Who will protect the nation’s power grid? Experts involved in the University of Tulsa (TU) Cyber Corps program say the task demands IT workers at all levels with the right combination of education, training, hands-on experience and, just as important, a fierce desire to constantly learn and stay steps ahead of would-be attackers.
Attracting talent from the nation’s youngest generation, for whom technology is a way of life, and proactively engaging males and females in cybersecurity careers, will help meet that need, they say.
“The security of the nation depends on the power grid,” said Richard "Dickie" George, the technical director of the National Security Agency's (NSA's) Information Assurance Directorate who is NSA liaison to the Cyber Corps program, which produces computer security experts employed by U.S. intelligence agencies. Without power, modern life and modern military defense can screech to a halt. A long-term power outage, even localized, could be catastrophic.
Potential threats to the nation’s electrical distribution system are both physical and cyber. Solar flares or acts of terrorism can damage the grid physically, but government, industry and academia see the increasing need to improve power grid defenses against cyber attacks that could compromise or damage its control systems.
How secure is the nation’s power grid currently? “It’s pretty vulnerable,” said George.
Victor Sheymov, head of InVicta Networks Inc., a Reston, Va., company that develops new technologies for cybersecurity, separately answers: “Not secure at all, and this is an understatement.”
Sheymov, a former KGB officer who defected to the United States in 1980, regularly speaks about cybersecurity industry trends to students in the University of Tulsa’s Cyber Corps program, and his company periodically sends new products to Cyber Corps for testing. (“They are the best tester outside of the U.S. government,” Sheymov said.)
Sheymov and University of Tulsa Cyber Corps Director Dr. Sujeet Shenoi agree with the assessment that other nations, and possibly even organized crime or terrorists, are probing the U.S. power grid’s network of private utilities to discover its vulnerabilities and exploit them in the future. “The fact that the malware is already installed and sitting in the network, waiting to be activated, is known among top-levels of national security experts,” Sheymov said.
Potentially accessible via telemetry, satellite connection, SCADA controls and even powerline networking, the nation’s electrical distribution system is “a computer network, and it can be attacked,” said Shenoi. “Viruses, worms—really bad things can happen.”
The grid’s cyber vulnerability will increase as more utilities deploy “smart grid” technologies, he said. “The more complex the system is, the more devices it has, the more catastrophic risk (it has).”
Sheymov, Shenoi and George, who also frequently speaks with Cyber Corps students, look to the U.S. government to act more definitively to defend the power grid and other critical infrastructure from cybersecurity attacks, and they seek increased public awareness of power grid security issues. But just as important, they say, is having enough trained IT personnel to secure the grid.
“Like everything else, the power grid is more and more going to be run by cyber,” said George. “Today what this country needs is a cyber warrior. One who knows how to build protections into our systems to make sure the adversary can’t get into and do things.”
Shenoi wants a long-term focus on science, engineering and mathematics to cultivate the IT workforce needed by critical infrastructure. “We need to focus on community colleges. The largest numbers of people who secure our assets are technical-level people.”
Cybersecurity requires people who are not only knowledgeable about IA topics, but also perform well in real-world situations, he said.
George said, “The advantage is always to the attacker.” He contends a cyberwarrior protecting the power grid, or other critical infrastructure, will need a command of the information assurance and computer security fundamentals, lots of hands-on training and the ability to learn how to defend against determined, capable and frequently anonymous adversaries.
Students, from kindergarten to seniors in high school, need to be told that there are “really exciting jobs in computer security and information assurance” where they can tackle very important and very challenging problems.
“The bottom line is that when you come to work in computer security, it’s all about making a difference to the country. People have to understand that this is something that the nation needs,” added George.
And George contends the industry has to do a better job communicating that message to women and girls who could join the current and future IT workforce. “We certainly aren’t going to outnumber the adversary if we aren’t telling half the workforce that cybersecurity is the place to be.”
As part of its mission to grow the IT workforce, CompTIA issued a video to encourage more people to become security heroes. The video is the newest vehicle in a long list of career tools that CompTIA offers online to help more people join the IT workforce and navigate their way from training and certification to initial employment and career advancement.