While workers at a water treatment facility keep their plant operating, a hacker has infiltrated the system, increasing chlorine levels to render the drinking supply lethal.
The workers have to take quick action to keep the tainted water out of the public system while warning of the possible dangers.
It’s all happening inside a case that’s the size of a steamer trunk, with a Virginia Military Institute cadet wearing virtual reality goggles and tasked with thwarting the simulated attack.
The scenario in a VMI lab is based on true events — multiple documented hacks into water treatment and other infrastructure systems in recent years, particularly a nearly successful Florida attack in 2021 that was meant to sicken a small town.
The exercise, using cadet-built equipment, is part of a range of simulation devices that VMI professor Mohamed Azab calls “smart cities in a box.” Seed funding for this and multiple projects on campus comes from the Commonwealth Cyber Initiative, Virginia’s official hub for cybersecurity research, innovation and commercialization. Millions of dollars in funding and research partnerships flow from the initiative known as CCI.
[What is CCI? Jump to the end of the story to read more about the initiative.]
VMI has plenty of disciplined, intelligent cadets, but the school is not among the nation’s 187 Carnegie Commission on Higher Education-classified R1 research institutions, like Virginia Tech, the University of Virginia’s Charlottesville campus, George Mason University, William & Mary, Old Dominion University and Virginia Commonwealth University. That makes funding harder to come by, Azab said.
But CCI counts 46 colleges and universities among those doing cybersecurity work, including at least 15 in Southwest and Southside Virginia, according to a report detailing five years of the initiative. Dollars flow to projects at all of them.
“It’s a very, very useful seed fund here in Virginia, especially for institutions of our size,” said Azab, one of more than 300 affiliated faculty statewide. “We are not an R1 Institute, so it’s not so easy for us to acquire funding unless you have a mature idea, and that mature idea needs some sort of seeding, and this is where CCI funding really helps.”
This article examines a few of the many CCI-related cybersecurity initiatives happening at several schools in the region: VMI, Virginia Tech, Radford University, Virginia Western Community College and the University of Virginia’s College at Wise.
VMI: Building virtual situations, gaining real-world experience
VMI cadets, along with postgraduate degree candidates and Lexington-area high school students, have joined forces over the past few years to help build the simulator boxes used for cybersecurity experimentation and attack-defense scenarios, Azab said.
The boxes include micro embedded computers that control the goings-on but can be breached. Cadets started with a smart house, and moved on to other projects that include the multi-stage water treatment facility. It took about three years to build it, mimicking industry standards.
Cadet Trenton Watkins was there from the beginning. He was still a rat (a freshman, in military school parlance) whose upper-class mentor was part of Azab’s group.
“We developed a digital twin that mimics a real-life water treatment facility that users are able to interact with and learn how cyber attacks work on facilities and how they can differ with certain situations,” said Watkins, of Bristol.
“So we developed it as an educational tool, because critical infrastructure like water treatment is becoming more online and using more internet communications with their at-home systems, monitoring systems, so that opens a larger field for hacking capabilities for very bad people to get a hold of our water control, and that’s something we need on a daily basis.”
The idea is for the cadets to learn while developing such systems, then share their knowledge with people working in the field.
“I got working on this about halfway through my rat year, and stuck with it ’til were able to get it working and publish papers on it and kind of present it to the world,” said Watkins, who plans to get into cyber software engineering.
Among the simulator’s lessons: Human expertise remains key. In the event that a hacker manipulates gauges, preventing them from showing a dangerous chlorine increase, for instance, a worker needs to rely on senses of sight and smell, Azab said.
“Humans, while we are actually usually the weakest link in the loop and we are also always the easiest point for attackers to attack a system, we are also a very useful defense tool, right?” Azab said. “So it’s your experience. As an experienced person who worked in this facility for years, when you smell the chlorine, you will detect that there is something wrong. Yes, the meters on your screen are showing that everything is fine, but you know that there is something wrong.”
Elsewhere at VMI’s computer and information sciences department, a project called NetSense won the CCI Tech Innovation Award in 2023, said another computer science professor, Sherif Abdelhamid.
Netsense can predict the spread of malicious behaviors and viruses on communication networks, said Abdelhamid, who led a group of cadets on the project and established a limited liability company for it in Virginia.
UVA Wise: Spreading security plans to local institutions, businesses
Back in olden times, outlaws looking for cash grabs would put on masks, enter a bank, pull out their guns and rob the place. Violence was not out of the question.
That still happens today, but there are more efficient, less deadly ways to get at the loot. Malware, ransomware, data skimming, transaction fraud, data breaches, phishing attacks and more are likely and disruptive.
