NSA-funded cybersecurity workforce training programs


(TNS) – Coalition between Iowa State University, University of Illinois at Urbana-Champaign, and industry and government partners aims to be more than a “kitchen cabinet” of advisers – National Security Agency wants results in developing cybersecurity talent in the Midwest.

“Kitchen cabinet” is the term given to the unofficial group of advisers to then-President Andrew Jackson. There is no kitchen directly involved in the cybersecurity coalition that the state of Iowa is a part of, but there is a ReCIPE – a regional coalition for the protection, education and practice of critical infrastructure.

It’s the name of the Iowa State-University of Illinois-led coalition that received a two-year, $ 2 million grant from the NSA focused on building a workforce. cybersecurity work capable of protecting critical infrastructures against attacks – and, in particular, of defending the country’s electricity grid.

Doug Jacobson, professor of electrical and computer engineering at Iowa State, said the NSA – through the agency’s National Centers of Academic Excellence in Cybersecurity – is funding similar cybersecurity coalitions across the country that are examining also security of the electricity grid, elections and the financial sector.

Jacobsen is also the director of the university’s Center for Cybersecurity Innovation and Outreach and the leader of ReCIPE.

He explained that coalitions exist to help form a community between industry and academia of shared expertise and to provide educational resources and workforce development to the industry.

He said the NSA wants partnerships to exist beyond funding, “that those people who come together stay together and work as a group to make sure, in our case, that the lights stay on.”

In practice, the recipe for expanding the Midwestern cybersecurity workforce and providing new or updated skills to existing professionals will include “hands-on training, realistic bench-top and bench-top exercises, projects design synthesis, cyber defense competitions and technical material for students and professionals. according to an Iowa state press release.

Jacobsen said the coalition is unlikely to lead directly to new undergraduate programs in the state of Iowa – the university already has a cybersecurity program – but could lead to new electives on the protection of critical infrastructure and accreditation options for those already active.

He said there was a shortage of cybersecurity professionals, especially in rural parts of the country who are struggling to attract or retain professionals – although there are small utility companies that have also need protection. “It’s not that there’s no money to pay them, there’s not enough to be paid.”

As a workaround, he said the existing workforce can receive more training.

Jacobsen explained that critical infrastructure has three main sides that need to be protected: a business side – customers’ personal information in billing departments – but also internal management systems and control systems.

Colonial Pipeline Co. forced to pay a multi-million dollar ransom earlier this year to restart its fuel supply pipeline system was a recent example of a compromised management system leaving operators without access.

Hijacking a control system could involve a cyber attacker purposely overpressurizing a pipeline, causing it to explode, Jacobsen said.

Cybersecurity work can be done remotely, and this is becoming more and more common on the business side, Jacobsen said, but remote access to a more sensitive internal network, such as a control system, could also. pave the way on the Internet for one. be an attacker to access.

A hacker earlier this year remote access software used used by workers at a Florida water treatment plant in unsuccessful attempts to poison a city’s water supply with lye. A supervisor detected the tampering as it occurred and was able to stop it.


In March 2020, the Congressional Budget Office placed the likelihood and potential economic impact a large cyberattack on the power grid somewhere between an earthquake or a major hurricane and a severe solar storm or the explosion of a nuclear weapon high in the atmosphere.

On average, a major hurricane could threaten the power grid every 10 years and a major earthquake every 50 years, each of which could cause tens of billions of dollars in damage just through its impacts on the grid. Much more extensive damage from a surge caused by a solar storm or nuclear explosion hundreds of miles above the ground is less likely to occur – about once a century for a damaging solar storm – but the damage could cost billions of dollars.

Jacobson said power grid operators have proven processes and procedures in place to restore power after a natural event such as thunder or an ice storm.

However, he said utility companies generally don’t have to keep fighting their opponents after an event. “The derecho has blown, you’re done. The tornado has passed, you’re done. In cyber, there is a lingering adversary potential that won’t let you bring it back.”

Jacobsen also said that a cyber attack could affect a much larger part of a network than a local natural disaster.

The Congressional Budget Office cited a March 2019 cyberattack as the first on record for the U.S. electricity grid, although disruption to control system communications at several small production sites in the West did not result in any outages.

A December 2015 attack in Ukraine, believed to have originated in Russia, cut off the power for six hours, according to the budget office.

On the one hand, the U.S. electricity grid is decentralized and dispersed – a plus for cybersecurity, although other researchers, including at Iowa State, have found that further linking the east and west networks in the United States could create a more resilient and efficient system that would better deliver electricity to where it is needed most.

However, the grid is also increasingly digitized, opening up more possibilities for potential attackers to exploit.

Fortunately, Jacobsen said it isn’t as straightforward to hack an electric generator in a power plant, for example, as someone might see in a movie or TV show where a hacker connects directly to the wireless equipment from his laptop.

“The industry is doing a pretty good job of segregating the three systems that I mentioned,” he said. It usually takes several steps for an attacker to enter a control system.

“Several things have to break down, from a security standpoint, to let you in. But, like every time you’re trying to protect anything and you have to be perfect, no one is. , things do happen sometimes, and that’s largely what cybersecurity is – trying to figure out how to deal with it, how to prevent it, hopefully, but in case even if you can’t prevent it , do you know what to do, ”Jacobsen said.

© 2021 www.amestrib.com. Distributed by Tribune Content Agency, LLC.


About Author

Comments are closed.