Top naval commanders asks Carter to include SCADA on cyber scorecard

Two Navy admirals have sent a letter to Defense Secretary Ash Carter asking him to pay greater attention to the cybersecurity of the industrial control systems that underpin U.S. infrastructure. 

ICS vulnerabilities "will have serious consequences on our ability to execute assigned missions if [they are] not addressed," wrote Adm. William Gortney and Adm. Harry Harris, who are, respectively, the commanders of U.S. Northern Command and U.S. Pacific Command.

In the Feb. 11 letter, Gortney and Harris ask Carter to consider adding industrial control systems security to a monthly cyber scorecard that grades various defense agencies on their IT security practices and is submitted to Carter on a monthly basis. The scorecard is an effort to hold DOD officials more accountable for IT security flaws.

"We must establish clear ownership policies at all levels of the department, and invest in detection tools and processes to baseline normal network behavior from abnormal network behavior," the letter says. "Once we've established this accountability, we should be able to track progress for establishing acceptable cybersecurity for our infrastructure ICS."

Cybersecurity analysts told FCW that the admirals' emphasis on ICS is a step in the right direction.

"I applaud the admirals for raising awareness about ICS security," said Chris Sistrunk, a senior ICS security consultant at Mandiant, who tweeted out the letter. The memo lists several "nefarious cyber payloads" that could weaken critical infrastructure. Sistrunk's only critique of the memo was, he said, the admirals' mischaracterization of the search engine Shodan as one of those payloads.

Richard Stiennon, chief research analyst at IT-Harvest, called the memo "remarkable" because it "indicates that the higher ranks within DOD have become aware of the vulnerabilities in the infrastructure used to maintain the U.S. fighting forces.

Peter Singer, a senior fellow at New America, noted that the United States has targeted the critical infrastructure of its adversaries, most notably with the Stuxnet worm that hit Iran's nuclear centrifuges. "Ironically, with Stuxnet, the U.S. has shown the efficacy and threat of ICS attacks," Singer said, adding, "there is a risk of someone doing it back to us."

The admirals' letter cites a seven-fold increase in reported cyber incidents involving critical infrastructure between 2010 and 2015.

The Internet of Things, which encompasses embedded systems such as ICS, is an area that the DOD "hasn't done much on yet and will likely be one of the most vulnerable areas for them over the next decade," said Tony Cole, vice president and global government CTO at FireEye.