Enable breadcrumbs token at /includes/pageheader.html.twig

Taking On Critical Infrastructure Cyber Protections

Unit at Tyndall expands its cyber expertise to support crucial environments.

Cyber warriors from the 101st Air Communications Squadron and the Department of Defense’s CyberCore from Tyndall Air Force visit Idaho National Laboratory in Idaho Falls, Idaho, to scout out capabilities and training for the base’s homeland defense mission of critical infrastructure. Photo courtesy of the 101st Air Communications Squadron

The 101st Air Communications Squadron (ACOMS), headquartered at Tyndall Air Force Base, Florida, has a unique cyber role. It provides cybersecurity for the base’s homeland air defense role performed by the 601st Air and Space Operations Center (AOC) that defends the skies over North America and Alaska from airborne threats.

“All of those screens in the AOC, those are all data links and feeds and then some of our internal networks are only for the AOC, and we are protecting those terrains,” explained Lt. Col. Brion Shoemo, commander, 101st Air Communications Squadron and part of the Florida Air National Guard. “That was dictated by the AOC commander. [He] can’t afford risks on these systems or networks and so that is what we protect.”

Sometimes called “America’s AOC,” the 601st plans, directs and assesses air and space operations and possible threats for the North American Aerospace Defense Command and U.S. Northern Command, according to the Air Force. The AOC’s 24/7/365 operations provide aerospace warning and command and control for defensive counter-air activities. It also directs Air Force air and space capabilities in support of Northern Command’s homeland security and civil support missions.

The 101st ACOMS is the only National Guard unit to play such a role, as most Air Operations Centers are supported by Air Force active-duty units.

Not only is the 101st ACOMS performing cyber protection for the air operations center, but it is also growing its industrial control system cyber capabilities and training, explained Col. Shoemo during a visit by SIGNAL Media to Tyndall. The commander, who also provides information technology services to the 601st, is overseeing the growth of its cyber defense capabilities and training platforms, especially for critical infrastructure as part of their so-called ICS Foundations platform.

The state of Florida has also asked the 101st ACOMS, as a Florida Air National Guard unit, to build out an industrial control system cyber training and defense capability to help protect the state’s critical infrastructure against ransomware or other types of cyber attacks. The 101st ACOMS is in the process of building up the ICS Foundations platform, taking in requirements and U.S. Cyber Command provisions, confirmed Capt. Roger Lane, crew commander, Cyber Defense Team, 101st ACOMS,.

To start the process, Col. Shoemo reached out to his cyber contacts at the Department of Energy—as that agency’s core competencies include industrial control systems and supervisory control and data acquisition systems. He found that Idaho National Laboratories (INL) provides a robust cyber protections course for critical infrastructure.

“We did some scouting on that because I do believe in market research,” the commander said. “And the ability to get in those courses from a DoD [Department of Defense] perspective is a little bit challenging because there’s limited spaces, and INL teaches a very good course. It was worth investing in it and sending some airmen out there for a couple of weeks.”

After that, Col. Shoemo sent the airmen to instructor methodology school so that they could capitalize on the knowledge and create their own cyber critical infrastructure protection capability at Tyndall. “They were able to reproduce the training and develop materials that they use,” he shared. “It is ‘Train the Trainer 101.’”

The ICS Foundations platform will be available for active-duty airmen and drill status guardsmen down range, Capt. Lane said. The 101st ACOMS is already using several of the planned platforms to actively defend critical infrastructure and build capabilities. It is meant to improve the synergy between system administrators and network analysts, with system administrators being able to improve their cyber practices and “raise their game,” the captain noted.

“Now that we’ve gotten the training to take on that industrial control systems and supervisory control and data acquisition systems environment and then leverage that later on for the state of Florida, we really have capability to offer,” Col. Shoemo added.

The unit will also participate in the Department of Energy’s critical infrastructure/industrial control system-related exercise in New York later this year. “I will send a team up there to participate for the first time,” the colonel shared. “And we’ve heard that Florida Power and Light has been heavily involved in that, so that will be a good National Guard linkage with our statewide utility.”

