Cybercore Focuses on Critical Infrastructure Cyber Battlespace
Personnel at the Cybercore Integration Center have one job: provide cybersecurity for industrial control systems associated with U.S. critical infrastructure.
U.S. critical infrastructure consists of 16 sectors, including many that U.S. citizens rely on each day, such as communications, information technology, energy, food and agriculture, financial services, transportation, healthcare and public health, and water and wastewater.
Earlier this year, the government revealed that critical infrastructure systems faced a new and alarming cybersecurity threat from Volt Typhoon, a group of hackers backed by the People’s Republic of China. The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency and FBI assessed that Volt Typhoon hackers sought to pre-position themselves on information technology networks for disruptive or destructive cyber attacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States.
This intrusion went far beyond China’s usual hacking for espionage purposes.
Scott Cramer serves as the director of the Cybercore Integration Center, which falls under the Department of Energy (DoE) Idaho National Laboratory. In a recent SIGNAL Media interview, he described the critical infrastructure cyber environment as the new battlespace.
“The U.S. has been the top dog in the nuclear age and all of that with rivals Russia and China and others, but we’ve basically been on top. And a lot of these other countries that are adversaries see a way to equalize the playing ground in their international spectrum. There’s a great race to be the best at this, and it keeps us all very busy,” he said.
Cybercore’s specialty is in critical infrastructure industrial control systems. “Cybercore is focused on one thing and one thing only, and that’s industrial control system cybersecurity. That’s a mouthful. We are focused on the digital systems in our digital world that make processes work efficiently and effectively.”
Think supervisory control and data acquisition systems, distributed control systems, digitally controlled human-machine interfaces, actuators, pumps, valves and programmable logic controllers (PLCs), for example. “All of those things are powered by digital systems that keep everything running. Cars, tanks, trains—all of those things are now digitally controlled—and as we know, they’re vulnerable to attack. That’s a big problem, and that’s what we deal with on a daily basis,” Cramer offered. “This is a national security issue. It’s a security issue for all these things, but it’s kind of the new battlespace. It’s all about adversaries trying to attack our systems.”
According to the Idaho National Laboratory’s website, Cybercore is designed to enable partnerships across federal agencies, private industry and university partners to secure control systems from cyber threats. “Cybercore brings together experts in critical infrastructure security assessments, cyber forensic analysis, threat detection and consequence-based targeting to provide real-world technical solutions and innovations that protect operational environments from an ever-evolving threat landscape. Seasoned threat analysts work with experienced power engineers, cyber researchers and control systems experts to develop novel, comprehensive solutions to protect vital control systems from cyberthreats,” the site explains.
It adds that Cybercore aligns national science and engineering resources, technical expertise and collaborative partnerships to focus on scalable and sustainable control system cybersecurity solutions that protect the U.S. grid, other critical infrastructure and military systems. The programs partner to provide physical and virtual environments to accelerate the pipeline of engineers, operators and responders of cyber-physical systems.
When China’s illegal incursion into U.S. systems came to light, the Energy Department turned to the Idaho National Lab and other labs. “When it became clear that the Chinese had infiltrated some of our IT infrastructure, we worked with DoE, did a lot of analysis as to data that they had received and wrote a report that helped better understand Chinese persistence, how they could establish that [presence] on Windows devices, how we could detect that, how we could detect lateral movement to other parts of infrastructure,” Cramer reported.
The government’s final assessment indicated that China wanted to potentially cripple U.S. critical infrastructure systems if the two countries clashed in East Asia. “China would get a foothold somewhere [on a network] and try and remain in place stealthily as long as they could and gather as much information as possible. And the main reason was that China wants to be able to cause us delays if and when they want to move in East Asia,” Cramer noted. “For example, if we wanted to deploy our troops to repel any type of Chinese incursion, they might go after our railway or transportation, our port facilities.”
Cybercore was also called upon when Russia first invaded Ukraine. With Russia “taking out good chunks of Ukraine’s power grid” as winter approached, cybersecurity experts from multiple labs put their heads together, held some workshops and then asked industry for European standard equipment to help boost Ukraine’s power grid. “We helped pull together a team that airlifted big transformers and pieces for some of their energy infrastructure, which was pretty cool—all kinds of big equipment that we found sitting in stockyards, unused by industry, that we delivered to help them plug into their grid and reconstitute some of their energy security,” the Cybercore director revealed.
