AMES, Iowa – Iowa State University faculty members and graduate students recently powered up their cybersecurity test bed and dissected the December 2015 cyberattack that hijacked and took down dozens of power substations across western Ukraine.
That cyberattack left some 230,000 Ukrainians without power for up to six hours.
Eight electric utility regulators from Ukraine and three other Black Sea countries – Armenia, Georgia and Moldova – paid very close attention to what Iowa State’s test bed showed them.
“It had a huge impact,” said David Jiles, an Iowa State Anson Marston Distinguished Professor in Engineering and Palmer Professor in Electrical and Computer Engineering and Stanley Chair in Interdisciplinary Engineering. “Seeing what we can do was enormously important to them.”
The Black Sea electricity regulators were on campus in September as part of a cybersecurity study tour sponsored by the U.S. Agency for International Development (USAID) and organized by the National Association of Regulatory Utility Commissioners.
The study tour featured three days of meetings, presentations and training sessions in Washington, D.C. Those were followed by two days of cybersecurity demonstrations and presentations at Iowa State, all organized by the university’s department of electrical and computer engineering, its Electric Power Research Center and its Information Assurance Center organized the Iowa State sessions. The Iowa leg of the tour also featured a field trip to MidAmerican Energy Co.’s control center in Urbandale.
The agency’s Cybersecurity Initiative began three years ago, said Steve Burns, the chief of USAID’s Energy and Infrastructure Division in the Bureau for Europe and Eurasia. The initiative is all about reducing the region’s vulnerabilities to cyberattacks, drafting cybersecurity strategies, boosting economic growth and increasing the region’s energy security.
The study tour in Washington and Ames followed two previous sessions in Ukraine and Estonia.
Burns said Iowa State’s expertise was brought into the program after meeting and working with Jiles during his recently completed one-year term as a Jefferson Science Fellow and scientific adviser to the U.S. State Department and USAID.
Jiles, while using his fellowship to develop a triage tool to help countries fight off cyberattacks, suggested that U.S. officials working to promote international cybersecurity should take advantage of a test bed developed at Iowa State.
The test bed is called “PowerCyber” and it’s part of grid cybersecurity studies led by Manimaran Govindarasu, Iowa State’s Ross Martin Mehl and Marylyne Munas Mehl Computer Engineering Professor; and Doug Jacobson, a University Professor of Electrical and Computer Engineering at Iowa State.
PowerCyber is a high-fidelity, remote-access tool for research and development to help train industry professionals and educate students to protect power grids. The test bed is designed to do vulnerability analysis, risk assessment, attack-defense evaluations and other tests.
The study tour’s visit to Iowa State featured several demonstrations in the PowerCyber lab, including a case study of the power grid attack in Ukraine. The visit also featured discussions of threats, lessons learned, best practices, strategy development and cybersecurity literacy.
“After 30 years of designing and using technology to protect systems, we still have problems and maybe we need to look at how to make the users more secure,” Jacobson said. “And so I talked about using security literacy as a way to educate users about cybersecurity concepts, threats and mitigations.”
Govindarasu said highlights of the study tour were strategic discussions of cybersecurity among academic researchers, government experts and representatives from several U.S. Department of Energy national laboratories.
One clear message to the visitors from the Black Sea countries:
“Cybersecurity is a journey,” Govindarasu said. “There’s no end to it.”
So what to do?
Govindarasu said defense measures can start with better training for engineers to help them keep up with dynamic and evolving situations.
“A lot of this is trying to keep one step ahead,” Jiles said. “If you don’t, someone will figure out how to hack in and we’ll have problems.”
Helping the Black Sea regulators protect the power grids in their countries could also have benefits around the world.
“Cyberattacks in the region are growing in complexity and are a potential test bed for attacks in western Europe and here in the United States,” said Burns of USAID. “By working with the utilities and regulators throughout the region, we are better able to understand energy sector vulnerabilities and apply those lessons learned at home.”
After all, Jacobson said, “They are on the front line of cyberattacks against critical infrastructure.”