A group of students from the University of Virginia’s College at Wise used a CCI grant to analyze all the cybersecurity possibilities for a local bank, along with a county courthouse and a vineyard.
It was one of multiple ways that UVA Wise students, with professors to guide them, have gained real-world knowledge while informing the college community on cybersecurity issues.
Karen Carter, associate professor of information systems in the college’s math and computer sciences department, said the project involved 10 students. They assessed the regionally owned Farmers and Miners Bank, the Wise County and City of Norton Circuit Court clerk’s office and MountainRose Vineyard.
Two of the three students who conducted that late 2024 assessment have since moved on to postgraduate studies.
Kaylee Scarce is pursuing postgraduate work at Newcastle University, in the United Kingdom. Noah Sturgill is at Emory University, in Atlanta, studying for a Ph.D. in computer science and informatics, specializing in large language models.
“I didn’t know they were the cream of the crop, but they did a fantastic job on the project, and they were just very knowledgeable, and you could tell that they had done their research, in the questions they asked and so forth,” said Shawn Moore, executive vice president and chief operations officer at the Pennington Gap bank, which has branches in Wise, Lee, Dickenson and Scott counties.
So learning that two of them were pursuing high-level postgraduate degrees “does not surprise me a bit,” he added.
“From the bank’s perspective, it was still very helpful from our side, even though maybe it didn’t give us something new,” Moore said. “It’s always good to take another look under the covers at everything that you’re doing.”
MountainRose Vineyard’s Suzanne Lawson said the business had a good experience with the students, who delivered a great presentation.
“Well, there were several areas they felt like we could improve on,” Lawson said. “And some of those we have worked on, and I’ll be honest, some of them we haven’t, just because we don’t have staff to work on it.”
Sturgill, who participated in the vineyard’s risk assessment as well, had associate degrees in cybersecurity, computer science and general studies from Mountain Empire Community College, near Big Stone Gap, before enrolling at UVA Wise to get his bachelor’s degree in computer software engineering.
“I came in with a bit more of a background than most students,” said Sturgill, a Wise native. “For me, personally, it was really an application of a lot of the things which I had previously learned.”
The assessments project was among three that were fully or partly CCI-funded, he said.
“I thought everything involved with it was very interesting, and it likely, at least partially, bolstered my resume to end up where I’m currently at,” he said.
Carter, who with her husband farms black angus cattle and nubian goats, used her agricultural experience on another CCI-funded project. She and a colleague at UVA Wise did an assessment of Southwest Virginia farmers’ knowledge and needs in agricultural cybersecurity.
“We determined that there was very little training going on within those counties and that there was a need to have more discussions with the farmers” about using and protecting data related to breeding, tracking, medication, meat quality, fertilizer use and more, Carter said.
Two of Carter’s colleagues, financial accounting instructor Ning Zhou and Gurkan Akalin, chair of the Department of Business and Economics, are working on a new project fueled by a $60,000 grant they received last summer. They are working beyond the community boundaries to survey auditors who do remote work on their cybersecurity preparedness.
About one-third of the grant has gone toward questioning between 350 and 400 auditors. Zhou and Akalin have published two papers on using advanced AI systems known as large language models to analyze threat intelligence in remote auditing. A big early answer: For now, LLMs’ work is “fuzzy,” Akalin said.
“You ask one question, you get two answers at the same time,” he said. “OK, so if you get two answers, that’s not good for accounting, that’s not good for auditing. You just have to have one clear answer that is backed up.
“So we’re just going a step beyond, not just saying that LLMs are not good, but how to make it work better. At what point that they can actually use it, because that’s the direction. Guardrails is an important concept, meaning every step LLM is doing, we need to make sure that it is still following the process, the guidelines, and if it doesn’t follow it, then we shouldn’t” trust the results.
The technology moves fast, so they hope to have a portfolio of papers within the year, in hopes of addressing auditing education, practice, policy and compliance.
“Eventually I think all the auditing guidance is going to include some of the cybersecurity,” Zhou said. “So hopefully what our papers contribute will also inform the regulators how cybersecurity should be included as part of auditing. After I started working with Gerkan, I realized there is so much cybersecurity knowledge that, as accounting professionals, we just don’t know.”
Virginia Western: Helping develop a necessary workforce
About 700,000 cybersecurity jobs are unfilled nationwide, said B. Bagby, assistant professor of computer science and information technology at Virginia Western Community College.
“That’s a terrifying number, and it’s doubled from what it was just a few years ago when we started talking about” cybersecurity needs, Bagby said. “And the problem isn’t that there aren’t applicants. The problem is that they’re not getting hired.”
