Military leaders like to point out that the nature of warfare is unlikely to change, but the character of war — how they are fought and with what — is rapidly evolving. Physically, the United States benefits from the geographic isolation, separated from adversaries on all sides by large oceans and friendly nations, but the advent of cyber capabilities has created new attack vectors. In turn, agencies are pursuing case studies and exercises to identify best practices in less transparent, highly vulnerable sectors, such as manufacturing.
The homeland is no longer a sanctuary
In the event of a conflict, it is within the realm of possibility that adversaries will try to target small to medium-sized manufacturing companies with crippling cyberattacks. In many cases, these companies provide the Department of Defense with critical services but often are so small that they don’t have the wherewithal to institute enough cyber defenses against intrusions.
If these companies are hit with a cyberattack and unable to provide soldiers with critical services during a conflict, the U.S. military could be opening itself up to significant risks. The Defense Department, however, continues to award contracts to these smaller companies without a lot of knowledge as to their cyber resilience, their cyber posture, who they’re buying from or if their networks are currently laden with malware. This supply-chain vulnerability has been an increasing focus within the DoD, namely with the under secretary for acquisition and sustainment.
Some of the concerns DoD is grappling with, according to those familiar, are if it should award a contract to a company with a medium risk score. There would be a dilemma, for example, if a company that is one of only a few that produces a widget for a particular weapon system should be awarded a contract as the U.S. is getting ready to go to war, and that company is found to be vulnerable to a cyberattack that could potentially reduce its capacity to supply troops critical components.
One way the Pentagon has explored to mitigate this problem was hosting a miniature mock-up to test solutions that can continuously monitor the networks of these small suppliers and understand if they are hit with malware.
While the Office of the Under Secretary of Defense for Acquisition and Sustainment, a sponsor of the initiative, did not respond to requests for comment, there is still much to glean from the exercise.
Rapid prototyping event
Recently, the A&S office, in partnership with the Office of Small Business Programs, hosted a multiday event at a facility called DreamPort, located in Columbia, Maryland.
DreamPort — run by the Maryland Innovation and Security Institute through a partnership intermediary agreement with U.S. Cyber Command — serves as a state-of-the-art facility where companies can bring in capabilities to be evaluated.
For its June 18-21 rapid prototyping event, DreamPort built miniature manufacturing factory networks with real-world programmable logic controllers — essentially a digital computer that controls industrial and manufacturing machines — from major companies.
Armando Seay, the director of DreamPort, told Fifth Domain that this event set out to examine how DoD comes in with a cost-effective set of procedures and technology to get basic information about manufacturers before the department issues them contract awards.
The main problem the government is trying to mitigate with the prototyping event, Seay said, is the prospect of smaller companies putting the United States at a disadvantage. One of the biggest problems these industrial companies have is they have no way of knowing if their networks have been compromised, Phil Neray, vice president of industrial cybersecurity at event participant CyberX, told Fifth Domain.
“Here’s a cyberattacker who’s already in your network and they’re scanning the network to do cyber reconnaissance. Did you detect this was going on? Or here’s an attacker that’s using industrial protocol in a way in which it was not designed to be used. This could indicate a cyberattack — did you detect it?” Neray said, regarding the scenarios for the rapid prototyping event.
“Most of the firms that would be involved in this type of initiative need a way to even detect the most basic attacks. It’s not even detecting super sophisticated attacks; it’s detecting the most basic types of attacks and are there products that help these companies do that.”
Neray added that the NotPetya attack — a ransomware strain that hit worldwide in June 2017 and cost companies billions of dollars — was a bit of a wake-up call.
“That’s when we started seeing a real shift in awareness on the part of management teams and boards that they needed to do something about industrial cybersecurity. Because before that, and still for a lot of cyber companies, they sort of assume who would take down my plant, why would anybody go after my factory,” he said.
“A bunch of these pharmaceutical companies and food manufacturers were taken down because they just don’t have security in the plants at the level at which we’ve gotten accustomed to in the IT networks. That’s the big problem that we’re exploring here.”
Continuous monitoring is better than either asking companies to self-report or relying on outside auditors to get at the supply-chain cybersecurity problem, Seay contends, because organizations could feasibly be compromised the day after the audit. By using continuous monitoring tools, larger prime companies and DoD can have a better understanding of the cyber posture of smaller companies.
These companies really can’t afford to buy tools and don’t have the staff to implement them as they might not even have a “cyber” or IT person on the staff.
“If you look at the holistic picture, the government is still struggling with how does it handle some of the supply chain issues that the manufacturing companies [have]; are they secure in their operational technology network,” John Almlof, director of alliances and business development at Nozomi Networks, which participated in the rapid prototyping event, told Fifth Domain.
“I think this is an evolutionary process. I think the first step was really this [rapid prototyping event] and there will be additional steps on how well can we diagnose or how well can we identify it … [As] the government learns more and they understand what some of the commercial vendors can provide in this area I think you’ll see some of the events become more refined to try to tease out some of the capabilities that come from vendors.”
There’s a government value, but also a private sector benefit to this event.
“One of the things we’re trying to provide, since this event was primarily targeted not just at the government but their suppliers, is to bring our own private sector experience in play here,” Pete Burke, technical sales engineer at Nozomi Networks, told Fifth Domain. “A lot of these guys they have government contracts but they also are commercial entities that are probably in the private sector.”
The June rapid prototyping event was more of a “fact-finding” event than some of DreamPort’s other events that have been billed along the lines of a winner-loser event, in which companies put their tools to the test to vie for top spots.
Phase two will be an offensive-defensive cyber exercise with full-blown nation-state cyber exploits deployed on DreamPort’s internal range, which is capable of running high-end malware, such as Stuxnet and BlackEnergy.
Personnel associated with the event noted that, while Cyber Command did not sponsor the event, it sent representatives to observe the technologies tested with a mind toward defense and offense.
They were able to observe emerging tools in a live test using real-world exploits in an unclassified environment. Many of these tools could provide insights into how they’re used to protect oil and gas platforms in certain regions of the world, for example, which would be of significant interest to the command from an offensive perspective.
Asked for a comment, Cyber Command did not provide a response.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.