By Jeth Fogg, Ph.D., P.E., M.SAME
In 2019, operational technology/industrial control system (OT/ICS) attacks against critical infrastructure had increased 2,000 percent, according to IBM. With an accelerated shift to remote work environments due to the coronavirus pandemic, the attack surface has further expanded. These facts contributed to an alert issued in July 2020 urging critical infrastructure facilities to take immediate action to secure their OT/ICS assets.
Internet accessible OT/ICS have become more prevalent across all critical infrastructure sectors; however, the security aspects of legacy systems have not been modernized. The outcome is easy access to unsecured assets through commonly available open-source information and extensive availability of hacking technology deployable by common exploit frameworks.
For the Department of Defense (DOD), cyberattacks are a constant concern, foremost because of the security risks but also because it is the largest real property owner in the United States. Its portfolio of facilities, infrastructure, and systems is significant.
DOD has to be focused on countering growing cyberattack threats while simultaneously balancing fiscal constraints in a rapidly evolving battle space.
POTENTIAL CASCADE EFFECTS
The United States and its territories are home to 89 percent of the nation’s military installations and the engineering, technology, and manufacturing partners that make up the defense industrial base. Domestically, North American Aerospace Defense Command and U.S. Northern Command are heavily dependent on 90 percent privately owned critical infrastructure to support defense of the homeland. Losing the supplied services of that infrastructure could significantly impact forward projection capabilities. For example, an adversary could disable controls on a drawbridge to slow transportation at a port facility, disable commercial electrical power production and distribution, disrupt a natural gas pipeline, or disable the spillway operation at a dam. Such attacks could result in a slowed military response, a denial of access, or the inhibition of capability at key locations that provide force generation.
OT/ICS attacks have a low entry cost and a high return on investment. They carry limited human casualties and are difficult for perpetrator tracing. This allows for nation state actor denial and disinformation. As an adversary is highly unlikely to make a direct kinetic attack against U.S. critical infrastructure, OT/ICS attacks offer limited negative repercussions while meeting an adversary’s desired outcome of muting a U.S. military response.
When considering first-, second-, and third-order effects and the interdependence of critical infrastructure, the effects of such cyberattacks are multiplied. For example, fuel supplies may be neglected for communities that house the employees who work at these critical facilities.
Generally, private sector decisions regarding redundant systems are based on economics. As a result, in many cases, private sector redundant systems are minimal, have limited capacity, limited depth of operation, limited duration, and are considered temporary stop-gap measures until a permanent repair is made on the primary system. The anticipated disruption of the interdependencies of daily life and critical infrastructure could degrade military mission capability.
CHALLENGING THE THREAT
In an effort to counter this threat, the More Situational Awareness for Industrial Control Systems Joint Capability Technology Demonstration (MOSAICS JCTD) has been developed as a step toward mission assurance and OT/ICS resiliency.
JCTDs examine new technology for military purposes through operational usefulness, technology capability, scalability across a broad spectrum, and inter-service integration. This allows the services to solve important problems and transition technology from prototypes to widespread implementation and employment. MOSAICS is the first DOD effort demonstrating the initial operating capability for cyber defense of critical OT/ICS. Overall, its scope consists of seven key areas: detection, mitigation, visualization, analysis, decision, recovery, and data sharing of threats and vulnerabilities with partner agencies.
MOSAICS baselines the OT/ICS network, highlights potential vulnerabilities, and semi-autonomously identifies, responds to, and recovers from asymmetric attacks—reducing the decision response time from months to minutes. It provides intrusion detection, indications, and warnings that nefarious actors may be leveraging an OT/ICS disruption as a precursor or in conjunction with other actions to disrupt military capability.
This technology approach is an integration of commercial-off-the-shelf and government-off-the-shelf technologies. MOSAICS conducts OT/ICS simulations using current technology, with the ability to integrate future advanced sensors for evolving open-source system capability. Through information-sharing, MOSAICS minimizes the re-use of adversary tactics, techniques, and procedures and malicious software. Its system analytics use artificial intelligence and machine learning to sense disruptions and determine focus areas for future system development to enhance system integrity and security orchestration. All of this is viewed through customized human-machine interfaces that provide visualizations to best communicate intrusions as they occur, resulting in improved situational awareness with real-time decision aids to enhance cyber defender response and speed.
The MOSAICS team conducted a thorough analysis, detailed feature categorization, and corporate representative product team engagement to document the technology capabilities of more than 250 commercial-off-the-shelf technologies. This review was accomplished by several National Laboratories using a weighting criteria, with the goal of meeting all technology gaps with available technologies. Major technology gaps in end-point sensing, analytics, and visualization were filled through a social media call to developers. Government-off-the-shelf technologies were developed to fill remaining gaps.
The key deliverable of the MOSAICS JCTD is an integrated, tested, and real-world proven tool suite. Among many advanced features, it includes an OT/ICS cyber baselining system vulnerability tool; automated playbooks; a MOSAICS Concept of Operations; an updated Facilities-Related Control System design guide; and updated Unified Facilities Criteria for integration into all DOD facilities and public works.
As MOSAICS development advances, emerging spiral spinoffs are anticipated to better service user organizations.
A REINVENTED MINDSET
The increasing threat to OT/ICS has forced the Combatant Commands to reinvent the warfighter mindset and cultivate a homeland defense culture through network expansion and destruction of organizational silos. Military commands must always continue to look up and out. As such, we need to imagine the possibilities, connect the dots, and seek innovative solutions to new problems while driving requirements to meet and defeat threats.
Ultimately, this is what the MOSAICS JCTD does by countering OT/ICS threats to ensure our ability to globally integrate the defense enterprise and dynamically source military capability worldwide. MOSAICS reaches across all areas of responsibility to counter numerous threats. It mitigates the OT/ICS risk as the initial operating capability for cyber defense of DOD, federal government, and private sector critical infrastructure.
Securing OT/ICS crosses the spectrum of engineering disciplines. With cyberattacks expected to rise in frequency and severity, understanding their vulnerabilities and addressing the risk they pose to our nation’s critical infrastructure and military readiness will only increase in importance for all engineers.
Jeth Fogg, Ph.D., P.E., M.SAME, is Operations Engineering Chief, North American Aerospace Defense Command and U.S. Northern Command; firstname.lastname@example.org.
[This article first published in the September-October 2021 issue of The Military Engineer.]