UWF Experts Works to Protects Cars from Cyberattacks
“Almost all modern automotive vehicles are equipped with some form of electronic connectivity through GPS devices, smartphones, telematics devices, roadside sensor units, on-board devices, WiFi, among others,” Francia said. “On one hand, these connectivity features provide newly found conveniences. On the other hand, they provide an expanded attack surface that adversaries can take advantage of.”
Francia explained one example is an adversary successfully taking control of a vehicle’s speed on a busy interstate highway. He has been part of a research group known as the Transatlantic (US-Ireland-Northern Ireland) working group on IoT/CPS Cybersecurity Research. Their research has uncovered several cyber threats related to connected vehicles including that the radio frequency signal from keyless remote fob transmitter can be intercepted and cloned for replay attack; the vulnerabilities in automotive controls due to insecure communication channels; the susceptibility of the inter-vehicle network due to an insecure protocol; and the viability of Machine Learning techniques in recognizing various attacks on the vehicle network.
Francia’s research project on securing connected cars from cybersecurity threats began in 2019. It has received funding support from the National Security Agency, the Florida Center for Cybersecurity, the Office on Naval Research and the Florida Department of Transportation. The workshop was supported by the National Science Foundation (USA), Department for the Economy (Northern Ireland), and Science Foundation of Ireland (Republic of Ireland).
For more information on UWF’s Center for Cybersecurity, visit uwf.edu/cyber.
Article available at https://news.uwf.edu/uwf-cybersecurity-expert-shares-research-on-connected-vehicle-security-warns-of-vulnerabilities-in-modern-vehicles/.
Sriram Chellappan
Dr. Sriram Chellappan is Cyber Florida’s academic director of research and a professor in the Department of Computer Science and Engineering at the University of South Florida (USF) in Tampa, Florida. Previous to his appointment at USF, he was an associate professor in the Department of Computer Science at Missouri University of Science and Technology where he directed the SCoRe (Social Computing Research) Group. His primary interests lie in many aspects of how Society and Technology interact with each other, particularly within the realms of Smart Health and Cyber Security. He is interested in mobile and wireless networking, cyber-physical systems, and distributed and cloud computing. Dr. Chellappan’s research is supported by grants from the National Science Foundation, Department of Education, Army Research Office, National Security Agency, DARPA, and Missouri Research Board. He received his PhD in Computer Science and Engineering from the Ohio State University in 2007. Dr. Chellappan received the NSF CAREER Award in 2013, the Missouri S&T Faculty Excellence Award in 2014, the Missouri S&T Outstanding Teaching Commendation Award in 2014, and the Missouri S&T Faculty Research Award in 2015.
Research Interests
Socio-technical systems; cybersecurity; smart health; cyber-physical systems; mobile and wireless computing
Teaching Interests
4930/6930: Information Security and Privacy in Distributed Systems;
6611: Operating Systems
Education
PhD in Computer Science and Engineering, Ohio State University (2007)
Honors and Awards
Missouri S&T Outstanding Teaching Commendation Award (2015)
Missouri S&T Faculty Research Award (2015)
Missouri S&T Faculty Excellence Award (2014)
NSF CAREER Award (2013)
Key Activities
Invited Speaker at International Conference on Orange Technologies (ICOT) (December 2015)
Invited Speaker at International Conference on Collaboration Technologies and Systems (CTS) (June 2015)
Technical Program Committee Member, Percom 2016, Infocom 2016, AINA 2016, MSN 2015
IEEE Member
Cyber Florida Launches Statewide Cybersecurity Risk Assessment for Critical Infrastructure
Oct. 21, 2022—Tampa, Fla– The Florida Center for Cybersecurity (Cyber Florida) at the University of South Florida and Florida Digital Service are working together to launch the state’s first statewide assessment of both public and private critical infrastructure cybersecurity pursuant to House Bill 5001, Appropriation 2944B. The appropriation provides $7 million in funding to Cyber Florida to “conduct a comprehensive risk assessment of the state’s critical infrastructure and provide recommendations to support actionable solutions for improvement of the state’s preparedness and resilience to significant cybersecurity incidents.”
The assessment is part of a significant investment by the Florida Legislature to enhance the state’s cyber resiliency, dubbed “CyberSecureFlorida.” The initiative also includes a $30-million statewide cybersecurity awareness and upskilling training program for public sector employees and establishing a cyber range to help public cybersecurity and information technology professionals learn to detect, prevent, and mitigate cyberattacks. Law enforcement personnel will also be able to use the cyber range to learn digital forensics and evidence-gathering techniques.
