By Brett Zupan
Last year, I wrote a blog about the varied threats that higher education security professionals have to face on a daily basis. While these threats fell into certain categories, the larger risk was when a threat could have potential crossover impacts in another security domain, such as a cyber threat with physical impacts or vice versa. These crossover impacts may result from what are called blended threats. Many security professionals are unprepared for these threats, not through a lack of training but rather a lack of the right relationships and experience in other security fields.
In 2018, REN-ISAC launched its Blended Threat Resilience Workshop Series to help the higher education community prepare and respond to the complex situations spawned by blended threats. Utilizing a combined controversial speaker and hacktivist scenario, participants were able to explore how to best cooperate, plan, and train for a blended cyber-physical threat. The results of these discussions are encapsulated in the 2018 Blended Threat Resilience Workshop Series Final Report, which has been made publicly available on REN-ISAC’s website. With the 2019 series in full swing, I’d like to take a look back at this report and highlight some of the best practices learned from the 2018 scenario.
A Comprehensive Campus Speaker Approval Process
Event applications were a hot topic at multiple workshops, as this is the first chance an institution really has to vet a potentially controversial speaker and explore the security risks an event could bring to campus. Many schools have begun to incorporate some sort of threat assessment into their processes. Some universities mandate an assessment for all event applications while others only required them for events that meet certain thresholds. Some universities place the responsibility for conducting these assessments on a specific office or individual, like student affairs or security, while others place it in the hands of a committee, such as risk management or events.
In an attempt to automate what could be a complicated procedure, one participant detailed how their organization built an event registration process, focusing on the checks and balances necessary to handle the concerns of a potentially controversial event application. The university has a standard online form that anyone interested in hosting an on-campus event is required to fill out. Depending on the information provided, the application is then automatically emailed to the appropriate stakeholders to review the request. For example, the institution’s police department always reviews an event request for security concerns, while student life only becomes involved if the form indicates that a student or student-run organization is planning the event. It has taken years to refine the process of ensuring these emails are sent to the appropriate groups based on the specific information entered into the form. While there are still occasional unsanctioned events on campus, this system has reduced the burden of event management for all involved according to participants.
Proactive Management of Protest Groups On-Campus
If protests do occur at an institution, there is always the potential for a sudden escalation due to misunderstandings and heightened emotions, leading to situations that neither campus officials nor protest organizers want. One of the workshop participants represented a sporting venue that bordered a college. They emphasized the importance of managing protestors deliberately and offered multiple best practices that their organization had used with protestors that moved freely between the stadium and the campus. In order to ensure clear communications, the venue embeds a staff member with each organized protest and counter-protest group. The groups are informed that the staff member is there to ensure the group’s safety as much as the safety of those attending the event that is being protested. Any safety and security guidance, such as outlining the safest areas to stand or the evacuation route in case of emergency, is communicated through this trusted staff member. This information includes any security updates issued by management. This staff member is trained to act appropriately with the group, always assuming they are on camera and representing the venue. Police representatives do not join the staff member unless a certain threshold of violence has been reached and the police on scene have taken over security.
At another workshop, a participant discussed their institution’s success in formalizing a set of rules similar to the above maxims through creating what they called “protest teams.” These teams consist of a group of staff members who are trained to coordinate with and assist those planning and conducting protests on campus. Each team contains of representatives from multiple campus organizations, including housing, student affairs, and other key stakeholders, who are trained by the team captain in relevant university policies, de-escalation, and further critical techniques. The primary purpose of the protest team is to get involved with protest groups as early as the administration is aware of them and begin discussing both the group’s goals and the school’s protest policies and procedures, all with the intention of helping the protestors accomplish their mission in the safest manner possible. These teams do not exist in a vacuum and are a fully integrated component of the campus police department’s protest response protocols. When there is no observed potential for violence, they are expected to be the institution’s face at protests, with law enforcement standing by to support. Only if and when the potential for violence appears, does the police department take the lead to minimize risks to protest team members.
