Cyber-physical system attacks have crept from the theory to reality; 2017-2018 demonstrated the severity of the threat to Critical Infrastructure, hence to national security by way of coordinated cyber and physical attacks (CCPA). The most salient point about Cyber-Physical Systems is that they have their feet firmly planted in two worlds, the information systems enabling them and the Control Systems (CS) that execute physical effects. The understanding of a particular CPS’ maintenance procedures, protections, indications and warnings, and response and recovery procedures require both technical and operational insight into the cyber and physical domains. There is huge variation across the CPS domain, and the challenges are significant. We will review here some of the most recent actions and recommendations by the U.S. Government to reduce the threat to Critical Infrastructure CPS, with a focus on Department of Defense (DoD) actions to secure its critical Infrastructure.
HOUSE ENERGY AND COMMERCE COMMITTEE REPORT
CSIAC will be examining current preparedness status in light of the most recent recommendations from the U.S. House Energy and Commerce Committee reviewing their priorities vis-à-vis 2018-19 government cyber strategies and budget authorizations.
The Oversight and Investigations Subcommittee of the House Energy and Commerce Committee released their December 7 2018 Cybersecurity Strategy Report (Committee on Energy and Commerce, 2018) after having spent several years analyzing cybersecurity issues with impacts across the 16 sectors defined in Presidential Policy Directive 21 (“PPD-21”) Critical Infrastructure Security and Resilience. (The White House Office of the Press Secretary, 2013) The Subcommittee established six priorities:
PRIORITY 2: The implementation of software bills of materials across connected technologies.
PRIORITY 3: The support and stability of the open-source software ecosystem.
PRIORITY 4: The health of the Common Vulnerabilities and Exposures (CVE) program.
PRIORITY 5: The implementation of supported lifetimes strategies for technologies.
PRIORITY 6: The strengthening of the public-private partnership model.
Of specific interest here will be the impact to the DoD and its Defense Industrial Base (DIB) of Priority 2, implementation of software bills of materials (SBOM) across connected technologies, Priority 5, implementation of supported lifetimes strategies for technologies, and Priority 6, the strengthening of the public-private partnership model.
A software bill of materials (SBOM) requirement for government acquisition is considered “key for organizations to manage their assets because they must first understand what they have on their systems before determining whether these technologies are impacted by a given threat or vulnerability” [p6]. This is essential to the effectiveness of an inventory of CS components in order to mitigate vulnerabilities. The importance of this to cyber-physical systems is that such systems are generally composed of off-the-shelf devices, many of which are replaced or upgraded piecemeal over the long life of an industrial plant or platform. They generally take on the character of a “black-box” from the operator’s perspective. Provision of a “good faith” description of the software embedded in a device is key to ongoing vulnerability assessment.
The implementation of supported lifetimes strategies for technologies is going to have a much greater impact on the defense industrial base, as the requirement for adaptable modularity in the hitherto largely “designed for purpose” cyber-physical systems will increase component design and cost, with the added requirement that critical systems demand minimal or no system downtime.
Strengthening the public-private partnership model will certainly receive greater attention when it comes to Utilities Privatization of DoD critical infrastructure, in the face of recent criticism of the results of DoD’s Privatization of military housing. Much greater oversight will be required over contract issuance, maintenance and operations, to include provision of procedures for Defense Support of Civilian Authorities (DSCA) in remediation of cyber-attacks on DoD CI that has been privatized.
