning about this issue anywhere in the class materials.
2. When asking for help the TAs are very unhelpful. When I asked about an issue I had setting up some packages on my computer, a TA responded by suggesting I google around for an answer. When another student asked about how to compute coordinates from binary locations, the response was "Not sure if you took a course called digital logic design. If you read about that subject, then the answer will be very straightforward."
3. The prerequisites for this course are C and Python. You will have to teach yourself a PLC ladder logic and a whole new manufacturing program that has really terrible documentation.

A lot of the time I spent on this class was not on learning core concepts for security and cyber physical systems but was instead used to decipher what little help the TAs, teaching myself programs that weren't prerequisites, and dealing with technology incompatibility issues I was blindsided. If you have an apple chip computer, don't take this class. The concepts aren't hard but the projects are a lot of work. If you are interested in security and have a windows machine, knock your socks off.

Lectures - Echoing what others have said, the lectures are incredibly dry. All fourteen weeks could have been summarized in an hour lecture. I was expecting each lesson to get more detailed and in depth, but it’s the exact same principles repeated over and over every week. All of the exam content comes from the lectures. The content is not technical and nothing that an undergrad or grad student from a non-CS background couldn’t pick up.

Exam - There are two exams and they’re not hard. 20-25 question multiple choice tests. You can have a note sheet but you won’t need it. The questions can be figured out by using a little bit of reasoning after watching the lectures.

Projects - The projects are the core of the workload and you should start them early. There are four projects and you have about two weeks to do each. The first two projects took about 35 hours and the second two took about 20 hours. No prior coding experience is required, two of the projects are in a language you’ll learn on the fly and the other two are in very basic python with starter code. I found the projects to be tedious and a test of my ability to follow niche instructions more than an application of the course content or learning a tool/language/concept that I’ll need in the future. Most of the projects have a autograder and the ones that don’t have clear instructions for what is needed to get full marks. The projects are varied and don’t build on each other. They felt like busy work and artificial examples of very small industrial control systems. I never had any “a ha” moments where a concept clicked for me, and nothing from this course would prepare you to work at a factory securing real ICS systems.

Paper Presentation - Throughout the semester you’ll have to read an academic paper, prepare slides on them, and record a video of you presenting it. It took me about 6 hours total to read the paper, come up with a script and slides, and then record and upload it. You’ll also have to watch other students videos and participate in discussions with them.

Workload - This class is not challenging but it is tedious. Start the projects early because they do take a significant amount of time.

Overall - This was my first class in the program and I was disappointed in its rigor and content. The basics of securing ICS systems are pretty obvious and it never gets more complicated than what is introduced in the first two lectures. I would have preferred it go much deeper into the topics and have less trivial projects to work on.

This class was pretty easy/light workload (two caveats to that) but also frankly kind of bad. I wish I had taken something else.

The good: -Although lectures were very broad/high level and repetitive, I thought they were fairly clear. -I learned a good survey about industrial control systems and threats to those systems that I really knew nothing about before. Now I see attacks on ICS systems in the news and it means something to me. -It was novel to me to do functional block diagrams (which sucked, but still a new way to think) and ladder diagrams. -I learned a few cool things from having to do the paper presentation and watch other people's presentations.

The bad: -Very low quality exams worth a high percent of your score. -At some point lectures and projects completely diverge so that you are basically watching lectures solely for the exams and then on a completely separate track are doing the projects. -Lectures start to become very repetitive. -The first project felt like a (very tedious) game and wasn't clear to me what it was actually teaching me about security or ICSes. -The course VM for Project 2 was very buggy. -There was no autograder.

Mostly the workload was very light and the class was almost over by Thanksgiving break. The caveats about why it's maybe not easy are (1) the first 2 projects were extremely tedious and time-consuming, so that part isn't easy and (2) this class has a multiple choice midterm and a final that are together 30% of your grade. Both are very low-quality multiple-choice exams with no study guide to speak of which consist mostly of random trivia from the lectures. On top of that, the questions are often phrased very ambiguously. In other words, it is very easy to miss questions on these exams and lose a lot of points. I can imagine someone understanding the material well but not getting an A because of the weighting and quality of the exams. (Similar in quality to Computer Networks exams if I recall correctly.)

