The fiscal year (FY) 2022 National Defense Authorization Act (NDAA) included a rather provocative provision. That provision, Section 1505, demands that the Department of Defense (DoD) prove how well it understands and protects its control systems and operational technology (CS/OT). Congress isn’t holding back with this provision: over the next several years, through a series of questions and requested briefings to Congressional staff, it requires DoD to reveal its visibility into its mission-critical assets and the CS/OT that supports them. It lays the groundwork for a process in which DoD must measure, document and report on its progress and proficiency in securing CS/OT against a set of clearly defined standards and objectives. If DoD fully implements and adheres to Section 1505, it will better understand and mitigate the mission risk stemming from its reliance on CS/OT.
Our adversaries’ ability to target CS/OT systems has been on display for over a decade, with the first systemic probing of our civilian CS/OT systems noted in 2012. In 2015, after the Russian invasion of the Crimean Peninsula, suspected Russian hackers targeted the Ukrainian power grid, leaving 230,000 customers in western Ukraine without power. But the threat has come closer to home in recent years and months. In January 2021, hackers accessed the computer system of a California water treatment plant and tried to poison the water supply by deleting programs. In February 2021, hackers took control of computers at the Oldsmar, Florida water treatment plant and reset the level of sodium hydroxide in the city’s drinking water to unsafe levels (they were quickly discovered). In March 2022, the U.S. government unsealed an indictment alleging that three Russian intelligence officers spent five years targeting energy infrastructure in 135 countries in an effort to enable the Russian government to gain remote control of power plants. In short, adversaries already possess the intent and capability to disrupt or destroy the systems the U.S. needs in order to respond militarily to an act of aggression against us or our allies. Recent Russian aggression has brought the vulnerability of U.S. CS/OT systems into even sharper focus.
Our military bases contain many of the same types of sensors, controllers and actuators found in these civilian systems and potentially depend on many of the same vulnerable devices and applications. Section 1505 questions whether DoD has properly planned for the cybersecurity threat to CS/OT systems and whether it has sufficiently resourced their security. In fact, until now DoD has relied on engineers and technicians with no CS/OT cyber tools or training to manage hundreds of thousands of CS/OT systems and devices. Four years ago, DoD issued policy documents designating the Chief Information Officer (CIO) as the overall lead for securing the Department’s CS/OT; however, actual oversight, coordination and implementation have yet to occur through funded action plans. The historical focus on the reliability of CS/OT systems is not unlike that of commercial organizations; however, in the case of DoD the consequences of insecure systems are potentially much higher. The push to meet the requirements of Section 1505 should therefore carry the same urgency our government showed in the aftermath of the Office of Personnel Management (OPM) breach. On par with the Administration’s call to cyber-secure the sixteen critical infrastructure sectors, achieving Section 1505’s directives should be treated as a sprint.
Read more via Night Dragon