This article addresses recent actions taken to improve cyber defense and resilience of United States and DoD Critical Infrastructure (CI), specifically Critical Infrastructure
Cybersecurity and Defense Support of Civil Authorities (DSCA).
Recent events of 2017-2018 clearly demonstrate the severity of the threat to CI and hence to national security by a Cyber-Physical Systems (CPS) attack.
The most salient point about Cyber-Physical Systems as opposed to traditional Information technology (IT) is that they operate in two domains: the information systems domain that enables communications, monitoring, recording and reporting, and the Control Systems (CS) domain that executes physical operational effects. The understanding of a particular CPS’ maintenance procedures, protections, Indications and Warnings (I&W), and response and recovery procedures, require detailed technical information about, and operational insight into, these two separate domains concurrently, the cyber and the physical. However, there is huge variation across the sixteen Federally defined CI sectors , and the challenges to maintenance of a uniform level of cyber resilience for these systems are significant. As Critical Infrastructure straddles both sides of a base perimeter fence, public-private collaboration is inescapable. Understanding of requirements and capabilities on both sides of the DCI fence is key. We will review here some of the most recent actions and recommendations by the U.S. Government to reduce the threat to national CI CPS, with a focus on DoD actions to carry out cyber DSCA tasking with respect to CI found in the 2017-19 National Defense Authorization Acts (NDAA).
A Catalyst for Change – General Accountability Office (GAO) Report 16-332
“DoD Needs to Clarify Its Roles and Responsibilities for Defense Support of Civil Authorities during Cyber Incidents.”
According to the General Accountability Office (GAO) 16-332, DoD’s role in addressing Cyber DSCA goes back to at least the DoD’s 2013 Strategy for Homeland Defense and Defense Support of Civil Authorities . In addition, Cyber DSCA was addressed in subsequent DoD Directives, policy statements and NDAAs, prior to the issuance of GAO 16-332 . However, when GAO 16-332 was released, fundamental flaws were revealed by GAO in the potential execution by DoD of its Cyber DSCA policies. The report described a “lack of clarity on key roles and responsibilities — specifically for DoD components, the supported command, and the dual-status commander — to support civil authorities in a cyber incident” . The primary conflict rested on the roles and authorities assigned to Geographic Combatant Commands such as U.S. Northern Command (USNORTHCOM), and Functional Combatant Commands such as U.S. Cyber Command (USCYBERCOM). As of January 2016, according to GAO, “DoD had not begun efforts to develop or issue updated guidance on how DoD will support civil authorities during a cyber incident and did not have an estimate on when the guidance will be finalized” .
GAO recommended that the Office of the Under Secretary of Defense (OUSD) for Policy “issue or update guidance that clarifies roles and responsibilities for relevant entities and officials — including the DoD components, supported and supporting commands, and dual-status commander — to support civil authorities as needed in a cyber incident”. DoD went on record concurring with the recommendation.
Subsequent to the issuance of GAO 16-322, additional Congressional directives and DoD policies were issued addressing the Cyber DSCA role of DoD. Some of these directives and policies are examined in this paper.
House Energy and Commerce Committee Report
The Oversight and Investigations Subcommittee of the House Energy and Commerce Committee released their December 7, 2018 Cybersecurity Strategy Report  after spending several years analyzing cybersecurity issues impacting the 16 Critical Infrastructure Sectors defined in Presidential Policy Directive 21 (PPD-21) Critical Infrastructure Security and Resilience . They also reviewed the requirement for Improving cross-sector information sharing by the 16 PPD-21 Section 9 entities required under the subsequent Executive Order (EO) 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure . In their report, the Oversight and Investigations Subcommittee established six priorities, two of which are addressed here, widespread adoption of coordinated disclosure programs and strengthening of the public-private partnership model.
The 2018 DoD Cyber Strategy
Following issuance of EO 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, the DoD Cyber Strategy  also addressed defense of CI. The DoD Strategy focused on “cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities”. However, DSCA via public-private partnership by DoD was also extended:
“The Department must defend its own networks, systems, and information from malicious cyber activity and be prepared to defend, when directed, those networks and systems operated by non-DoD Defense Critical Infrastructure (DCI) and Defense Industrial Base (DIB) entities”.
