Two days before Christmas 2015, hackers took down a Ukrainian power grid, leaving a quarter-million people without electricity for hours. Ukrainian officials suspected — but never publicly confirmed — that the Russian government was behind the sophisticated operation.
It was the first known successful cyberattack against an electrical grid. It was also a shot across the bow of utilities, factories and industrial installations everywhere.
Now a team of four graduate students from the University of Washington’s Information School is taking up the challenge of protecting these types of critical infrastructure. They’re working with cybersecurity consulting firm FireEye, headquartered in California.
“Electrical grids, water-treatment plants, waste-management plants, this is the infrastructure that holds cities and society together, right?” said Lovely-Frances Domingo, one of the students. “They’re very important parts of urban life. In any way that they’re disturbed, it’s going to impact so many people.”
The other team members are Elizabeth Crooks, Yini Guan and Hemica Saxena. They’re second-year students in the Master of Science in Information Management (MSIM) program. This is their Capstone project, an end-of-academic-career requirement for graduation. They started working on the project in the fall.
Many of these installations run on what are known as legacy systems, basically outdated computer systems, Saxena said. With a growing threat of cyberattacks, there’s been more of an effort to safeguard these industrial control systems, she said.
“This is the reason that companies like FireEye are helping to protect and provide services — to make these systems secure,” Saxena said.
The threat is exacerbated by the internet of things, the concept of connecting everyday objects online, Crooks said. Public organizations and private companies are doing this to achieve efficiencies and reduce costs, she said, but that’s making infrastructure vulnerable to outside attacks.
“If you think about a power plant, that wasn’t likely being networked in any significant way until pretty recently,” Crooks said. “So, the chances of somebody being able to get into their systems was way lower.”
Traditionally, these plants have relied on “security by obscurity,” being at low risk of an attack because they were relatively unknown, Guan said. That’s clearly not the case anymore, she said.
“While the goodness of technology is growing, the evilness of the technology world is growing at the same time,” Guan said.
FireEye is working on ways to combat this threat, including projects to streamline vulnerability management for industrial facilities and critical infrastructure.
With a power plant or water-treatment plant or other installation, keeping things running is often the top priority, Crooks said.
“One of their concerns is knowing what vulnerabilities they have and then being able to internally prioritize them to say, ‘OK, this is something that we actually do need to fix,’ or ‘We’re aware of this, but we know that it’s not as big of a deal,’” Crooks said.
The students are helping FireEye with the platform’s user-experience design for one of its projects, said Daniel Kapellmann Zafra, a FireEye senior cyber threat analyst who is based in Virginia.
FireEye wants to address the challenge of vulnerability management for industrial facilities following user-centered design principles, Kapellmann Zafra said.
The students have been meeting via Skype with the FireEye team once every week or two. FireEye worked with a team from the iSchool on another project in the last academic year at Kapellmann Zafra’s urging. A 2017 graduate of the iSchool’s MSIM program, Kapellmann Zafra was familiar with how the school emphasizes the needs of the technology user.
“Knowing that was the focus of the school, I thought it was a good idea to reach out to students and try to get some fresh ideas,” he said.
The project appealed to the students, because it involved their individual interests and topics that they’re studying in their classes, including information security, user experience and business intelligence. Classes that have stood out to them include cybersecurity function and trends; business intelligence systems; operational risks in public and private sectors; managing enterprise security; and design methods.
During meetings with FireEye, Saxena said, she understands the scenarios discussed, in part because of her coursework.
In the design methods class, the instructor taught students to really dig into the context of situations, to be curious, to ask the extra question, Domingo said.
“So, you see this event, but what happened underneath?” Domingo said. “What are the other factors that are tied to it?”
The students are putting this instruction to use. They hope the concept that they deliver will allow industrial institutions to share information about vulnerabilities and allow people to talk to each other.
“So, they’re not just passively defending against whatever attacks come, but instead taking a more preventative measure,” Guan said. “By building this information system, we’re enabling this information flow so people who need to know can be given the power to do their jobs.”