US Military Cyber Vulnerabilities: Operational Technology and Critical Infrastructure Risks

Lawfare · January 28, 2026 · 48 min · 263 views

The Growing OT Cybersecurity Challenge

  • 💡 Operational Technology (OT) systems, which control physical processes, present unique cybersecurity challenges distinct from traditional Information Technology (IT).
  • ⚠️ Adversaries are increasingly targeting OT systems in critical infrastructure, not just for espionage but for potential disruption and sabotage.
  • 🎯 The US military is deeply reliant on civilian critical infrastructure for essential services like electricity, water, and natural gas, creating significant vulnerabilities.

Mapping Military Dependencies

  • πŸ” Researchers mapped Army installations' dependencies on electricity, natural gas, water, and freight rail using open-source intelligence.
  • πŸ“Š This research revealed that even with limited resources, detailed information about critical infrastructure, including specific equipment and supply chain dependencies, is readily available to adversaries.
  • 🌐 US military installations are almost universally dependent on civilian critical infrastructure, which is often owned and operated by private contractors.

Vulnerabilities in Operational Technology

  • 🔌 OT systems are often connected to the internet, debunking the myth of the "air gap" and exposing them to cyber threats.
  • ⚠️ Common vulnerabilities include default or missing passwords, lack of message encryption, and software flaws like buffer overflows, mirroring those found in IT systems.
  • 📈 Reports indicate a high percentage of industrial network devices have known vulnerabilities, exacerbated by human error in bypassing security features.

Adversary Activity and Risks

  • 🚨 Multiple government alerts highlight persistent intrusions by state-sponsored actors (Russia, China, Iran) into critical infrastructure sectors.
  • 💥 Unlike espionage, attacks on OT are escalatory because the intent is to hold physical assets at risk for disruptive purposes.
  • 🏭 IT system breaches can spill over into OT, causing disruptions in physical operations, as seen in manufacturing outages.

Addressing the Vulnerabilities

  • πŸ›οΈ The Department of Defense is investing in an "Energy Resilience Program" to build on-base capacity, but this can inadvertently import vulnerabilities.
  • πŸ“œ A "patchwork quilt" of regulations exists for critical infrastructure cybersecurity, with significant gaps, especially for OT systems on military bases.
  • πŸ’° Procurement power is identified as a key government lever, but current standards for OT are less developed than for IT, and the government must be prepared to pay for increased resilience.
  • πŸ“ Recommendations include creating an inventory of OT assets, assessing connections, developing contract standards, and incentivizing security investments, particularly for sectors operating on thin margins.

Topics Discussed

Operational Technology (OT), Cybersecurity, Critical Infrastructure, US Military, Vulnerabilities, Adversary Exploitation, Air Gap Myth, Procurement Standards, Energy Resilience Program, Industrial Control Systems, Information Technology (IT), Supply Chain Dependencies, Open-Source Intelligence