While ICS Foundations is a tools-based platform, Col. Shoemo is emphasizing the results, not necessarily the tools.

“I really wanted to change the focus from being all about tools to what effects we are trying to do on the system,” Col. Shoemo stated. “Because if it is all about one tool, there are some systems you cannot connect to. What has been the paradigm shift for us is using a mix of GOTs and COTs [government and commercial off-the-shelf technologies]. We really have just become about what we need to do to secure and to keep our commanders apprised of what their risks are in cyberspace. And from there, figuring out a way we can do some type of cyber [protection] activities on there.”

The challenge is that some industrial control systems cannot be connected to modern-day cyber solutions. “There are some systems that we need to be mindful of and monitor because we can’t connect our GOTs or COTs to,” the colonel noted. “But they do have an approved software list, and on that approved software list, there’s probably some type of software that does some type of cybersecurity function. And we will use that particular software to do, at a minimum, vulnerability assessments on a system.”

In 2022, the 101st ACOMS began building out its robust cyber protections to defend the AOC’s cyber terrain after learning from Air Combat Command that it would be cutting its wing-level cyber defense teams, known as Mission Defense Teams.

Members of the 301st Communication Squadron from Fort Worth, Texas, train on the cyber defense tactics used at the 601st Air and Space Operations Center by the 101st Air Communications Squadron. The cyber warriors will apply those skills back home, where the 301st Fighter Wing will host its part of the F-35 mission. Credit: Michael Dougherty, Continental U.S. NORAD Region, 1st AF (AFNORTH and AFSPACE) Public Affairs

It has been a challenge to go at it alone, the colonel said, and they have had to take “it out of hide” to create their own organic cyber capabilities, but so far, the unit has been successful to the point where they can share their cost-effective capabilities and training with the broader Air Force.

For instance, recent efforts trained members of the 301st Communications Squadron from Fort Worth, Texas, on the cyber defense tactics used at the 601st AOC so the guardsmen whose 301st Fighter Wing will be host to the F-35 mission can grow their own cyber defense capabilities at their home unit.

“Our concept to continue providing cyber defense is a little more than 1/10 of the cost of the former Air Combat Command solution,” Col. Shoemo stated. “We are now expanding the scope of cyber defense that we provide here and are building a community of interest to proliferate our template so that other units can also stay in the cyber defense business.”

That effort also features an international component with Canadian Air Force cyber experts embedded within the 101st ACOMS. The company grade officers rotate through from Canada, sharing their perspectives and expertise with the unit.

In addition, the 101st ACOMS has been hosting an annual cyber defense conference each spring to help other units grow their expertise. In March 2023, they hosted 50 cyber defenders from units in the Air National Guard, the Air Force, the Space Force, the Coast Guard and the Federal Aviation Administration.

[Our initial success] “is showing that cyber defense at the wing level doesn’t require millions of dollars of investment if we unleash our airmen to solve problems and get out of their way,” the commander stressed.

This month, the unit will lend out several of its cyber experts to the National Guard’s State Partnership Program for a cyber exchange with the country of Barbados, in support of U.S. Southern Command’s and Air Forces South’s effort to grow cyber defenses across the Caribbean, Central and South America. (See related story.)

Meanwhile, as Tyndall continues to rebuild after the devastating impacts of the Category 5 Hurricane Michael in 2018, the Department of the Air Force’s digital transformation efforts are progressing, the colonel noted. As part of the effort, the 101st ACOMS will continue to provide digital technology upgrades, such as how the unit ingests its various cyber situational awareness feeds.

“This is one of Gen. Nordhaus’ priorities,” Col Shoemo shared, referring to Lt. Gen. Steven Nordhaus, commander, Continental U.S. North American Aerospace Defense Command Region, and commander, 1st Air Force (U.S. Air Forces Northern and U.S. Air Forces Space), Tyndall. “Once he came here, he gave us the permission to take risks, experiment with things and do proof of concepts, and so slowly but surely, we’re making strides.”