According to the Department of Homeland Security, critical infrastructure includes the vast network of highways, connecting bridges and tunnels, railways, utilities and buildings necessary to maintain normalcy in daily life. Transportation, commerce, clean water and electricity all rely on these vital systems.
But as cybersecurity threats against critical infrastructure increase, innovative and adaptable solutions are necessary for protecting vulnerable components. Computer Science and Engineering Professor Csilla Farkas began a two-year project last September that aims to help implement an adaptive authorization framework for critical infrastructure that is more resilient against cyberattacks than current security solutions. Her approach is to modify the security requirements based on the changing context of users and system components.
Farkas’s research is funded by nearly $500,000 from the National Security Agency (NSA) and Department of Defense. The project includes collaborators from The Citadel and University of Memphis. Farkas’s research is built on her previous project in which she developed context-aware access control for the Internet of Things (IoT).
“We're aiming to develop a cybersecurity model that can automatically adapt to changing environments. For this, we need to understand the protected system, critical functionalities and dependency of the different system components. This will allow us to allocate protection resources to the most critical components to ensure functionality during a cyberattack,” Farkas says.
Farkas’s previous NSA grant focused on developing context-aware security for smart homes. Her research team has proposed a framework that uses a rule-based engine to define the context and determine access control based on the user and IoT network context. Similar to her previous project with smart homes, her current research is focusing on industrial control systems, which are physical and digital objects that manage the behavior of machines and processes.
“The approach is very similar for critical infrastructure, but the context for the environment is more complex,” Farkas says. “For example, it is not enough to model the context of a single infrastructure component. We also need to understand the dependencies of the component.”
An authorization framework is an implemented security policy that defines the permissions of system users. These permissions must adapt to system and context changes, such as attempting remote access. Farkas admits that no system is completely safe from a cyberattack, but her research aims to preserve critical functionality to avoid catastrophic failure.
“One way to reduce the risk of security breaches is to limit a user’s capabilities if there is a remote login operation or if potential misuse is detected. This may limit the damage if it turns out that an unauthorized user gained access to the system,” Farkas says.
Farkas referred to the Colonial Pipeline ransomware cyberattack in 2021, when unauthorized users exploited critical infrastructure using stolen credentials to block the pipeline’s operation. That same year, an attack against a water treatment facility in Florida increased the amount of lye that was added to the water.
Login context refers to where and how a user gained access to a system. The login scenarios can determine the security awareness level, especially for vulnerable critical infrastructure. The basic question is how an unauthorized user could control systems, and what that user's capabilities and impact would be.
“The goal is to reduce the damage and avoid a catastrophic event if something happens. It’s a term we use called ‘graceful degradation of functionalities,’” Farkas says. “Some of the functionalities are critical, so if you think about a nuclear facility, what kind of functionalities do you need to maintain for the facility to not be at risk of a catastrophic failure?”
Farkas will work with University of Memphis Professor Dipankar Dasgupta and Professor Shankar Banik from The Citadel. Dasgupta will utilize his expertise in multifactor authentication to determine the best form of authentication to make it harder for an attacker to gain unauthorized access.
“If somebody wants to hack into an account using dual-factor authentication, they will need to know the password and somehow hijack the phone line. When you're dynamically changing what authorization method to use in different scenarios, it will be even harder for the attacker to bypass security,” Farkas says.
Banik has developed security solutions for IoT networks and smart environments and previously worked with Farkas on research projects. The Citadel will provide the necessary industrial control systems models, which helps industry strengthen the cybersecurity of its utilities and manufacturing.
“We're going to find how we can design a framework which is portable in all critical infrastructure sectors. It's needed since critical infrastructure basically controls the economy of countries,” Banik says. “If something happens in the power grid, water distribution, transportation or healthcare, everyone’s lives will be affected. It’s a complex challenge that our research aims to help fix.”
Farkas says that there are different requirements when installing cybersecurity in industrial environments, which include preventing personal data from leaking to unauthorized individuals. Previously, industry was less worried about cyberattacks because it considered its environments too complicated for attackers, who had to have specialized knowledge. But this is no longer the case.
“In this age when we have so much publicly available information, cybersecurity is more difficult to provide because people don't have to be an expert in industrial control systems to carry out an attack,” Farkas says. “Part of the current project is building a model for understanding how industrial control systems work and using it to develop appropriate security requirements. It will help us decide what level of authorization and authentication users need to access certain components.”
Farkas also hopes that her research will inspire more students to pursue careers in cybersecurity. According to Cybersecurity Ventures, there are expected to be 3.5 million openings globally by 2025.
“The workforce and demand for cybersecurity is so high that we can't produce enough graduates for job openings,” Farkas says. “We hope that a side effect of this project is to motivate more undergraduate students to pursue cybersecurity studies.”