The Cyber Edge Home Page

  • Daryl Haegley, with the U.S. Defense Department, discusses how a number of military networks are vulnerable to cyber attacks because of outdated and under-protected operating systems in the critical infrastructure domain.
     Daryl Haegley, with the U.S. Defense Department, discusses how a number of military networks are vulnerable to cyber attacks because of outdated and under-protected operating systems in the critical infrastructure domain.

Protecting Data Fast and Cheap in the IIoT

The Cyber Edge
April 25, 2017
By Sandra Jontz
E-mail About the Author

Industrial Internet of Things poses new flashpoint for cyber attacks.

Though the U.S. Defense Department has spent much time and money to protect high-value network assets such as emails from cyber intruders, the systems remain vulnerable to attacks. So imagine the weaknesses to systems that haven’t garnered as much defense attention or reinforcements, a senior official said.

“We have spent a lot of time—and have been very successful at—protecting our email information,” said Daryl Haegley, program manager for Business Enterprise Integration (BEI) in the Office of the Assistant Secretary of Defense for Energy, Installations and Environment. “But what about the control systems, manufacturing systems, facilities networks, medical devices? What we’re finding is ‘not so much.’ 

“Who here would be very comfortable with their lives with Windows 95?” Haegley asked, drawing chuckles from the audience. “Well, who took the elevator up here?” Roughly 75 percent of Defense Department control system devices are on Windows XP or other non-supported operating systems, Haegley shared last week at the 2017 Intelligence and National Security Forum hosted by OSIsoft.

The Defense Department intends to issue new policy that will assign a mission assurance person to every military installation who will be responsible for addressing concerns sensors and devices capable of connecting to the Internet pose, he said. The policy will be issued "soon," Haegley said, without providing a detailed timeline. Not all solutions to shore up vulnerabilities must come from the standard acquistions and contracting methods, Haegley suggested. For example, he said he would like to extend to the critical infrastructure sector similar bug bounty programs that welcomed people to hack public-facing Defense Department websites to unveil cyber shortcomings. Last year, the department invited vetted hackers to test its cybersecurity under the “Hack the Pentagon” pilot. The effort revealed the first vulnerability within 13 minutes of program launch, Haegley said. In the end, security researchers identified and remediated 138 unique and previously undisclosed vulnerabilities for a payout of $175,000. The Army then spearheaded a similar initiative, building on the successes of “Hack the Pentagon,” but it focused on more operationally relevant websites.

The proliferation of devices and sensors all connected to the Internet within the critical infrastructure ecosystem has given rise to a new acronym and new worries, experts shared during the daylong event. Data is becoming even more valuable because of the digital transformation, helping to create the emerging Industrial Internet of Things, or the IIoT, said Paul Geraci, senior director of intelligence and national security for OSIsoft.

The company’s operational intelligence solution, called the PI System, is a real-time data management software that serves as the nexus between information technology and operational technology, connecting and framing data for a complete and reliable analysis, Geraci said. Agencies require tools that not only continuously monitor data but also log the results in perpetuity for future comparison and analysis.

Governments seek analytic and software tools that make networks more efficient and spot errant behavior, send breach alerts and purge threats in real time before much harm can be done.

The severity of the problem is magnified when considering the notice from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which stated that the average number of days is 245 that an intruder remains in an agency’s network, Haegley said.

The National Institute of Standards and Technology's National Cybersecurity Center of Excellence (NCCoE) actively reaches out to industry partners for feedback on what companies consider the most important cybersecurity challenges, and what companies might be doing about them, said Don Faatz, a cybersecurity engineer at The MITRE Corporation working at the NCCoE. Companies can submit and test products at the center provided that the solutions integrate with other commercial offerings.

Such partnerships are spurring cooperation among companies that want to curtail cyber vulnerabilities for their own sake and that of governments, Faatz said, and have helped accelerate innovation to get solutions to market quicker and possibly cheaper.


Enjoyed this article? SUBSCRIBE NOW to keep the content flowing.


Share Your Thoughts: