Building Cyber Resilience Through Education
There is an urgent need to address the cybersecurity literacy of the civil engineering defense community.
BY JUAN LOPEZ JR., CISSP, M.SAME, JOHN H. SAUNDERS, PH.D., M.SAME, and DEANNE W. OTTO, PH.D., M.SAME
The emergence of the Stuxnet worm and the actions taken by the federal government to protect and ensure the continuity of the nation’s critical infrastructure have amplified the need to manage the escalating cybersecurity risk to industrial control systems (ICSs).
There is an urgent need to address the cybersecurity literacy of the civil engineering community across the Department of Defense (DOD). While cybersecurity education and training for ICSs is limited, a course developed jointly by The Civil Engineer School, National Defense University, and Center for Cyberspace Research at the Air Force Institute of Technology, Wright-Patterson AFB, Ohio, has sought to evolve the understanding of this emerging area of military engineering.
DOD relies on ICSs to provide critical core infrastructure services that include electric power, water and wastewater, chemical, transportation, and oil and natural gas systems. In October 2009, the Air Force Civil Engineer Support Agency (now the Air Force Civil Engineer Center) published Engineering Technical Letter (ETL) 9-11: Civil Engineering Industrial Control System Information Assurance Compliance. It was a coordinated effort to mitigate emerging cybersecurity threats, such as the Aurora vulnerability, to Air Force critical infrastructure systems. Aurora is a vulnerability in which an attacker with control of a protective relay or breaker opens and recloses it out of synchronism with the grid; the resulting mechanical stress can physically damage rotating machinery such as generators, pumps and turbines used to provide electricity.
ETL 9-11 was superseded in 2011 by ETL 11-1, which instituted a Certification and Accreditation (C&A) process tailored specifically for ICSs and codified eight ICS system types. These efforts helped institutionalize cybersecurity for ICSs with an established risk management process. The letter recognizes the unique reliability, safety and cybersecurity requirements peculiar to ICSs without diluting the risk management responsibility of Air Force Civil Engineer (CE) leadership at the local level (ICS IAM & FAM) and enterprise level (HQ AF/A7).
System owners believe Internet-accessible supervisory control and data acquisition (SCADA) systems boost efficiencies at utilities because they allow workers to operate equipment remotely. Remote Internet access to control systems, however, exposes these once-closed systems to cyber attack. The number of SCADA components connected to the Internet and vulnerable to attack is alarmingly high. A recent study discovered that more than 3,900 SCADA devices in the United States are Internet-accessible.
The U.S. Government Accountability Office designated federal information security as a government-wide high-risk area in 1997, and in 2003 expanded it to include cyber critical infrastructure. The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), established in 2009, reported that cyber incidents increased by more than 200 percent between FY2010 and FY2011.
Leveraging the momentum exhibited by Air Force leadership to champion ICS efforts, a grassroots effort started to shape a cybersecurity course for civil engineers titled “Managing Control Systems Security.” It was a collaboration between the Center for Cyberspace Research, National Defense University and The Civil Engineer School. The course brings together ICS engineers and IT professionals to collaborate and solve ICS cybersecurity challenges. This combined approach creates an interesting dynamic in the classroom. Invariably, when ICS and IT personnel discuss cybersecurity, frustration can quickly set in. This can be healthy. In a classroom setting, it can be utilized to promote discussion and a heightened sense of awareness. Case studies and guided discussions focus on cybersecurity issues that require detailed analysis in order to develop mitigation strategies that are feasible, measurable, effective and will not exceed safety thresholds. Both sides are challenged to reevaluate their assumptions with regard to system functionality, safety, reliability and security.
The course is augmented with guest lecturers and field site visits. Briefings have included the Air Force Civil Engineer, Air Force ICS Program Manager, 262nd Network Warfare Squadron and 346th Test Squadron among others. The course integrates hands-on labs with industry standard hardware and software. Students gain experience with vulnerability exploitation techniques such as those used in the Davis-Besse (Slammer worm) and Stuxnet incidents. Throughout the week, the participants work on a large facility case (four teams: electric, fuel, water and perimeter security) to provide a set of prioritized recommendations during a capstone presentation.
The positive feedback from the field engineers attending the course led to its adoption as a technical course offering. Although it has traditionally been offered only once a year (August-September) for the past three years, students highly recommended that it be offered twice a year, once in CONUS and once in OCONUS (alternating between the Far East and Europe on odd years) to reach a wider audience. Furthermore, recommendations that it be a joint designated course were considered warranted in light of the civil engineer mission across DOD. The course has been funded in the past through end-of-year funds. However, the current budget environment forced the cancellation of the majority of resident Professional Continuing Education for the remainder of FY2013 and created uncertainty for FY2014. Clearly, though, there is a real need for this instruction in what is an evolving national security mission facing military engineers. In fact, both Naval Facilities Engineering Command and Marine Corps Cyberspace Command have requested seats for their personnel in the course, and in addition to eight Air Force major commands, U.S. Army Corps of Engineers personnel have participated.
Many lessons have been captured throughout the course’s first three years. The first concerns language disparity. ICS and IT personnel use different terms to describe similar topics. This makes it easy to disagree on key elements of a risk mitigation strategy. For example, risk management artifacts like diagrams and symbols are rather different for the two communities, and the level of abstraction is more granular for IT than for ICS. Participants recommend incorporating common language, diagramming rules and standard symbols. A shared ICS and IT lexicon needs to be codified to enhance discussions of ICS cybersecurity.
The second lesson learned concerns the ordering of cybersecurity goals. ICS focuses on safety and availability while IT focuses on privacy and confidentiality, at times diametrically opposing missions. Traditional IT security goals are prioritized as: 1) Confidentiality; 2) Integrity; and 3) Availability. ICS security goals, however, are prioritized as: 1) Availability; 2) Integrity; and 3) Confidentiality. The lack of focus on confidentiality is not surprising since ICS data has a rapid decay rate with regard to the usefulness of real-time information for a process. ICS data typically has low informational content value unlike sensitive corporate documents or personally identifiable information. An exception in ICS is smart meter privacy, currently under debate. Low confidentiality value does not mean low integrity value, however: a forged setpoint or a replayed sensor reading, the technique Stuxnet used to hide its effects, is exactly the attack an ICS must resist. These differing goals present interesting challenges when mitigating cybersecurity risk. The course offers a case study that emphasizes this dilemma and forces teams to work together to resolve the disparity.
A third lesson learned is the extremely long life-cycle of SCADA systems. A typical ICS installation has a lifetime of 15 to 30 years. Legacy SCADA systems have limited cryptography capability and limited processing power in many field devices. Most ICS protocols do not have even rudimentary authentication or encryption options. Even protocols that have secure variants or can be wrapped in a secure transport (such as DNP3 with Secure Authentication, Secure ICCP, and Modbus/TCP tunneled over an encrypted link) require substantial effort, and often hardware replacement, to secure in practice.
Lastly, SCADA protocols are encapsulated within existing and unsecured IP protocols for network-based communications. One reason security is so hard to retrofit is that many SCADA protocols are proprietary, often undocumented, and were ported from insecure serial protocols directly onto an IP network stack. Fieldbus protocols are typically designed as serial protocols with no native security mechanism, authentication, or bounds checking. Once reachable over a network, a command from an attacker is therefore indistinguishable from a command from the operator’s console. This makes them extremely vulnerable. Furthermore, if ICS decision-makers are given the choice between preserving safety or preserving security, most will prefer to accept cybersecurity risk before giving up an inch of safety. This generated serious debate. IT personnel tend to underestimate the real physical damage that can occur from a minor system interruption to an ICS.
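The following is an added example, not code from the article or the course. It shows concretely what the preceding paragraphs describe for Modbus/TCP, an open, widely deployed ICS protocol: the frame carries no authentication, so a write request from an attacker is byte-for-byte identical to one from the HMI, and the field device does no bounds checking on the length field. It also shows the compensating control a passive network monitor can provide: an allow-list of hosts permitted to issue writes, and a strict parser that rejects frames whose MBAP length disagrees with the bytes on the wire. The IP addresses, the allow-list and the sample frames are all constructed for illustration.

```python
"""Added example: Modbus/TCP has no authentication, so a passive monitor
must rely on context (who sent the write) and strict parsing (does the
length field match the wire) to catch abuse.  All addresses and frames
below are constructed for illustration."""

import struct

# Modbus function codes that change process state (writes).
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}

# Hypothetical allow-list: only the HMI at this address may write to field devices.
WRITE_ALLOWLIST = {"10.0.1.10"}


def build_modbus_tcp(transaction_id, unit_id, function_code, payload):
    """Build a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) + protocol id (2, always 0) + length (2) + unit id (1).
    The length field counts the unit id, the function code and the payload.
    Note there is no field anywhere for a credential or a signature.
    """
    protocol_id = 0
    length = 1 + 1 + len(payload)
    mbap = struct.pack(">HHHB", transaction_id, protocol_id, length, unit_id)
    return mbap + bytes([function_code]) + payload


def parse_modbus_tcp(frame):
    """Parse an ADU with explicit bounds checks.

    Returns a dict on success and raises ValueError on a malformed frame.
    A naive field device trusts the length field; the monitor does not.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    # Everything after the 6-byte tid/pid/length prefix must equal `length`.
    if length != len(frame) - 6:
        raise ValueError(
            f"MBAP length {length} disagrees with wire length {len(frame) - 6}"
        )
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def inspect(src_ip, frame):
    """Return a list of alert strings for one frame seen by a passive monitor."""
    try:
        pdu = parse_modbus_tcp(frame)
    except ValueError as exc:
        return [f"malformed frame from {src_ip}: {exc}"]
    alerts = []
    if pdu["function"] in WRITE_FUNCTIONS and src_ip not in WRITE_ALLOWLIST:
        alerts.append(
            f"{WRITE_FUNCTIONS[pdu['function']]} to unit {pdu['unit']} "
            f"from unauthorized host {src_ip}"
        )
    return alerts


if __name__ == "__main__":
    # Constructed: HMI sets coil 0x0010 ON (0xFF00) on unit 1.
    hmi_write = build_modbus_tcp(1, 1, 5, b"\x00\x10\xff\x00")
    # Constructed: attacker sends the identical bytes from another host.
    attacker_write = build_modbus_tcp(1, 1, 5, b"\x00\x10\xff\x00")
    print("frames identical:", hmi_write == attacker_write)
    print("HMI:", inspect("10.0.1.10", hmi_write))
    print("attacker:", inspect("10.0.1.77", attacker_write))
    # Constructed: length field claims 200 bytes but only 6 follow.
    bad_length = b"\x00\x02\x00\x00\x00\xc8\x01\x03\x00\x00\x00\x01"
    print("malformed:", inspect("10.0.1.10", bad_length))
```

The point of the example is not the parser itself but what it cannot do: nothing in the frame lets the monitor (or the PLC) tell the two write requests apart, so the only available controls are network-level ones, namely segmentation, source allow-listing and strict parsing in front of devices that cannot be patched for the remainder of a 15 to 30 year service life.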
The outgrowth from the course has been incredibly revealing and in many cases unforeseen. The civil engineering defense community can potentially leverage these lessons learned and use the course as part of an enterprise strategy to improve its cybersecurity literacy.
Cybersecurity is a particularly challenging area for critical infrastructure. The Stuxnet attack underscores the importance of cybersecurity in the ICS domain. Technical schools, trade schools and undergraduate programs in automation and industrial engineering do not adequately cover ICS cybersecurity.
The foundation established through this course will help bring an emerging discipline to ICS and IT practitioners. The course and the lessons learned can help toward developing Information Assurance pedagogy for sustainable cybersecurity throughout DOD’s civil engineer workforce.