The 2020 SolarWinds cybersecurity breach potentially compromised millions of servers in the United States, including those managed by the federal government. The breach is so large that months later, the full extent is still not known.
Due to the pandemic, most of us were happy to say goodbye to 2020 as we looked forward to 2021 and the possibilities it might bring. For those in cybersecurity, we look at those possibilities through a critical lens: What are the chances of another SolarWinds-type of attack?
Just two full months into 2021, and there already have been two major breaches and dozens of small breaches. This troubling trend of cyber-data breaches is only going to grow as we move through the year.
The first major data breach occurred when the Washington state Auditor’s Office was notified one of its online service companies, Accellion, had been breached. This incident potentially affected 1.6 million state residents. Authorities are still investigating this sophisticated breach to determine if the origin was possibly a nation-state.
The second major breach occurred Feb. 5 in Oldsmar, Florida. This attack attempted to poison the city’s water supply. Initial fears believed this breach was somehow related to the Super Bowl in Tampa Bay. An observant operator stymied the attack and the system was secured. Authorities are still investigating this incident, believing the perpetrator was fortunately not sophisticated enough to succeed.
Ultimately, the Florida water treatment breach forced every water system in the U.S. to examine the security of their critical infrastructure systems.
The definition of critical infrastructure is, “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” This definition includes transportation, agriculture, public health, telecommunications, critical manufacturing, energy (power grid) and water, including wastewater.
Moving beyond water systems, one has to wonder about the security of the critical infrastructure of our country, and specifically in the state of Washington. Ultimately, this is not an easy question to address because in most cases each city, county or region controls its own systems.
With Gov. Jay Inslee’s move toward green energy, the need is even greater for training cybersecurity professionals to protect our critical infrastructure. As more renewable-energy facilities are constructed each one needs protection. Connecting renewable-energy facilities to the power grid creates attackable cybersecurity opportunities. A successful cyberattack on an attached renewable-energy device has the potential to create cascading failures affecting the entire power grid. Properly securing renewable-energy facilities requires special training. This need is being met right here in our own backyard by Eastern Washington University, in collaboration with other innovative programs.
For instance, more than 70 high school teams from around Eastern Washington have already participated in the Air Force Association Cyber Patriot program. This program is designed to direct high school students toward higher education and careers in cybersecurity or STEM-related disciplines. Also, a series of GenCyber summer camps tailored to middle and high school students will soon be coming to the region.
At EWU, we are taking a lead role in this effort. Eastern’s computer science cybersecurity students are participating in the Public Infrastructure Security Education System, or PISCES, which trains university students as cybersecurity analysts. EWU students are monitoring the incoming network traffic of communities like Kittitas and Port Townsend, specifically looking for cybersecurity threats. Recently, EWU students were successful in detecting and blocking intrusion attempts from a nation-state.
The university is also leading the way in this field through successes in our computer science and cybersecurity programs. Last year, an EWU computer science student placed fifth out of more than 3,000 students in a national cybersecurity competition.
EWU Computer Science will also soon be recognized as a four-year National Center for Academic in Cyber Defense Education (NCAE-C). As an NCAE-C designated program, EWU’s Computer Science cybersecurity program meets the criteria to train and graduate students equipped with the knowledge to secure the nation’s computers and networks.
Eastern is also leading in educating future professionals specifically trained for securing critical infrastructure. We have built a virtual training environment so students can experience securing critical infrastructure without having to purchase expensive equipment. This “test bed” teaches EWU students the skills to protect the power grid and water systems.
Just as the Seattle region led the computer revolution through strong partnerships between business, higher education and the state, the next great evolution in the tech industry will be led by the state’s universities, industries and public agencies working together to provide real-world, real-time protection for our critical infrastructure.