The utility systems that provide water, electricity and other essential services to military installations worldwide have limited defenses against cyber attacks, a new Government Accountability Office (GAO) report said.
There is a “disturbing” vulnerability in the military’s network of “industrial control systems,” the computers that monitor or operate physical utility infrastructure, the GAO report said.
For example, “most” Navy and Marine Corps industrial control systems (ICS) “have very little in the way of security controls and cyber security measures in place,” according to government documents identified by the GAO.
That leaves installations exposed to a “cyber-physical effect” attack that could cause the “physical destruction of utility infrastructure controlled by an ICS,” the GAO said.
An example of a successful cyber physical attack through an ICS was the Stuxnet computer virus ISSSource reported the U.S. and Israel teamed to attack Iranian centrifuges in 2010. By hacking the Iranian nuclear facility’s ICS, the centrifuges operated wildly out of control while operators thought they were running within secure parameters. The incident caused massive damage to the centrifuges and set the Iranian nuclear program back for years.
“According to DoD (Department of Defense), the same type of ICS can be found in the critical infrastructure on numerous DoD installations,” which means “the military services’ ICS may be vulnerable to cyber incidents that could degrade operations and negatively impact missions,” the GAO report said.
In addition to shutting down the basic water and electrical systems at a military base, the ICS vulnerabilities “could be used as a gateway into the installation’s information technology system or possibly DoD’s broader information networks,” the report said.
Last year, a Pentagon order required the military services to identify and secure these computers, but military installation officials said meeting the 2014 deadline was impossible and asked to extend the deadline to 2018, according to the GAO.
Plans for upgrading the military ICS systems remain in the early stages; none of the services has a full and accurate inventory of the ICS systems on its installations, according to the GAO.
Taken together, the shortfalls in this area will make meeting even the 2018 deadline a challenge, defense officials told the GAO.
To help track DoD’s “utility resilience efforts,” military installations must report data about utility outages and problems. But installations are not reporting that information accurately and the existing data is unreliable, according to the GAO.
U.S. Cyber Command, created five years ago, is working toward an operational fleet of 133 teams of active-duty cyber experts by the end of next year. One of that fleet’s three primary missions will be “cyber protection” and defending DoD’s networks.
This year, Cyber Command officials planned to include in their annual cyber training exercise testing procedures “to detect, mitigate, and respond to cyber incidents on DoD ICS perpetrated by advanced persistent-threat actors, such as nation states,” the GAO said.
Defense officials are all too aware of the vulnerabilities. In a March 2014 memo, DoD said “cyber infiltration through ICS used to control and monitor utilities could result in a serious mission-disabling event.”