In 2019, a U.S. Coast Guard employee inadvertently clicked on a malicious link embedded in an email, triggering a Ryuk ransomware attack. For the next 30 hours, the attacker compromised “significant” enterprise IT network files and encrypted them, shutting off access throughout the Maritime Transportation Security Act-regulated facility.
The malware attack spread throughout the facility’s consolidated IT and operational technology network, impacting “industrial control systems that monitor and control cargo transfer and encrypted files critical to process operations. The effects included disruption of camera and physical access control systems, and loss of critical process control monitoring systems,” according to a Coast Guard statement.
The incident illustrates the urgent need for military agencies to establish cybersecurity readiness for industrial control systems (ICS) and other networked operational technology throughout all connected bases and battlefields. The Coast Guard attack was not a drill or hypothetical scenario. It happened, and demonstrates what can occur in the absence of this readiness.
Fortunately, a funded program is already in place to achieve this transition immediately. Within the Department of Defense, several agencies have incorporated Comply-to-Connect (C2C) into their cybersecurity strategies to improve the authentication, authorization, compliance assessment and automated remediation of devices and systems. Within the C2C framework, IT teams authenticate devices and systems and assess them for compliance with DoD security policies prior to authorizing network access. Compliant devices and systems gain access to appropriate network segments necessary for missions, while unauthorized devices do not until they successfully meet compliance requirements. The DoD is now moving to adopt C2C across its entire global enterprise.
C2C ensures that trusted, authorized devices are rigorously inspected for malicious code, prohibited software, noncompliance and other risks. In contrast to previous security programs, C2C applies to non-traditional networked endpoints including Internet of Things (IoT) devices and OT devices such as industrial control systems (ICS), building automation systems, weapons and other tactical systems, medical equipment, and many other mission-supporting devices. C2C combines all systems and their components in need of protection “in one house” as an integrated, collective whole.
This is proving increasingly important for the operational readiness of ICS infrastructures enabling power, water and other functions at military bases. Without them, our mission systems simply would not work. In fact, the DoD relies on an estimated 2.5 million ICS assets in more than 300,000 buildings for the real-time, automated monitoring and management of utility and industrial systems.
At the same time, as digital transformation proceeds, C2C’s broad applicability to OT devices and systems is playing an essential role, especially because ongoing innovation keeps introducing new vulnerabilities. In a report titled “Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of Vulnerabilities,” the U.S. Government Accountability Office (GAO) reports that the DoD “faces mounting challenges in protecting its weapon systems from increasingly sophisticated cyber threats… DoD’s late start in prioritizing weapon systems cybersecurity; and DoD’s nascent understanding of how to develop more secure weapon systems.”
A large number of weapon systems depend upon software-enabled ICS connectivity to monitor and manage equipment and carry out essential functions, according to the GAO report. But the ICSs were originally designed for use in trusted environments, so many “did not incorporate security controls,” the GAO states. What’s more, DoD officials admit that their program offices may not know “which industrial control systems are embedded in their weapons or what the security implications of using them are.” Discussions sparked by the GAO’s research illustrate the challenges the DoD, and all large organizations, face in gaining visibility into their assets and accounting for accidental and other inevitable vulnerabilities in technology supply chains that span different private sector suppliers and countries of origin.
Given the complexities, C2C has emerged as both the roadmap and building blocks for adoption of “zero trust” principles within the DoD. As defined by NIST, a zero trust architecture “provides a collection of concepts, ideas, and component relationships (architectures) designed to eliminate the uncertainty in enforcing accurate access decisions in information systems and services.” It blocks unauthorized access to data and services while making control enforcement as granular as necessary.
An effective C2C framework is further defined by the following three components:
Comprehensive device visibility, discovery and classification: There are almost always more types of devices on the network than periodic inventories suggest. Agencies must achieve complete visibility by combining active and passive network monitoring techniques to identify multiplying numbers and types of connected systems.
Orchestration of device visibility with security and management processes: The greatest value of true network visibility is being able to act on what you find. DoD systems are governed by extensive compliance and configuration management tools; to drive ROI on these investments, C2C is charged with enabling automation and orchestration of actions necessary to restore systems to a trusted state.
Continuous monitoring: The scale of device and network activity across DoD systems and C2C’s scope across office, facility, field and other non-traditional systems mean “continuous” is critical. More than blocking unauthorized devices and remediating vulnerabilities, C2C’s wider value comes from continuous situational awareness – giving leaders insight into what their network fabric looks like over time, improving security, performance and planning decisions.
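The admission flow described above (authenticate a device, assess it against policy, grant it only the segment it has earned, and re-evaluate as its state changes) can be made concrete with a small model. The following Python script is an added illustration for this article, not Forescout, DoD or C2C program code; the device records, the policy thresholds, the segment names and the protocol-to-class mapping are all constructed for the example. It merges an active scan with passively observed traffic so that unscannable OT gear still appears in the inventory, classifies each device, applies compliance rules, and assigns a segment; a second function re-runs the policy after remediation, standing in for the continuous-monitoring loop.

```python
"""Illustrative Comply-to-Connect style admission decision.

Hypothetical model written for this article; not code from Forescout, the DoD
or any C2C program. All device data, rules and segment names are constructed.
"""
from dataclasses import dataclass, field

# Constructed sample observations. "active" holds results of an authenticated
# scan; "passive" holds attributes inferred from traffic. A real deployment
# merges both so that devices that cannot be scanned are still discovered.
ACTIVE_SCAN = {
    "00:11:22:33:44:01": {"os": "Windows 10", "patch_age_days": 12,
                          "agent": True, "software": ["office"]},
    "00:11:22:33:44:02": {"os": "Windows 10", "patch_age_days": 120,
                          "agent": True, "software": ["office", "remote-admin-tool"]},
}
PASSIVE_OBS = {
    "00:11:22:33:44:02": {"protocols": ["smb", "https"]},
    "00:11:22:33:44:03": {"protocols": ["modbus"]},   # PLC, seen only passively
    "00:11:22:33:44:04": {"protocols": ["bacnet"]},   # building automation controller
    "00:11:22:33:44:05": {"protocols": ["https"]},    # something nobody inventoried
}

# Constructed policy values (hypothetical, not DoD policy).
PROHIBITED_SOFTWARE = {"remote-admin-tool"}
MAX_PATCH_AGE_DAYS = 30
OT_PROTOCOLS = {"modbus", "bacnet", "dnp3"}


@dataclass
class Device:
    mac: str
    device_class: str                  # "workstation", "ot" or "unknown"
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)
    segment: str = "quarantine"        # least privilege until proven compliant


def classify(attrs: dict) -> str:
    """Classify from whatever evidence exists; OT protocols win over OS data."""
    if set(attrs.get("protocols", [])) & OT_PROTOCOLS:
        return "ot"
    if "os" in attrs:
        return "workstation"
    return "unknown"


def build_inventory(active: dict, passive: dict) -> dict:
    """Merge active and passive sources; passive-only assets still appear."""
    inventory = {}
    for mac in set(active) | set(passive):
        attrs = {**passive.get(mac, {}), **active.get(mac, {})}
        inventory[mac] = Device(mac=mac, device_class=classify(attrs), attributes=attrs)
    return inventory


def assess(dev: Device) -> Device:
    """Apply compliance rules and assign the segment the device has earned."""
    a = dev.attributes
    dev.findings = []
    if dev.device_class == "workstation":
        if not a.get("agent"):
            dev.findings.append("no management agent")
        if a.get("patch_age_days", 10**6) > MAX_PATCH_AGE_DAYS:
            dev.findings.append("patches older than policy allows")
        bad = PROHIBITED_SOFTWARE & set(a.get("software", []))
        if bad:
            dev.findings.append(f"prohibited software: {sorted(bad)}")
        dev.segment = "enterprise" if not dev.findings else "remediation"
    elif dev.device_class == "ot":
        # OT gear cannot host an agent; isolate it in its own segment and
        # keep watching it passively rather than denying it outright.
        dev.segment = "ot-control"
    else:
        dev.findings.append("unclassified device")
        dev.segment = "quarantine"
    return dev


def admission_decisions(active: dict = ACTIVE_SCAN, passive: dict = PASSIVE_OBS) -> dict:
    """One full pass: discover, classify, assess, assign."""
    return {mac: assess(dev) for mac, dev in build_inventory(active, passive).items()}


def reassess(decisions: dict, mac: str, new_attrs: dict) -> Device:
    """Continuous monitoring: re-run the policy when a device's state changes."""
    dev = decisions[mac]
    dev.attributes.update(new_attrs)
    return assess(dev)


if __name__ == "__main__":
    for mac, dev in sorted(admission_decisions().items()):
        print(mac, dev.device_class, dev.segment, dev.findings)
```

The point of the merge step is the first of the three components above: the PLC and the unknown HTTPS talker never answer a scan, so an inventory built only from active results would omit them. The re-assessment function is the orchestration hook; a real deployment would call it from whatever patching or configuration-management tool restored the device, which is what closes the loop back to a trusted state.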
When it comes to national defense, readiness to execute missions is the metric that matters most. This has traditionally been measured in terms of forces’ ability to preposition supplies in key regions, keep personnel trained and healthy, and update and execute plans that take stock of emerging conflict and humanitarian crisis hot spots.
Today, readiness also means forces have a comprehensive and automated way to monitor so they can instantaneously know whether and how malicious cyber activity may have denied, degraded, disrupted, deceived or even destroyed systems. By delivering unprecedented network awareness, automation of threat response and the reduction of cyber risk across the enterprise, C2C advances DoD enterprise cyber capabilities while meeting this timeless demand for informed decision-making and mission readiness.
Katherine Gronberg is vice president of government affairs at Forescout Technologies, Inc. in McLean, Virginia.