With prestigious NSF grant, Li aims to protect the power grid

For most people, seeing a notification it’s time to update the software on a cell phone or computer is no big deal.

It’s easy to ignore, and many of us are guilty of letting that notification bubble linger perhaps a bit too long.

For Qinghua Li, assistant professor of computer science and computer engineering, and the utility companies he works with, software patches are a very, very big deal.

It’s so important, in fact, that Li has received one of the National Science Foundation’s most prestigious grants for early career faculty members to make the patching process more efficient for companies.

Li has received the NSF’s Faculty Early Career Development Program Award, known colloquially as a CAREER Award, which is described by the NSF as the organization’s “most prestigious awards in support of early-career faculty who have the potential to serve as academic role models in research and education and to lead advances in the mission of their department or organization.”

Li will receive $427,600 over five years to develop an automated system to improve cyber security patching in utility companies. Protecting the nation’s power grid is a critical, multi-faceted project, and much of it centers on the software that operates the systems.

"Currently, you’ve got these patches where employees spend hours, days, or even weeks, analyzing whether they need to be implemented. An automated process could do it in seconds, and employees could start applying the fixes sooner."

A never-ending threat

Utility companies spend a lot of time and resources keeping their cybersecurity systems up to date, Li said, and it’s a never-ending task.

As hackers look for new ways to break into security systems, companies develop new methods for keeping them out. Those updates are known as patches, and once a security vulnerability in the system is found, a patch is usually needed to fix it. And it happens a lot.

“Thousands of new vulnerabilities arise monthly,” Li said. “Patch management is the foremost security task at utility companies – they work on it daily.”

But not all patches are created equal. Depending on the severity of the vulnerability, patch installation has to be prioritized, so security teams must spend time analyzing which patches should be installed, and when.

It eats up a tremendous amount of time for security personnel, and the stakes are high to get it right.

If that’s not pressure enough, utility companies face an added complication. Because the services utility companies provide are so crucial, security teams can’t just shut down the system to install patches any time they want, Li said.

“It must be scheduled out very carefully,” he said. “And if you can’t do them right away, you have to develop mitigation plans, you have to analyze how to deal with each vulnerability.”

The first fix

The constant cycle of detecting, analyzing and patching security systems has long been a problem for utility companies, and is likely familiar to any company with an outwardly-accessible network.

And yet, no research has looked closely at ways to improve the cycle that involves a lot of manual analysis – until now.

Li’s research proposes an automated system that can analyze security patches.

Human teams would still handle the implementation, but reducing the time between detection of a vulnerability and implementation of a patch could be a game-changer, especially in the utility industry.

“Currently, you’ve got these patches where employees spend hours, days, or even weeks, analyzing whether they need to be implemented,” Li said. “An automated process could do it in seconds, and employees could start applying the fixes sooner.”

For utility companies, the timing of Li’s research coincides with a major regulatory change.

In 2017, the North American Electrical Reliability Corporation, a body that regulates utility companies, mandated that companies must address every new patch within 35 days.

“That sounds like a long time, but it’s really not,” Li said. Because so many vulnerabilities and patches emerge every month, the complexity of analyzing each of them, and the limited security personnel in most utilities, that timeframe is putting a major crunch on utility companies in Arkansas and across the nation, he said.

And when it comes to scheduling patch installation, the stakes are high.

“Vulnerabilities are there whether you address them or not,” Li said. “The longer you go without addressing them, the bigger the risk of your system being exploited by hackers.”

Li said the process described in his CAREER proposal is a first.

“This will have a big impact for electric utilities. We’ve known about this problem for a long time, but nobody has ever thought about how to help – this is the first tool to automate the patching analysis process,” he said. “This could generate some technology that could really change the world.”

"Vulnerabilities are there whether you address them or not. The longer you go without addressing them, the bigger the risk of your system being exploited by hackers."

Educational outreach

Like all CAREER awards, Li’s proposal includes an educational component. Funding from the award will support a Ph.D. student who will help carry out Li’s research, and Li said he’s also planning to develop a new course at the University of Arkansas.

The new course will be focused on security vulnerability and patch management, and Li said he believes it is the first course of its kind not only at the U of A, but in the nation.

“This is an increasingly important field,” Li said, “not just in utility sectors, but in all critical infrastructures and companies with IT needs. This course will produce students who are prepared to enter that world with a specific set of skills that can be applied immediately.”

Beyond that, a portion of Li’s grant award will go toward promoting the study of cybersecurity to high school students in Arkansas, he said.

Li also plans to develop a multi-day training course based around the automated vulnerability and patch management technology that can be taught to current security operators in electric utilities.

“This will help our tool be adopted more broadly, and will help ensure this research is going toward something applicable,” Li said.

A collaborative environment

Li credits the collaborative environment within the College of Engineering for positioning him for success.

“The collaboration, especially between computer science and computer engineering and electrical engineering, and within the Cybersecurity Center for Secure, Evolvable Energy Delivery Systems (SEEDS), helped me build part of the background supporting this award,” Li said. “Collaboration between disciplines is working for me.”