Season 1 – Episode 47 – Critical Infrastructure and College Campuses
Colleges and universities in the United States are considered critical infrastructure, falling under the government facilities sector as one of eighteen sectors established by Homeland Security Presidential Directive 7 (HSPD-7). In 2018, the U.S. Department of Homeland Security created the Cybersecurity and Infrastructure Security Agency (CISA) to better address cybersecurity and critical infrastructure together. Recognizing educational institutions as critical infrastructure enables them to receive increased federal funding for security training, expertise, and support, safeguarding them against potential physical and cyber attacks in the future.
Episode Transcript
Click to expand/collapse
Darren Gaddis: From CITI Program, I’m Darren Gaddis, and this is On Campus. Today, critical infrastructure, how it impacts a college campus, and how critical infrastructure and cybersecurity can overlap on campuses. I spoke with Kristina Cone, critical infrastructure and emergency management consultant who has local, state, and federal experience working with multiple sectors including public health, higher education institutions, and law enforcement agencies. As a reminder, this podcast is for educational purposes only. It is not intended to provide legal advice or guidance. You should consult with your organization’s attorneys if you have questions or concerns about relevant laws and regulations discussed in this podcast. Additionally, the views expressed in this podcast are solely those of the guests and do not represent the views of their employers. Hi, Kristina, thank you for joining me today.
Kristina Cone: Hi, Darren, thanks for having me.
Darren Gaddis: To get us started today, would you mind telling our audience a little bit about your background and professional experience?
Kristina Cone: Thank you again for having me, Darren. I started my career in 2015 with the Florida Department of Law Enforcement in domestic security. I was a planner and coordinator for the North Florida Regional Domestic Security Task Force where I deployed as a law enforcement civilian role for over 20 natural disasters, mostly hurricanes, and also for active shooter incidents and civil unrest events. I got my master’s in emergency management and crisis management and most recently have worked as a critical infrastructure specialist at the Department of Homeland Security, Cybersecurity, and Infrastructure Security Agency. I am now working independently on critical infrastructure and emergency management.
Darren Gaddis: Our conversation today is all about critical infrastructure on college campuses. To get us started, broadly speaking, what is critical infrastructure?
Kristina Cone: In the United States, the Congress identifies critical infrastructure under Presidential Policy Directive 21. Critical infrastructures are assets, systems, or networks, both physical and virtual, that are considered vital to the United States that their destruction or incapacitation would have a debilitating effect on economic security, public health or safety or any combination thereof.
Darren Gaddis: With this definition in mind, could you provide us with a few examples of critical infrastructure on college campuses?
Kristina Cone: Yes, that’s an excellent question. There are 16 critical infrastructures defined under the Department of Homeland Security, Cybersecurity, and Infrastructure Security Agency. Campuses, exclusively college campuses, fall under the government facility sector. Some examples on a campus may identify as their entity specific critical infrastructure are server rooms, office of the president, the police department, the main lecture hall if they have one, if they have a dispatch for their law enforcement, or they have a gymnasium that they have all their gatherings at. And it depends on the facility on the campus, which facilities they identify as being critical to their campus.
Darren Gaddis: Knowing what would be considered to be critical infrastructure on a college campus, why should college campus communities be concerned about their critical infrastructure?
Kristina Cone: Critical infrastructure is important to keep the campus running smoothly and safely in day-to-day operations. There are two types of infrastructure, there’s physical and cyber. Campuses are interconnected with both the physical and cyber in identifying, understanding, and analyzing dependencies and interdependencies, allows a campus to be more prepared and resilient against both physical and cyber attacks. Some examples of dependencies are electricity, water, natural gas, information technology, and telecommunications. The college needs these to function their infrastructure. And if these are disrupted, so are their operations. These assets are often targeted because they offer unique services. They may perform sensitive functions, they may contain irreplaceable artifacts or have some sort of value symbolically. To minimize this vulnerability, they must incorporate risk management due to this high profile nature of campuses.
Darren Gaddis: And with this information, how can colleges protect their critical infrastructure?
Kristina Cone: There are tools and trainings out there for colleges to utilize. Some things you can do to protect critical infrastructure are add access controls, implement policies and procedures on how these access controls operate, establish and implement any anti-phishing program, have vulnerability scans done on your systems and networks. Implementing annual refresher trainings like active shooter, cybersecurity awareness, are both beneficial to help bring awareness to the faculty on protecting their critical infrastructure. Another measure you can add is multi-factor authentication. You can also read through www.cisa.gov. It’ll give campuses more information on Presidential Policy Directive 21. The critical infrastructure sectors are all listed on there as well as the education sub-sector. They have cyber awareness fact sheets as well as a link to request a cybersecurity advisor that works in their area. You can work with local emergency management. And there are also consulting companies available that focus on cybersecurity and critical infrastructure that can help your campus.