“The Department seeks to preempt, defeat, or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident regardless of whether that incident would impact DoD’s warfighting readiness or capability. Our primary role in this homeland defense mission is to defend forward by leveraging our focus outward to stop threats before they reach their targets. The Department also provides public and private sector partners with indications and warning (I&W) of malicious cyber activity, in coordination with other Federal departments and agencies” .
The obvious intersection with the House Report is the strengthening of coordinated disclosure and public-private partnerships, as implied by defending non-DoD operated Defense Critical Infrastructure (DCI) and DIB entities, and providing the private sector military I&W, as well as increased operational activity in Cyber DSCA. The strategy goes on to affirm that the DoD is the Critical Infrastructure “Sector Specific Agency (SSA) for the DIB and a business partner with the DIB and DCI”. Additionally, as laid out in PPD-21, an SSA has clear responsibilities, which authorizes DoD increased interaction with, and oversight of, industry, including private utilities, local governments, and vendors providing DCI services.
National Defense Authorization Acts (NDAA)
Recent National Defense Authorization Acts (NDAA) have addressed the DoD role in cybersecurity of DCI as well as National CI and strengthening of corresponding public-private and multi-agency partnerships. [Note: During the intervening fiscal years the nomenclature used within DoD for cybersecurity of Control Systems (CS) had shifted, bifurcating into Facilities Related Control Systems (FRCS), formerly Operations Technology (OT), a key element of CI, and control systems found on military weapons platforms, which had been termed Platform Information Technology, or PIT]. Since the issuance of GAO 16-322, several NDAAs addressed Critical Infrastructure FRCS in detail. For example:
- DoD shall issue a joint training and certification standard for the protection of control systems for use by all cyber operations forces within the DoD [FY17 NDAA SEC. 1644]
- Initiate a pilot program under which the Secretary shall assess the feasibility and advisability of applying new, innovative methodologies or engineering approaches to improve the defense of control systems against cyber-attacks [FY17 NDAA SEC. 1650]
- Report the structural risks inherent in control systems and networks, assess the current vulnerabilities to cyber-attack initiated through Control Systems (CS)at DoD installations worldwide, proposes a common, Department-wide implementation plan to upgrade and improve the security of control systems, assess the extent to which existing DoD military construction regulations require the consideration of cybersecurity vulnerabilities and cyber risk. The effort is to employ the capabilities of the Army Corps of Engineers (USACE), the Naval Facilities Engineering Command (NAVFAC) and the Air Force Civil Engineer Center (AFCEC). F17 NDAA Report 114-255]
- The Secretary of Defense (SECDEF) shall make such changes to the cybersecurity scorecard as are necessary to ensure that the Secretary measures the progress of each element of the DoD in securing the Industrial Control Systems (ICS) of the Department against cyber threats, including such ICS as Supervisory Control and Data Acquisition (SCADA) systems, distributed control systems, programmable logic controllers, and platform information technology [FY18 NDAA SEC. 1639]
- SECDEF shall, in coordination with the Director of National Intelligence (DNI), the Secretary of Energy, and the Secretary of Homeland Security, submit to Congress a report identifying significant security risks to defense critical electric infrastructure posed by malicious cyber-enabled activities [FY18 NDAA SEC. 11604]
With respect to FRCS, the following was authorized in the 2019 NDAA:
- SECDEF shall designate one official to be responsible for matters relating to integrating cybersecurity and industrial control systems within the Department of Defense [FY19 NDAA SEC. 1643]
With respect to Critical Infrastructure Cyber DSCA, NDAA-19 required the following:
- A Tier 1 Exercise in Cyber DSCA by USCYBERCOM and USNORTHCOM [NDAA-19 SEC. 1648]
- A pilot program in Modeling and Simulation for Cyber DSCA [NDAA-19 SEC. 1649]
- A pilot training program for Guard elements [NDAA-19 SEC. 1651]
- A study on use of Reserve elements for cyber civil support [NDAA-19 SEC. 1653]
- Immediate authorization for assignment of active duty military personnel to the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) [NDAA-19 SEC. 1650]
Section 1638, TIER 1 EXERCISE OF SUPPORT TO CIVIL AUTHORITIES FOR A CYBER INCIDENT, modifies the 2019 NDAA to extend the date of a cyber DSCA Tier 1 exercise to May 2020. [NDAA 2020 SEC.1638].
