How the Pentagon is moving to counter converging IT and OT threats

The Pentagon is adapting to the expanding integration of information systems with operational technologies that control physical assets.
(U.S. Army photo by Sgt. 1st Class Marisol Walker)

The integration of data-centric information systems with operational technologies that control physical assets is increasing the need for U.S. entities to modernize their cybersecurity and resilience approaches, according to experts from government and industry.

On a panel moderated by DefenseScoop Tuesday at a Scoop News Group-produced GDIT event, two Defense Department officials and two defense industry executives shared their latest insights on contemporary, real-world threats they’re tracking — at this convergence of IT systems, like computers and servers, with OT systems, like vehicles and medical devices — and how their teams are moving swiftly to adapt and respond.

“When we think about it, installations are our critical power projection platforms. They’re foundational to allow us to launch our critical missions, to ensure readiness, and really do power projection for the United States Air Force and for the DOD in general,” the Department of the Air Force’s acting Deputy Principal Cyber Advisor Lt. Col. Andrew Wonpat said.

“And when we think about cybersecurity, one of the big initiatives across the [DOD] and the U.S. government is zero trust. And that is transformative if we’re going to look at how we do that for operation technology,” he added.

Wonpat and the other panelists reflected on the broad landscape of global, existing and emerging OT vulnerabilities they’re monitoring and moving to mitigate.

Pointing to recent publicly reported numbers he pulled, Wonpat said that “China has approximately 100,000 cyber operators.” Noting that the figure could be an inflated estimate, he argued it’s best to assume that the real number could be much lower.

“So, if we just extrapolate that, if China only has half of that — 50,000, that’s about the number of people in a [specific] town or a city within the United States — so that is significant for us from a military perspective, and the Department of Air Force to really grapple with,” Wonpat said.

Whittling that down further, and assuming only 10% of those personnel are explicitly focused on OT efforts, that would still be about 5,000 people, which in his view is a lot for the service to contend with.

“So, how do we contend with those threats? One thing we did — one of the big initiatives — is [the Air Force established a new] organization called CROCS, or the Cyber Resiliency Office for Control Systems. They’re really responsible for coordinating and overseeing the cybersecurity of our control systems and operation technology, as well as defending critical infrastructure,” Wonpat explained. “And there’s a lot that goes into that.”

He confirmed that early lines of effort for the CROCS team include workforce, governance, visibility and prioritization activities, and transforming OT defense and response.

“I’m really excited about the CROCS organization … It’s the first time I’ve seen something like this in the department and we really need it,” Tony Robertiello, GDIT’s senior program director for Air Force enterprise IT programs, said.

For the Air Force and its civil engineering community, GDIT provides cybersecurity and associated protection services, in multiple forms, for about 600 facility-related control systems across the globe.

Spotlighting recent analysis the company has captured, Robertiello noted that the convergence of OT and IT across the internet protocol (IP) space is currently considered an intensifying threat.

“We have inventory data for those 600 systems — 30,000 devices are IP-based. And these are devices that you don’t put certificates on them, but they could scan the network and could be attacked or could be a point of attack,” he explained.

The GDIT team is working in partnership with the 16th Air Force, an information warfare hub whose OT data Robertiello said they had never had access to before.

“What’s no surprise now is that the top 10 systems in the Air Force of all the systems that they track data on — the most vulnerable systems, that top 10 — it’s OT systems. These are legacy systems. So, the threat is real out there against these types of systems,” Robertiello said.

He and other panelists also discussed Volt Typhoon and similar recent OT attacks attributed to what are reportedly China-backed advanced persistent threat (APT) groups targeting critical infrastructure.

“One observation I will make is that if you look at what’s publicly reported, the Typhoon family is not doing the ransomware phishing attacks. They’re chaining vulnerabilities together and developing some legitimately sophisticated ways of intruding in the systems. The good news about that is that it means the sort of traditional stuff is less effective. So, some of the things that we’ve been doing for years — trying to secure systems and teach people about phishing — some of that is having an effect,” said Terry Kalka, director of the defense industrial base collaborative information-sharing environment at DOD’s Cyber Crime Center (DC3).

Officials inside DC3 are executing what he referred to as defensive missions on DOD networks, as well as for the defense industrial base.

“One of the things we’ve had a lot of success in is vulnerability disclosure, where we work with white hat open-source or crowd-sourced researchers to look for vulnerabilities on public infrastructure,” Kalka said.

In the eight years since that program launched, around 50,000 vulnerability reports have been submitted, and a large number of patches have been made in response. More recently, DC3 opted to build on that momentum by setting up a defense industrial base vulnerability disclosure program (DIBVDP).

“Now there’s an IBM report that estimates the cost of a data breach each year. This year, they say a data breach costs, on average, $4.8 million. I’m not going to try to do the math onstage. But if we have so far, in the DIBVDP, mitigated 59 vulnerabilities in six months … that’s about $288 million that we’ve saved industry and therefore saved the taxpayer. That’s a nice statistic if you have to go ask for cybersecurity money. And secondly, it’s a real, tangible effect in terms of what’s publicly available and how can we close that off as a way of entry,” Kalka said.

Autonomous endpoint management is another increasingly powerful solution the panelists highlighted.

Sam Kinch, who previously worked at U.S. Cyber Command and is now an executive client advisor at Tanium, cited a recent statistic that 70 percent of successful breaches start at the endpoint, which he said further reflects the growing need for organizations to bring IT and OT assets under a single umbrella of real-time visibility.

“One of the other stats that came out of DOD recently, if you look at the IT estate across their enterprise, it’s about 4 million endpoints they project right now. And they don’t know, but they’re projecting 15 to 18 million endpoints when you include the OT side of the house,” he noted.

“How is that for a target surface in a vulnerability state? Autonomous endpoint management is going to be essential. And what that means to us is really, how do you incorporate autonomy and automation into the process flows so you can reduce risk and drive down the mistakes that get made from mundane tasks nobody wants to do?” Kinch said.

Written by Brandi Vincent

Brandi Vincent is DefenseScoop’s Pentagon correspondent. She reports on emerging and disruptive technologies, and associated policies, impacting the Defense Department and its personnel. Prior to joining Scoop News Group, Brandi produced a long-form documentary and worked as a journalist at Nextgov, Snapchat and NBC Network. She grew up in Louisiana and received a master’s degree in journalism from the University of Maryland.