The fiscal year (FY) 2022 National Defense Authorization Act (NDAA) included a rather provocative provision. That provision, Section 1505, requires the Department of Defense (DoD) to demonstrate how well it understands and protects its control systems and operational technology (CS/OT). Congress isn’t holding back: over the next several years, through a series of questions and requested briefings to Congressional staff, Section 1505 requires DoD to reveal how much visibility it actually has into its mission-critical assets and the CS/OT infrastructure that supports them. It lays the groundwork for a process in which DoD must measure, document and report on its progress and proficiency in securing CS/OT against a set of clearly defined standards and objectives. If DoD fully implements and adheres to Section 1505, it will better understand and mitigate the mission risk stemming from its reliance on CS/OT.
Our adversaries’ ability to target CS/OT systems has been on display for over a decade, with the first systematic probing of U.S. civilian CS/OT systems noted in 2012. In 2015, after the Russian invasion of the Crimean Peninsula, suspected Russian hackers attacked the Ukrainian power grid, leaving roughly 230,000 customers in western Ukraine without power. But the threat has come closer to home in recent years and months. In January 2021, an intruder accessed the computer system of a California water treatment plant and tried to poison the water supply by deleting the programs used to treat it. In February 2021, an intruder took control of computers at the Oldsmar, Florida water treatment plant and raised the sodium hydroxide setpoint for the city’s drinking water to unsafe levels (the change was quickly discovered and reversed by an operator). In March 2022, the U.S. government unsealed an indictment alleging that three Russian intelligence officers spent five years targeting energy infrastructure in 135 countries in an effort to give the Russian government remote control of power plants. In short, adversaries already possess the intent and the capability to disrupt or destroy systems that the U.S. needs in order to respond militarily to an act of aggression against us or our allies. Recent Russian aggression has brought the vulnerability of U.S. CS/OT systems into even sharper focus.
Our military bases contain many of the same types of sensors, controllers and actuators found in these civilian systems and potentially depend on many of the same vulnerable devices and applications. Section 1505 asks whether DoD has properly planned for the cybersecurity threat to CS/OT systems and whether it has adequately resourced their security. In fact, until now DoD has relied on engineers and technicians with no CS/OT cyber tools or training to manage hundreds of thousands of CS/OT systems and devices. Four years ago, DoD issued policy documents designating the Chief Information Officer (CIO) as the overall lead for securing the Department’s CS/OT; however, actual oversight, coordination and implementation through funded action plans have yet to occur. The historical focus on the reliability, rather than the security, of CS/OT systems is not unlike that of commercial organizations, but in DoD’s case the consequences of insecure systems are potentially far higher. The push to meet the requirements of Section 1505 should therefore carry the same urgency our government showed in the aftermath of the Office of Personnel Management (OPM) breach. On par with the Administration’s call to cyber-secure the sixteen critical infrastructure sectors, achieving Section 1505’s directives should be treated as a sprint.
The Control Systems Challenge
“Control systems” (CS) refers to the use of hardware and software to monitor and control physical processes, devices, and infrastructure. We use the term “control systems” interchangeably with the term “operational technology” (OT), which likewise refers to hardware and software that controls physical processes. These systems include water and wastewater, power generation and distribution, heating, ventilation and air conditioning (HVAC), and life safety systems, all of which are ubiquitous on a U.S. military base. They also include lesser-known infrastructure such as access control and emergency warning systems, conveyance, dams, locks and levees, rail, pipelines, airfields, and piers. Every DoD functional component and agency uses control systems, especially the facilities, logistics, medical, intelligence and weapons communities. Disruption or destruction of control systems by a cyberattack would severely degrade DoD’s ability to execute its mission, including its warfighting mission.
The Department’s deficiencies in this area have surfaced in several oversight reports. Most notably, an August 2021 Government Accountability Office (GAO) report, GAO-21-250SU, “Mission Assurance: Actions Needed to Improve DoD’s Cyber Risk Management of Utility-Related Control Systems,” recommended that DoD and the military services take action to fully address five leading practices, issue guidance establishing program standards for assessing control systems risks, and implement actions to prioritize risk management efforts.
