National Cyber Strategy’s call to modernize OT is about controlling the future of conflict
Colby Proffitt, a cybersecurity strategist at Shift5, explains why observability is so important to improving the security and modernizing operational technolog...
Strategic objective 1.5 of the 2023 National Cybersecurity Strategy (NCS) calls for the federal government to modernize its defenses – specifically, to “modernize IT and operational technology (OT) infrastructure” and “replace or update IT and OT systems that are not defensible against sophisticated cyber threats.” With continual and innovative attacks by global adversaries, and rapid advances in the deployment of artificial intelligence and advanced technologies by near-peer adversaries, it’s never been more critical to take action laid out in the NCS guidance and modernize the Defense Department’s cybersecurity infrastructure.
Differences between IT vs. OT modernization
IT modernization efforts within DoD have been ongoing for more than a decade, and some of the hard lessons learned from each wave of IT improvements may be beneficial to those responsible for OT modernization. However, given the distinctions between IT and OT – both in terms of design and purpose – there are some unique OT modernization challenges that the DoD must consider.
Different systems: IT modernization focuses on replacing software and systems for things like operations management, records management, information management and cybersecurity, among many others. OT modernization, conversely, focuses on upleveling equipment and systems spanning domains like power control, satellite communications, maintenance and repair systems for military equipment, aircraft avionics and flight control systems and control systems for national defense (e.g., weapon systems).
Viable replacements: Legacy systems often introduce cyber risks for federal IT systems, but replacing legacy IT is a challenge unto itself. For example, a few of its costly, time-intensive hurdles include identifying a replacement technology, working through the procurement process and staffing the expertise required for modernization and integration. Like IT systems, many OT systems are outdated, but they are also deeply complex and specialized. Because of the nature of what these systems do, they often require full availability and cannot be taken offline. That often makes a total replacement unfeasible.
Unique stakeholders: DoD IT modernization is driven by chief information officers and IT departments. However, much of the OT on which the government and the nation depends is owned by the private sector. The Federal Emergency Management Agency estimates that as much as 85% of the nation’s critical infrastructure is privately owned and operated. Therefore, its modernization is not fully under government control.
Implementation timelines: IT modernization projects are often shorter and more agile in nature, with a focus on rapid prototyping and continuous delivery. In contrast, OT modernization projects can be complex and require significant planning, often spanning several years or even decades, depending on the system.
Both IT and OT modernization will yield many DoD benefits. For instance, updating IT will generate cost savings, boost efficiency and enhance security. Addressing OT will increase safety, enhance operational capabilities and improve mission outcomes and cyber resilience. While there is still a long way to go, we have started to see these IT outcomes thanks to significant efforts in DoD IT modernization made in recent years. However, OT modernization is substantially behind, and the NCS highlights the need to accelerate efforts.
Observability is critical to overcoming OT security challenges
Modernizing OT security is arguably the most important task, as many legacy OT systems were not originally designed with security considerations in mind. The security limitations of entrenched OT can only be effectively overcome with innovative solutions that provide both data access and observability — raw data by itself isn’t very useful, but when coupled with context and real-time analytics at the edge, it becomes a critical, foundational component for both improved cyber defense and military action. Such observability can enable faster, smarter decisions — to move, shoot, react, reload and refuel — with greater speed, precision and efficiency than adversaries.
Unfortunately, we are not currently capturing, collecting, monitoring, translating, enriching, storing and processing the vast amounts of data that our heavily digitized and highly interconnected weapon systems are generating—from the control systems on aircraft to other onboard components across military fleets. Their highly digitized “nerve systems” carry tremendous volumes of extremely valuable data, that, if extracted, can advance the DoD’s ability to achieve the top four priorities outlined in the 2022 National Defense Strategy:
Defending the homeland, paced to the growing multi-domain threat posed by the People’s Republic of China (PRC);
Deterring strategic attacks against the United States, allies and partners;
Deterring aggression, while being prepared to prevail in conflict when necessary — prioritizing the PRC challenge in the Indo-Pacific region, then the Russia challenge in Europe; and
Building a resilient Joint Force and defense ecosystem.
Industry has now built foundational tools to enable OT observability for military fleets and weapon systems. There are tools that can provide readily-available certified hardware and software capable of real-time edge computing and full-take data capture from every bus that is found on onboard OT systems, and the capabilities to normalize, translate and enrich the data into a human-readable format. In addition to freeing and democratizing this onboard data, DoD fleet operators and maintainers can gain the system observability required for smarter, faster decisions, ensuring the military’s ability to outperform the decision-making cycles of its near-peer competitors.
Addressing security cannot wait
Modernizing and securing DoD IT and OT is a massive and complex undertaking. The NCS escalates the imperative to fix this aging and ailing infrastructure on which our military depends. Modernization is also essential to achieving the DoD’s Joint All-Domain Command and Control (JADC2) strategy. That massive collaborative initiative, spanning the Army, Navy, Air Force, Space Force and Marine Corps, aims to unite and combine the DoD’s arms, capabilities and data across land, air, sea, space and cyber for military advantage and decision dominance. Sharing intelligence, surveillance and reconnaissance data is critical to JADC2’s success. While arms and ammunition were deciding factors of military victory in years past, data is today’s most critical military asset — and whomever controls the data will control the future of conflict.
Colby Proffitt is a cybersecurity strategist at Shift5.Having directly supported the DoD and multiple civilian agencies, both as a contractor and a vendor, Proffitt deeply understands the challenges of public sector IT and OT modernization, as well as the critical importance of ensuring modernization success.