Section 5726, SECURING ENERGY INFRASTRUCTURE requires establishment of a 2-year control systems pilot program with the National Laboratories for implementation of critical infrastructure cybersecurity research of incidents that could reasonably result in catastrophic regional or national effects, for the purposes of—
(1) partnering with covered entities in the energy sector (including critical component manufacturers in the supply chain) that voluntarily participate in the Program to identify new classes of security vulnerabilities of the covered entities; and
(2) evaluating technology and standards, in partnership with covered entities, to isolate and defend industrial control systems of covered entities from security vulnerabilities and exploits in the most critical systems of the covered entities. [NDAA 2020 SEC. 5726]
Previous Modeling and Simulation with DoD for Cyber DSCA: Jack Voltaic
Modeling and simulation actions pertaining to Cyber DSCA and CI had been done with DoD participation previously, notably Jack Voltaic , organized by the Army Cyber Institute (ACI) at West Point. Starting in 2016, Jack Voltaic (JV) employed the general exercise framework developed by DHS for tabletop exercises and has continued the exercise series to this day . Of interest to potential DoD DSCA respondents is the extent of the public-private partnership model used in JV, which prominently features participation of the Critical Infrastructure Sector-based Information Sharing and Analysis Centers, or ISACs . As we saw above, a stronger public-private partnership was a priority of the 2018 House Energy and Commerce Committee Cybersecurity Strategy Report. Takeaways from the JV series of exercises continue to include two items: the need for effective vertical and horizontal communications across all multi-agency responders, and the need for technical understanding of the operations of, and interactions between, multiple Critical Infrastructure sectors. This includes identifying the need for effective simulations down to the Programmable Logic Controllers (PLC) of a CS.
The OUSD (P) NDAA 2019 Section 1649 Table Top Exercise (TTX)
The Office of the Undersecretary of Defense for Policy (OUSD(P)) held a Table Top Exercise (TTX) on 7 August 2019 per direction provided under Section 1649 of the NDAA for Fiscal Year 2019, “Modeling and Simulation of Cyber Attacks on Critical Infrastructure to Improve Defense Support of Civil Authorities.” The purpose of the TTX was to improve DoD’s ability to respond to requests for DSCA in response to cyber incidents. The legacy of Jack Voltaic informed the OUSD (P) response to NDAA Sec 1649. The OUSD (P) TTX  was attended by nearly 50 participants representing the energy industry, state and local governments, the national laboratories (e.g. Sandia National Laboratories (SNL), Idaho National Laboratory (INL), and Pacific Northwest National Laboratory (PNNL)), and DoD laboratories (e.g. Johns Hopkins University Applied Physics Laboratory (JHU APL)), Federal departments and agencies (e.g., DHS, Federal Bureau of Investigation (FBI), Department of Energy (DOE), DoD), and DoD Components (e.g., OSD, the Joint Staff, USNORTHCOM, USINDOPACOM, and the National Guard Bureau ). The exercise was intended to:
- Examine coordination structures during a cyber incident;
- Identify thresholds for when Federal support might be required, and thresholds for when DoD capabilities might be required to augment other Federal Departments and Agencies;
- Identify potential gaps in processes or capabilities that might impede such activities.
- Explore the intersection of information sharing and the intersection of cyber and physical threats as they affect US critical infrastructure.
- Identify shortfalls in Federal, State, and local government and industry authorities to respond to cyber incidents affecting Critical Infrastructure.
- Identify processes, procedures, roles, responsibilities and “red lines for coordination between government and industry in responding to a cascading event that affects multiple critical infrastructure sectors.
- Identify the means by which threat information is shared between critical infrastructure sectors when the effects of a cyber incident could have cascading impacts.
