Industrial control systems (ICS) enable the oversight of functions such as power, water supply and facilities at our military bases. Even more critically, they provide support that, without which, our mission systems simply would not work. And, more than ever, we’re recognizing that these systems are vulnerable to cyberattacks. Securing them in cyberspace is just as important to mission readiness as physically securing weapon systems on a flight line, in a sea port or at an ammunition depot.
I recently discussed this issue at the 2019 Defense Communities National Summit in a panel session titled “Protecting Industrial Control Systems and What You Need to Know.” The Department of Defense relies on an estimated 2.5 million industrial control systems in more than 300,000 buildings for the real-time, automated monitoring and management of utility and industrial systems which support military readiness and operations. It is in our national interest to ensure these systems are safeguarded. However, they are highly vulnerable.
An October 2018 report from the U.S. Government Accountability Office indicates that the Pentagon “faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats.” A large number of weapon systems depend upon software-enabled ICS to monitor and manage equipment and carry out essential functions, according to the GAO report. But industrial control systems were originally designed for use in trusted environments, so many “did not incorporate security controls,” the report stated. What’s more, according to the report, DoD officials admit that their program offices may not know “which industrial control systems are embedded in their weapons or what the security implications of using them are.”
In response to the urgency of securing these systems, the John S. McCain National Defense Authorization Act for Fiscal Year 2019 required the Pentagon to designate one official to oversee the integration of cybersecurity and ICS, including the adoption of department-wide certification standards and the consideration of frameworks from the National Institute of Standards and Technology. That legislation authorized the Department of Defense and the Department of Homeland Security to launch a pilot program to improve the cybersecurity and resiliency of critical infrastructure. Both the House and Senate versions of the fiscal year 2020 NDAA also draw attention to the challenges of securing these systems directing the GAO to evaluate whether military departments have “implemented a DoD instruction to enhance the cybersecurity of industrial control systems.”
These and other developments signal the focus of policy makers and defense leaders on the criticality of ICS, and on their vulnerabilities. However, having worked for years with the Department of Defense to secure such systems, I know that cultural, funding and operational hurdles remain.
This means leaders and mission owners from the information technology side and the operational (OT) side must come together. These are two entirely different “tribes” that do not always speak the same language. IT people will focus primarily on taking an inventory of ICS systems and working toward cybersecurity solution testing and implementation. But operators may push back, hesitant to introduce solutions which may disrupt systems or require system downtime to deploy.
IT must llustrate to operators the extent of the ICS presence and interconnectedness within the agency, and the potential impact of a compromise. Military leaders, for example, often start out greatly underestimating this presence. They may believe there are 9,000 such systems on a base when they actually have 90,000. With this, the military stakeholders will understand and appreciate the possible threat attack surface, with a higher likelihood of providing needed support.
It also means, in the government, funding cycle maturity for ICS solutions probably lags behind that of private industry. It is easier to convince a CIO or CFO for a major power provider to pay for a solution when you can accurately forecast how much the company will lose in revenues when an attack takes ICS down. These forecasts establish the level of “hard ROI” quantification to justify solution acquisition. Military agencies, on the other hand, face greater challenges in projecting tangible return on investment. Instead, they must explain the potential for disruption of routine operations and critical missions.
The focus on the security of ICS is intensifying, and for good reason. These systems enable the fundamental mission of the DoD in protecting the American homeland, and they cannot be defended with the same kinds of tools which secure computers. The American people must be reasonably assured that national defense functions, and the systems that support them, are not susceptible to interruption or destruction, by cyber or any other means.
Mike Walsh is vice president for Defense Department and intelligence community markets at Forescout.