Key Takeaways:
- The US military’s lethality depends on advanced technology, but also on basic utilities like electricity, oil and gas, water, telecommunications, and rail transit.
- The military relies on private contractors to supply these utilities, which are vulnerable to cyberattacks due to their dependence on operational technology (OT).
- The current regulatory framework for OT cybersecurity is fragmented and full of gaps, making it unlikely that a comprehensive system of laws and regulations will be established soon.
- The Pentagon should use its procurement power to set standards for OT cybersecurity in the services it purchases, including contract language defining cybersecurity controls for OT.
- An inventory of assets, inside and outside the fence, is necessary to identify vulnerabilities and inform mitigation efforts.
Introduction to the Problem
The US military’s ability to project force and maintain its lethality depends on a range of factors, including the availability of advanced technology like tanks, drones, and warships. However, it also relies on more mundane utilities like electricity, oil and gas, water, telecommunications, and rail transit. These utilities are critical to the military’s ability to operate effectively, and any interruption to them could have significant consequences. The military does not produce these utilities itself, instead relying on private contractors to supply them. These contractors, in turn, depend on operational technology (OT) to monitor and control physical processes, which is vulnerable to cyberattacks.
The Vulnerability of Operational Technology
The evidence is clear that foreign adversaries have targeted and successfully gained access to the OT of critical infrastructure. The US regulatory framework for OT cybersecurity is fragmented and full of gaps: directives on gas pipelines do not apply to the last mile that delivers product to military bases, and federal regulations for the bulk electric system do not extend to the distribution lines bringing power to many installations. Water, vital for life and industry, is effectively unregulated for cybersecurity. This lack of regulation creates a significant vulnerability, because OT is increasingly digital and increasingly connected to the internet. The assumption that OT is secure from cyber compromise because it is air-gapped is a myth, and the Pentagon's efforts to "island off" military installations from public networks will accomplish little if the utilities feeding those installations remain exposed.
The Need for Inventory and Contractual Requirements
The Pentagon can use its procurement power to address OT cybersecurity in utilities critical to its warfighting mission. It should begin by conducting an inventory of assets, inside and outside the fence, to identify pathways between OT systems and the internet as well as vulnerable equipment. This inventory should inform immediate mitigation efforts and spur the development of prioritized and measurable controls for OT that can be required of critical infrastructure contractors. The trend is toward more internet-capable OT, not less, and the time to start insisting that it be protected against foreign adversaries is now.
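The inventory step above is the one piece of this that lends itself to a concrete illustration. The following is an added example, not code from the article or from any Pentagon program: it takes a small, constructed inventory of utility and installation assets with the network links between them (all names, countries of origin and links are hypothetical) and answers the two questions the inventory is meant to answer, namely which OT devices have a pathway from the internet, and which pathways matter most to cut first. Links are treated as bidirectional connectivity, since a reachable IT host that is dual-homed into a control network is a pathway in either direction.

```python
from collections import deque

# Constructed sample inventory (hypothetical, not real data). Assets are
# tagged as IT or OT, inside or outside the fence, and by vendor country.
# "internet" is the external node from which exposure is measured.
ASSETS = {
    "internet":            {"type": "external", "inside_fence": False},
    "util-corp-fw":        {"type": "it", "inside_fence": False},
    "util-historian":      {"type": "it", "inside_fence": False},
    "util-scada":          {"type": "ot", "inside_fence": False, "vendor_country": "US"},
    "feeder-rtu":          {"type": "ot", "inside_fence": False, "vendor_country": "CN"},
    "base-substation-plc": {"type": "ot", "inside_fence": True,  "vendor_country": "CN"},
    "base-water-plc":      {"type": "ot", "inside_fence": True,  "vendor_country": "US"},
    "vendor-cell-modem":   {"type": "it", "inside_fence": True},
}

# Constructed links. Two of them are the classic "air gap" bypasses:
# a historian dual-homed into the control network, and a remote-maintenance
# cellular modem that reaches a PLC on base without touching the base network.
LINKS = [
    ("internet", "util-corp-fw"),
    ("util-corp-fw", "util-historian"),
    ("util-historian", "util-scada"),        # historian dual-homed into control net
    ("util-scada", "feeder-rtu"),
    ("feeder-rtu", "base-substation-plc"),   # outside-the-fence OT reaches inside
    ("internet", "vendor-cell-modem"),       # vendor remote-maintenance modem
    ("vendor-cell-modem", "base-water-plc"),
]


def build_adjacency(links):
    """Undirected adjacency map: a link is a pathway in either direction."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def shortest_paths_from(adj, source):
    """Breadth-first search; returns {node: shortest path from source}."""
    paths = {source: [source]}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in sorted(adj.get(node, ())):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def exposed_ot(assets, links, source="internet"):
    """OT assets reachable from source, each with the pathway that reaches it,
    ordered so the shortest (most direct) exposures come first."""
    paths = shortest_paths_from(build_adjacency(links), source)
    rows = []
    for name, attrs in assets.items():
        if attrs["type"] == "ot" and name in paths:
            rows.append({
                "asset": name,
                "inside_fence": attrs["inside_fence"],
                "vendor_country": attrs.get("vendor_country", "unknown"),
                "hops": len(paths[name]) - 1,
                "path": paths[name],
            })
    return sorted(rows, key=lambda r: (r["hops"], r["asset"]))


def remaining_exposure(assets, links, removed, source="internet"):
    """Re-run the analysis with some pathways cut, to rank candidate mitigations
    by how much OT exposure each one actually removes."""
    removed_set = {frozenset(link) for link in removed}
    kept = [link for link in links if frozenset(link) not in removed_set]
    return exposed_ot(assets, kept, source)


if __name__ == "__main__":
    for row in exposed_ot(ASSETS, LINKS):
        side = "inside" if row["inside_fence"] else "outside"
        print(f"{row['asset']:22} {side:8} {row['vendor_country']:4} "
              f"{row['hops']} hops: {' -> '.join(row['path'])}")
    cut = [("util-historian", "util-scada")]
    print("still exposed after cutting historian<->scada:",
          [r["asset"] for r in remaining_exposure(ASSETS, LINKS, cut)])
```

Run stand-alone, the report shows that all four OT devices in the sample are reachable from the internet even though two of them sit inside the fence, and that cutting the historian's control-network link removes three of the four exposures while the vendor modem still reaches the water PLC. That second result is the practical point of doing the inventory on both sides of the fence: the remaining pathway is invisible to anyone who only maps the base network.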
The Current State of Contract Requirements
The US military has no contract requirements for how its outside-the-fence contractors operate OT, even though the Pentagon is currently implementing a major program aimed at hardening the IT of its contractors against cyberattack. The Cybersecurity Maturity Model Certification (CMMC) program requires contractors to implement the cybersecurity controls defined by the National Institute of Standards and Technology in NIST SP 800-171, but there is no equivalent requirement for OT. The electric utility contracts for US military installations contain a clause requiring cybersecurity controls on the contractors' corporate IT networks, but no clause for OT. The Pentagon should develop specific, prioritized OT cybersecurity requirements and incorporate them in contracts for both inside-the-fence and outside-the-fence utility services.
The Way Forward
The Pentagon should use its procurement power to set standards for OT cybersecurity in the services it purchases, including contract language defining cybersecurity controls for OT. This should include attention to the sensors, actuators, and other devices collecting physical-world data at the very foundation of OT systems. A good starting point would be the controls in the ISA/IEC 62443 suite of standards adopted by the International Society of Automation specifically for industrial automation and control systems. The National Security Agency has recently built on these controls with recommendations for OT in systems under its purview. Implementation of OT security requirements for utilities serving military installations should assume that on-base and off-base OT systems will not be air-gapped and will include China-made devices, so the focus should be explicitly on resistance to compromise in systems that are connected and use China-made devices. With Chinese, Russian, and Iranian hackers already observed in US critical infrastructure, reforms to accelerate procurement of more lethal weapons would be wasted without parallel reform aimed at the basic utilities that support the readiness and deployment of those very weapons.