Stu Steiner: EWU is committed to securing the critical infrastructure of the state of Washington and U.S.
By Stu Steiner, Ph.D.
The 2020 SolarWinds cybersecurity breach potentially compromised millions of servers in the United States, including those managed by the federal government. The breach is so large that months later, the full extent is still not known.
Due to the pandemic, most of us were happy to say goodbye to 2020 as we looked forward to 2021 and the possibilities it might bring. For those in cybersecurity, we look at those possibilities through a critical lens: What are the chances of another SolarWinds-type of attack?
Just two and a half months into 2021, there have already been three major breaches and dozens of small breaches. This troubling trend of data breaches is only going to grow as we move through the year.
The first major data breach occurred when the Washington State Auditor’s office was notified that one of its online service companies, Accellion, had been breached. This incident potentially affected 1.6 million state residents. Authorities are still investigating this sophisticated breach to determine if the origin was possibly a nation-state.
The second major breach compromised Microsoft’s Exchange email services. The breach started in January 2021 and it compromised hundreds of thousands of email servers. The impact of this attack is similar to the SolarWinds attack, in that the extent of the attack is still unknown, and the attack was from a foreign nation-state.
The third major breach occurred Feb. 5 in Oldsmar, Florida. This attack attempted to poison the city’s water supply. Initially, there were fears that this breach was somehow related to the Super Bowl in Tampa Bay. An observant operator stymied the attack, and the system was secured. Authorities are still investigating this incident, believing the perpetrator was fortunately not sophisticated enough to succeed.
Ultimately the Florida water treatment breach forced every water system in the U.S. to examine the security of their critical infrastructure systems.
The definition of critical infrastructure is “Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This definition includes transportation, agriculture, public health, telecommunications, critical manufacturing, energy (power grid), and water – including wastewater.
Moving beyond water systems, one has to wonder about the security of the critical infrastructure of our country, and specifically in the state of Washington. Ultimately, this is not an easy question to address because in most cases each city, county or region controls its own system.
With the governor’s overall move toward green energy, the need is even greater for training cybersecurity professionals to protect critical infrastructure.
As more renewable energy facilities are constructed, each one needs to be protected. Connecting renewable energy facilities to the power grid creates new opportunities for cyberattack. A successful cyberattack on an attached renewable energy device has the potential to create cascading failures affecting the entire power grid. Properly securing renewable energy facilities requires special training. This need is being met right here in our own backyard by Eastern Washington University, in collaboration with other innovative programs.
For instance, more than 70 high school teams from around Eastern Washington have already participated in the Air Force Association CyberPatriot program. This is designed to direct high school students toward higher education and careers in cybersecurity or STEM-related disciplines. Also, a series of GenCyber summer camps tailored to middle and high school students will soon be coming to the region.
As for EWU, we are taking a lead role in this effort. Eastern computer science cybersecurity students are participating in the Public Infrastructure Security Education System, or PISCES, which trains university students as cybersecurity analysts. EWU students are monitoring the incoming network traffic of communities like Kittitas, Port Townsend and Spokane Valley, specifically looking for cybersecurity threats. Recently, EWU students were successful in detecting and blocking scans and intrusion attempts from a nation-state.
The university is also leading the way in this field through successes in our computer science and cybersecurity programs. Last year, an EWU computer science student placed 5th out of over 3,000 students in a national cybersecurity competition.
EWU Computer Science will also soon be recognized as a four-year National Center of Academic Excellence in Cybersecurity (NCAE-C). As an NCAE-C designated program, EWU’s Computer Science cybersecurity program meets the criteria to train and graduate students equipped with the knowledge to secure the nation’s computers and networks.
Eastern is also leading the region in educating future professionals specifically trained for securing critical infrastructure. We have built a virtual training environment so students can experience securing critical infrastructure without having to purchase expensive equipment. This “testbed” teaches EWU students the skills to protect the power grid and water systems.
Just as the Seattle region led the computer revolution through strong partnerships between business, higher education and the state, the next great evolution in the tech industry will be led by the state’s universities, industries and public agencies working together to provide real-world, real-time protection for our critical infrastructure. Protecting our critical infrastructure from cybersecurity attacks will require us to focus like a hawk – or an Eagle.
Stu Steiner, Ph.D. is an assistant professor of computer science at Eastern Washington University.