The Department of Defense’s cyber teams have typically defended IP-based networks, but now leaders are requiring a sharper focus on other networks that power installations.
Army Cyber Command recently reorganized its list of priorities for some of its cyber protection teams. Defending industrial control systems (ICS) and supervisory control and data acquisition, known as SCADA, is one of the organization’s five priorities for defensive cyber operations.
In other words, the Army wants its high-end cyber teams — that focus on threat actors, defending and incident response — to better protect all the utilities that support military installations from cyberattacks.
Some believe the Department of Defense should move away from typical information network defense and expand its coverage to include industrial control and data acquisition systems more extensively.
“Over the last four or five years, as we’ve gotten repetitions responding to incident responses, we’ve really identified where the most likely opportunities that the [Cyber Protection Brigade] will be called to respond and react to. One of those huge areas is ICS-SCADA networks,” Lt. Col. Michael Smith, S-3 operations officer at the brigade, told Fifth Domain during a February visit to Fort Gordon.
If cyber defenders work to fortify the infrastructure on specific DoD Information Network-Army endpoints, what’s the next likely avenue of approach for an adversary, Smith asked. The answer is the infrastructure that supports that base.
“That’s where the ICS-SCADA mission footprint has come in,” he said. “Under this mission set, we’re trying to understand all the facilities — water, electric — that support military installations and how all that’s powered and how it affects an installation as an adversary would attack that.”
This means Army cyber protection teams can’t focus solely on Army infrastructure anymore; they have to understand commercial environments and infrastructure that integrates with the DoDIN.
“At each base there is so much stuff, I don’t believe at this point that cyber protection teams could parachute in effectively,” Greg Touhill, the former federal chief information security officer, said at a May 2018 conference. “You almost have to have a tailored approach for each installation and to have those [cyber protection teams], or whatever unit Cyber Command is going to designate, have familiarity well before an emergency happens ... They need to practice, practice, practice.”
These kinds of networks for industrial systems will require specialized expertise. However, Smith noted that the Army does not provide training at its cyber schoolhouse in this area. The service has contracted for advanced-level training to be provided specifically to the Cyber Protection Brigade, he said.