[BreachExchange] Iowa Universities, Gov. Partner to Train Cybersecurity Workers

[Terrell Byrd]

https://www.governing.com/security/iowa-universities-gov-partner-to-train-cybersecurity-workers

(TNS) — A coalition between Iowa State University, the University of
Illinois at Urbana-Champaign and industry and government partners aims to
be more than a "Kitchen Cabinet" of advisors — the National Security Agency
wants results in developing cybersecurity talent in the Midwest.

"Kitchen Cabinet" is the term given to then-President Andrew Jackson's
unofficial group of advisors. There's no kitchen directly involved with the
cybersecurity coalition that Iowa State is a part of, but there is a ReCIPE
— a Regional Coalition for Critical Infrastructure Protection, Education
and Practice.

That's the name of the coalition led by Iowa State and the University of
Illinois that has received $2 million in two-year grant funding from the
NSA, focused on developing a cybersecurity workforce that can protect
critical infrastructure from attack — and, in particular, defend the
nation's electrical grid.

Doug Jacobson, an electrical and computer engineering professor at Iowa
State, said the NSA — through the agency's National Centers of Academic
Excellence in Cybersecurity — is funding similar cybersecurity coalitions
across the country that are also looking at the security of the electrical
grid, of elections and the financial sector.

Jacobsen is also the director of the university's Center for Cybersecurity
Innovation and Outreach and the leader of ReCIPE.

He explained that the coalitions exist to help form a community between
industry and academia of shared expertise and to provide educational
resources and workforce development to industry.

He said the NSA wants the partnerships to exist past the funding, "that
these people who come together stay together and are working as a group to
make sure, in our case, that the lights stay on."

In practice, the recipe for expanding the Midwest's cybersecurity workforce
and providing new or updated skills to existing professionals will include
"hands-on training, realistic tabletop and testbed exercises, capstone
design projects, cyber defense competitions and technical materials for
students and professionals," according to a news release from Iowa State.

Jacobsen said the coalition would probably not directly lead to any new
undergraduate degree programs at Iowa State — the university already has a
cybersecurity program — but could lead to new elective courses on critical
infrastructure protection and credentialing options for people already in
the workforce.

He said there's a shortage of cybersecurity professionals, particularly in
rural parts of the country that have difficulty attracting or retaining
professionals — even though there are small utility companies there that
also need protection. "It's not so much that there isn't money to pay them,
there's not enough of them to be paid."

As a workaround, he said existing workforces can receive more training.

Jacobsen explained that critical infrastructure has three main sides that
need protection: a business side — customers' personal information in
billing departments — but also internal management systems and control
systems.

Colonial Pipeline Co. being forced to pay a multi-million dollar ransom
earlier this year to get its fuel-supplying pipeline system running again
was a recent example of a compromised management system leaving operators
without access.

The hijacking of a control system might involve a cyber-attacker
deliberately over-pressurizing a pipeline, causing it to explode, Jacobsen
said.

A cybersecurity job can be done remotely, and that's becoming more common
on the business side, Jacobsen said, but remote access to a more sensitive
internal network, such as a control system, could also open up a pathway
over the internet for a would-be attacker to gain access.

A hacker earlier this year used remote access software used by workers at a
Florida water treatment plant to unsuccessfully try to poison a city's
water supply with lye. A supervisor caught the tampering as it was
happening and was able to stop it.

How Vulnerable Are U.S. Electrical Grids to Cyberattacks?

The Congressional Budget Office in March 2020 placed the likelihood and
potential economic impact of a large cyberattack against the electrical
grid somewhere between a major earthquake or hurricane and a severe solar
storm or a nuclear weapon being exploded high up in the atmosphere.

On average, a major hurricane could threaten the electrical grid every 10
years and a major earthquake every 50 years, each capable of causing tens
of billions of dollars in damage just by its impacts to the grid. Much more
widespread damage from a power surge caused by a solar storm or a nuclear
explosion hundreds of miles above the ground is less likely to happen —
about once every century for a damaging solar storm — but the damage could
cost trillions of dollars.

Jacobson said electrical grid operators have tried and true processes and
procedures for getting power back on after a natural event such as a
thunder or ice storm.

However, he said utility companies don't usually have to continue fighting
their adversaries after an event. "The derecho blew through, you're done.
The tornado went through, you're done. In cyber, there's a potential of a
persistent adversary that won't let you bring it back."

Jacobsen also said a cyberattack could affect a much larger portion of a
grid than a local natural disaster.

The Congressional Budget Office cited a March 2019 cyberattack as the first
on record for the U.S. electrical grid, though the disruptions to control
system communications at several small generating sites in the West did not
lead to any blackouts.

A December 2015 attack in Ukraine, suspected to have originated in Russia,
knocked out power for six hours, according to the budget office.

On the one hand, the U.S. power grid is decentralized and dispersed — a
plus for cybersecurity, although other researchers, including at Iowa
State, have found that further connecting eastern and western grids in the
U.S. could create a more resilient and efficient system that would be
better at getting power to where it's most needed.

However, the grid is also increasingly digitized, too, opening up more
possibilities for would-be attackers to exploit.

Fortunately, Jacobsen said it's not as simple to hack an electrical
generator in a power plant, for instance, as someone might see in a movie
or TV show where a hacker directly connects to the equipment wirelessly
from their laptop.

"The industry does a fairly good job of separating those three systems that
I mentioned," so it usually takes multiple steps for an attacker to get
into a control system, he said.

"Several things have to break down, from a security standpoint, to let you
get in. But, as with any time you're trying to protect anything and you
have to be perfect, nobody is. So, things occasionally do happen, and
that's a lot of what cybersecurity is about — trying to figure out how to
deal with that, how to hopefully prevent that, but in the case of even if
you can't prevent it, do you know what to do," Jacobsen said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20211207/c1091b1a/attachment.html>