Industrial control systems聽(ICS)聽manage聽our everyday聽water, electricity, and gas聽resources.聽The聽same聽interconnectedness and automation聽that makes聽these systems聽effective and efficient聽also increases聽their聽vulnerability聽to dangerous attacks聽that could聽leave cities and states without essential resources.聽聽
A cybersecurity engineering senior design team is聽testing聽a聽scaled-down聽ICS system聽provided by聽Dragos, Inc. to help the company shore up its cybersecurity infrastructure.聽聽
Seniors Marissa Costa, Natalie Sebastian, Kyle Simmons, Andrew Smith, Santiago Taboada聽Patino, and聽Zaine聽Wilson are working together to聽address聽the聽problem聽鈥淥ur whole job is to poke around and complete a security assessment on the ICS that Dragos, Inc. provided. We are attacking it and pinpointing vulnerabilities that need to be addressed,鈥 says聽Patino.聽聽
The team is penetration testing numerous聽components聽of the system聽Dragos, Inc.聽provided聽them to聽use.聽Penetration testing聽simulates聽a cyber-attack聽and聽pinpoints聽vulnerabilities.聽鈥淭he penetration testing we are doing is the best way possible to gain an understanding of how a cyber-attack could be carried out. Pen testing is like rating a bridge for how much weight it can support versus actually building a test bridge and driving progressively heavier trucks over it until it collapses,鈥 says Wilson.聽聽
Ensuring ICS security like the one the students are working on聽safeguards聽our world鈥檚 critical infrastructure.聽Power plants, water distributors, and gas companies all use聽ICS to protect the delivery of their customers鈥 essential resources. 鈥淧ower, water, gas鈥攖hey all start at one point and end at another, typically people鈥檚 homes or businesses. ICS provides the security to safeguard those processes, and without security measures, entire power plants could be shut down by malicious cyber attackers,鈥 says Simmons.聽聽聽聽
Dragos, Inc. delivered the system聽to the Fairfax Campus聽last fall. The team is spending their senior year penetration testing and聽using the vulnerabilities they find to create聽detection rules聽that can be included in future updates.聽Working with their faculty advisor, Assistant Professor Thomas G. Winston, and a subject matter expert from Dragos, Inc. makes聽the process as聽efficient聽as possible.聽聽聽
The Department of Cyber Security Engineering聽forges聽partnerships with companies like Dragos, Inc. to provide real-world projects for students. But this project has a specific impact that made the team excited to start.聽鈥淚ndustrial control systems have cyber-physical effects. People can understand it easier as opposed to more obscure cyber-attacks. In this case, a system could be breached, and lives could be lost,鈥 says Wilson.聽聽
Attacks like these have occurred across the globe and even close to home. Costa points to a recent attack in the United States that illustrated the vulnerabilities in the system. In February, a cyber attacker hacked a water treatment plant in Florida and remotely adjusted sodium hydroxide levels to more than 100 times the normal level, news outlets reported.聽Luckily,聽the聽system operator noticed the intrusion and immediately reduced the level back, but left unchanged, the water would have been toxic.聽聽聽聽
Dangerous attacks like those in Florida are why the team鈥檚 work is valuable to聽society.聽
The team jumped on the chance to work on this project because of its importance. They are excited they are contributing to protecting everyday life. 鈥淚ndustrial control systems like this one involve real people in their homes, people in a community who can be harmed by attacks on these systems," says Costa.聽