Virginia Western’s cybersecurity program graduates about 13 students annually. It’s small, but shows steady growth from past years, Bagby said. There is a speed bump on the road from graduation to landing a job, though: They’re leaving school with associate degrees.
“They have to fit very specific needs,” he said. “There’s a lot of fear, [although] it’s finally starting to go away, of hiring folks that don’t have bachelor’s, master’s, Ph.D.s in cybersecurity. That’s been a real fight, to get the system to realize that maybe you didn’t need to pay somebody $200,000 a year to check email logs.”
The college is working on getting a new CCI grant that would establish an internship program, in hopes of creating a pipeline from Virginia Western and other community colleges to good cybersecurity jobs, he said.
“A big part of the challenge that our students are having is that we’re seeing folks cut back on hiring entry level workers, particularly AI and programming folks,” he said. “And a lot of that, I think, is because the education component can’t quite keep up with the real-world experience.”
Bagby’s department seeks out local tech companies that have received CCI grants to fund internships. One of them, Virginia Power Transformer, brought on a VWCC student recently.
The college has received its own CCI grants as well, he said. One allowed for stipends to students who created questions for Capture the Flag cybersecurity events, which feature a screen with complex questions that lead to other questions.
“And pretty soon you find yourself tracking breadcrumbs through five or six different iterations,” he said.
Writing the challenging questions requires technical skill, time and research. “That’s great learning for those students,” he said.
The other grant funded a project with Radford University, focusing on home security, particularly the so-called “internet of things.”
“So as you know, we’re all buying these smart devices, whether it be a smart lock or a thermostat or light bulbs, but there wasn’t a lot of security information on them,” Bagby said. “We knew there were problems, but we hadn’t done a whole lot of research. So with Radford, we did some of that research. We actually built out a small lab here in the cybersecurity lab and did some very simple research with students.”
Among the results was a guide for students to build their own virtual environment to test so-called IoT devices.
Bagby continues looking for grant opportunities while teaming with tech companies that have received CCI money.
Radford: Offering a chance to grow resumes
Radford University’s School of Computing and Information sciences wrote the CCI grant proposal that Bagby’s team piggybacked on to use for its home security work. The grant also included learning opportunities for K-12 students in cryptography, forensics and ethics, along with teacher training.
Another program Radford University developed with a CCI grant was a cybersecurity certification class for working professionals. Tim Shelton, a network engineer for Roanoke County, took advantage of some free learning through the program.
He and several colleagues signed up for the Foundations of Cybersecurity class, geared toward working professionals, which he began last year and has until August to complete.
With a family at home and a full-time job, multiple weekly trips to campus would be out of the question, Shelton said. But the university records the classes in a studio and posts them for students to access at their own time and pace.
“It helps me as a professional, because you have to take security as inherent in every decision you make,” Shelton said. “It’s not just one person’s job. Everybody has to do it at every step of their job for it to be effective. So it’s just a skill set that’s going to stack on what I’m already doing and ultimately make me a better technician.”
Cyberthreats lurk daily in Roanoke County government offices. Shelton is not a member of the county’s cybersecurity team, but he interacts with it frequently.
“The most obvious [vulnerability] is compromised passwords and phishing,” he said. “Those are the two things that you’re going to see prevalent and just non-stop all the time.
“Our cybersecurity team here does a really good job of training people up on that.”
Shelton said he is interested in cybersecurity, and the Radford course could get him a step closer to such a job. Either way, he’s augmenting his skill set and at no personal risk, because it’s free, he added.
Among the challenges he’s faced was learning structured query language, or SQL, which programmers use to get work done in databases.
“I’m not inherently a programmer,” he said. “It’s like a lot of puzzles I’m having to solve to go through some of the labs there. So it’s fun, but it is challenging because that’s just not how my mind is geared to work. But I’m getting there.”
Networking and penetration testing followed. He’ll finish with a cyber defense course, then, having finished his certification, may sit for an exam to extend his credentials.
Virginia Tech: A living-learning program focused on cybersecurity
As the nexus of Southwest Virginia’s CCI landscape, Virginia Tech has a lot of cybersecurity work going on. Students and researchers work on drone technology, global satellite networks, biosecurity, quantum cryptography, identity abuse and more.
There’s a bit of reaching out to the rest of the student body, as well. Some of that comes from Securitas, the on-campus living-learning community, or LLC, that’s focused on computer science, cybersecurity and similar majors.
Over the past couple of semesters, a group of Securitas dorm residents came together to build an exhibit aiming to let their fellow students know more about the cyberworlds that have become such a big part of their lives. The group showcased it the evening of March 2 at Newman Library.
