Guardians of the Grid
Two engineering professors are at the forefront of solving cyber threats.
Safeguard the country’s power grid from terrorist attack? CHECK.
Help people protect their online reputation? CHECK AGAIN.
Hackers cost the U.S. economy $24 billion to $120 billion annually. That’s not even counting the threat they pose to vital infrastructure like transportation systems, drinking water and the electric grid. As the University of Rhode Island seeks ways to keep hackers at bay, two electrical and computer engineering professors are tackling the problem from power outlet to Amazon purchase.
Together, Associate Professor Haibo He and Associate Professor Yan “Lindsay” Sun are encouraging students to confront real-world threats while pursuing research to protect our infrastructure and online reputations.
“A lot of people hear these scary cyberattack stories on the news,” Sun says. “As professors, the question we ask ourselves is, how do we protect the community from these attacks?”
It starts by teaching the next generation of computer engineers to build more secure systems. Both professors make it a point to discuss the latest threats in class. When researchers unveiled the Heartbleed Bug in April, Sun rearranged her teaching schedule to present the flaw that exposed passwords and other private information.
“I asked them to discuss, if you’re a decision maker, what policies are you going to make?” she says.
Her students proposed keeping the bug’s existence hidden from the public. However, they would fix the problem covertly by including a patch in inconspicuous software updates. By limiting the updates to U.S. computers, American consumers would be protected but national security agencies could exploit the flaw against enemies.
“I’m very proud of them,” Sun says. “It shows they learned that you have to think about cybersecurity not only from a consumer’s point of view.”
Engineers are increasingly faced with the intersection of policy, implementation and national security. The challenge of balancing those while protecting American consumers is no easy task; today it’s hard to find a device that does not connect to the Internet. Besides computers and smartphones, we’re linking refrigerators, garage doors, drones, traffic cameras, and even eyeglasses to the World Wide Web. Security experts call it the “Internet of Things.” The two professors call it the “Internet of Vulnerability.”
Keeping the Lights On
The computer monitor in front of Yihai Zhu ’14 shows a map of the San Francisco Bay area, home to some of the country’s most prominent companies and 825,000 people. Zhu, a graduate student in electrical engineering, clicks a substation in Berkeley, a bustling city on the eastern shore of San Francisco Bay. Then he waits. The initial substation turns black. A few moments later, the lines emanating from the station start to turn black one by one. Soon other substations go dark as a major power failure drapes the region in darkness.
“Recently in the news, they said if you took down nine power substations you could take down the nation’s power grid,” Zhu says. “This may sound ridiculous, but to me it sounds very possible.”
Professors He and Sun advise a team of students, including Zhu, studying the emerging threats to critical infrastructure systems reliant on computer controls. By pooling their knowledge of computer networks and power engineering, the duo forms a powerful offense against hackers.
“People are really excited to see two fields combine to tackle this very important challenge,” Professor He says.
The professor says their work has shown that a coordinated attack could devastate the electric grid. The biggest threat stems from an attack that disables multiple substations and transmission lines in a specific order. If done correctly, the problems would initially be small. By the time operators discovered the attack, it would be too late and a cascading failure would occur. To make matters worse, the built-in “fix” of rerouting power around affected areas would overload systems and create additional damage. Blackouts could last for days or weeks. People would quickly find themselves lacking heating and cooling systems, driving on roadways without traffic lights, and facing an economy crippled by the inability to conduct any online transactions, from processing credit cards to buying stocks.
“Hackers will not cause random failures,” Sun says. “They will carefully choose substations and transmission lines. That kind of failure was not considered by traditional power engineers.”
Their work has garnered national attention and won research funding from the National Science Foundation.
“It’s the next wave of cybersecurity research,” explains Victor Fay-Wolfe, head of the University’s Digital Forensics and Cyber Security Center (see Cyber Nexus, below).
For electrical engineering graduate student Jun Yan M.S. ’13, riding that wave is a thrill. After completing his master’s degree here in 2013, he stayed on for the doctoral program and a chance to continue studying the security of infrastructure systems.
“There is something exciting about the research that gets me,” Yan says. “We are working on theory, models, mathematics. It’s new and it’s not just one discipline.”
Cyber Nexus
On TV crime shows it takes just a few minutes for the geeky lab technician to uncover the damning evidence on the suspect’s computer or stop an attack that could bring down the government. Experts at URI’s Digital Forensics and Cyber Security Center know that’s far from reality.
“It’s never that easy,” Director Victor Fay-Wolfe says. “There are always dead ends that can take days to resolve.”
Since 2004, the center has sought to outfox increasingly sophisticated hackers by consulting for police, attorneys and corporations, including the Rhode Island Cyber Disruption Team—the state’s first responders in a major hack to critical infrastructure—and the State Police’s Computer Crimes Unit.
Fay-Wolfe, a computer science professor, founded the Center. Faculty and staff now number eight; the Center serves about 75 students annually in academic programs and has generated $5 million in grants in the last six years.
Researchers have been very successful, Fay-Wolfe says, but there’s one problem they just can’t seem to crack.
“On TV shows, they always look a lot younger than we are,” he says with a laugh.
—Chris Barrett ’08
Private industry is paying attention. Providence-based Utilidata designs systems that make the electric grid more efficient. The company wants to ensure that those efficiency controls do not inadvertently open the grid to attacks.
Utilidata Chief Information Security Officer Siobhan MacDermott says the work of academic researchers often proves vital.
“Our greatest collaborators come out of universities,” she says. “When you’re working in an academic environment, you’re not constrained in your thinking.”
MacDermott says Professor He’s research has already produced a powerful tool in its easy-to-understand modeling (right). Such models help companies like Utilidata explain the threat to policymakers and senior executives who may lack engineering backgrounds.
For Utilidata, there is also the appeal of having an expert just 45 minutes away. MacDermott says in-person meetings can drive faster innovation and keep the good guys ahead of rapidly evolving hacks.
And hackers can find new targets on the electric grid. As government officials encourage development of renewable energy systems like solar panels and wind turbines around the country, more access points to the grid appear. The system has become the largest network on the planet.
Yet, cybersecurity was not a concern when engineers first built the grid a century ago. Thousands of miles of key transmission lines stand unprotected and chain link fences are the only defense for many substations. Grid computer systems were designed for monitoring, not protection.
There is hope. Media and congressional attention on the issue motivated federal agencies to start crafting more stringent regulations for protecting the electric grid from physical and cyber attacks.
At the University of Rhode Island, work is shifting from analyzing the problem to developing defensive strategies. Traditionally, researchers would conduct an experiment, but Professor He notes that he can’t shut down a substation to see what happens. Research is relegated to computer models. The professor hopes one day to outfit a lab with a small power generator and transmission network.
“There is always the question of how close your research is to reality,” He says. “If you could show in a lab that if you switch off this switch or cut this line, here’s what happens—that would be great.”
For now, the professor meets with fellow researchers and others in his second floor office in Kelley Hall straddling the Engineering Quad. Down one story sits Professor Sun, who is building much different computer models.
Taming the Online Wild West
Many Internet surfers take online reviews and their corresponding star rankings at face value and assume real people provided honest feedback. The truth is murkier. Online merchants or their hired guns sometimes place false reviews in an effort to boost sales. Professionals take liberties with résumés. Yet these online reputations increasingly drive our decisions about where we spend our money.
“In the broadest sense, our research will help you establish your cyber reputation, protect it and prevent others from manipulating it,” Sun says.
Sun and her students are tackling reputation protection on a number of fronts. She is building a system that automatically scans product reviews in the U.S. online retail industry—expected to reach $370 billion by 2017—for sham posts. Sun discovered that if reviews lack a pattern, they are probably genuine. Reviews with similar patterns were likely generated by a computer or bulk technique. Sun’s goal is to create a system in which a Web surfer can copy the address of a page containing reviews into an online form and immediately see the legitimacy of the reviews.
By using Sun’s work as a foundation, researchers could also analyze the reputations of individuals. Sun sees a day when voters could search for political candidates and, with the help of an online tool, gauge the accuracy of their online reputations.
Sun also wants to protect voters who make campaign donations online or purchase a bumper sticker with a digital wallet. Stored payment information like credit card numbers serves as an attractive target to criminals. Recently, criminals have stolen credit card numbers from several major retailers now scrambling to restore their reputations and placate investors.
“Last time the target was Target,” Sun says. “There’s a lot of research showing small businesses may have far more problems.”
A locally owned coffee shop or corner gas station might be vulnerable because its owners lack the expertise to protect digital systems. Some may not even realize a theft occurred.
And small business owners may only compound their problems if they grouse about their vulnerability on social media. Sun says few users realize how quickly their posts can spread across the Internet and garner thousands of views.
Her team is developing a system to rank the probability of social media posts developing a life of their own. The algorithm will analyze the user’s privacy settings and those of others connected to the post. It will then return a simple number showing the probability that people outside of your immediate circle may see the post. The system will also display the “weakest link,” or the person most likely to be the conduit for additional people to see the post.
The system could help social media users keep their posts private and educate parents and children about the reach of an online post. Sun will highlight the topics of online reputations, privacy and security as she helps organize this year’s Honors Colloquium. (See below.)
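As an added illustration (not part of the original article and not Sun's system), here is one way the exposure score and "weakest link" described above could be computed. The independence model, the per-setting leak weights, and all names and sample data are assumptions made for this example.

```python
from math import prod

# Assumed chance that an interaction by a contact with this privacy setting
# shows the post to that contact's own audience (illustrative weights).
LEAK_BY_SETTING = {"public": 1.0, "friends_of_friends": 0.6, "friends_only": 0.3}

def leak_probability(contact, circle):
    """Chance this contact carries the post to someone outside the circle."""
    outsiders = set(contact["friends"]) - circle
    if not outsiders:
        return 0.0  # everyone they know is already in the author's circle
    return contact["interacts"] * LEAK_BY_SETTING[contact["setting"]]

def exposure_report(author, author_setting, contacts):
    """Return (probability the post is seen outside the circle, weakest link)."""
    if author_setting == "public":
        return 1.0, author  # the author's own setting already exposes the post
    circle = set(contacts) | {author}
    leaks = {name: leak_probability(c, circle) for name, c in contacts.items()}

    def exposure(skip=None):
        # Contacts are treated as independent: the post stays inside the
        # circle only if no contact leaks it.
        return 1.0 - prod(1.0 - p for n, p in leaks.items() if n != skip)

    total = exposure()
    # Weakest link: the contact whose removal lowers the exposure the most.
    weakest = max(leaks, key=lambda n: total - exposure(skip=n))
    return round(total, 3), weakest

# Constructed sample data: "interacts" is an assumed chance of liking,
# commenting on or sharing the post.
SAMPLE_CONTACTS = {
    "ana": {"setting": "friends_only", "interacts": 0.5,
            "friends": ["author", "ben", "zoe"]},
    "ben": {"setting": "public", "interacts": 0.2,
            "friends": ["author", "ana", "kim", "lee"]},
    "cam": {"setting": "public", "interacts": 0.9,
            "friends": ["author", "ana"]},
}

if __name__ == "__main__":
    print(exposure_report("author", "friends_only", SAMPLE_CONTACTS))
```

In the sample, "cam" is the most active contact with the most open setting but knows nobody outside the circle, so the weakest link is "ben".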
Both Sun and He say that to be effective, researchers must reach across traditional academic disciplines. Cybersecurity requires understanding the physical wires and equipment, the latest software, and—yes—human psychology.
The University took a major step toward encouraging cross-disciplinary research by establishing the Digital Forensics and Cyber Security Center in 2004. Both Sun and He are members of the Center, along with professors from computer science and staff from the University’s Information Technology Services.
“Because URI has one identity to represent cybersecurity research, you get a lot of voice,” Sun says. “And inside the center, you have different strengths.”
The Center and individual professors are finding willing partners. Professor Sun works with researchers at other universities and has run a major hacking competition for students across the country.
Professor He says because URI was one of the first institutions to study electric grid security, calls are coming from far and wide. Government officials want to see his models, universities are seeking recent Ph.D. graduates to fill faculty positions, and conferences want speakers. Private industry is also knocking at the door. MacDermott, the chief information security officer at Utilidata, says that’s to be expected.
“They get to do all the fun thinking,” she says, “and we get to implement the solution.”
—Chris Barrett ’08
Join the Discussion
Honors Colloquium 2014
In the age of WikiLeaks and Edward Snowden, many feel it’s time for the country to re-evaluate the balance between technology’s convenience and its potential for abuse. This fall, the University of Rhode Island’s annual Honors Colloquium will explore just that topic. Cybersecurity and Privacy in the Digital Age kicks off in September and features a series of public talks by experts in the field.
“Most people are unaware of the vast amount of personal data about themselves that is available, and how this information is mined by corporations and government agencies to create an amazingly detailed picture of their lives,” says computer science Professor Ed Lamagna, who is spearheading the Colloquium. “The Colloquium will raise awareness about this loss of privacy, and explore the delicate balance between individual freedom and the need to protect our national security.”
Speakers will include U.S. Rep. James Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus; James Bamford, an author who has written about the National Security Agency; and Heidi Boghosian, executive director of the National Lawyers Guild and author of the best-seller Spying on Democracy.
The colloquium is held on the Kingston campus and is free and open to the public. More information at uri.edu/hc.
—Chris Barrett ’08