Cybersecurity

Top naval commanders asks Carter to include SCADA on cyber scorecard

Navy person using keyboard

Two Navy admirals have sent a letter to Defense Secretary Ash Carter asking him to pay greater attention to the cybersecurity of the industrial control systems that underpin U.S. infrastructure. 

ICS vulnerabilities "will have serious consequences on our ability to execute assigned missions if [they are] not addressed," wrote Adm. William Gortney and Adm. Harry Harris, who are, respectively, the commanders of U.S. Northern Command and U.S. Pacific Command.

In the Feb. 11 letter, Gortney and Harris ask Carter to consider adding industrial control systems security to a monthly cyber scorecard that grades various defense agencies on their IT security practices and is submitted to Carter on a monthly basis. The scorecard is an effort to hold DOD officials more accountable for IT security flaws.

"We must establish clear ownership policies at all levels of the department, and invest in detection tools and processes to baseline normal network behavior from abnormal network behavior," the letter says. "Once we've established this accountability, we should be able to track progress for establishing acceptable cybersecurity for our infrastructure ICS."

Cybersecurity analysts told FCW that the admirals' emphasis on ICS is a step in the right direction.

"I applaud the admirals for raising awareness about ICS security," said Chris Sistrunk, a senior ICS security consultant at Mandiant, who tweeted out the letter. The memo lists several "nefarious cyber payloads" that could weaken critical infrastructure. Sistrunk's only critique of the memo was, he said, the admirals' mischaracterization of the search engine Shodan as one of those payloads.

Richard Stiennon, chief research analyst at IT-Harvest, called the memo "remarkable" because it "indicates that the higher ranks within DOD have become aware of the vulnerabilities in the infrastructure used to maintain the U.S. fighting forces.

Peter Singer, a senior fellow at New America, noted that the United States has targeted the critical infrastructure of its adversaries, most notably with the Stuxnet worm that hit Iran's nuclear centrifuges. "Ironically, with Stuxnet, the U.S. has shown the efficacy and threat of ICS attacks," Singer said, adding, "there is a risk of someone doing it back to us."

The admirals' letter cites a seven-fold increase in reported cyber incidents involving critical infrastructure between 2010 and 2015.

The Internet of Things, which encompasses embedded systems such as ICS, is an area that the DOD "hasn't done much on yet and will likely be one of the most vulnerable areas for them over the next decade," said Tony Cole, vice president and global government CTO at FireEye.

About the Author

Sean Lyngaas is a former FCW staff writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.