Full IT Support to the Emergency Operations Center
One workshop’s participant noted an important lesson learned for their institution: the need for providing full IT support to an emergency operations center (EOC) that was stood up alongside government partners during their response to a potentially violent security event. The university treated the event similar to a significant IT project, with procurement money and hours set aside specifically for the EOC. The incident managers had a number they could call regarding any technical issue, and there were technical staff on-site for IT emergencies. This redundancy was helpful at multiple points during the event, especially when diagnosing a sudden drop in bandwidth the EOC experienced at the eleventh hour as it began to process video streams from the campus and surrounding areas
Memorandums of Understanding to Defer Cyber Risk
At multiple workshops, participants mentioned their organizations use of memorandums of understanding (MOU) to help manage and defer cyber risks during serious security incidents, whether those incidents were denial of service attacks or observed data exfiltration attempts. These MOUs give participants’ institutions the ability to rapidly call upon other universities’ security operations personnel, network bandwidth, or other cybersecurity capabilities as necessary and allow the school to be more efficient with its resources while effectively planning and managing surge capabilities without incurring exorbitant costs. For example, an institution can depend on other schools to provide remote staffing as its IT department surges to respond and recover rather than having to pay for a large number of cybersecurity personnel during a complex cyber incident. Once the event is over, personnel are returned to their host institution and operations revert to a steady state.
While not all encompassing, this list of best practices can provide a useful starting point for institutions that are trying to strengthen their ability to respond to protest events and potential hacktivism, or other network threats. As part of its responsibility to increase the resilience of the higher education community, REN-ISAC is attempting to combat the risks of these blended threat events through expanding and strengthening the services it offers. This involves embracing a more holistic view of threat management which acknowledges that pre-event threat awareness is the most efficient way to handle risk, that collaboration with stakeholders within and across sectors is vital to an effective sector response, and that cyber and physical risks are bleeding together like never before.
Gate 15 is excited to be working with REN-ISAC on one of these growth initiatives: the Blended Threat Resilience Workshop Series. This series of workshops across the United States allows members of the higher education community, affiliated with REN-ISAC or not, to interact with their peers and strengthen their organizations’ resilience and security posture. This year’s scenario, a cyberattack that occurs during a potential pandemic event on campus, gives participants a venue to discuss best practices, areas of improvement and challenges in order to strengthen the community’s overall resilience. REN-ISAC has also continued to expand its Peer Assessment Service, which provides evaluations of an institution’s cybersecurity posture by fellow cyber security practitioners from other schools. This is all is in addition to REN-ISAC’s best-in-class offerings to the higher education community, like Passive DNS scanning, the Daily Watch Report, and work on the Higher Education Cloud Vendor Assessment Tool (HECVAT). Gate 15 is honored to continue to partner with REN-ISAC in its mission to improve the higher education sector’s cyber and physical resilience and we hope to continue building on its successes in 2019!
See our previous posts on REN-ISAC and Higher Education Threats, Risks, and Preparedness:
- Higher Education: A Complex Array of Threats, 06 Aug 2018
- REN-ISAC: Higher Education Enterprise Risk Management Leadership, 06 Mar 2018
- Security Spotlight: An Interview with REN-ISAC Executive Director, Kim Milford, 11 Jun 2018
About REN-ISAC: “The Research and Education Networks Information Sharing and Analysis Center (REN-ISAC) serves over 620 member institutions within the higher education and research community by promoting cybersecurity operational protections and response. REN-ISAC member institutions benefit from Security Event System (SES) threat intelligence and other automated data collection and sharing tools to enable informed decisions about threats and events, as well as peer assessment services to improve the institution’s overall security posture. We offer members daily cybersecurity news reports, alerts and advisories, analysis reports of cybersecurity threats and mitigation, and an active, interested community of subject matter experts who provide feedback on practices and standards.” Read more.
Brett Zupan is a Risk Analyst at Gate 15 with experience in all-hazards analysis, exercise development, and information sharing. He has supported analysis, preparedness and operations for a number of critical infrastructure communities, including support to Water and Wastewater Systems Sector, the Commercial Facilities Sector, and with Higher Education in support of REN-ISAC, among other projects. Before joining the company in 2016, he worked at the Georgia State Senate. Brett received his Masters of International Relations from American University.
