Two engineering professors are at theforefront of solving cyber threats.
CheckCheck againHackers cost the U.S. economy $24 billion to $120 billion annually. That’s not even counting the threat they pose to vital infrastructure like transportation systems, drinking water and the electric grid. As the University of Rhode Island seeks ways to keep hackers at bay, two electrical and computer engineering professors are tackling the problem from power outlet to Amazon purchase.
Together, Associate Professor Haibo He and Associate Professor Yan “Lindsay” Sun are encouraging students to confront real-world threats while pursuing research to protect our infrastructure and online reputations.
“A lot of people hear these scary cyberattack stories on the news,” Sun says. “As professors, the question we ask ourselves is, how do we protect the community from these attacks?”
It starts by teaching the next generation of computer engineers to build more secure systems. Both professors make it a point to discuss the latest threats in class. When researchers unveiled the Heartbleed Bug in April, Sun rearranged her teaching schedule to present the malware that exposed passwords and other private information.
“I asked them to discuss, if you’re a decision maker, what policies are you going to make?” she says.
Her students proposed keeping the bug’s existence hidden from the public. However, they would fix the problem covertly by including a patch in inconspicuous software updates. By limiting the updates to U.S. computers, American consumers would be protected but national security agencies could exploit the flaw against enemies.
“I’m very proud of them,” Sun says. “It shows they learned that you have to think about cybersecurity not only from a consumer’s point of view.”
Engineers are increasingly faced with the intersection of policy, implementation and national security. The challenge of balancing those while protecting American consumers is no easy task; today it’s hard to find a device that does not connect to the Internet. Besides computers and smartphones, we’re linking refrigerators, garage doors, drones, traffic cameras, and even eyeglasses to the World Wide Web. Security experts call it the “Internet of Things.” The two professors call it the “Internet of Vulnerability.”
Keeping the Lights On
The computer monitor in front of Yihai Zhu ’14 shows a map of the San Francisco Bay area, home to some of the country’s most prominent companies and 825,000 people. Zhu, a graduate student in electrical engineering, clicks a substation in Berkeley, a bustling city on the eastern shore of San Francisco Bay. Then he waits. The initial substation turns black. A few moments later, the lines emanating from the station start to turn black one by one. Soon other substations go dark as a major power failure drapes the region in darkness.
“Recently in the news, they said if you took down nine power substations you could take down the nation’s power grid,” Zhu says. “This may sound ridiculous, but to me it sounds very possible.”
Professors He and Sun advise a team of students, including Zhu, studying the emerging threats to critical infrastructure systems reliant on computer controls. By pooling their knowledge of computer networks and power engineering, the duo forms a powerful offense against hackers.
“People are really excited to see two fields combine to tackle this very important challenge,” Professor He says.
The professor says their work has shown that a coordinated attack could devastate the electric grid. The biggest threat stems from an attack that disables multiple substations and transmission lines in a specific order. If done correctly, the problems would initially be small. By the time operators discovered the attack, it would be too late and a cascading failure would occur. To make matters worse, the built-in “fix” of rerouting power around affected areas would overload systems and create additional damage. Blackouts could last for days or weeks. People would quickly find themselves lacking heating and cooling systems, driving on roadways without traffic lights, and facing an economy crippled by the inability to conduct any online transactions, from processing credit cards to buying stocks.
“Hackers will not cause random failures,” Sun says. “They will carefully choose substations and transmission lines. That kind of failure was not considered by traditional power engineers.”
Their work has garnered national attention and won research funding from the National Science Foundation.
“It’s the next wave of cybersecurity research,” explains Victor Fay-Wolfe, head of the University’s Digital Forensics and Cyber Security Center (see Cyber Nexus, page 26).
For electrical engineering graduate student Jun Yan M.S. ’13, riding that wave is a thrill. After completing his master’s degree here in 2013, he stayed on for the doctoral program and a chance to continue studying the security of infrastructure systems.
“There is something exciting about the research that gets me,” Yan says. “We are working on theory, models, mathematics. It’s new and it’s not just one discipline.”
Private industry is paying attention. Providence-based Utilidata designs systems that make the electric grid more efficient. The company wants to ensure that those efficiency controls do not inadvertently open the grid to attacks.
Utilidata Chief Information Security Officer Siobhan MacDermott says the work of academic researchers often proves vital.
“Our greatest collaborators come out of universities,” she says. “When you’re working in an academic environment, you’re not constrained in your thinking.”
MacDermott says Professor He’s research has already produced a powerful tool in its easy-to-understand modeling (right). Such models help companies like Utilidata explain the threat to policymakers and senior executives who may lack engineering backgrounds.