Workload estimate for the projects: Mini Project 1 Factory I/O: 27 hours Mini Project 2 LD: 17 hours Mini Project 3 Modbus: 6 hours Mini Project 4 Buffer Overflow Attack: 9 hours

One last note: They state some hardware requirements on projects 1 and 2 which were higher than what OMSCS itself suggests. This briefly freaked me out, because those requirements were not listed in the course description itself anywhere, and I had just bought a new laptop for school that didn't meet the requirements. However, my new laptop with 8GB RAM and no dedicated video card proved to be completely fine.

The projects were engaging and kept the class interesting. Although frustrating, you have to use trial and error to get it working correctly. Boolean logic will help with the first project, YouTube videos on how ladder logic works helps on the second. Especially the 'order of operations' in ladder logic, eg how it assigns variables can mess up your program. The third project wasn't too intensive. As soon as you know where to look for the modbus values and filtering the Wireshark, it was straight forward. The last overflow project was definitely tricky and some good GDB debugging will help find the overflow. Really look at the write up FAQ and visualize the read write registers.

Exams were decently challenging. Most came from the lectures however, I recommend reading the text because the lectures are just an abbreviations of what the text covers. So, the text might reiterate a topic multiple times and the lectures hit on it once and of course, a question is on the exam of that glosses over topic from the lectures. Some questions did get into the weeds of the project and lectures so take good notes on your one/two sided paper.

Solid class. Lectures are good. They follow the Intro to Network Security Textbook very closely. I watched all of the lectures week by week and then read the textbook chapters to review for the final. I think it was a good strategy.

The lectures combine the topics of IT/networking/cybersecurity with the topic of industrial automation. I definitely wish I had reviewed more networking material before taking the course. I hadn't taken a formal networking course and although there was a background lecture on it, I found the networking topics to be the most difficult.

I really enjoyed the mini-projects. I highly recommend starting them early, since the time they take can vary drastically depending on your background knowledge in industrial controls and cybersecurity.

The paper presentation assignment would have been a lot more enjoyable if it were as well organized as the mini-projects. There wasn't a written instruction document, just a post on Piazza and the announcements section of Canvas. The way to sign up for a time slot and claim a paper to present on was also not great. It was just a big spreadsheet that everyone had edit access to. We were told that our grade on the assignment would be significantly docked if we chose a paper that someone else had already claimed or if we messed up the spreadsheet. I think there could have been some sort of form or signup webpage to do this. The spreadsheet was kind of messy and I could see how someone could accidentally mess it up or choose a paper that was already chosen. I also don't see much reason why the submission deadlines for this assignment were staggered. I would have preferred if the assignment was due at the same time for everyone.

All in all, it was an interesting course. I hope the course staff figure out a better way of handling the paper presentation assignment, but besides that I was a big fan of the material and the way the class was run.

A good course with some challenging projects, and as with everything in Cybersecurity you need to be familiar with Python. You can pair this with another class, but be warned that the first and second (perhaps even the fourth) projects will take up all your time. Project 1 took me 100 hours, Project 2 took about 60 hours, Project 3 & 4 about 20 hours each. The mid term and final are well outlined in Piazza when they release them, and there is a presentation project that was actually fun to create. The TAs are quick to respond in Piazza, and some will respond in the Slack.

Project 1 is heavy on system resources, and if you run Mac or Linux you're going to have a bad time as it only runs on Windows. The project tasks are straight forward but the project will easily suck up the two weeks to complete it. The difficulty is learning the program (read the entire manual!), and your own logic will work against you. Keep things simple and organized. For Project 2, I found the PLC Editor was far better on Windows, the Linux one is sluggish and doesn't do highlighting.

The lectures are OK. Halfway through the course the professor started talking fast and dropped a lot of heavy information to digest, expect to rewind multiple times. The books are useless, don't get them unless you'll be working around ICS or enjoy doing embedded projects.