The U.S. Military Must Defend Its Power Grid
Comply-to-Connect presents one solid method to improve the security of industrial control systems.
The U.S. arsenal boasts diverse weapons that share a common cybersecurity challenge: They depend on power generated by U.S. Defense Department or civilian-owned infrastructures that are increasingly vulnerable to cyber attack. Disrupting the availability of these power systems could impair not only the United States' ability to project military power globally but also its ability to respond to a domestic attack.
While some observers offer alarmist theories about U.S. grid vulnerabilities, the anxiety their well-intentioned claims cause can be useful. It prompts the nation to think hard about the basic societal functions that depend on the U.S. ability to generate, store and distribute power. Typically, the catastrophic effects of a power outage are thought of in the context of hospitals or water treatment plants. But it is just as important to consider how they would affect core national functions.
The 2015 and 2016 cyber attacks on the Ukrainian power grid demonstrate not only that offensive cyber operations against industrial control systems and supervisory control and data acquisition (ICS/SCADA) systems are possible but also that an adversarial country, in this case Russia, is willing to use them. Offensive cyber operations intend to deny, degrade, disrupt, deceive or destroy adversary capabilities through cyber means.
The Russian attacks against Ukraine set off alarm bells among U.S. policy makers, grid owners and operators, and the cybersecurity industry that continue to drive behaviors and decisions today. They provoked discussions about whether the Russian operations were a warmup to a feared attack on the U.S. grid. A 2018 Department of Homeland Security press conference suggested that breaches of the U.S. grid "had occurred" and "could have led to blackouts."
The U.S. military depends heavily on both the civilian grid and on Defense Department-owned and -operated power infrastructure on bases. The department has facilities worldwide and runs numerous power generation and distribution systems, which are increasingly connected—sometimes knowingly, sometimes not—to the Department of Defense Information Network (DoDIN).
Like the civilian sector, the department connects these industrial control systems to networks to increase precision, improve maintenance and drive efficiencies or cost savings through interconnected sensors and control devices that automate operations. Although this connectivity can enhance security through better visibility, it also creates vulnerabilities as formerly isolated devices become networked and communicate over the same protocols and stacks that make ordinary computers susceptible to cyber attack.
Defense Department power systems also are increasingly the target of cyber campaigns by hacker groups with known ties to adversarial nation states. In the Government Accountability Office report titled “Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities,” the office notes, “Government and industry reports state that attacks on these systems are increasing.”
The Defense Department appears to understand the seriousness of the cyber threat to its systems. A 2016 department instruction redefined the DoDIN to ensure the same cybersecurity requirements that apply to the Defense Department’s information technology networks would be applied to industrial control systems. Also in 2016, the Defense Department released Cybersecurity of Facility-Related Control Systems, which provided criteria for including cybersecurity in the design of control systems to address the recommended National Institute of Standards and Technology (NIST) security controls.
Despite much discussion of cyber threats to the Defense Department's industrial control systems, Congress has remained dissatisfied with the department's progress. For the past several years, the House and Senate armed services committees have included strong language on cyber and ICS/SCADA in the National Defense Authorization Act. For fiscal year 2018, Congress required the Defense Department to include ICS/SCADA in Cybersecurity Scorecard reporting. In the fiscal year 2020 Act, both the House and Senate versions of the bill direct the comptroller general to report on how the department has applied its cybersecurity requirements to enhance the cybersecurity of industrial control systems and to identify what remains incomplete.
Although the cyber vulnerabilities jeopardizing the ubiquitous availability of the department’s electrical power supply are well-acknowledged, the problem is that until recently the Defense Department simply has not thought of its networks as extending beyond traditional computing devices such as desktops, laptops and servers. In fact, some parts of the department still do not.
This is an organizational and cultural transformation many private sector organizations are struggling with as well, often referred to as information technology/operational technology convergence. The security gaps that result from this convergence are becoming more difficult to deny. Tools such as Shodan, which continuously index internet-reachable devices and can reveal how many of an organization's potentially vulnerable control devices are exposed to the public internet, have existed for years. As these tools evolve, the Defense Department may be in the unsettling position of being the last to know the extent to which its ICS/SCADA devices, and by extension military readiness and operations, are at risk.
Recognizing the seriousness of the threat, many private owners and operators of power generation and delivery systems are breaking down these organizational barriers. Their engineering, information technology and network security teams are collaborating to incorporate newer capabilities for enhanced network monitoring, including passive asset management capabilities that can be integrated with their existing cybersecurity tools to make them more effective. As with traditional information technology networks, NIST-based security strategies such as continuous monitoring are becoming the standard for ICS/SCADA networks.
The department also is making some changes. In 2018, U.S. Cyber Command (CYBERCOM) released an endpoint strategy that outlined six device categories. This strategy is prompting leaders to think differently about the network terrain they defend. One of the device categories, Platform Information Technologies, includes industrial control systems.
In 2019, the Defense Department adopted the National Security Agency's Comply-to-Connect approach, a framework for securing all of the CYBERCOM device categories, including ICS. The Comply-to-Connect concept is based on the NIST recommendation that a real-time and continuous assessment of the cybersecurity posture of any connecting device must occur before that device is granted access to the network. Further, it demands that the posture of the device be continuously monitored for as long as it remains connected.
Comply-to-Connect, designed to incorporate the department's existing cybersecurity toolset as well as some new capabilities, enables the Defense Department to enforce basic and extremely important NIST controls on all networked devices, not just industrial control systems and certainly not just computers. Where it has been deployed, the framework has resulted in the department's components receiving considerably higher cybersecurity audit scores.
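The two ideas above, passive asset discovery feeding a posture check at admission time, followed by continuous re-evaluation while the device stays connected, as an added Python example. This is illustrative code written for this page; it is not from the article, from Forescout, or from any Defense Department or NSA program. The port-to-protocol mapping, the firmware allowlist, the policy thresholds and the sample flow records are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed mapping of well-known ICS protocol ports used for passive
# classification. A host that *serves* one of these is treated as Platform IT
# and is assessed from observed metadata only; it is never actively scanned.
ICS_PORTS = {502: "modbus", 20000: "dnp3", 44818: "enip", 102: "s7comm"}

# Assumed firmware allowlist keyed by device model (illustrative values).
APPROVED_FIRMWARE = {"plc-a": {"2.1.4", "2.1.5"}}


@dataclass
class Flow:                          # one passively observed traffic record
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class Posture:                       # what the policy engine knows about a device
    mac: str
    ip: str
    agent_installed: bool = False    # IT endpoint attributes
    patch_age_days: int = 0
    av_sig_age_days: int = 0
    in_inventory: bool = False       # Platform IT (ICS) attributes
    model: Optional[str] = None
    firmware: Optional[str] = None


def passive_inventory(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map each IP that serves an ICS protocol to the protocols seen on it."""
    seen: Dict[str, set] = {}
    for f in flows:
        proto = ICS_PORTS.get(f.dst_port)
        if proto:
            seen.setdefault(f.dst_ip, set()).add(proto)
    return {ip: sorted(p) for ip, p in seen.items()}


def evaluate(p: Posture, ics_hosts: Dict[str, List[str]]) -> Tuple[str, List[str]]:
    """Admission decision: 'allow', 'restrict' (remediation VLAN) or 'deny'."""
    reasons: List[str] = []
    if p.ip in ics_hosts:            # Platform IT: passive checks only
        if not p.in_inventory:       # an ICS host nobody registered is denied outright
            return "deny", ["unknown ICS host speaking " + ",".join(ics_hosts[p.ip])]
        if p.model and p.firmware not in APPROVED_FIRMWARE.get(p.model, set()):
            reasons.append(f"firmware {p.firmware} not approved for {p.model}")
        return ("restrict" if reasons else "allow"), reasons
    if not p.agent_installed:        # IT endpoint: agent-based checks
        reasons.append("no endpoint agent")
    if p.patch_age_days > 30:
        reasons.append("patches older than 30 days")
    if p.av_sig_age_days > 7:
        reasons.append("AV signatures stale")
    return ("restrict" if reasons else "allow"), reasons


class Monitor:
    """Continuous monitoring: every posture event is re-scored, and any change
    of decision is recorded so an operator can act on it."""

    def __init__(self, ics_hosts: Dict[str, List[str]]):
        self.ics_hosts = ics_hosts
        self.state: Dict[str, str] = {}
        self.changes: List[Tuple[str, str, str, List[str]]] = []

    def on_posture(self, p: Posture) -> str:
        decision, reasons = evaluate(p, self.ics_hosts)
        prev = self.state.get(p.mac)
        if decision != prev:
            self.changes.append((p.mac, prev or "new", decision, reasons))
        self.state[p.mac] = decision
        return decision


# Constructed sample flow records (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.1.0.5", "10.1.0.50", 502),      # HMI polling a PLC over Modbus
    Flow("10.1.0.5", "10.1.0.51", 20000),    # HMI talking DNP3 to an RTU
    Flow("10.1.0.5", "10.1.0.99", 502),      # Modbus to a host nobody registered
    Flow("10.1.0.20", "10.1.0.21", 443),     # ordinary IT traffic, ignored
]


def run_demo() -> Monitor:
    mon = Monitor(passive_inventory(SAMPLE_FLOWS))
    mon.on_posture(Posture("aa:01", "10.1.0.50", in_inventory=True, model="plc-a", firmware="2.1.5"))
    mon.on_posture(Posture("aa:02", "10.1.0.51", in_inventory=True, model="plc-a", firmware="1.9.0"))
    mon.on_posture(Posture("aa:03", "10.1.0.99"))                      # rogue ICS host
    mon.on_posture(Posture("bb:01", "10.1.0.20", agent_installed=True, patch_age_days=3))
    # a later posture event: the workstation's agent has disappeared
    mon.on_posture(Posture("bb:01", "10.1.0.20", agent_installed=False, patch_age_days=3))
    return mon


if __name__ == "__main__":
    for mac, prev, new, why in run_demo().changes:
        print(f"{mac}: {prev} -> {new} {why}")
```

The point of splitting the policy by device class is the one the article makes: the same admission gate covers workstations and PLCs, but the checks behind it differ, and an unregistered ICS host is treated as a more serious finding than a workstation with stale patches. The Monitor keeps the decision live rather than one-time, which is the "continuously monitored while it remains connected" half of the framework.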
The Defense Department plans an enterprise deployment of the Comply-to-Connect framework beginning in 2020. The U.S. Navy and the Marine Corps are serving as models, or pathfinders, for the program, defining operational configurations, best practice policies and day-to-day tactics, techniques and procedures that make the framework an operational capability for defending the department’s networks.
The digitization of power infrastructures is as inevitable for the military as it is for the civilian world. It is imperative that the department possesses complete situational awareness of the assets on its networks as the first critical foundation for understanding and managing its operational risk profile. Comply-to-Connect aims to give the department these capabilities.
Getting to full implementation of the framework will require resolve, creativity and, above all, leadership because the department must overcome entrenched ways of thinking about cybersecurity. It demands that power systems engineers and information technology professionals collaborate to secure the enterprise in a truly unprecedented manner.
Building a foundation of robust cyber fundamentals for all of the Defense Department’s networked devices and systems is an appropriate way to respond to Russian demonstrations of capability and intent against ICS/SCADA systems. While the cybersecurity capabilities encompassed in the Comply-to-Connect framework may not be sexy, they are critical to mission assurance and must be implemented expeditiously.
Katherine Gronberg is vice president of government affairs for Forescout Technologies in McLean, Virginia.