States, nations, and any municipality can build and tout their critical infrastructure that, on the surface, may appear second to none.

Think: thriving, automated food and agriculture ecosystems. Sprawling office buildings outfitted with remote smart sensors. Unflappable financial markets. Hyper-efficient transportation systems. Ubiquitous utility and energy access. Dependable and downstream supply chains.

All in the name of securing everything needed to sustain and grow a thriving society. Impressive, right?

But dig deeper. None of it is possible without a comprehensive plan and collaborative approach to securing all of these systems from myriad, ever-changing cyber threats.

This is the journey that the Commonwealth has embarked on, like other states but in a uniquely Virginia way: to evolve from difficult spot fixes and upgrades to planning, developing, and maintaining all critical infrastructure assets with cybersecurity top of mind from Day One.

“The only way to address cybersecurity is from the get-go,” said Paulo Costa, Professor and Chair of George Mason University’s (GMU) Cybersecurity Engineering department. “You don’t develop it and then make it secure. You make it secure from the very beginning.”

And that’s precisely the destination the Commonwealth is charting toward.

Built for the Moment

Like many of Virginia’s leading cybersecurity authorities, Costa plays many roles, including serving as director of the school’s Center of Excellence in Command, Control, Communications, Computing, Cyber, and Intelligence, the nation’s first, and still one of the few, civilian academic institutions devoted to military applications of information technology and cybersecurity. Another research-intensive post Costa holds is at the Cybersecurity Manufacturing Innovation Institute (CyManII), a U.S. Department of Energy initiative where he is a lead investigator focused on cybersecurity energy and emissions quantitation.

“We are setting up the framework for the secure introduction of new technologies, standards, and best practices…versus a ‘let’s build it first and then protect’ usual approach,” Costa said of CyManII. 

The combined responsibilities represent a balancing act that allows Costa to bring real-world scenarios into the classroom while inviting the next wave of big cyber thinkers into the professional ranks.

And that wave is growing — fast. This includes the students in GMU’s Cybersecurity Engineering department — home of the first Cybersecurity Engineering undergraduate program in the country — with an enrollment that has ballooned to 800 since 2015.

“If you’re anyone who wants to be a player in cybersecurity, you need to be in Virginia, and that’s just a no-brainer,” said David Ihrie, chief technology officer and vice president of strategic initiatives with the Virginia Innovation Partnership Corporation (VIPC), a state agency that creates technology-based economic development strategies to accelerate innovation.

And it’s easy to see the reasons why companies are coming here, from Loudoun County’s “Data Center Alley” and its 25 million square feet of rack space to America’s most automated, fully cybersecure port facilities. And from seas of office space requiring employees with top-secret clearance to the Blue Ridge Mountains’ endless waves of evergreens.

Of course, it’s not just the usual suspects of critical infrastructure and natural resources that are vulnerable to attacks, both malicious and otherwise. It’s every piece and part: the information technology and networks they run on, and any random Internet of Things (IoT) component installed in a dizzying array of systems ranging from air traffic control to water treatment.

The Port of Virginia is known as America’s Most Modern Gateway, in part because of its heavily automated operations. Advances in connected operational technology at the port lead to increased productivity, but also provide a target for cyberattacks.

“The underlying theme is that we need cybersecurity on all of these data feeds,” Ihrie said.

That need extends beyond the public sector into all manner of critical infrastructure across Virginia’s factories. Any piece of connected technology that is relied on for continuous operation is a potential target, with companies standing to lose out on significant amounts of production and revenue if operations are compromised.

Manufacturing now sees the most cyberattacks of any industry, comprising more than a quarter of security incidents in 2023, according to IBM X-Force’s 2024 Threat Intelligence Report. Aberdeen Research data indicates that unplanned downtime can cost a manufacturing company more than $250,000 an hour.

Protecting Land, Sky, and Sea 

Ihrie’s responsibilities at VIPC include Smart City IoT Innovation (SCITI) Labs, where he splits his time between emergency management functions and U.S. Department of Homeland Security missions, which can overlap into a federal and state focus.

SCITI Labs was designed to bring together federal agencies and private sector companies pinpointing new and existing technology that meets the operational needs of first responders while enhancing commercial buildings.

SCITI’s work includes supporting environments as diverse as Washington, D.C.’s Capital One Arena and remote forests, where it has built and distributed smart wildfire sensors that now are detecting wildfire ignitions as much as 30 minutes before emergency calls arrive.

One of the key differentiators between legacy smart tech and the new equipment SCITI has been championing is that the latter is being built on zero-trust architecture, which operates under the premise that no user or device should be trusted by default.

“We think we’ll be the first ones to do that — zero-trust for data feeds on distributed devices,” Ihrie said of VIPC’s current collaboration with private companies. “Our role is really to experiment and pilot early-stage technology.”

That’s out in the woods, in stacks of cubicles, among racks of servers, and even with actual pilots.

Ihrie’s eyes are also on the skies — the low-altitude space that drones frequent. Even as a hobbyist’s delight, drones represent tiny but not insignificant potential intrusions into regulated airspace.

Ihrie found this out when deploying a trailer-mounted sensor to detect low-level flight activity, running a roadshow of sorts monitoring the areas surrounding the Commonwealth’s airports. In Richmond alone, expecting to detect a couple dozen flights, they picked up on 500 drones.

Now he’s leading the effort to build a real-time picture of everything flying under the radar in Virginia.

“We think that’s a responsibility for the Commonwealth to provide an authoritative feed of what’s flying under 1,000 feet,” Ihrie said. “No one else has been able to do that.”

It’s a capability that’s already been deployed in Stafford County, having been adopted as one of the county’s baseline cybersecurity standards and run by the Virginia Department of Aviation.

Securing Virginia’s Vital Logistics Infrastructure 

Another critical infrastructure asset is The Port of Virginia, which operates numerous facilities around Norfolk Harbor in the Hampton Roads region, along with the Richmond Marine Terminal on the James River and the Virginia Inland Port in Warren County. As one might imagine, containers of retail goods, coal shipments, and marble countertops aren’t all that’s arriving at the East Coast’s second-largest port.

“We have seen several companies in the shipping, logistics, and global supply chain industry faced with costly attacks that impact everything from reputation to finances,” said Joseph Harris, a spokesperson from the port. “Our goals, simply put, are to constantly evolve our defenses, be prepared, and avoid becoming a victim.”

The port’s approach to thwarting such attacks, including cyber threats, includes using its experienced in-house information team, reputable private contractors, and federal and state law enforcement professionals to both monitor threats and build a better understanding of how best to combat them. Specific tactics include required online monthly training sessions for the entire port team, specialized “sweeps” of new equipment, and constant testing of existing security measures. Regular communication among the port’s users, equipment manufacturers, law enforcement, and the industry is also critical to maintaining a secure environment.

A Shift in Thinking 

Similar to Ihrie, Costa’s manifold roles and perspectives enable him to see cybersecurity as far more than a one-size-fits-all problem or solution.

“Cyber education in general has to be planned in such a way that you understand your target population,” he said. “Otherwise you can’t reach them.”

In other words, a computer scientist and a mechanical engineer are going to see things very differently. And when they don’t all have a seat at the table when building a new system, Costa said, you end up with a “Frankenstein”: born of siloed thinking and piecemeal construction, rife with vulnerabilities, and complicated by the reality that many IoT components were never designed to be upgraded.

But Virginia nonetheless is making progress, Costa said, with most larger enterprises and government agencies quickly understanding the need to lead the development of new systems with cybersecurity at the forefront.

Locking the Door 

Here’s the strange parallel between cyber intrusions, from malware to ransomware, and the countermeasures being deployed specifically to disarm the threats. It’s almost insignificant at first. And then momentum builds.

“The first compromise can be very small and then they grow from that,” Costa said of typical intrusions he researches. “It can be months before companies know they’re compromised.”

Similarly, defensive efforts can add up exponentially. But it requires that “A-ha” moment, an awareness that can make a stakeholder as vulnerable as a system.

“If you don’t see the problem, you don’t need a solution,” Costa added.

At VIPC, Ihrie is looking years down the road, primarily at defense and aerospace security. He and his colleagues are also looking to leverage the progress that the private sector is making.

“Are there places where there’s interesting entrepreneurial activity in a future-looking technology where we can do something to move the needle?” he asked.

Virginia’s critical infrastructure is by and large a hardened fortress built on best practices and the talents of one of the most forward-thinking workforces in the nation. But more than that, it’s gaining ground when it comes to hardening its critical infrastructure out of the gate, embracing a cyber-first development approach to systems and solutions.

“The future is taking cybersecurity awareness to a different level,” Costa said.