“Florida lawmakers have made an unprecedented investment in the state’s cyber resiliency,” said General (Ret.) Frank McKenzie, Executive Director of Cyber Florida. He continued, “This risk assessment will enable Cyber Florida to start building a statewide community of cybersecurity leaders and practitioners centered on Florida’s collective cyber resiliency.”
The assessment consists of an online survey of roughly 150 questions using the Cyber Security Evaluation Tool (CSET) created by the Idaho National Laboratory and the Department of Homeland Security. Cyber Florida is leveraging Idaho National Laboratory’s critical infrastructure cybersecurity expertise through a Strategic Partnership Project (SPP). Florida is the first state in the nation to conduct a statewide survey using CSET.
The CSET link will open on Oct. 20, 2022, at cybersecureflorida.org. Participation is voluntary, and Cyber Florida is encouraging all critical infrastructure organizations in the state, both public and private, to participate. Participants will receive a custom risk assessment report for their organization, which they can use to apply for potential grant funding. All data will be kept confidential and housed on secure servers at Cyber Florida’s host institution, the University of South Florida.
The data will be compiled and reviewed by researchers at MITRE working with Cyber Florida to create a report for the Florida Legislature and Governor DeSantis. The report will outline the aggregate, anonymized findings and recommend potential legislation and funding initiatives to enhance and fortify the state’s critical infrastructure cybersecurity posture.
To learn more about the assessment, please visit cyberflorida.org/cybersecureflorida/.
ABOUT CYBER FLORIDA
The Florida Center for Cybersecurity, also known as Cyber Florida, was established by the Florida Legislature in 2014 to help position Florida as a national leader in cybersecurity through education, research, and outreach. Hosted by the University of South Florida, Cyber Florida leads an array of initiatives to inspire and educate future and current professionals, support industry-advancing research, and help people and organizations better understand cyber threats and what they can do to stay safer in cyberspace.
###
Cyber Florida Names Ernest Ferraresso as New Director
October 4, 2022 – Tampa, Fla. – The Florida Center for Cybersecurity at the University of South Florida (USF), also known as Cyber Florida, is delighted to announce that Ernest “Ernie” Ferraresso has been selected to serve as Cyber Florida’s new Director, overseeing the center’s day-to-day operations under Executive Director General (Ret.) Frank McKenzie.
Ferraresso previously served as Cyber Florida’s Associate Director of Programs and Partnerships, leading numerous essential projects and initiatives and helping the center grow from a regional entity to a statewide organization. Among his achievements, Ferraresso built strategic public and private partnerships across Florida to forge a strong cyber workforce and worked to implement programs focusing on education, research, and engagement to advance Florida’s cyber resilience
Before joining Cyber Florida in 2017, Ferraresso was Director of Operations for a small technology design and integration firm, overseeing the design and implementation of cybersecurity and emergency operations center technology solutions in the U.S. and Latin America. He is a retired U.S. Marine Intelligence Officer whose work included assignments with U.S. Special Operations Forces, the Intelligence Community, the George C. Marshall European Center for Security Studies, and U.S. Cyber Command.
“Ernie is a highly respected member of the Cyber Florida team,” said General (Ret.) Frank McKenzie. “His expertise, prior exemplary service at Cyber Florida, collaborative leadership style, and ongoing commitment to the mission made him the standout candidate for this role. I am entirely confident that, under his leadership, Cyber Florida will continue to flourish and secure its rightful place as the nation’s preeminent center for cybersecurity.”
Ferraresso describes his vision for Cyber Florida’s future as being the mechanism at the heart of Florida’s efforts to stand as the national model for a statewide culture of cyber resiliency and collaboration. “Florida has made significant investments in advancing public sector cybersecurity as well as building a robust cyber industry and workforce across the state,” noted Ferraresso. He continued, “There are many entities, both public and private, working toward the same goals across the state, and I see Cyber Florida as the nexus of these efforts, connecting, enabling, and facilitating the initiatives and resources needed for Florida to realize its goal of being the national leader in cybersecurity.”
ABOUT CYBER FLORI
The Florida Center for Cybersecurity, also known as Cyber Florida, was established by the Florida Legislature in 2014 to help position Florida as a national leader in cybersecurity through education, research, and outreach. Hosted by the University of South Florida, Cyber Florida leads a spectrum of initiatives to inspire and educate future and current professionals, support industry-advancing research, and help people and organizations better understand cyber threats and what they can do to stay safer in cyberspace.