Also, behind the scenes, the organization analyzed Russia’s most likely cyber targets and provided information that ultimately was shared with Ukraine.
Cramer stressed the need to protect critical industrial control functions. “It’s kind of baked into everything we do. Everything has critical functions—industry, all of these sectors we talked about. Your car’s got critical functions. It’s got to have brakes and all that,” he elaborated. “Those critical functions are what we should protect first because those are what our adversaries are going to go after first.”

And the Energy Department leads a cultural transformation effort focused on those critical functions. “There’s a national level effort, driven by DoE, supported by us, to instill these principles of cyber-informed engineering at all levels, from education to the current workforce,” he said, adding that cyber-informed engineering is a four-step process.
Current Cybercore efforts include supporting the Energy Department’s Office of Cybersecurity, Energy Security and Emergency Response (CESER), which is tasked with strengthening the security and resilience of the U.S. energy sector from cyber, physical and climate-based risks and disruptions. “That’s our main interface at DoE. And they throw a lot of tasks our way,” Cramer said.
One of those tasks is ensuring that the infrastructure for the blooming electric vehicle market is secure from cyber attacks. “Electric vehicles are becoming more and more prevalent and deployed. As they are, there are going to be more of these fast-charging stations that you’ll see in the parking lots of Walmart and coffee shops and other things across the nation. We’re busily developing that infrastructure.”
The cyber threat encompasses more than individual charging stations. “You’re plugging your car into these things. That’s plugged into the grid. There are a lot of vulnerabilities that the government is worried about that we need to focus on,” Cramer said, adding that Cybercore works with the Pacific Northwest National Lab on the effort. “Our experts [are] all working together to take a look at those fast-charging stations and how adversaries might use those as attack vectors or information collection vectors from either the vehicles themselves or from the grid or vice versa.”
He also cited CyTRICS, or the Cyber Testing for Resilient Industrial Control Systems program, as another ongoing CESER effort. Companies that own part of the country’s critical infrastructure, or the systems that run it, can have those systems tested through the program. “Imagine you’re somebody in the electric industry, and you’ve got a bunch of equipment that’s making the grid work. CyTRICS takes a look at that equipment that’s used across the grid ubiquitously. We bring it into our labs, break it down, find out what all the subcomponents are, who’s delivering those subcomponents, and what the vulnerabilities are,” Cramer illustrated.
The program also can check systems for chips made in China or elsewhere. “We want to make sure that we understand where those chips come from, that they’ve got all the right stuff in them. The supply chain is something that’s vulnerable,” Cramer said.
He pointed out that other national labs, such as Lawrence Livermore, Oak Ridge, Pacific Northwest, Sandia National Lab and the National Renewable Energy Lab, bring “their separate skills to bear on this supply chain threat.” Additionally, several vendors—Schweitzer Engineering, Schneider Electric, Westinghouse, Hitachi, GE Gas Power and Rockwell—have agreed to participate in the program. “Six U.S. industry partners allow us to grab some of their equipment, bring it into our labs and find these vulnerabilities. When we do, we share the results among all of those companies so they can benefit from what we’re doing.”
Cybercore also works with the Defense Department, U.S. Air Force, and the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency on an open-source network traffic analysis tool suite known as Malcolm. It is designed to be easily deployable and to make network traffic analysis accessible to many in both the public and private sectors as well as to individual enthusiasts.
“It’s free. It’s easy to use. It’s a tool suite that industry uses, Department of Defense uses. It’s a way to help protect yourself with a lot of tools—analytic tools to help identify intrusions, monitor traffic and so forth—that you can find online and download. It’s really a great thing that we use quite a bit. It’s being used in Germany, Australia, Ukraine, other places as well,” he said.
When Cramer accepted the director position about a decade ago, Cybercore was known as the Mission Support Center and was a much smaller organization with about 30 workers. Now, it boasts about 240 staffers and an 80,000-square-foot building with 20 different labs and an 890-square-mile cyber range with a full electric grid.
More importantly, Cybercore has earned a sterling reputation for cybersecurity expertise, Cramer indicated. “I have not found a technical cyber challenge that my team cannot crack or fix.”