NDAA Sec 1649 TTX Findings
Although the Federal Government itself was familiar with the mechanisms for sharing and integrating Federal interagency information and actions, State and local authorities were less clear on the Federal processes. DoD was also less attuned to the decision processes of non-Federal civilian agencies in order to understand when a member of a CI sector needed assistance. With respect to Cyber DSCA, there was also some concern about effectiveness of DHS and DoD coordination: “DHS’ Cybersecurity and Infrastructure Security Agency (CISA) lacks the structure and the planners that exist in [the Federal Emergency Management Agency] (FEMA), which may hinder DHS’ ability to plan, coordinate, and lead DHS cyber response. Several TTX participants felt that there may be an opportunity to mirror or connect with the existing Defense Coordinating Officers (DCO) who are currently located in the [FEMA] regions that are already established.” 
It was identified that horizontally, i.e. across sectors and agencies, and vertically, i.e. within a sector’s, private operators, local, state, and federal authorities, that there were only weakly defined “decision points” at which DSCA is to be invoked.
The need for decision support tools was also identified. Decision aids to correctly determine when and what DoD capabilities and resources should be mapped to the DSCA task were lacking. In addition, civil authorities needed more information on just what DoD resources are available. Such tools would help to apprise DoD of when use of its authorities are justified or, conversely, exceeded in their response, and thus adequately respond.
According to current Homeland Defense and Security Information Analysis Center (HDIAC) Director Steve Redifer, who attended the TTX for CSIAC, “as is frequently the case when the DoD develops concepts of support for the civil sector, a major hurdle is the establishment and understanding of civil sector capability gaps. The DoD asks the civil sector for its capability needs, and the civil sector responds by asking for a list of what capabilities DoD possesses; this has historically been a hurdle in all Humanitarian and Disaster Response (HADR) actions, and it was again at the TTX. The DoD provides support from its existing structure to respond to civilian capability needs — since there are few DoD organizations solely dedicated to civil support, DoD needs to understand civil requirements/shortfalls in order to repurpose what are essentially units optimized for OCONUS combat. The civil sector is often unaware of DoD capability, and thus does not know what to ask for. At the conclusion of the TTX, the civil sector agreed to survey its constituents for cyber response capability gaps, and the DoD agreed to look at producing summaries of its cyber capability” .
Effective knowledge of the impact to DoD of cyber physical events on national or local CI was also a weak point, due to the generally voluntary nature of the information shared by private industry within a sector or to an ISAC. There are both technical and administrative decision chains and information access constraints that need to be understood and made accessible to DoD components and industry in order to anticipate DSCA requests. This is not just to fulfill DSCA requirements, but to safeguard internal DoD operations as well, as DoD is also dependent on CI, and is implied by the 2018 Cyber Strategy tasking to protect DCI and the DIB.
With respect to DoD Component DSCA training, it was noted that “DoD has limited experience with Operational Technology (OT), and the civil representatives agreed that this would be important in order for DoD cyber operators to be of assistance during a crisis. The National Guard Bureau representative and the civil representatives highlighted past exercises (CYBER SHIELD) in which the industry had worked with Army cyber operators, instructing them on SCADA systems and providing insight into how OT is utilized; all agreed that this would be necessary knowledge for DoD cyber operators should they be asked to respond to attacks on civil infrastructure.”  Given that DCI FRCS cybersecurity is required at DoD installations OCONUS, it is in the DoD’s interest to train INCONUS active-duty personnel as well.
The purpose and result of the TTX was to carry out NDAA Sec 1649 requirements to improve DoD’s ability to respond to requests for defense support of civil authorities (DSCA) in response to cyber incidents. The TTX was designed to address issues critical for DoD’s long-term efforts to improve the means and mechanisms of providing DSCA in response to a cyber incident and will set the stage for future examinations of DSCA in connection with cyber incidents involving U.S. critical infrastructure. Subsequent exercises are in the planning phase, to include additional CI sectors.
