Top naval commanders ask Carter to include SCADA on cyber scorecard
- By Sean Lyngaas
- Feb 25, 2016
Two Navy admirals have sent a letter to Defense Secretary Ash Carter asking him to pay greater attention to the cybersecurity of the industrial control systems that underpin U.S. infrastructure.
ICS vulnerabilities "will have serious consequences on our ability to execute assigned missions if [they are] not addressed," wrote Adm. William Gortney and Adm. Harry Harris, who are, respectively, the commanders of U.S. Northern Command and U.S. Pacific Command.
In the Feb. 11 letter, Gortney and Harris ask Carter to consider adding industrial control systems security to a cyber scorecard that grades various defense agencies on their IT security practices and is submitted to Carter monthly. The scorecard is an effort to hold DOD officials more accountable for IT security flaws.
"We must establish clear ownership policies at all levels of the department, and invest in detection tools and processes to baseline normal network behavior from abnormal network behavior," the letter says. "Once we've established this accountability, we should be able to track progress for establishing acceptable cybersecurity for our infrastructure ICS."
Cybersecurity analysts told FCW that the admirals' emphasis on ICS is a step in the right direction.
"I applaud the admirals for raising awareness about ICS security," said Chris Sistrunk, a senior ICS security consultant at Mandiant, who tweeted out the letter. The memo lists several "nefarious cyber payloads" that could weaken critical infrastructure. Sistrunk said his only critique of the memo was the admirals' mischaracterization of the search engine Shodan as one of those payloads.
Richard Stiennon, chief research analyst at IT-Harvest, called the memo "remarkable" because it "indicates that the higher ranks within DOD have become aware of the vulnerabilities in the infrastructure used to maintain the U.S. fighting forces."
Peter Singer, a senior fellow at New America, noted that the United States has targeted the critical infrastructure of its adversaries, most notably with the Stuxnet worm that hit Iran's nuclear centrifuges. "Ironically, with Stuxnet, the U.S. has shown the efficacy and threat of ICS attacks," Singer said, adding, "there is a risk of someone doing it back to us."
The admirals' letter cites a seven-fold increase in reported cyber incidents involving critical infrastructure between 2010 and 2015.
The Internet of Things, which encompasses embedded systems such as ICS, is an area that the DOD "hasn't done much on yet and will likely be one of the most vulnerable areas for them over the next decade," said Tony Cole, vice president and global government CTO at FireEye.
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.