For Utilidata, there is also the appeal of having an expert just 45 minutes away. MacDermott says in-person meetings can drive faster innovation and keep the good guys ahead of rapidly evolving hacks.
And hackers can find new targets on the electric grid. As government officials encourage development of renewable energy systems like solar panels and wind turbines around the country, more access points to the grid appear. The system has become the largest network on the planet.
Yet, cybersecurity was not a concern when engineers first built the grid a century ago. Thousands of miles of key transmission lines stand unprotected and chain link fences are the only defense for many substations. Grid computer systems were designed for monitoring, not protection.
There is hope. Media and congressional attention on the issue motivated federal agencies to start crafting more stringent regulations for protecting the electric grid from physical and cyber attacks.
At the University of Rhode Island, work is shifting from analyzing the problem to developing defensive strategies. Traditionally, researchers would conduct an experiment, but Professor He notes that he can’t shut down a substation to see what happens. Research is relegated to computer models. The professor hopes one day to outfit a lab with a small power generator and transmission network.
“There is always the question of how close your research is to reality,” He says. “If you could show in a lab that if you switch off this switch or cut this line, here’s what happens—that would be great.”
For now, the professor meets with fellow researchers and others in his second floor office in Kelley Hall straddling the Engineering Quad. Down one story sits Professor Sun, who is building much different computer models.
Taming the Online Wild West
Many Internet surfers take online reviews and their corresponding star rankings at face value and assume real people provided honest feedback. The truth is murkier. Online merchants or their hired guns sometimes place false reviews in an effort to boost sales. Professionals take liberties with résumés. Yet these online reputations increasingly drive our decisions about where we spend our money.
“In the broadest sense, our research will help you establish your cyber reputation, protect it and prevent others from manipulating it,” Sun says.
Sun and her students are tackling reputation protection on a number of fronts. She is building a system that automatically scans product reviews in the U.S. online retail industry—expected to reach $370 billion by 2017—for sham posts. Sun discovered that if reviews lack a pattern, they are probably genuine. Reviews with similar patterns were likely generated by a computer or bulk technique. Sun’s goal is to create a system in which a Web surfer can copy the address of a page containing reviews into an online form and immediately see the legitimacy of the reviews.
By using Sun’s work as a foundation, researchers could also analyze the reputations of individuals. Sun sees a day when voters could search for political candidates and, with the help of an online tool, gauge the accuracy of their online reputations.
Sun also wants to protect voters who make campaign donations online or purchase a bumper sticker with a digital wallet. Stored payment information like credit card numbers serves as an attractive target to criminals. Recently, criminals have stolen credit card numbers from several major retailers now scrambling to restore their reputations and placate investors.
“Last time the target was Target,” Sun says. “There’s a lot of research showing small businesses may have far more problems.”
A locally owned coffee shop or corner gas station might be vulnerable because its owners lack the expertise to protect digital systems. Some may not even realize a theft occurred.
And small business owners may only compound their problems if they grouse about their vulnerability on social media. Sun says few users realize how quickly their posts can spread across the Internet and garner thousands of views.
Her team is developing a system to rank the probability of social media posts developing a life of their own. The algorithm will analyze the user’s privacy settings and those of others connected to the post. It will then return a simple number showing the probability that people outside of your immediate circle may see the post. The system will also display the “weakest link,” or the person most likely to be the conduit for additional people to see the post.
The system could help social media users keep their posts private and educate parents and children about the reach of an online post. Sun will highlight the topics of online reputations, privacy and security as she helps organize this year’s Honors Colloquium. (See below.)
Both Sun and He say that to be effective, researchers must reach across traditional academic disciplines. Cybersecurity requires understanding the physical wires and equipment, the latest software, and—yes—human psychology.
The University took a major step toward encouraging cross-disciplinary research by establishing the Digital Forensics and Cyber Security Center in 2004. Both Sun and He are members of the Center, along with professors from computer science and staff from the University’s Information Technology Services.
“Because URI has one identity to represent cybersecurity research, you get a lot of voice,” Sun says. “And inside the center, you have different strengths.”
The Center and individual professors are finding willing partners. Professor Sun works with researchers at other universities and has run a major hacking competition for students across the country.
Professor He says because URI was one of the first institutions to study electric grid security, calls are coming from far and wide. Government officials want to see his models, universities are seeking recent Ph.D. graduates to fill faculty positions, and conferences want speakers. Private industry is also knocking at the door. MacDermott, the chief information security officer at Utilidata, says that’s to be expected.
“They get to do all the fun thinking,” she says, “and we get to implement the solution.”
—Chris Barrett ’08