At the MIT Cybersecurity Clinic, we work with cities and towns, particularly in New England, to help them reduce their vulnerability to cyberattacks. Our approach is to work directly with public agencies or elected officials to assess their vulnerabilities and suggest low-cost improvements they can make. We believe that having an assessment of the status-quo is the first step in figuring out a plan of action that will prevent unwanted incidents. Teams from the Clinic typically work with public agency clients for two months to gather and analyze relevant information.
There is no cost for these services.
If you think we might be of help, please do not hesitate to contact Professor Larry Susskind (susskind@mit.edu) for further information.
We are a group of MIT faculty, students, and researchers helping public agencies defend themselves against cyber attacks by using an approach called Defensive Social Engineering (DSE). Cyber defenders can use DSE along with other technical tools to defeat or compromise attackers. The MIT Cybersecurity Clinic works with the IT staff and cybersecurity specialists in public agencies, along with managers of critical urban infrastructures, to help assess their vulnerabilities. We also offer various training opportunities, including a 4-week online training program open to anyone for free: MITx Cybersecurity for Critical Urban Infrastructure on edX, and a role-play simulation exercise: Save Fairport. MIT, Harvard, and Wellesley students interested in registering for the Cybersecurity Clinic (for credit or otherwise), please visit 11.274/11.074 for more information.
The Online Course | The Clinic |
The class Cybersecurity for Critical Urban Infrastructure is available to anyone who is interested, around the world. It is self-paced, and structured in four 2-hour educational modules offered on edX by MIT, that culminate in an optional certification exam that can be used to verify your completion of the material. Read more about the course here. | The Cybersecurity Clinic (11.274/11.074) is available to any registered MIT, Harvard, or Wellesley student. The first four weeks consist of the aforementioned four modules + certification exam, and the rest of the semester involves working with a team of classmates to perform a Cyberattack Vulnerability Assessment on a real client. Read more about the clinic here. |
This 2-hour interactive experience allows city officials and community members alike to learn what it takes to combat cyberattacks. The scenario:
“Last week the City of Fairport suffered a debilitating ransomware attack, which focused on the city’s water systems. Lack of a structured response and other systemic issues led to the discovery of significant safety hazards. The Mayor, who is running for re-election, needs to act quickly and decisively to demonstrate that she is addressing the security and safety threats. The Mayor has convened a group of city, state, and federal leadership to design a policy strategy and budget.”
Working in a team of eight, the members of this group must come to a decision about how to address and solve this problem. With individual agendas, a limited budget, and the constant pressure of the time winding down, reaching consensus won’t be easy; but, it is sure to build the understanding and skills of the participants.
Download the roleplay simulation today on iDecision Games.
In these short videos you will hear firsthand accounts of recent cyberattacks in the words of city employees, police officers, and media reporters. These videos are available to watch for free. They were prepared by the MIT Cybersecurity Clinic and Reelife Documentary Productions.
&THE OLDSMAR CYBERATTACKOn February 5, 2021, a water treatment plant employee in Oldsmar, Florida noticed his mouse cursor moving strangely on his computer screen. At first, he thought it was nothing because they use remote-access software. Later, the mouse moved again to adjust the allowable level of sodium hydroxide (a disinfectant used to clean the water). Although the intrusion only lasted between three and five minutes, it took five and a half hours for the staff to notice the change to dangerous allowable levels. The plant has since disabled its remote-access system. This breach highlights the serious impacts hackers can have on utilities and critical infrastructure, potentially harming thousands of people.
Watch the video here.
THE WASHINGTON DC CYBERATTACKIn April 2021, hackers broke into the Washington, D.C. Metropolitan Police Department (MPD) computers, locked up the files and demanded $4 million in ransom. The group responsible is known as Babuk. They started leaking data just before the MPD confirmed it had suffered an attack. The leaks included financial and marriage histories of officers, social security numbers and other confidential information. Babuk claims they were offered $100,000, but the police department has not confirmed whether it agreed to pay any ransom.
Watch the video here.
THE COLONIAL PIPELINE ATTACKIn May 2021, one of the largest refined fuel pipelines in the United States, the Colonial Pipeline, experienced a cyberattack that shut down fuel delivery from the Gulf coast to the East coast. The U.S. government including CISA at the Department of Homeland Security and the FBI strongly recommended against paying the ransom demanded by the hackers. Concerned about operational safety and getting the pipeline back up and running the company decided to pay the ransom. The group responsible is known as the Darkside group.
Watch the video here.