A coalition between Iowa State University, the University of Illinois at Urbana-Champaign and industry and government partners aims to be more than a “Kitchen Cabinet” of advisors — the National Security Agency wants results in developing cybersecurity talent in the Midwest.
“Kitchen Cabinet” is the term given to then-President Andrew Jackson’s unofficial group of advisors. There’s no kitchen directly involved with the cybersecurity coalition that Iowa State is a part of, but there is a ReCIPE — a Regional Coalition for Critical Infrastructure Protection, Education and Practice.
That’s the name of the coalition led by Iowa State and the University of Illinois that has received $2 million in two-year grant funding from the NSA, focused on developing a cybersecurity workforce that can protect critical infrastructure from attack — and, in particular, defend the nation’s electrical grid.
Doug Jacobson, an electrical and computer engineering professor at Iowa State, said the NSA — through the agency’s National Centers of Academic Excellence in Cybersecurity — is funding similar cybersecurity coalitions across the country that are also looking at the security of the electrical grid, of elections and the financial sector.
Cyberattacks have affected Iowa industry: Iowa pork plant among those affected by ransomware attack on JBS
Jacobsen is also the director of the university’s Center for Cybersecurity Innovation and Outreach and the leader of ReCIPE.
He explained that the coalitions exist to help form a community between industry and academia of shared expertise and to provide educational resources and workforce development to industry.
He said the NSA wants the partnerships to exist past the funding, “that these people who come together stay together and are working as a group to make sure, in our case, that the lights stay on.”
In practice, the recipe for expanding the Midwest’s cybersecurity workforce and providing new or updated skills to existing professionals will include “hands-on training, realistic tabletop and testbed exercises, capstone design projects, cyber defense competitions and technical materials for students and professionals,” according to a news release from Iowa State.
Jacobsen said the coalition would probably not directly lead to any new undergraduate degree programs at Iowa State — the university already has a cybersecurity program — but could lead to new elective courses on critical infrastructure protection and credentialing options for people already in the workforce.
He said there’s a shortage of cybersecurity professionals, particularly in rural parts of the country that have difficulty attracting or retaining professionals — even though there are small utility companies there that also need protection. “It’s not so much that there isn’t money to pay them, there’s not enough of them to be paid.”
As a workaround, he said existing workforces can receive more training.
Jacobsen explained that critical infrastructure has three main sides that need protection: a business side — customers’ personal information in billing departments — but also internal management systems and control systems.
Colonial Pipeline Co. being forced to pay a multi-million dollar ransom earlier this year to get its fuel-supplying pipeline system running again was a recent example of a compromised management system leaving operators without access.
The hijacking of a control system might involve a cyber-attacker deliberately over-pressurizing a pipeline, causing it to explode, Jacobsen said.
A cybersecurity job can be done remotely, and that’s becoming more common on the business side, Jacobsen said, but remote access to a more sensitive internal network, such as a control system, could also open up a pathway over the internet for a would-be attacker to gain access.
A hacker earlier this year used remote access software used by workers at a Florida water treatment plant to unsuccessfully try to poison a city’s water supply with lye. A supervisor caught the tampering as it was happening and was able to stop it.
How vulnerable are U.S. electrical grids to cyberattacks?
The Congressional Budget Office in March 2020 placed the likelihood and potential economic impact of a large cyberattack against the electrical grid somewhere between a major earthquake or hurricane and a severe solar storm or a nuclear weapon being exploded high up in the atmosphere.
On average, a major hurricane could threaten the electrical grid every 10 years and a major earthquake every 50 years, each capable of causing tens of billions of dollars in damage just by its impacts to the grid. Much more widespread damage from a power surge caused by a solar storm or a nuclear explosion hundreds of miles above the ground is less likely to happen — about once every century for a damaging solar storm — but the damage could cost trillions of dollars.
Jacobson said electrical grid operators have tried and true processes and procedures for getting power back on after a natural event such as a thunder or ice storm.
However, he said utility companies don’t usually have to continue fighting their adversaries after an event. “The derecho blew through, you’re done. The tornado went through, you’re done. In cyber, there’s a potential of a persistent adversary that won’t let you bring it back.”
Jacobsen also said a cyberattack could affect a much larger portion of a grid than a local natural disaster.
The Congressional Budget Office cited a March 2019 cyberattack as the first on record for the U.S. electrical grid, though the disruptions to control system communications at several small generating sites in the West did not lead to any blackouts.
A December 2015 attack in Ukraine, suspected to have originated in Russia, knocked out power for six hours, according to the budget office.
On the one hand, the U.S. power grid is decentralized and dispersed — a plus for cybersecurity, although other researchers, including at Iowa State, have found that further connecting eastern and western grids in the U.S. could create a more resilient and efficient system that would be better at getting power to where it’s most needed.
However, the grid is also increasingly digitized, too, opening up more possibilities for would-be attackers to exploit.
Fortunately, Jacobsen said it’s not as simple to hack an electrical generator in a power plant, for instance, as someone might see in a movie or TV show where a hacker directly connects to the equipment wirelessly from their laptop.
“The industry does a fairly good job of separating those three systems that I mentioned,” so it usually takes multiple steps for an attacker to get into a control system, he said.
“Several things have to break down, from a security standpoint, to let you get in. But, as with any time you’re trying to protect anything and you have to be perfect, nobody is. So, things occasionally do happen, and that’s a lot of what cybersecurity is about — trying to figure out how to deal with that, how to hopefully prevent that, but in the case of even if you can’t prevent it, do you know what to do,” Jacobsen said.
Phillip Sitter covers education for the Ames Tribune, including Iowa State University and PreK-12 schools in Ames and elsewhere in Story County. Phillip can be reached via email at firstname.lastname@example.org. He is on Twitter @pslifeisabeauty.