Recently, the NATO Cooperative Cyber Defence Center of Excellence (CCDCOE) executed their annual Locked Shields exercise in which participating blue team countries defended networks from attacks by a NATO-supported red team. In 2016, participating countries saw industrial control systems added to the list of cyber assets they were required to defend. So, how did the U.S. do in this exercise? Unfortunately, in its inaugural year of 2016, the U.S. came in dead last amongst 19 other countries. In 2017, the U.S. finished 12th out of 25 countries. OK, not bad. We jumped from 19th to 12th in just one year. We are clearly getting better. But wait…hang on a second…maybe not.
Assuming the six newly added countries finished towards the bottom, then the U.S. team may have only jumped one spot higher in the rankings against its previous year’s peers. Not good! At best, we are making modest gains from lessons learned. A more cynical view is that there are 11 other countries who are better prepared than the U.S. to protect their nations’ critical infrastructures.
PLCs and other industrial control systems are at the heart of ensuring reliability and safety in industrial process facilities and power plants. Were these systems compromised by an adversary in the real world – whether internal or external – we risk losing power to our homes, drinking contaminated water from our faucets, running out of gasoline for our cars, or experiencing other events that would fundamentally alter our daily lives. What was particularly concerning about the 2016 exercise is that the U.S. adopted the tactic of turning off the industrial control systems to protect them from compromise. Turning off a PLC or DCS is a completely unusable strategy in a refinery or chemical plant. Thankfully, in 2017, they left the ICS running. Progress, I suppose.
It is good we participate in these kinds of exercises as sunlight is the best sanitizer, but if the U.S. is finishing in the middle of the pack and the Czech Republic and Estonia are taking first and second place respectively, then the U.S. needs to take a long look in the mirror. To quote the great bard, Ricky Bobby, “if you’re not first, you’re last.” This is particularly true for the systems that run U.S. critical infrastructure.