THE 2018 NATIONAL CYBER STRATEGY
Following issuance of Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (Department of Homeland Security, 2017), the National Cyber Strategy for 2018 laid out priorities for the U.S. Government, to be coordinated for action by the National Security Council. (National Intelligence Strategy (NIS), 2019, p. 3) The following points are relevant to the above House Report:
- The United States Government will convene stakeholders to devise cross-sector solutions to challenges at the network, device, and gateway layers, and will encourage industry-driven certification regimes that ensure solutions can adapt in a rapidly evolving market and threat landscape [p.9]
- The United States Government will promote full-lifecycle cybersecurity, pressing for strong, default security settings, adaptable, upgradeable products, and other best practices built in at the time of product delivery [p.15]
- Capacity building allows for additional opportunities to share cyber threat information, enabling the United States Government and our partners to better defend domestic critical infrastructure and global supply chains, as well as focus whole-of-government cyber engagements [p.26]
- The United States will work with international partners, government, industry, civil society, technologists, and academics to improve the adoption and awareness of cybersecurity best practices worldwide [p. 26]
THE 2018 DOD CYBER STRATEGY
The DoD Cyber Strategy was released the same month as the National Cyber Strategy. (Department of Defense, 2018) Both documents addressed defense of Critical Infrastructure, but with more of a focus on Defense Support of Civil Authority (DSCA) via public-private partnership by DoD:
- “The Department must defend its own networks, systems, and information from malicious cyber activity and be prepared to defend, when directed, those networks and systems operated by non-DoD Defense Critical Infrastructure (DCI) and Defense Industrial Base (DIB) entities”
- “The Department seeks to preempt, defeat, or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident regardless of whether that incident would impact DoD’s warfighting readiness or capability. Our primary role in this homeland defense mission is to defend forward by leveraging our focus outward to stop threats before they reach their targets. The Department also provides public and private sector partners with indications and warning (I&W) of malicious cyber activity, in coordination with other Federal departments and agencies”. (Department of Defense, 2018, p. 2)
The obvious intersection with the House Report is the strengthening of the public-private partnership, as implied by defending non-DoD operated DCI and DIB entities, and providing the private sector military I&W. In addition, the DoD strategy requires increased practical activity in Cyber DSCA.
The summary goes on to affirm that the DoD is the Critical Infrastructure “Sector Specific Agency (SSA) for the DIB and a business partner with the DIB and DCI”. (Department of Defense, 2018, p. 3) As we noted above, an SSA has clear responsibilities as laid out in PPD-21, which authorizes increased DoD interaction and oversight with industry, including utilities and vendors providing DCI services.
NATIONAL DEFENSE AUTHORIZATION ACT OF FY2019
The National Defense Authorization Act of FY 2019 (NDAA-19) addresses the DoD role in cybersecurity of Defense Critical Infrastructure (DCI) as well as national CI, and strengthening of corresponding public-private and multi-agency partnerships. In addition, it specifically calls out the cybersecurity of Facilities Related Control Systems (FRCS), a key element of CI security.
With respect to FRCS, the following was authorized:
- The Secretary of Defense shall designate one official to be responsible for matters relating to integrating cybersecurity and industrial control systems within the Department of Defense [FY19 NDAA SEC. 1643]
However, previous NDAAs had addressed FRCS in greater detail:
- The Secretary of Defense shall make such changes to the cybersecurity scorecard as are necessary to ensure that the Secretary measures the progress of each element of the Department of Defense in securing the industrial control systems of the Department against cyber threats, including such industrial control systems as supervisory control and data acquisition systems, distributed control systems, programmable logic controllers, and platform information technology [FY18 NDAA SEC. 1639]
- The Secretary of Defense shall, in coordination with the Director of National Intelligence, the Secretary of Energy, and the Secretary of Homeland Security, submit to Congress a report identifying significant security risks to defense critical electric infrastructure posed by malicious cyber-enabled activities [FY18 NDAA SEC. 11604]
- DoD shall issue a joint training and certification standard for the protection of control systems for use by all cyber operations forces within the Department of Defense [FY17 NDAA SEC. 1644]
- Initiate a pilot program under which the Secretary shall assess the feasibility and advisability of applying new, innovative methodologies or engineering approaches to improve the defense of control systems against cyber-attacks [FY17 NDAA SEC. 1650]
- Report the structural risks inherent in control systems and networks, assess the current vulnerabilities to cyber-attack initiated through Industrial Control Systems (ICS) at Department of Defense installations worldwide, propose a common, Department-wide implementation plan to upgrade and improve the security of control systems, assess the extent to which existing DoD military construction regulations require the consideration of cybersecurity vulnerabilities and cyber risk. The effort is to employ the capabilities of the Army Corps of Engineers, the Naval Facilities Engineering Command and the Air Force Civil Engineer Center [F17 NDAA Report 114-255]
With respect to Critical Infrastructure Cyber Defense Support for Civil Authorities (DSCA), NDAA-19 requires the following:
- A Tier 1 Exercise in Cyber Defense Support for Civil Authorities (DSCA) by U.S. Cyber Command and U.S. Northern Command [SEC. 1648]
- A pilot program in Modeling and Simulation for Cyber DSCA [SEC. 1649]
- A pilot training program for Guard elements [SEC. 1651]
- A study on the use of Reserve elements for cyber civil support [SEC. 1653]
- Immediate authorization for assignment of active duty military personnel to the DHS National Cybersecurity and Communications Integration Center (NCCIC) [SEC. 1650]
These are all significant, though overdue, preparations for DoD defense of national CI. Let us hope that the pilot programs and studies are not overcome by events. Congressional urgency was demonstrated in bill S. 79 introduced by Senator King called the “Securing Energy Infrastructure Act”, which passed the Senate in December 2018. This bill includes the DoD in a multi-agency public-private pilot program headed by the Department of Energy (DOE) to “defend industrial control systems … from security vulnerabilities and exploits in the most critical systems …, including – (A) analog and non-digital control systems; (B) purpose-built control systems; and (C) physical controls”. (S. 79, 2017) S.79 needs to now go to the House. However, as we see below, the DOE’s National Laboratories are already working with the DoD on cybersecurity of CI.
