Dear Penn State faculty, staff and students,
Today (May 15), University leadership announced that our College of Engineering has been the target of two highly sophisticated cyberattacks. In a coordinated and deliberate response by Penn State, the college’s computer network has been disconnected from the Internet and a large-scale operation to securely recover all systems is underway. Our experts expect the network to be back up and running in several days.
While disruptions related to our coordinated recovery will largely be limited to the College of Engineering in the coming days, I feel it is important to reach out to all of you directly. Moving forward, we all will need to take additional steps to protect ourselves, our identities and our information from a new global wave of cybercrime and cyberespionage. As we have seen in the news over the past two years, well-funded and highly skilled cyber criminals have become brazen in their attacks on a wide range of businesses and government agencies, likely in search of sensitive information and intellectual property.
I encourage all College of Engineering faculty, staff and students to visit http://SecurePennState.psu.edu/ for the latest information about steps they will need to take as the college recovers from the attack. This website also includes general information for all members of the Penn State community, including steps that all can take to safeguard their critical information, above and beyond the protections that already are in place.
What has happened
On Nov. 21, 2014, Penn State was alerted by the Federal Bureau of Investigation (FBI) to a cyber attack of unknown origin and scope on the College of Engineering network by an outside entity. As soon as the University became aware of the alleged attack, top administrative leadership and experts from Penn State Security Operations and Services, in close coordination with third-party security experts, began working immediately to identify the nature of the possible attack and to take appropriate action. An intensive investigation has been conducted across the College of Engineering computer network and other mission-critical areas of the University since that time.
In order to protect the college’s network infrastructure as well as critical research data from a malicious attack, it was important that the attackers remained unaware of our efforts to investigate and prepare for a full-scale remediation. Any abnormal action by individual users could have induced additional unwelcome activity, potentially making the situation even worse.
This is an incredibly serious situation, and we are devoting all necessary resources to help the college recover as quickly as possible; minimize the disruption and inconvenience to engineering faculty, staff and students; and to harden Penn State’s networks against this constantly evolving threat.
In conjunction with the conclusion of the internal investigation, University officials are now in the process of notifying about 18,000 individuals whose personally identifiable information (primarily Social Security numbers) was discovered in files that were stored on several affected machines in the College of Engineering. Penn State’s Office of the Vice President for Research also is notifying public and private research partners who have executed contracts with College of Engineering faculty since September 2012, the earliest known date of compromise.
While there is no direct evidence that research data or personally identifiable information (such as Social Security or credit card numbers) have been stolen, investigators do have direct evidence that a number of College of Engineering-issued usernames and passwords have been compromised. While investigators have found that only a small number of these accounts have been used by the attackers to access the network, as a precaution and beginning immediately, all College of Engineering faculty and staff at University Park, as well as students at all Penn State campuses who recently have taken at least one engineering course, will be required to choose new passwords for their Penn State access accounts.
Engineering faculty and staff also will need to choose new passwords for their college-issued access accounts, and faculty and staff who wish to access college resources remotely via a VPN connection will be required to sign up for two-factor authentication. For detailed information about these changes, visit http://SecurePennState.psu.edu/.
At Penn State, our strong information security protocols and practices help us to repel more than 22 million hostile cyberattacks from around the world every day. That said, in this particular case we are dealing with the highest level of sophistication. Unfortunately, we now live in an environment where no computer network can ever be completely, 100 percent secure, but there are steps we all can take to better defend ourselves against this new kind of threat.
Our path forward
In several days, our College of Engineering will emerge from this unprecedented attack with a stouter security posture, and faculty, staff and students in the college will need to learn to work under new and stricter computer security protocols. More details about this new computing landscape for engineering faculty, staff and students, and the steps they will need to take as part of the recovery process, is available at http://SecurePennState.psu.edu/.
In addition, and in light of these new and ongoing threats against large organizations around the world, we are launching a comprehensive review of all related IT security practices and procedures at Penn State. As this review takes place, we will keep in mind our intrinsic need as a university to maintain an open environment for learning and collaboration, while at the same time acknowledging the need to further strengthen our security posture to marginalize cybercrime.
What you can do
In the coming months, significant changes in IT security protocols will be rolled out across the University, and all of us as Penn Staters will need to change the way we operate in the face of these new and significant challenges. University leaders are developing a detailed plan that will include even more robust monitoring for malicious activity across Penn State. Over time, individual users also will see changes including the implementation two-factor authentication on major university systems, stronger password management practices, and enhancements to system and software administration.
To our faculty, staff and students in the College of Engineering: I ask for your understanding and flexibility as recovery takes place over the next few days. There will be unavoidable disruptions to your normal flow during this time, though plans are in place to allow you to continue in as much of your good work as possible.
This new threat must be faced head-on, not just by Penn State but by every large university, business and government the world over. This is a new era in the digital age, one that will require even greater vigilance from everyone.
Eric J. BarronPresident, Penn State