Over the past several years, Congress has also requested several CS/OT-related actions and reports from DoD: Section 1647 of the FY2016 NDAA requested insight into the cyber vulnerabilities of weapon systems; Section 1650 of the FY2017 NDAA directed a pilot program to explore new methodologies for defending control systems against cyberattacks (Congress has yet to receive the requested report on the few pilot assessments); Section 1639 of the FY2018 NDAA directed that CS/OT be included in the Cyber Scorecard to the Secretary of Defense; and Section 1643 of the FY2019 NDAA directed the Secretary of Defense to designate one official responsible for matters relating to integrating cybersecurity and industrial control systems across DoD. With regard to the latter, it appears that DoD sent a single email stating that the CIO would serve as the lead; it made no formal declaration to that effect, nor did it ever delineate any new authorities for that official.
Despite DoD’s sluggishness in responding to some Congressional directives, in 2016 it did take the important step of establishing Unified Facilities Criteria (UFC) 4-010-06, Cybersecurity for Facility-Related Control Systems, which laid out the DoD Risk Management Framework (RMF) processes that designers and installers must use to secure CS such as HVAC, power generation and distribution, fire and life safety systems, electronic security systems and about 100 other CS types. DoD’s CS inventory is extensive, and the cybersecurity provisions apply even to construction equipment. The UFC was signed by the Navy, Air Force, Army and the Office of the Assistant Secretary of Defense for Energy, Installations, and Environment, and it represented a genuinely momentous effort on the part of DoD. The UFC states, presciently: “While the inclusion of cybersecurity during the design and construction of control systems will increase the cost of both design and construction, it is more cost effective to implement these security controls starting at design than to implement them on a designed and installed system. Historically, control systems have not included these cybersecurity requirements, so the addition of these cybersecurity requirements will increase both cost and security. The increase in cost will be lower than the increase in cost of applying these requirements after design.” UFC 4-010-06 includes referential guidance based on NIST SP 800-53 and NIST SP 800-82r2, Guide to Industrial Control Systems Security. It applies to the design, construction and renovation of new and existing facilities. Control systems in DoD facilities that are not under construction or renovation, however, are outside its scope, so the bulk of the already-installed base is not covered by it.
Congress Demands Action and Accountability
The directness of Section 1505, with its many subparts and short timelines, indicates the urgency the Armed Services Committees attach to this issue. The provision:
- Directs the Secretary of Defense, the Commander of USCYBERCOM, and the military service secretaries to complete the mapping of the “mission relevant terrain” for Defense Critical Assets so they can be defended from a cybersecurity standpoint. Defense Critical Assets (DCAs) are the elements of defense critical infrastructure so essential that the incapacitation, exploitation, or destruction of one of them could severely affect DoD’s ability to deploy;
- Requires the DoD CIO, the military service secretaries and CIOs, and the Commander of USCYBERCOM to:
  - Create and implement baseline cyber requirements for CS/OT across DoD;
  - Achieve visibility of CS/OT within all of DoD’s “forces, facilities, installations and bases, critical infrastructure, and weapon systems;” and
  - Establish command and control over CS/OT systems and be able to defend them, including implementing a concept of operations for CS/OT defense, instrumenting OT networks with sensors, and establishing processes for incident reporting, compliance, and vulnerability management; and
- Calls for DoD to make “necessary investments” to secure CS/OT and to establish dedicated funding for remediating cybersecurity gaps in CS/OT.
Perhaps most notably, Section 1505 directs key DoD components to begin providing budget briefings within 30 days of the bill’s enactment and annually thereafter. Section 1505 is therefore the legislative equivalent of tuition-paying parents telling their college freshman, “Show me your grades!” Except that in this case the consequence of poor performance is the degradation of our nation’s military response capabilities, potentially during a conflict, not just getting booted off the Dean’s list.