Comparison of the findings of an actual CI Sector attack to the exercises
It will be instructive to compare the findings of the Colorado Department of Transportation (CDOT) Cyber Incident After Action Report (AAR)  to the findings of the above exercises. The CDOT ransomware attack of 2018 took down its internal network by use of a SamSam ransomware malware variant. Of concern, there was no “air-gap” between its IT and OT networks, just a firewall, which fortunately held. On Wednesday, 21 Feb, the Governor’s Office of Information Technology (OIT) declared a security incident when the ransomware became active and infected approximately 150 servers and 2000 workstations.
The CDOT Cyber Incident did not culminate in a Cyber DSCA action, but a Colorado Army National Guard (COANG) cyber response team was activated by the governor, and a multi-agency Unified Command Group (UCG) was established within the State Emergency Operations Center. The UCG was later augmented with support from DHS, FBI, and FEMA. Only 80% of original service was restored by 23 March, a month later, due to subsequent reinfection.
Findings of the Colorado Department of Transportation (CDOT) After Action Report (AAR)
The most significant deficiency was the lack of integration of a Cyber Incident Response procedure into the State Emergency Operations Plan. It is now being addressed, but the plan will need to be validated by modeling and simulation, and subsequent exercises with local and Federal agencies. The CDOT Continuity of Operations Plan (COOP) did not include a plan for continuing operations after a cyber incident had compromised state networks and servers. The previous assumption appears to have been that a COOP will simply require you to pick up your personnel and IT equipment and move them to a different location. This was identified for correction across all state departments. It was affirmed in the report that future cyber-attack responses will require external support from vendors, the National Guard and Federal assets. Pre-incident planning and coordination will help ensure the right support is provided and integrated as rapidly as possible to facilitate a cohesive response effort that leverages the capabilities of each asset. The need for exercises and improving coordinated disclosure: “The State must remain vigilant against future attacks by continuing to harden its networks, improving and rehearsing its cyber incident response plans and sharing information about this attack with stakeholders and partner agencies.”
The requirements by Congress in NDAA 19 for improvements in the Cyber Defense of Critical Infrastructure and the role of DoD in that protection via improvements in public-private partnerships, multi-agency communication and DSCA exercises is being carried out. The Office of the Undersecretary of Defense (OUSD) for Plans, in conjunction with multiple Federal, State, local and private entities have carried out exercises to validate existing procedures. The recent table top exercise in August 2019 has shown needs for improvements that will be addressed in future exercises. It remains to be seen whether all the conflicts in authorities identified by GAO have been addressed formally by DoD. The need for collection and dissemination of lessons learned to State, local and private actors also needs to be addressed. With respect to Cyber DSCA, collection and dissemination of technical information and lessons learned for the purpose of informing DoD agencies of DSCA-relevant incidents and operations needs to be specifically ensured by either DHS or DoD . It bears repeating that the lessons learned from the CDOT attack included the observation that “future cyber response will require external support from vendors, the National Guard and federal assets. Pre-incident planning and coordination will help ensure the right support is provided and integrated as rapidly as possible to facilitate a cohesive response effort that leverages the capabilities of each asset”. This means that multi-agency exercises need to continue and expand their scope to include multiple CI sectors. The exercises and subsequent information sharing will be essential to mitigate the effects of multisector, cascading effects on the national scale.
- https://www.gao.gov/products/GAO-16-332; p.1
- See DOD Directive 3025.18, Defense Support of Civil Authorities (DSCA); Joint Publication 3-28, Defense Support of Civil Authorities and the 2015 DOD Cyber Strategy.
- https://www.gao.gov/products/GAO-16-332; p.13
- ibid p.19
- Ibid p. 22
- NDAA Section 1649 After Action Report (AAR) is in publication. Contact CSIAC for publication status.
- Army Cyber Institute, Jack Voltaic organizer attended. Significant to GAO 16-332, two geographic COCOMs attended but USCYBERCOM did not.
- CSIAC Trip Report 7 Aug 2019, p3. Available from CSIAC on request.
- Ibid p2.
- Ibid p3.
- CDOT Cyber Incident After-Action Report July 17, 2018, Colorado Division of Homeland Security and Emergency Management, Releasable to the Public; Report is available from CSIAC on request.
- The use of the DOD Information Analysis Centers to collect sector-specific DSCA relevant STI for archiving by DTIC is recommended.