MORE SITUATIONAL AWARENESS OF INDUSTRIAL CONTROL SYSTEMS (MOSAICS)
In April 2018, the Under Secretary of Defense for Research and Engineering (USD(R&E)) formally announced the approved Joint Technology Capability Demonstration (JCTD) program, which included the NORTHCOM-INDOPACOM sponsored “More Situational Awareness for Industrial Control Systems” (MOSAICS). The purpose is to enhance facilities control system situational awareness and protection via an integrated, semi-autonomous solution for situational awareness and defense of industrial control systems associated with task critical assets. The demonstration will provide an ability to semi-autonomously identify, respond to, and recover from asymmetric attacks on critical infrastructure in mission-relevant timeframes
The MOSAICS team includes NAVFAC EXWC, Sandia National Laboratories (SNL), Idaho National Laboratory (INL), and Pacific Northwest National Laboratory (PNNL).
ENHANCING PUBLIC PRIVATE PARTNERSHIPS TO CYBERSECURE CONTROL SYSTEMS
The National Security Council (NSC) has also taken steps to address “Enabling Cybersecurity through Information and Communications Technology Providers” described in the National Cyber Strategy and the lack of an effective inventory and cybersecurity training in cyber-physical system components installed in DCI systems. An industry and government working group defined priorities and the required action items to enhance security of DoD cyber-physical systems. The following were identified for action:
- Establish a program and processes for industry support of government [vulnerability] assessment and response teams through value-added augmentation of teams, participation in joint security/threat assessments of supplier control systems, and/or facilitation of incident response and forensic analysis
- Develop methods for determining the level and type of cybersecurity implemented by DoD suppliers and reporting this information to the DoD (while addressing liability and intellectual property concerns)
- Develop Information Sharing Agreement/Process/Technology for improved preparedness and response to threats and malicious activity that addresses liability and intellectual property concerns
- Develop end-to-end CS cybersecurity workforce development and training programs from secondary education through owner/operator roles
The recommendations above were submitted in December of 2018 to the Director for Critical Infrastructure Cybersecurity, of the National Security Council, with the goal of obtaining senior DHS, DoE and DoD support.
As shown by the above, the preparedness status of Defense Critical Infrastructure and the role of DoD in the protection of national critical infrastructure are rapidly evolving. Many pilot programs, capability demonstrations, studies, multi-agency cooperation and information sharing initiatives have commenced. The concern is whether we will have made sufficient progress in these before they are required by actual events. With respect to Cyber DSCA, CSIAC has access to a July 2018 after-action report on a cyber-attack on the Colorado Department of Transportation by a SamSam ransomware malware variant. The attack persisted from February to March of 2018, and resulted in the Governor’s call-out of the Colorado Army National Guard cyber team to assist the state and Federal agencies responding to the attack. The lessons learned identified areas of improvement within the integration of external assets. Recommendations included the observation that “future cyber response will require external support from vendors, the National Guard and federal assets”. “Pre-incident planning and coordination will help ensure the right support is provided and integrated as rapidly as possible to facilitate a cohesive response effort that leverages the capabilities of each asset”. (CDOT Cyber Incident After-Action Report, 2018) These lessons-learned requirements have already been anticipated by DoD and other Federal agencies, as shown above, but our preparations remain to be tested in extremis on the national scale. A recent article by private sector SMEs has argued that we are at significant national risk now, and ask for a much more urgent “moonshot” cyber defense of CI program by the Federal government. (Mroz & Kelly, 2019)