A lack of communication between Michigan State University’s physics and astronomy department and the school’s central IT operation contributed to a 2020 ransomware attack that cost the university more than $1 million to recover from, according to recent research by a National Science Foundation-supported group.
Trusted CI, which is part of the NSF’s Cyberinfrastructure Centers of Excellence program, explained in a webinar Monday that Michigan State’s central IT employees faulted the physics department for not patching a VPN, which allowed the NetWalker malware to infect its systems and destroy more than a year’s worth of research. But the department’s internal IT team, which is separate from the campuswide IT team, said that lapse occurred because they lacked the resources and direction from the main office.
Trusted CI concluded the two teams failed to set up a “key dialogue” through which the physics department could use some of the main IT office’s cybersecurity tools, like vulnerability scanning and intrusion detection.
The webinar followed an Aug. 1 report by Trusted CI and Michigan State, focusing on a growing issue in higher-education cybersecurity: how to balance individual departments’ IT teams with campuswide operations without losing sight of big-picture threats.
Michigan State centralized most of its IT operations years before the 2020 incident, but the physics department opted to maintain its own tech infrastructure at the time, Tom Siu, the school’s chief information security officer, said during the webinar.
“What I think this incident has proven is that it’s not so much about sensitive information, although that was affected in this particular case,” said Siu, who was hired last fall, after the ransomware episode. “You have to look at the whole program now. Researchers need to know that your information security team and your CISO and the like have a broader problem because they are dealing with a larger scale of security threats than you see. So the idea is to not let any gaps occur between the distributed teams, as well as your security team.”
In the months since the ransomware incident, more academic departments, including physics, have consolidated with the central IT operation, Siu said. Running VPNs through the university’s main IT infrastructure and becoming part of its central active directory offer more uniform protections, including multi-factor authentication and restricted user access, he said.
Von Welch, director of Indiana University’s Center for Applied Cybersecurity Research and an author of the case study, said during the webinar that a department choosing to work independently is “more rule than the exception” in higher education.
“We can have debates about the level of autonomy that departments should it have, but there will be be some level of autonomy,” Welch said. “What I have found to be instrumental here is the careful balancing of carrot and stick. So, on one hand, we want to make sure that departments fully understand the risks that they are taking on when they go it alone, and then also recognize their autonomy to go ahead to accept those risks. When they do it, they may have some services that are just so core to their particular model that they deem those risks to be worth it.”
The Trusted CI study was also conducted to show the effects of a ransomware attack on a research organization and the importance of cybersecurity professionals communicating with researchers. The NetWalker ransomware weaponized personal information that malicious actors found in a physics department directory, which also contained research data.
“There’s no evidence NetWalker knew they had research data,” the case study reads. “They either didn’t care if they had research data or were simply unaware, but that didn’t prevent them from having a serious impact on MSU’s research productivity.”
Welch added that the case study is not intended to criticize Michigan State, and he credited the university for being transparent about the attack so others can learn from it.