Cybersecurity on Campus: Balancing Protection and Access to Improve Collaboration

Keeping Education Safe in the Digital Age

In today's digital age, universities face unique cybersecurity challenges due to their complex technology ecosystems and the need for open collaboration among researchers. As institutions that house valuable research data and systems, universities must navigate the delicate balance between security and access. Although each university campus is unique, all institutions share similarly complex challenges in protecting information.

The Cybersecurity Challenges of Today’s High-Tech Learning Environments

Universities operate intricate technology ecosystems that must provide access to both on-site and off-site researchers. This access is crucial for fostering innovation and collaboration but also poses significant cybersecurity risks. Protecting research data from adversaries is paramount, as is safeguarding research systems from tampering. For instance, if research is contained in cold storage, building systems and Central Utility Plants (CUP) must be protected to ensure the integrity of the cold storage systems. 

Integration with other systems is another challenge, as universities must collect data from various buildings and disparate systems. This often involves multiple parties responsible for securing separate systems, leading to potential gaps in security. Additionally, curious and highly talented students may identify zero-day vulnerabilities, further complicating the cybersecurity landscape.

Research that is valuable to U.S. adversaries is particularly vulnerable to targeted attacks by Advanced Persistent Threats (APT). These adversaries are skilled, motivated and well-funded, making them formidable opponents. The requirements for systems integration and flexible user designs based on research projects necessitate adaptable security measures.

Steps to Effectively Protect Digital Assets with Cybersecurity  

  1. Identify Cybersecurity as a Risk: Recognizing cybersecurity as a critical risk is the first step in developing a robust defense strategy. For cybersecurity, this begins with acknowledging that the threat is real. It's not a matter of "if" an incident will occur, but "when." Traditionally, designs account for known or foreseeable risks such as fire, flood and structural load. Similarly, cybersecurity should be integrated into the design phase as a fundamental risk to be managed. By considering cyber threats alongside other risks, organizations can develop more comprehensive and resilient systems. This proactive approach ensures that cybersecurity measures are not an afterthought but a core element of the overall risk management strategy.
  2. Adopt a Cybersecurity Framework or Standard: Aligning facility design and construction with frameworks like NIST CSF, ISO 27001, and ISA 62443 enhances cybersecurity. These standards provide guidelines to manage risks, secure information and protect industrial systems effectively.
  3. Utilize a Risk Management Framework: Adjust cybersecurity measures to match the level of risk your organization is willing to accept. For example, losing an elevator in a two-story building is a minor inconvenience, so clients might invest less in cyber mitigations for it. In contrast, losing a Chilled Water Plant (CUP) that supports cold storage or a data center could result in significant financial loss and setbacks in critical research, warranting higher investment in cybersecurity.
  4. Monitor and Maintain Systems: Modern control systems need regular maintenance for security and efficiency, similar to laptops. This includes patching and following a technology replacement/upgrade lifecycle. For monitoring, if it's a new building on a campus, the best option is to integrate with existing campus-wide monitoring solutions by working with campus IT staff. If there's no existing IT solution or it's a complex research facility, implement an industrial IDS/IPS with a local interface to monitor network traffic for anomalies and known vulnerabilities. Remember, monitoring systems are only effective if actively used. Ensure there are dedicated personnel or automated processes to respond to alerts.
  5. Limit Access: Restrict access to systems and data to authenticated users and utilize read-only access through replication for outside researchers who only need to work with data. Research projects requiring direct access to systems necessitate a more in-depth study to appropriately plan for cybersecurity.

Navigating Cybersecurity Regulations 

As cybersecurity threats continue to evolve, the market is reacting by moving away from voluntary, owner-driven risk management toward mandated risk mitigation requirements such as regulations, legislation and insurance underwriting requirements.

Federal laws vary depending on the agencies and locations involved. For example, a USDA research building on a campus must comply with USDA and DOI cybersecurity requirements, as well as university requirements for systems that integrate into the campus. US-funded projects may have specific requirements for selecting a cybersecurity framework and complying with the standard for systems within the project.

A critical aspect that could easily be overlooked in such projects is ensuring that all IT and OT equipment specifications are tailored to be TAA compliant. For contractors, this impacts the equipment supply chain and could lead to re-orders or scheduling delays due to a limited number of compliant suppliers. In some cases, larger manufacturers have both TAA and non-TAA compliant manufacturing facilities, and if compliance is not explicitly stated in the order, it may remain unknown until the device arrives on-site.

State laws vary greatly. For example, the Florida Cyber Act mandates that each local government adopt cybersecurity standards to safeguard its data, information technology and resources. These standards must be consistent with generally accepted best practices for cybersecurity, including the National Institute of Standards and Technology Cybersecurity Framework. Insurance underwriting is beginning to require cyber protection of systems with minimum mitigations. Universities must monitor these requirements to ensure compliance and adequate protection. 

Navigating cybersecurity challenges on campus requires a delicate balance between security and collaboration. By understanding the biggest concerns, implementing best practices and adhering to state and federal laws, universities can protect their valuable research data and systems while fostering an environment of innovation and collaboration.

David Brearley | OT Cybersecurity Director
Controls and Cyber Services Director