Industrial control systems (ICS) manage our everyday water, electricity, and gas resources. The same interconnectedness and automation that makes these systems effective and efficient also increases their vulnerability to dangerous attacks that could leave cities and states without essential resources.
A cybersecurity engineering senior design team is testing a scaled-down ICS system provided by Dragos, Inc. to help the company shore up its cybersecurity infrastructure.
Seniors Marissa Costa, Natalie Sebastian, Kyle Simmons, Andrew Smith, Santiago Taboada Patino, and Zaine Wilson are working together to address the problem “Our whole job is to poke around and complete a security assessment on the ICS that Dragos, Inc. provided. We are attacking it and creating detection rules for them to implement,” says Patino.
The team is penetration testing numerous components of the system Dragos, Inc. provided them to use. Penetration testing simulates a cyber-attack and pinpoints vulnerabilities. “The penetration testing we are doing is the best way possible to gain an understanding of how a cyber-attack could be carried out. Pen testing is like rating a bridge for how much weight it can support versus actually building a test bridge and driving progressively heavier trucks over it until it collapses,” says Wilson.
Ensuring ICS security like the one the students are working on safeguards our world’s critical infrastructure. Power plants, water distributors, and gas companies all use ICS to protect the delivery of their customers’ essential resources. “Power, water, gas—they all start at one point and end at another, typically people’s homes or businesses. ICS provides the security to safeguard those processes, and without security measures, entire power plants could be shut down by malicious cyber attackers,” says Simmons.
Dragos, Inc. delivered the system to the Fairfax Campus last fall. The team is spending their senior year penetration testing and using the vulnerabilities they find to create detection rules that can be included in future updates. Working with their faculty advisor, Assistant Professor Thomas G. Winston, and a subject matter expert from Dragos, Inc. makes the process as efficient as possible.
The Department of Cyber Security Engineering forges partnerships with companies like Dragos, Inc. to provide real-world projects for students. But this project has a specific impact that made the team excited to start. “Industrial control systems have cyber-physical effects. People can understand it easier as opposed to more obscure cyber-attacks. In this case, a system could be breached, and lives could be lost,” says Wilson.
Attacks like these have occurred across the globe and even close to home. Costa points to a recent attack in the United States that illustrated the vulnerabilities in the system. In February, a cyber attacker hacked a water treatment plant in Florida and remotely adjusted sodium hydroxide levels to more than 100 times the normal level, news outlets reported. Luckily, the system operator noticed the intrusion and immediately reduced the level back, but left unchanged, the water would have been toxic.
Dangerous attacks like those in Florida are why the team’s work is valuable to society.
The team jumped on the chance to work on this project because of its importance. They are excited they are contributing to protecting everyday life. “Industrial control systems like this one involve real people in their homes, people in a community who can be harmed by attacks on these systems," says Costa.