Ubiquitous Connections Depend Upon Additional Security Skills
Rapid growth of the internet of things (IoT) is encouraging the introduction of new devices including those with higher mobility to the military and critical infrastructure. Besides improving efficiency, such devices are also increasing liability. Signal writes about how government agencies are taking latest security measures to protect their military facilities and IT infrastructures.
Cyber warfare continues to evolve with ever-changing innovation and technology, increasing critical infrastructure defense. In addition, with the onset of smart cities, the U.S. military in general, and the U.S. Army in particular, is exploring gaps in training and education related to operating in dense, super-connected urban areas.
In 2010, when U.S. Cyber Command achieved initial operational capability, each of the services reorganized its capabilities. Simultaneously, the services realized a rise in awareness of the importance of critical infrastructure security and began boosting their attention to it.
The U.S. Department of Homeland Security (DHS) defines and describes the term critical infrastructure by identifying 16 sectors; however, the Army’s understanding of critical infrastructure focuses more on an interrelated system. The critical infrastructure system/environment translates into doctrine as “supporting infrastructure as an overlapping and interdependent system of systems.” The doctrine also emphasizes the importance for commanders to learn, understand and consider the associated components of the infrastructure. An example from this doctrine is the observation: “the generating source providing power to the urban energy system is part of that system but may be located well outside of the urban area.”
The defense industrial base and other sectors that include energy, water and wastewater, and chemical manufacturing require a comprehensive understanding beyond just the government or military. According to the Army’s field manual, these sectors are commercially owned and have “effects of the interaction between components of infrastructure … [which] is essential to planning and conducting operations.” Gaining a better understanding of these other commercially owned aspects of the critical infrastructure will enable the U.S. military to understand gaps in urban operations. Factoring in a cyber warfare operation, for example, would provide security within a control system environment.
To address this challenge, the Army leverages an existing framework for strategic and tactical operations that comprises political, military, economic, social, information, infrastructure, physical environment and time (PMESII-PT) variables.
Operational technology has become a prominent area of apprehension within industrial control system security. Securing these systems not only is a concern for the U.S. military and government but also across public and private sector decision makers who must assist in defending systems and controlling the effects of a breach.
According to experts, the growth of the Internet of Things (IoT) will continue to influence the control system environment. Scott W Tousley, deputy director of the cybersecurity, DHS Science and Technology division, describes the IoT as inescapable and universal and adds it will impact the Internet of systems. One priority he emphasizes is creating a foundation of training and education that will be extremely important for long-term success.
For example, within the health care and public health sector, IoT devices are operating on radio frequency (RF), which creates an Internet of radios and results in new vulnerabilities. As a result, in addition to the increase for in-demand skill sets from the defense industrial base, new skills that have not yet even been codified will be required in the RF field.
According to an article by Kelly Hill in RCR Wireless News, a typical RF test engineer needs a Bachelor of Science degree in electrical engineering, mathematics or computer science/physics. In addition, RF knowledge, particularly in cellular and/ or Wi-Fi technologies, is required within several areas, including how to measure and characterize various types of spectrum; experience with test instrumentation; knowledge about spectrum analyzers, signal generators, vector network analyzers, power supplies, power meters, battery emulators and pulse generators; and data analysis skills.
A study by Trend Micro Research revealed “RF technology is being used in operations to control various industrial machines. Furthermore, IoT threats gain enterprise access through the broader RF spectrum.” Device connections enabled via Bluetooth, Near Field Communication, RF identification, Z-Wave, Zigbee or 2G/3G/4G all open possibilities to unauthorized access. The convergence of use growth, technical applications and lack of experts to maintain, protect and defend RF can be the perfect storm for adversaries to take advantage of national systems that heavily rely on remaining connected.
With the onset of the IoT and its relationship to control systems, more effort must be dedicated to identifying a baseline skill set required to operate and secure these control system environments to address this security gap properly. Artificial intelligence may lead to solutions, but in the interim, the next step is to recognize emerging hybrid skills sets.
For example, ham radio operators, engineers, information technology experts and cyber professionals have the requisite skills to enable security of the control system environment. However, these skills must be assessed to determine how to blend and apply them to complex systems.
Adding abilities only addresses the technical side of the equation. According to an Accenture survey, 60 percent of U.S. manufacturers already find it difficult to hire the skilled people they need. Moving toward converged information technology/operational technology architectures will exponentially increase the demand for workers with the necessary knowledge, experience and certifications.
China has demonstrated how it is moving forward to address this workforce shortage challenge by applying technology to it. A platform ZTE created provides innovative water control management. Unmanned aerial vehicles equipped with 5G-based video capabilities visually monitor water resources. The video is then paired with 5G-augmented reality/virtual reality technology and, using artificial intelligence and big data technology, the country plans to improve not only infrastructure security but also water quality.
To protect its internal systems and information technology infrastructure, the United States must begin thinking in these terms. To contend with an ever-changing operational environment that features more interconnected devices, the military, government, private sector and academia must zealously boost their efforts into assessing today’s workforce skills and develop innovative ways to engage and train future generations so they can properly maneuver in control systems environments amidst the arrival of the IoT.
Chief Warrant Officer 4 Judy M. Esquibel, USA, is a cyber operations technician who is a doctoral student in the Department of Information Sciences, Naval Postgraduate School, Monterey, California, and an Army Cyber Institute Fellow.