###
Cyber Florida Staff Director Dr. Ron Sanders Retires
July 18, 2022—TAMPA, FL: After helping to oversee a period of rapid change and dramatic growth at the Florida Center for Cybersecurity (also known as Cyber Florida), Staff Director Ron Sanders, DPA, has announced his retirement. Dr. Sanders first served as a member of the Board of Advisors upon the center’s founding in 2013. In 2020, he was brought on as staff director under former Executive Director Mike McConnell, VADM, USN, Ret., who has also recently retired. During his tenure as staff director, Dr. Sanders championed several new initiatives that garnered national recognition for the center and helped secure significant new funding for a series of efforts to improve the state’s overall cybersecurity posture.
“I am grateful to Dr. Sanders for his many notable contributions to this organization,” said the center’s new executive director, General (Retired) Frank McKenzie. He continued, “His leadership was instrumental in elevating Cyber Florida to national prominence, and together, he and VADM McConnell built an impressive legacy. I’m proud to carry on the remarkable momentum they created and wish Dr. Sanders well in retirement.”
Dr. Sanders’ career includes nearly three decades of decorated civil service. Among his many accomplishments, he helped lead the historic post-Cold War transformation of the U.S. Defense Department and the post-9/11 stand-up of the Department of Homeland Security and the Office of National Intelligence. He managed the recruiting, development, and deployment of thousands of new intelligence officers to fight the Global War on Terror and the restructuring of the IRS. He helped establish the United Arab Emirates’ cybersecurity and space agencies and China’s National School of Administration. He was also a presidential appointee, serving as chair of the U.S. Federal Salary Council from 2017 to 2020.
Dr. Sanders is the recipient of three Presidential Rank Awards (from DOD, IRS, and the U.S. Office of Personnel Management), two Teddy Roosevelt Distinguished Public Service Awards, and the National Intelligence Distinguished Service Medal. He is the author of four books and has served on the faculty of several distinguished institutions, including George Washington University, The Brookings Institution, and the University of South Florida.
During his tenure with Cyber Florida, he led the transformation of the University of South Florida’s online M.S. in Cybersecurity into four independent cyber-focused master’s degree programs to better align with employer needs. He advocated for the launch of the center’s highly successful Operation K12 program, and his passion for public service led him to create the Cyber Citizenship Education initiative, designed to teach K-12 students to navigate online misinformation and disinformation, among other accomplishments.
ABOUT CYBER FLORIDA
The Florida Center for Cybersecurity, also known as Cyber Florida, was established by the Florida Legislature in 2014 to help position Florida as a national leader in cybersecurity through education, research, and outreach. Hosted by the University of South Florida, Cyber Florida leads a spectrum of initiatives to inspire and educate future and current professionals, support industry-advancing research, and help people and organizations better understand cyber threats and what they can do to stay safer in cyberspace.
###
Cyber Florida Says Goodbye to Executive Director, Welcomes New Leadership
After a highly distinguished career in public service spanning more than five decades, the Honorable J. Michael “Mike” McConnell, VADM, USN, Ret., has retired as executive director of the Florida Center for Cybersecurity at the University of South Florida (USF), also known as “Cyber Florida” as of June 30, 2022. General Frank McKenzie, USMC, Ret., has been appointed by USF President Rhea Law to be Cyber Florida’s new executive director. General McKenzie will also be leading USF’s new Global and National Security Institute [link to USF news article].
McConnell first served as chair of the board of advisors upon the center’s launch in 2013. He assumed the role of executive director in February 2020 at the behest of then-USF President Steven C. Currall. During his two-and-a-half-year tenure, McConnell elevated Cyber Florida from a regional center to a truly statewide entity, helping to guide policy at the state level and expanding the center’s reach beyond the State University System of Florida to include the Florida College System and the state’s public school districts, the state’s defense extensive defense industry, and several federal agencies. Under his guidance, the center also forged strong relationships with Florida’s military community, robust defense industry, and several federal agencies, including helping to bring in several million dollars in grants from the National Security Agency.
“We sincerely thank Vice Admiral McConnell for his decorated career of service to our country and his many important contributions to the success of Cyber Florida. We wish him the best in a well-deserved retirement,” USF President Rhea Law said. “With the foundation Vice Admiral McConnell helped establish, I look forward to seeing Cyber Florida continue to strengthen the cybersecurity industry across our state and the nation in the future.”
General Frank McKenzie, who recently retired from the U.S. Marine Corps as commander of U.S. Central Command, has taken over as Cyber Florida’s new executive director as well as leading USF’s new Global and National Security Institute.
“Vice Admiral McConnell has set Cyber Florida on a solid trajectory to position Florida as a national industry leader and model state for cybersecurity, and I intend to carry on that mission leveraging the strong momentum he and his team have created,” said McKenzie.
UCF Research: Stress Prompts Poor Cyber Habits
When we think of insider threats, the common image is that of a disgruntled employee who takes out their anger on their employer or their manager. Research from the University of Central Florida reminds us that this is seldom the case.