Turning Policy into Action
Tackling the requirements of Section 1505 will require significant planning and collaboration among several DoD stakeholders. After DoD performs its initial assessment of the scope of the work Section 1505 requires, one option previously promoted at the stakeholder level is to create a program management office (PMO) or portfolio management office (PfMO), preferably led by a three-star military officer and potentially placed under the Office of the Under Secretary of Defense for Acquisition and Sustainment. The PMO/PfMO must work in close collaboration with the Commander of USCYBERCOM.
The PMO/PfMO will have a number of key responsibilities. First, it must gather data and complete the mapping of the mission relevant terrain, then establish desired security outcomes by examining the effectiveness in CS/OT environments of capabilities already available through programs such as Comply-to-Connect, issuing requests for information (RFIs) to fill identified gaps, designating and/or creating test labs and test beds, building preliminary requirements and conducting vendor bake-offs. It must then refine the desired security outcomes, solidify requirements, set performance goals and, finally, create reference architectures. Second, the PMO/PfMO must coordinate oversight of solution review and selection, including clear communication of the process and of the opportunity to vendors so they can supply DoD with the capabilities needed to meet its requirements. DoD must select capabilities through fair and open competition in order to draw on the diversity of many qualified vendors.
DoD should seek adequate funding from Congress for the creation of the PMO/PfMO so it can undertake the activities described above and, most importantly, deploy capabilities to facilities, installations and bases, critical infrastructure and weapon systems. Neither the requirement nor the intent of Section 1505 can be met unless DoD allocates robust resources to achieving the stated outcomes, and it should do so immediately, in its spring reprogramming request.
Collaboration and Measurability Needed
Implementation of Section 1505 should not happen in isolation. For instance, DoD should rely on the Critical Infrastructure Control Systems Cybersecurity Performance Goals and Objectives set by the Cybersecurity and Infrastructure Security Agency (CISA) and the critical infrastructure community in accordance with the President’s July 2021 National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. Implementing these performance goals across the Department (without exempting itself, as DoD often does) would align security practices across industry and DoD, the preferred option for enabling mission assurance in cyber-contested environments.
Additionally, the More Situational Awareness for Industrial Control Systems Joint Capability Technology Demonstration, commonly known as “MOSAICS,” underway since 2018 at Sandia National Laboratories, was developed and tested to provide semi-automated protection of control systems against cyberattack. MOSAICS baselines the control systems network, highlights potential vulnerabilities and identifies best practices for responding to and recovering from cyberattacks on critical infrastructure. MOSAICS, which Section 1505 references by name and which is nearly finalized as of this writing, should serve as a model reference architecture for securing DoD’s CS/OT.
Close collaboration with industry will be key to DoD’s successful implementation of Section 1505. Before it publishes any request for proposal (RFP), DoD must work alongside CS/OT vendors to determine its goals, requirements, processes and methodologies. Without this cooperation, DoD will end up with incomplete solutions that neither integrate nor interoperate. Existing forums like S4, taking place this year at the end of April, bring the key stakeholders together to discuss issues like the implementation of Section 1505.
Finally, DoD must also develop a methodology for measuring success in improving the cyber resilience of its CS/OT, and this methodology must be distinct from those used to measure the Department’s information technology cyber resilience. The new methodology should adopt a maturity model approach and be as outcomes-based as possible, and DoD should move away from audits and/or self-attestation as the sole means of assessing cyber resilience and incorporate validation and verification that security controls have actually been implemented.
Congress has asked for evidence that DoD has prioritized the cybersecurity of the CS/OT networks and devices on which its warfighting mission depends. It is difficult for us to contemplate a more urgent priority for DoD than securing its mission-critical CS/OT. Section 1505 delivers a firm slap to DoD’s hand and says that its efforts to secure CS/OT must now be measured and monitored and that leaders must be held accountable. DoD may be as nervous as our college freshman starting a final exam without having picked up a single book. Will the student get an “A,” or something that evokes memories of a school performance we’d rather forget?
Katherine Gronberg is the Head of Government Services at NightDragon, a venture capital firm focused on cybersecurity, security, safety and privacy technologies.
Susan Howard is Director of Industrial Control Systems Cybersecurity at Jacobs Federal and Environmental Systems.