National Cyber Strategy’s call to modernize OT is about controlling the future of conflict
Colby Proffitt, a cybersecurity strategist at Shift5, explains why observability is so important to improving the security and modernizing operational technolog...
Strategic objective 1.5 of the 2023 National Cybersecurity Strategy (NCS) calls for the federal government to modernize its defenses – specifically, to “modernize IT and operational technology (OT) infrastructure” and “replace or update IT and OT systems that are not defensible against sophisticated cyber threats.” With continual and innovative attacks by global adversaries, and rapid advances in the deployment of artificial intelligence and advanced technologies by near-peer adversaries, it’s never been more critical to take action laid out in the NCS guidance and modernize the Defense Department’s cybersecurity infrastructure.
Differences between IT vs. OT modernization
IT modernization efforts within DoD have been ongoing for more than a decade, and some of the hard lessons learned from each wave of IT improvements may be beneficial to those responsible for OT modernization. However, given the distinctions between IT and OT – both in terms of design and purpose – there are some unique OT modernization challenges that the DoD must consider.
Different systems: IT modernization focuses on replacing software and systems for things like operations management, records management, information management and cybersecurity, among many others. OT modernization, conversely, focuses on upleveling equipment and systems spanning domains like power control, satellite communications, maintenance and repair systems for military equipment, aircraft avionics and flight control systems and control systems for national defense (e.g., weapon systems).
Viable replacements: Legacy systems often introduce cyber risks for federal IT systems, but replacing legacy IT is a challenge unto itself. For example, a few of its costly, time-intensive hurdles include identifying a replacement technology, working through the procurement process and staffing the expertise required for modernization and integration. Like IT systems, many OT systems are outdated, but they are also deeply complex and specialized. Because of the nature of what these systems do, they often require full availability and cannot be taken offline. That often makes a total replacement unfeasible.
Learn how federal agencies are preparing to help agencies gear up for AI in our latest Executive Briefing, sponsored by ThunderCat Technology.
Unique stakeholders: DoD IT modernization is driven by chief information officers and IT departments. However, much of the OT on which the government and the nation depends is owned by the private sector. The Federal Emergency Management Agency estimates that as much as 85% of the nation’s critical infrastructure is privately owned and operated. Therefore, its modernization is not fully under government control.
Implementation timelines: IT modernization projects are often shorter and more agile in nature, with a focus on rapid prototyping and continuous delivery. In contrast, OT modernization projects can be complex and require significant planning, often spanning several years or even decades, depending on the system.
Both IT and OT modernization will yield many DoD benefits. For instance, updating IT will generate cost savings, boost efficiency and enhance security. Addressing OT will increase safety, enhance operational capabilities and improve mission outcomes and cyber resilience. While there is still a long way to go, we have started to see these IT outcomes thanks to significant efforts in DoD IT modernization made in recent years. However, OT modernization is substantially behind, and the NCS highlights the need to accelerate efforts.
Observability is critical to overcoming OT security challenges
Modernizing OT security is arguably the most important task, as many legacy OT systems were not originally designed with security considerations in mind. The security limitations of entrenched OT can only be effectively overcome with innovative solutions that provide both data access and observability — raw data by itself isn’t very useful, but when coupled with context and real-time analytics at the edge, it becomes a critical, foundational component for both improved cyber defense and military action. Such observability can enable faster, smarter decisions — to move, shoot, react, reload and refuel — with greater speed, precision and efficiency than adversaries.
Unfortunately, we are not currently capturing, collecting, monitoring, translating, enriching, storing and processing the vast amounts of data that our heavily digitized and highly interconnected weapon systems are generating—from the control systems on aircraft to other onboard components across military fleets. Their highly digitized “nerve systems” carry tremendous volumes of extremely valuable data, that, if extracted, can advance the DoD’s ability to achieve the top four priorities outlined in the 2022 National Defense Strategy:
Industry has now built foundational tools to enable OT observability for military fleets and weapon systems. There are tools that can provide readily-available certified hardware and software capable of real-time edge computing and full-take data capture from every bus that is found on onboard OT systems, and the capabilities to normalize, translate and enrich the data into a human-readable format. In addition to freeing and democratizing this onboard data, DoD fleet operators and maintainers can gain the system observability required for smarter, faster decisions, ensuring the military’s ability to outperform the decision-making cycles of its near-peer competitors.
Addressing security cannot wait
Modernizing and securing DoD IT and OT is a massive and complex undertaking. The NCS escalates the imperative to fix this aging and ailing infrastructure on which our military depends. Modernization is also essential to achieving the DoD’s Joint All-Domain Command and Control (JADC2) strategy. That massive collaborative initiative, spanning the Army, Navy, Air Force, Space Force and Marine Corps, aims to unite and combine the DoD’s arms, capabilities and data across land, air, sea, space and cyber for military advantage and decision dominance. Sharing intelligence, surveillance and reconnaissance data is critical to JADC2’s success. While arms and ammunition were deciding factors of military victory in years past, data is today’s most critical military asset — and whomever controls the data will control the future of conflict.
Colby Proffitt is a cybersecurity strategist at Shift5. Having directly supported the DoD and multiple civilian agencies, both as a contractor and a vendor, Proffitt deeply understands the challenges of public sector IT and OT modernization, as well as the critical importance of ensuring modernization success.
Read more: Commentary
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Related Stories
A snapshot of the National Cybersecurity Strategy’s implementation
Defense, intel agencies look to “raise the bar” on cybersecurity
Cybersecurity in the cloud coming into focus with CISA configurations, CSRB review