Darren Gaddis: Now knowing how institutions are best able to protect themselves and their critical infrastructure, what are some examples of incidents that have had an effect on college campuses in recent years?
Kristina Cone: During the pandemic, schools saw an increase in cyber attacks due to the significant increase in transitioning to virtual learning. And then depending on the location will depend on different types of disasters that can disrupt the operations of campuses, such as on the East Coast you have hurricanes or on the West Coast you have wildfires. These types of incidents such as a hurricane on the East Coast would require a school to close down its operations and evacuation of students, faculty, and staff. So then you must also account for the safety of your faculty and staff.
Darren Gaddis: Having more information on types of incidents which impact a college campus, what role do administrators, faculty and staff play in protecting critical infrastructure on their campus?
Kristina Cone: The end users, which on college campuses are the faculty and staff, are key to ensuring that policies and procedures and best practices are followed. Faculty should ensure their computers stay updated. They use strong passwords, use good cyber hygiene practices, and report anything suspicious to campus police or the local authorities. Another key component is for the campus to have standard operating policies and procedures in place. Have the faculty and staff train and exercise the plans and review them annually, adding to or making changes if needed. Campuses should have anti-phishing software installed and have vulnerability scans performed regularly on their systems and networks. Something else that is important for campuses to do to protect their infrastructure is implementing interactive virtual and in-person trainings on cyber awareness, cyber hygiene, and suspicious activity and key identifiers, and even active shooter training like the run, hide, fight method. Lastly, putting up posters with contact information for students or visitors to report suspicious activity will also help college campuses to keep their campus safe.
Darren Gaddis: Kristina, knowing all this information, what else should we know about critical infrastructure in college campuses?
Kristina Cone: Stuff will happen. There is no way to be 100% protective 24/7. But being proactive versus reactive and having preventative measures in place and having your staff and faculty trained and prepared will help to strengthen the disruption of everyday operations on your campus. As information technology becomes more and more integrated with all aspects and functions, not only the functioning of the facilities but also in our daily lives, we must be vigilant because there is an increased risk for wide scale or high consequence events that would impact thousands of people.
Education on cybersecurity is key for you and your college campus. Remember, if you see something, say something. Remembering cyber and physical security have many similarities and overlap. They must also be looked at separately. You can read CISA’s website for more information, and interactive training, and contact for advisors in your area, as well as reporting ransomware activity. SchoolSafety.gov is another resource the federal government launched in 2020 as a collaborative effort to serve as a one-stop access point for information, resource, guidance, and evidence-based practices on a range of school safety topics and threats.
If a physical or cybersecurity event does occur at your college campus, you will work with several different outside agencies that may include the FBI, the Department of Homeland Security, state and local law enforcement, or local emergency management, just to name a few. Getting to know your partners before an event occurs will help your college campus transition from the response phase to the recovery phase quicker and more smoothly so you can resume day-to-day operations as soon as possible. Different states have different legislation in place. Work with your state Department of Education to know more about what they have in place for both cyber and physical attacks and what resources they can provide to your college.
Darren Gaddis: Kristina, thank you for joining me today.
Kristina Cone: Thank you so much for having me, Darren.
Darren Gaddis: Be sure to follow, like, and subscribe to On Campus with CITI Program to stay in the know. If you enjoyed this podcast, you may also be interested in other podcasts from CITI Program, including On Research and On Tech Ethics. You can listen to all of our podcasts on Apple Podcasts, Spotify, and other streaming services. I also invite you to review our content offerings regularly as we are continually adding new courses, subscriptions, and webinars that may be of interest to you, like CITI Program’s Information Security course.
How to Listen and Subscribe to the Podcast
You can find On Campus with CITI Program available from several of the most popular podcast services. Subscribe on your favorite platform to receive updates when episodes are newly released. You can also subscribe to this podcast, by pasting “https://feeds.buzzsprout.com/1896915.rss” into your your podcast apps.
Recent Episodes
- Episode 46: Biden-Harris Title IX Proposed Rule Change
- Episode 45: Developmental Educations Reforms
- Episode 44: LGBTQIA+ Individuals in Higher Education
- Episode 43: Student Housing, Resource, and Partnerships
- Episode 42: Housing Options for Students Today
Meet the Guest
Kristina Cone, MS – Consultant
Kristina has a Masters Degree from University of Central Florida in Emergency and Crisis Management and over a decade in State and Federal government experience in domestic security and emergency management.
Meet the Host
Darren Gaddis, Host, On Campus Podcast – CITI Program
He is the host of the CITI Program’s higher education podcast. Mr. Gaddis received his BA from University of North Florida, MA from The George Washington University, and is currently a doctoral student at Florida State University.