While investment in cybersecurity has risen considerably in the face of a huge increase in attacks during the pandemic, often this investment has focused on technologies to try and keep data and systems safe. While such investments are worthwhile, the most vulnerable part of any system is almost certainly going to be us humans. The authors highlight that when organizations do have cybersecurity training, there is often an implicit assumption that insider threat attacks are done with malicious intent.
Determining intent
The reality, however, is that our failure to comply with the cybersecurity processes of our employer is more likely to be driven by stress. The researchers quizzed around 330 employees who were working remotely during the Covid pandemic. The workers were asked about their adherence to the cybersecurity policies of their employer alongside things such as their stress levels.
They followed this up with in-depth interviews with a group of 36 employees to try and get a better idea of just how the shift to remote working as a result of the pandemic may have affected cybersecurity. The results show that adherence to security policies was pretty intermittent. Indeed, on a typical workday, 67% of participants said that they had bypassed official cybersecurity policies at least once, with there being a 5% chance that they would do so on any given task.
It should perhaps be self-evident that breaches on this kind of scale are unlikely to be driven by widespread discontent with one’s boss or employer, and this was indeed what the researchers found. Indeed, the top response when asked why people circumvented security protocols was that doing so better helped people to get things done, either for themselves or for a colleague. This reason accounted for around 85% of all intentional breaches of the security rules. Contrary to popular perception, an intentional desire to cause harm only accounted for 3% of the security breaches. To put that into perspective, that makes non-malicious breaches around 28 times more likely than deliberately malicious breaches.
Under stress
Importantly, the relatively benign breaches were far more likely on days when employees were suffering from stress. This strongly suggests that being placed under stress reduces our willingness to abide by rules if those rules are perceived as stopping us from doing what we need to do.
The causes of stress are oft-cited and include family demands, job insecurity, conflicts with our colleagues, and even the demands of the cybersecurity rules themselves. However, there was a clear link between the pressure people faced to do their job and the belief that cybersecurity procedures inhibit their ability to do that job as effectively as they felt they needed to. Adhering to protocols often resulted in feeling like jobs take more time or effort to complete, with employees also complaining that the protocols made them feel like they were being monitored and couldn’t be trusted.
The researchers accept, of course, that their findings were a result of self-reporting from participants, so they would only be able to report on cybersecurity breaches that they were themselves aware of. This will mean that breaches as a result of a lack of knowledge or poor practice will have almost certainly been overlooked because people only know what they know. The findings do nonetheless remind us that insider threats are seldom the result of malicious and deliberate intent but rather due to a lack of training or intense pressure to get things done as quickly as possible.
Reducing the risk
So what can managers do to improve adherence to the guidelines and, therefore, the security of their systems? A good first step is to appreciate that the overwhelming majority of security violations are intentional and benign. People simply want to get their work done as efficiently as possible, so cybersecurity training should work on that basis and inform employees how they can do this while still remaining secure.
It’s also important that people feel confident enough to speak up whenever they breach security policies, as the quicker they can do this, the quicker the challenge can be addressed, and any security risks plugged.
“How do people react when the employee makes a mistake,” Kaspersky’s Chris Hurst says. “It’s crucial that if employees make a mistake that they’re confident enough to open up about it and escalate it to people who can do something about any possible risks involved.”
It would also be prudent to ensure that staff are included in the development of security protocols. This would help to ensure that protocols aren’t developed that would inhibit people’s work and result in them striving to find workarounds that reduce the effectiveness of the protocols themselves. By better understanding how protocols affect people’s workflows, security teams will have a better chance of adherence. This is especially important as people have moved to remote working and therefore taken on different ways of working.
Of course, tackling the stress and pressure that workers are under would be no bad thing either, but perhaps the key takeaway from the research is that the way we design our jobs and the way we design our cybersecurity are intrinsically linked. With cyberattacks on the rise and affecting most organizations, it’s no longer good enough to assume that insider threats are the result of a few bad apples but rather the poor way in which jobs and security protocols are designed. Once we grasp that, we can perhaps start to make positive headway.
As seen in The Cyber Post: https://thecyberpost.com/news/security/stress-prompts-employees-to-break-cybersecurity-policies/
Working from Home Cybersecurity Checklist
Over the past year and half, many organizations have transitioned to remote work. While remote work has many benefits for both employees and employers, it poses specific problems for organizational cybersecurity by introducing a host of new potential points of entry for cybercriminals in the form of personal devices and home internet service. Working from Home Cybersecurity Checklist, provided by Cyber Florida community partner Scarlett Cybersecurity, offers guidance to help ensure that your remote staff are implementing good cybersecurity practices and doing their part to protect the organization from cybercrime.
n