“Our audience are people, just undergraduate students in the building here who most likely don’t have much technical expertise, who don’t know much about cybersecurity, or maybe don’t understand all the big terminology stuff,” said Jamie Osmeña, a sophomore computer science major, during a planning session late last year.
The students toyed with a few ideas, including one in which they would have installed a camera and a monitor to represent the idea of constant surveillance. Ultimately, they developed posters with graphic depictions showing multiple aspects of cybersecurity.
One poster showed all the dozens of permissions we agree to and mostly take for granted when using Instagram, Amazon, Reddit, GrubHub and LinkedIn. Another showed four books, including George Orwell’s 1949 novel “1984” and Ann Leckie’s “Ancillary Justice,” from 2013.
Gaven Neysmith designed most of the posters. Neysmith, a junior majoring in creative technologies, is a rarity in the Securitas dorm — he’s not studying computer science. He said he missed the deadline to get into Studio 72, the art-centered LLC. Securitas was his second choice, but ultimately he decided to stay on beyond his freshman year.
“I kind of feel like an oddball, but it’s fine,” Neysmith said. “I’m still interested in cybersecurity as well, so I feel like I fit in with everybody else.”
Rishi Krishna, a senior computer science major, designed a poster that detailed the near ubiquity of cameras on campus. It included a ball cap called an “invisi-hat,” rigged with LED lights that obscure your face from a camera. Hoodies can be rigged that way, too.
Krishna said he occasionally finds himself in conversations with security-minded students about Flock cameras and what it would take to get on or off campus without being tracked.
“I mean it’s sort of idle discussion. … It always sort of sounds like we’re planning crimes,” he said.
Most of his fellow students take for granted that they’re typically under surveillance. After all, theirs is the second generation to grow up since 9/11 and the subsequent Patriot Act, he said.
“Everyone knows it’s happening,” he said. “Not many people think there’s a serious chance of preventing it. And then a lot of people just don’t even try because it’s not, like, relevant to their daily lives. … People that are specifically interested in privacy, I think they also just expect that and they might be interested in the mechanics of how and why and maybe if they can sort of counteract it a little bit.”
The exhibit didn’t earn the students a grade. They simply wanted to take part in it as a way to reach out to their peers, said Arianna Schuler Scott, a professor in the Pamplin College of Business who teaches and advises the Securitas students.
“So it’s like security is dead, unless it’s alive,” said Scott, senior associate director at the university’s Integrated Security Education and Research Center. “So unless we’re using it and applying the ideas, there’s very little you can do in a classroom, where it’s just a lecture. We can do some theory. But that’s not what this class is for.”
What is the Commonwealth Cyber Initiative?
Virginia’s General Assembly created the CCI in 2018 and put Virginia Tech at the center of things.
The law required the university to develop the initiative’s blueprint, and the CCI’s hub is at the Arlington-based Virginia Tech Research Center. A committee split the state into four regions, or nodes: Central, Coastal, Northern and Southwest.
The overall idea, according to the law that created CCI, is to establish Virginia at the global forefront of cybersecurity, and diversify the state’s economy by attracting investment and jobs. The initiative began its work in the 2020 fiscal year, with Virginia Tech cybersecurity professor Luiz DaSilva as its executive director.
In the recently published “State of CCI: 5 Years of Impact,” the initiative says it has sparked 2,517 jobs that brought in $196 million in labor income and added $367 million to Virginia’s gross domestic product. Funding has grown each year, with CCI’s fiscal year 2025 report showing 159 grants totaling $84.5 million to support research, workforce development and innovation. Federal agencies accounted for 128 of the grants, while 31 came from what CCI termed state and industry partners.
Southwest Virginia institutions received 46 grants totaling $23.4 million through CCI.
Virginia Tech mathematics professor Gretchen Matthews leads the Southwest Virginia node, centered at the university’s Blacksburg home. She juggles her academic role — leading a research team that spends significant time on data protection — with her administrative one.
Matthews said her node develops programs to support students, faculty and researchers in the region who are involved in cybersecurity research, workforce development and innovation.
“We try to engage as many people as possible, meaningfully, in cybersecurity development,” Matthews said.
That includes programs for undergraduates and high school students.
CCI doesn’t disclose individual award amounts, but in general, awards range from $15,000 to $100,000, according to Madison Boswell, program manager for CCI’s Southwest Virginia Node. The grants are designed to serve as seed funding to help establish a program, which can then work to secure other money, Boswell said in an email exchange.
_________________
Correction 4:40 p.m. April 6: Sherif Abdelhamid, a VMI computer science professor, led a group of cadets developing a project called Netsense, then acquired limited liability company status for it. Information about the leadership of the company was correct in an earlier version of this article.
