The utility systems that provide water, electricity and other essential services to military installations worldwide have limited defenses against cyber-attacks, putting many bases at risk for a "serious mission-disabling event," a new Government Accountability Office report says.
A recent GAO investigation identified a disturbing vulnerability in the military's network of "industrial control systems," the computers that monitor or operate physical utility infrastructure.
For example, "most" Navy and Marine Corps industrial control systems (ICS) "have very little in the way of security controls and cybersecurity measures in place," according to government documents identified by the GAO.
That leaves many installations exposed to a "cyber-physical effect" attack that could cause the "physical destruction of utility infrastructure controlled by an ICS," the GAO said.
An example of a successful cyber-physical attack through an ICS was the "Stuxnet" computer virus that was used to attack Iranian centrifuges in 2010. By hacking the Iranian nuclear facility's ICS, the attackers made the centrifuges operate incorrectly, causing extensive damage.
"According to DoD, the same type of ICS can be found in the critical infrastructure on numerous DoD installations," which means "the military services' ICS may be vulnerable to cyber incidents that could degrade operations and negatively impact missions," the GAO report said.
In addition to shutting down the basic water and electrical systems at a military base, the ICS vulnerabilities "could be used as a gateway into the installation's information technology system or possibly DoD's broader information networks," the report said.
Last year, a Pentagon order required the military services to identify and secure these computers, but military installation officials said meeting the 2014 deadline was impossible and asked to extend the deadline to 2018, according to the GAO.
Plans for upgrading the military ICS remain in the early stages; none of the services has a full and accurate inventory of the ICS on its installations, according to the GAO.
Taken together, the shortfalls in this area will make meeting even the 2018 deadline a challenge, defense officials told the GAO.
To help track DoD's "utility resilience efforts," military installations are required to report data about utility outages and problems. But installations are not reporting that information accurately and the existing data is unreliable, according to the GAO.
U.S. Cyber Command, created just five years ago, is working toward an operational fleet of 133 teams of active-duty cyber experts by the end of next year. One of that fleet's three primary missions will be "cyber protection" and defending DoD's networks.
This year, Cyber Command officials planned to include, in their annual cyber training exercise, testing procedures "to detect, mitigate, and respond to cyber incidents on DoD ICS perpetrated by advanced persistent-threat actors, such as nation states," the GAO said.
Defense officials are all too aware of the vulnerabilities. In a March 2014 memo, DoD noted that "cyber infiltration through ICS used to control and monitor utilities could result in a serious mission-disabling event," according to the GAO report.