CSIAC

Cyber Security and Information Systems Information Analysis Center

Safeguarding the Nation’s Critical Infrastructure – National Cyber Security Awareness Month – Week 4: October 22-26

Overview:

The 15th annual NCSAM is coming to a close, and we hope you’ll join in to promote a safer, more secure and more trusted Internet for these last few days of the month. The CSIAC and the National Cyber Security Alliance (NCSA) have made it easy to support NCSAM by providing materials for each week that anyone can share at home, at work, at school and in the community.

The theme for Week 4 of NCSAM is Safeguarding the Nation’s Critical Infrastructure from Cyber Threats. The systems that support our daily lives are increasingly dependent on the Internet, and having a resilient critical infrastructure is essential to our national security. We’ll look at how cybersecurity relates to keeping our traffic lights, running water, phone lines and other critical infrastructure secure.

Critical Infrastructure Security and Resilience (CISR) Month
CISR Month is held annually in November by DHS, NCSA and partners to raise awareness of the importance of securing the country’s critical infrastructure.

Week 4 will emphasize the importance of securing our critical infrastructure and highlight the roles the public can play in keeping it safe. In addition, it will lead the transition into November’s Critical Infrastructure Security and Resilience Month, which is spearheaded by the U.S. Department of Homeland Security.

Introduction:

2018 was a significant year for cyber attacks on critical infrastructure. Three events stand out: the shutdown of the city of Atlanta’s operations; the shutdown and subsequent re-attack of the Colorado Department of Transportation (CDOT); and the compromise of a dedicated Safety Instrumented System (SIS) overseeing an industrial control system, disclosed in late 2017 and analyzed through 2018, which required sophisticated reverse engineering of proprietary components. Restoring service after the first two incidents cost millions of dollars and took months in each case. The potential damage from the third could be catastrophic in certain industrial applications.

Cyber-physical systems that automate the control of networked components and platforms are proliferating rapidly, driven by three technological enablers: embedded computing, pervasive networking, and advanced distributed control methods. In 2019 the introduction of 5G is expected to bring “game changing” advances in network access for cyber-physical systems, with a corresponding increase in cyber risk: the attack surface of critical infrastructure will grow, and our appreciation of the emerging threat needs to grow with it.

Background Definitions: Three types of cyber-physical systems

  • Operational Technology (OT) – OT is “hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.”[1] The term covers Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS).[2] OT controls critical services in manufacturing, facilities, energy, water, transportation and telecommunications, and has historically consisted of proprietary programmable logic controllers (PLCs), monitoring sensors and actuators on limited-access, non-TCP/IP networks. See IIoT below.
    Learn more by browsing CSIAC’s resources on Operational Technology (OT).
  • Platform Information Technology (PIT) – In a military context PIT refers to “computer resources, both hardware and software, that are physically part of, dedicated to, or essential in real time to the mission performance of special-purpose systems. PIT does not include general purpose systems.” (DON, 2007) In the civilian sector PIT includes control systems in the automotive, maritime and aviation domains, including self-driving cars and aircraft.
    Learn more by browsing CSIAC’s resources on Platform Information Technology (PIT).
  • Internet of Things (IoT) – IoT loosely refers to TCP/IP-networked devices that interact with their physical environment and use the wider Internet for command and control. “The IoT allows objects to be sensed or controlled remotely across existing network (e.g. TCP-IP) infrastructure” (Harvard Business Review, 2014). The move to integrate industrial cyber-physical control systems with enterprise IT networks has produced a hybrid system type labeled the Industrial Internet of Things (IIoT).
    CSIAC has many resources on IoT, learn more.

Cyber-physical systems and Critical Infrastructure

Cyber-physical systems are susceptible to many of the same problems as traditional enterprise information technology (IT), with these added issues:

  • The systems act directly on the physical environment (power, safety controls, etc.), so a cyber compromise can have physical consequences.
  • Components are commonly limited in processing power and bandwidth, use local, often non-TCP/IP, communications channels such as serial Modbus (a protocol with no authentication of its own), and traditionally rely on physical security (e.g. controlled access) for resistance to cyber attack.
  • Technology refresh cycles are much longer, as long as 15-20 years, which limits the upgrades that could engineer out vulnerabilities.
  • The traditional IT security order of priority, “Confidentiality, Integrity and Availability”, is inverted to “Availability, Integrity and Confidentiality”: keeping the process running safely comes first.
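As an added illustration of the second bullet (example code written for this page, not code from CSIAC or from any ICS vendor), the following Python decodes Modbus/TCP requests and flags write commands from hosts outside an allow-list. Modbus itself gives a PLC no way to tell an operator’s HMI from an intruder, so the only controls are segmentation and watching who writes; the MBAP layout and function codes follow the public Modbus specification, while the frames, unit ids, IP addresses and allow-list below are constructed for the example.

```python
"""Modbus/TCP request decoder with a write-source allow-list check.

Added example, not code from CSIAC or any ICS vendor.  Modbus carries no
authentication or authorization: any host that can reach TCP/502 on a PLC
can issue write commands.  Defenders therefore rely on segmentation plus
monitoring of who writes to the controller.  The frames, unit ids and
IP addresses below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Function codes that change process state (coils or holding registers).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Read-only function codes; harmless to the process, useful for reconnaissance.
READ_FUNCTION_CODES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
ADDRESSED_CODES = set(READ_FUNCTION_CODES) | set(WRITE_FUNCTION_CODES)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]   # first coil/register referenced, when the PDU has one
    pdu: bytes               # PDU body with the function code stripped


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the function code of one request.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2, counts
    the unit id plus the PDU), unit id (1).  Raises ValueError on bad input.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = frame[7]
    pdu = frame[8:]
    address = None
    if fc in ADDRESSED_CODES and len(pdu) >= 2:
        address = struct.unpack(">H", pdu[:2])[0]
    return ModbusRequest(tid, unit, fc, address, pdu)


def audit_writes(traffic: Iterable[Tuple[str, bytes]],
                 write_allowlist: set) -> List[Tuple[str, Optional[int], str]]:
    """Flag write requests from hosts not permitted to change controller state.

    traffic: (source ip, raw Modbus/TCP request) pairs, e.g. from a span port.
    Returns (source ip, function code or None, reason) per finding; malformed
    frames are reported too, since fuzzing a PLC is itself worth an alert.
    """
    findings = []
    for src, frame in traffic:
        try:
            req = parse_modbus_tcp(frame)
        except ValueError as exc:
            findings.append((src, None, f"malformed frame: {exc}"))
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in write_allowlist:
            name = WRITE_FUNCTION_CODES[req.function_code]
            findings.append((src, req.function_code,
                             f"{name} to unit {req.unit_id} address {req.address}"
                             f" from host outside allow-list"))
    return findings


# Constructed sample: the HMI at 10.10.1.5 may write; 10.10.9.77 may not.
WRITE_ALLOWLIST = {"10.10.1.5"}
SAMPLE_TRAFFIC = [
    ("10.10.1.5",  bytes.fromhex("000100000006 01 03 0000 000a")),  # HMI reads 10 holding registers
    ("10.10.1.5",  bytes.fromhex("000200000006 01 06 0010 002a")),  # HMI writes register 16 := 42
    ("10.10.9.77", bytes.fromhex("000300000006 01 05 0001 ff00")),  # unknown host forces coil 1 ON
    ("10.10.9.77", bytes.fromhex("00040000000b 01 10 0010 0002 04 00010002")),  # unknown host writes 2 registers
    ("10.10.9.77", bytes.fromhex("000500000006 01")),               # truncated frame
]

if __name__ == "__main__":
    for src, fc, reason in audit_writes(SAMPLE_TRAFFIC, WRITE_ALLOWLIST):
        print(f"ALERT {src}: {reason}")
```

Run stand-alone it prints three alerts: the coil write and the multi-register write from the unlisted host, and the truncated frame. The same decoder applies to Modbus RTU over serial once the CRC-framed PDU is extracted; the allow-list check is what a passive ICS monitor contributes that the protocol itself cannot.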

Highlights from 2018 Critical Infrastructure Attacks: CDOT and HATMAN

CDOT: There is good news in the Colorado Division of Homeland Security and Emergency Management CDOT Cyber Incident After Action Report.[3] The SamSam ransomware attack was contained to the CDOT enterprise systems and did not reach the traffic operations systems, thanks to an effective firewall implementation; the recently instituted “Backup Colorado” data protection plans made restoration simpler; the CDOT Continuity of Operations Plan (COOP) worked; and a coalition of State, Colorado Army National Guard (COARNG), Federal and civilian actors was organized and worked together successfully. The COARNG was mobilized by the Governor, and its technical SMEs provided significant resources for incident response, threat identification and analysis.[4]

The bad news was that the initial compromise (“server zero”) was a server in a cloud services environment that was attacked via remote access only two days after it was first brought online. The attack ultimately took down 150 servers and 2,000 workstations. Effective response also required a significant learning curve for the consolidated Emergency Response Team, since the State Emergency Operations Plan and the Colorado Office of Information Technology (OIT) Cyber Incident Response Plan had not previously been integrated or operationally tested under an Incident Command System.[5] Soon afterwards, at the Idaho National Laboratory Resilience Week conference “Transforming the Resilience of Cognitive, Cyber-physical Systems”, the CDOT ransomware attack was a recurring theme. CDOT operations took four weeks to restore at a cost of $1.5M. The topic was addressed by the conference panel “Owners and Operators Addressing Infrastructure Risk and Resilience”, which included representatives of Xcel Energy, AT&T Disaster Recovery, Colorado Springs Utilities and Denver Water. Asked at the end of the panel what their most serious challenge around emergency response and recovery was, three of the four said “cyber attack”, and recommended the full integration of cybersecurity SMEs into Federal and State Emergency Response Teams.

DoD Cyber Defense Support to Civil Authorities (Cyber DSCA) also came up at Resilience Week with respect to the CDOT attack. In 2018 Congress directed DoD to conduct a Cyber DSCA exercise with DHS and the National Guard (see NDAA FY19 Sec. 1648 below). However, a DOE National Renewable Energy Laboratory (NREL) study, “States of Cybersecurity: Electricity Distribution System Discussions”,[6] indicates that lessons learned in a single exercise in one state with one utility and one emergency response team may not transfer to other states. For example, only one-third of the energy distribution utilities participating in the survey reported having a security plan that addressed both physical and cyber aspects, in accordance with the North American Electric Reliability Corporation (NERC) cybersecurity maturity framework; in fact, only one of the participating utilities reported having a security plan that identified critical cyber assets.[7] Hence, as in the CDOT incident, the learning curve may be steep for a cyber emergency response team that has never worked together before.

HATMAN: The good news[8] is that the simultaneous compromise of an OT distributed control system and its dedicated Schneider Electric Triconex Safety Instrumented System (SIS) did not lead to destructive operation of the industrial site. The bad news is that it could have.[9] Compromising both the control system and the safety system that supervises it directly undermines the defense-in-depth assumption, common in the ICS domain, that an independent safety layer will bring the process to a safe state even when the control layer fails or is subverted. The sophistication of the exploit, which required significant reverse engineering of the Triconex safety Programmable Logic Controller (PLC), and the geographic location of the attack point to the involvement of a nation-state.

The Future: Recent (2018) government developments in Critical Infrastructure Cyber Security

The 2018 National Cyber Strategy[10] lists several actions specific to critical infrastructure:

  • The Administration will develop a comprehensive understanding of national risk by identifying national critical functions and will mature our cybersecurity offerings and engagements to better manage those national risks. The Administration will prioritize risk-reduction activities across seven key areas: national security, energy and power, banking and finance, health and safety, communications, information technology, and transportation.
  • The Federal Government will update the National Critical Infrastructure Security and Resilience Research and Development Plan to set priorities for addressing cybersecurity risks to critical infrastructure.

The National Security Council, in early 2018, convened a working group (WG) of control systems cybersecurity experts to identify how the Federal government could improve the cybersecurity and resilience of multiple critical infrastructure sectors by improving control systems security. The working group concluded that more engagement between senior-level government and control system vendors and integrators could drive toward more secure and resilient control systems. A workshop with vendors and integrators in August identified potential strategic joint priorities for a strategic partnership, and the WG is now developing discrete and measurable actions that public and private sector executives could consider, agree to accomplish, and track to completion in the next several months. This effort aligns with the “Enabling Cybersecurity through Information and Communications Technology Providers” action area in the draft National Cyber Strategy. If you would like to suggest “discrete and measurable actions”, please contact CSIAC.[11]

The National Cyber Range,[12] operated by the Test Resource Management Center (TRMC), now provides a capability for vendors to test their hardware and software in an HVAC (building control) environment. The National Cyber Range is accredited by the Defense Intelligence Agency (DIA) and provides a cybersecurity test infrastructure that can operate at levels up to Top Secret/Sensitive Compartmented Information. In addition, an Approved Products List (APL) capability has been initiated.[13]

The National Defense Authorization Act (NDAA) for FY 18[14]

  • SEC. 1639 “MEASUREMENT OF COMPLIANCE WITH CYBERSECURITY REQUIREMENTS FOR INDUSTRIAL CONTROL SYSTEMS”

This required the addition of Industrial Control Systems to the Department of Defense Cybersecurity Discipline Implementation Plan and the Secretary of Defense Cybersecurity Scorecard. DoD cyber threat remediation metrics will now include supervisory control and data acquisition (SCADA) systems, distributed control systems, programmable logic controllers, and platform information technology. Incorporation of ICS into the Scorecard is expected by the end of CY18.

The National Defense Authorization Act for FY19[15] included:

  • SEC. 1643. DESIGNATION OF OFFICIAL FOR MATTERS RELATING TO INTEGRATING CYBERSECURITY AND INDUSTRIAL CONTROL SYSTEMS WITHIN THE DEPARTMENT OF DEFENSE.

The Secretary of Defense is tasked to designate one official to be responsible for matters relating to integrating cybersecurity and industrial control systems for the Department of Defense. This official shall be responsible for integration of cybersecurity and ICS at all levels of command to include facilities operated on behalf of the DoD, and will have responsibility for development of NIST RMF-based certification standards for DoD ICS.

  • SEC. 1648. TIER 1 EXERCISE OF SUPPORT TO CIVIL AUTHORITIES FOR A CYBER INCIDENT

The Commander of United States Cyber Command and the Commander of United States Northern Command are directed to conduct a tier 1 exercise of a Cyber Defense Support to Civil Authorities (DSCA) incident, taking into account Government Accountability Office report GAO-16-574, “DOD Needs to Identify National Guard’s Cyber Capabilities and Address Challenges in Its Exercises”.[16] Coordination with the Department of Homeland Security, the Federal Bureau of Investigation, and elements across Federal and State governments and the private sector is required.

  • SEC. 1649. PILOT PROGRAM ON MODELING AND SIMULATION IN SUPPORT OF MILITARY HOMELAND DEFENSE OPERATIONS IN CONNECTION WITH CYBER ATTACKS ON CRITICAL INFRASTRUCTURE.

This Pilot Program is to model cyber attacks on critical infrastructure to identify and develop means of improving Department of Defense responses to requests for defense support to civil authorities for such attacks.

  • SEC. 1650. PILOT PROGRAM AUTHORITY TO ENHANCE CYBERSECURITY AND RESILIENCY OF CRITICAL INFRASTRUCTURE

This authorizes the Secretary of Defense, in coordination with the Secretary of Homeland Security, to assign DoD technical personnel to the Department of Homeland Security, to include the National Cybersecurity and Communications Integration Center (NCCIC), to enhance cybersecurity cooperation, collaboration, and unity of Government efforts.

Deputy Assistant Secretary of Defense (Emerging Capability & Prototyping): A new Joint Capability Technology Demonstration[17] (JCTD) titled “More Situational Awareness for Industrial Control Systems” (MOSAICS) was selected for funding by the Assistant Secretary of Defense for Research and Engineering in 2018. MOSAICS will build an architecture and toolset to monitor and report the cybersecurity status of a DoD ICS in real time, with enhanced automated response and remediation in accordance with the 2017 revision of US CYBERCOM’s Advanced Industrial Control Systems Tactics, Techniques and Procedures (AICS-TTP) for DoD ICS. The JCTD is jointly managed by US INDOPACOM and NORAD-NORTHCOM. The main participants include: DOE’s Cyber Partnership for Advancing Resilient Control (CyberPARC), composed of Sandia National Laboratories, Idaho National Laboratory and Pacific Northwest National Laboratory; SPAWARSYSCEN Atlantic; Naval Facilities Engineering Command (NAVFAC); and Johns Hopkins University Applied Physics Laboratory.

DOE and CESER: In February of 2018 the Department of Energy opened a new Office of Cybersecurity, Energy Security, and Emergency Response (CESER) with a $96M budget[18].  The office mission includes “continuous monitoring tools and capabilities for information systems and control networks and identifying best practices” to support CESER’s Cybersecurity Risk Information Sharing Program (CRISP)[19].

DHS: The National Cybersecurity and Communications Integration Center (NCCIC) of the Department of Homeland Security has integrated the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) into the NCCIC, bringing ICS SME personnel onto the NCCIC watch floor. As mentioned above, the FY19 NDAA now authorizes DoD watchstanders in the NCCIC as well.

Conclusion:

2018 has brought increased awareness, national policy prioritization, significant funding and increased multi-agency cooperation with respect to critical infrastructure cybersecurity. Understanding the definitions, issues and intended solutions is critical to our success on the way ahead in protecting the nation against attacks of significant consequence. Take a deeper look into Critical Infrastructure Protection (CIP) with this video podcast:
https://www.csiac.org/podcast/cybersecurity-of-dod-critical-infrastructure/

Footnotes and References:

  1. https://www.gartner.com/it-glossary/operational-technology-ot/
  2. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
  3. CDOT Cyber Incident After Action Report, Colorado Division of Homeland Security and Emergency Management, 17 July 2018. Releasable to the public, available on request to CSIAC.
  4. Ibid., p. 7.
  5. For a discussion of integrating cyber into Incident Command Systems see https://www.drj.com/articles/online-exclusive/integrating-cybersecurity-into-the-incident-command-system-in-an-evolving-emergency-environment.html
  6. Ivonne Pena, Michael Ingram, and Maurice Martin, “States of Cybersecurity: Electricity Distribution System Discussions” Technical Report NREL/TP-5C00-67198 March 2017 https://www.nrel.gov/docs/fy17osti/67198.pdf
  7. Ibid., p. 4.
  8. https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF
  9. https://blog.se.com/cyber-security/2018/03/23/strengthen-cybersecurity-through-a-united-industry/
  10. https://www.whitehouse.gov/wp-content/uploads/2018/09/National-Cyber-Strategy.pdf
  11. CSIAC will forward suggestions to OSD Energy, Installations, and Environment.
  12. https://www.acq.osd.mil/dte-trmc/ncr.html
  13. Personal communication from Mr. Daryl Haegley, Control Systems Cybersecurity ODASD(E)
  14. https://www.dau.mil/cop/iam/DAU%20Sponsored%20Documents/FY%202018%20NDAA%20-%20CRPT-115hrpt404%2011-14-17.pdf
  15. https://www.congress.gov/115/bills/hr5515/BILLS-115hr5515enr.pdf
  16. https://www.gao.gov/products/GAO-16-574
  17. https://www.acq.osd.mil/ecp/PROGRAMS/JCTD.html
  18. https://www.energy.gov/articles/secretary-energy-rick-perry-forms-new-office-cybersecurity-energy-security-and-emergency
  19. https://www.energy.gov/ceser/about-us

Related Content:

    • CSIAC Webinar – Operational Technology Risk Assessment
    • CSIAC Webinar – Cybersecurity for Energy Systems
    • CSIAC Journal Article – Security of Cyber-Physical Systems
    • Topic: Critical Infrastructure Protection (CIP)
    • Topic: Cyber Physical Systems (CPSs)
    • National Cyber Security Awareness Month Overview Page
    • Week 1 – Make Your Home a Haven for Online Safety
    • Week 2 – Millions of Rewarding Jobs: Educating for a Career in Cybersecurity
    • Week 3 – It’s Everyone’s Job to Ensure Online Safety at Work
    • Week 4 – Safeguarding the Nation’s Critical Infrastructure
