Full Report
The Defense Department faces a startling capability gap. Source article: "US must prioritize cybersecurity training for the military's engineers", first published on CyberScoop.
Analysis Summary
# Best Practices: Integrating Cybersecurity Training into Critical Infrastructure Engineering and Operations
## Overview
These practices address the immediate national security risk arising from a capability gap in recognizing, defending against, and recovering from state-sponsored cyberattacks targeting U.S. critical infrastructure, particularly within Department of Defense (DOD) operational technology (OT) and Industrial Control Systems (ICS). The core focus is bridging the operational technology (OT) engineering response with cyber defense capabilities through mandatory, dedicated training.
## Key Recommendations
### Immediate Actions
1. **Establish Mandatory Basic Cybersecurity Training:** Immediately mandate basic cybersecurity curriculum components—focused on recognizing malicious cyber activity—for all professionals maintaining critical infrastructure, specifically targeting Army Combat Engineers, Navy Seabees, Air Force Red Horse Units, and public works personnel.
2. **Implement Forensic Preservation Protocols:** Develop and enforce strict incident response procedures dictating that engineers encountering operational disruptions **must not** immediately revert systems to a previous state without coordinating with cyber defense/forensics teams to preserve evidence of an intrusion.
3. **Establish Collaboration Mandate:** Direct DOD cyber incident response teams and OT system maintenance engineers to establish formal, documented collaboration pathways for securing and responding to threats against Industrial Control Systems (ICS).
### Short-term Improvements (1-3 months)
1. **Develop Integrated Curriculum:** Create a multi-service cybersecurity training curriculum focused on detecting, responding to, attributing, analyzing, remediating, and sharing information about malicious cyber behavior as it pertains to physical control systems (e.g., power grids, HVAC, water utilities).
2. **Leverage Existing Training Centers:** Designate and empower Fort Leonard Wood (FTLW), specifically the Prime Power School and the Maneuver Support Center of Excellence, as a core hub for delivering this joint-service, cybersecurity-driven engineering training.
3. **Incorporate Cyber-Informed Engineering Principles:** Integrate foundational cybersecurity risk principles into standard engineering maintenance and operational planning processes, moving away from designs prioritizing only reliability toward "cyber resilient engineering."
### Long-term Strategy (3+ months)
1. **Establish Joint-Service Security Schoolhouse:** Formalize the creation of a joint-service training facility co-located with the USACE’s Prime Power School at FTLW to ensure a continuous, organic pipeline of cyber-aware engineers across the DOD.
2. **Mandate Cyber Resilience in Engineering Lifecycle:** Institutionalize the concept of building security into systems from the outset ("Secure by Design") for all new and significantly upgraded operational technology systems, mirroring efforts by CISA and the Department of Energy.
3. **Conduct Adversary Simulation Exercises:** Develop and regularly run multi-service exercises focused on nation-state actor TTPs (Tactics, Techniques, and Procedures) targeting physical control systems to test the newly trained engineers' response capabilities.
## Implementation Guidance
### For Small Organizations
* **Focus on External Partnerships:** Since developing internal, dedicated training centers is resource-intensive, prioritize cross-agency agreements (e.g., with local utilities or CISA guidance) to access existing introductory OT security training modules.
* **Implement Strict "Do Not Touch" Policy:** Establish a clear rule for all system failures: Isolate the component first, and only perform restoration actions after security personnel have verified the cause is not malicious, prioritizing digital evidence preservation over immediate restoration speed.
### For Medium Organizations
* **Adopt Published Standards:** Formally adopt and begin mapping internal operational procedures against established hardening standards like NIST SP 800-160 guidelines for ICS.
* **Cross-Train Key Personnel:** Identify 1-2 senior operational engineers and sponsor them for specialized, external cyber training focused on ICS/SCADA security so they can act as internal champions and trainers.
### For Large Enterprises (Applicable to DOD Components)
* **Establish a Dedicated OT Security Function:** Create or formally dedicate a team responsible for bridging the IT security function and the OT engineering staff, acting as the liaison for Incident Response (IR) and forensics activities.
* **Develop Attribution/Intelligence Sharing:** Create routine reporting mechanisms to share threat intelligence regarding nation-state activity impacting control systems between operational maintenance staff and dedicated cyber intelligence cells.
* **Inventory and Baseline:** Complete a comprehensive inventory of all critical assets (power, water, HVAC) and establish verified secure baselines against which operational deviations can be quickly identified as potential cyber events rather than simple malfunctions.
## Configuration Examples
Since the source material focuses on policy and training gaps rather than specific technical configurations, the following examples are derived from the standards mentioned as necessary steps for the *engineers* to implement:
| Control System Element | Implementation Best Practice (Cyber-Informed Engineering) |
| :--- | :--- |
| **Network Segmentation** | Implement physical or logical separation (VLANs/DMZs) between enterprise IT networks and critical ICS/SCADA networks. *Do not allow direct access from IT endpoints to control systems.* |
| **System Hardening** | Ensure all control system hardware and software, where feasible, are configured according to NIST SP 800-160 guidance for industrial cyber resilience, minimizing unnecessary open ports and services. |
| **Access Control** | Deploy multi-factor authentication (MFA) immediately for all remote access and privileged local access to HMI (Human-Machine Interface) workstations controlling critical assets. |
| **Data Restoration** | Implement immutable, offline backups for ICS configurations and software images, ensuring that forensic readiness is maintained before any system rollback is executed. |
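The following Python rollback gate is an added example written for this summary (not code from the CyberScoop article or any DOD program). It ties together the forensic-preservation protocol (Immediate Action 2 and the "Do Not Touch" policy), the Inventory and Baseline guidance, and the Data Restoration row above: an engineer's restore request is refused until the current state has been captured in an evidence log, and any deviation from the verified baseline is flagged as a potential cyber event until security personnel clear it. The asset id, baseline values and log structure are constructed assumptions.

```python
"""Rollback gate: preserve evidence and check baseline drift before restoring an OT asset."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample: verified secure baseline for a hypothetical HVAC controller.
BASELINE = {
    "asset": "hvac-ctrl-07",
    "firmware": "2.4.1",
    "open_ports": [502],              # Modbus/TCP only
    "remote_access": "mfa-required",  # MFA for remote/privileged HMI access
    "setpoints": {"supply_air_c": 13.0},
}


def fingerprint(config: dict) -> str:
    """SHA-256 over a canonical JSON encoding so identical states always hash alike."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def drift(baseline: dict, observed: dict) -> dict:
    """Map each key whose observed value deviates from the baseline to (expected, observed)."""
    keys = set(baseline) | set(observed)
    return {k: (baseline.get(k), observed.get(k)) for k in keys if baseline.get(k) != observed.get(k)}


def preserve_evidence(observed: dict, evidence_log: list) -> str:
    """Append a timestamped, hashed record of the full state BEFORE any rollback is attempted.

    In production the log would be written to immutable, offline storage; here it is a list.
    """
    digest = fingerprint(observed)
    record = {"ts": datetime.now(timezone.utc).isoformat(), "sha256": digest, "state": observed}
    evidence_log.append(record)
    return digest


def rollback_allowed(observed: dict, evidence_log: list, security_cleared: bool) -> tuple:
    """Return (allowed, reason). Rollback requires preserved evidence, and any baseline
    deviation must be treated as a potential cyber event until security has cleared it."""
    digest = fingerprint(observed)
    if not any(rec["sha256"] == digest for rec in evidence_log):
        return False, "evidence not preserved for current state; capture it before restoring"
    deviations = drift(BASELINE, observed)
    if deviations and not security_cleared:
        return False, f"baseline drift in {sorted(deviations)}: potential cyber event, await security clearance"
    return True, "rollback permitted"
```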
## Compliance Alignment
* **NIST SP 800-160, Vol. 2, Rev. 1:** Cyber Resilient Engineering for Industrial Control Systems (Directly cited reference guiding secure system design).
* **Department of Energy (DOE) Cyber-Informed Engineering Strategy:** Adoption of principles mandating cybersecurity as foundational to energy system engineering.
* **CISA Secure by Design Principles:** Evangelizing the need to incorporate security into systems from the initial design phase.
## Common Pitfalls to Avoid
* **Assuming Malfunction:** Responding to an operational disruption (e.g., unexplained power loss, valve failure) purely as a technical malfunction without considering initial cybersecurity investigation, thereby destroying forensic evidence.
* **Siloed Training:** Training engineers solely on operational reliability without integrating threat recognition and incident response concepts, leaving significant situational-awareness gaps against sophisticated adversaries.
* **Ignoring Legacy Systems:** Failing to account for older, non-patchable OT assets by dismissing them as isolated, low-priority risks; such assets must instead be explicitly segmented and rigorously monitored.
* **Delayed Attribution:** Waiting too long to capture forensic data risks losing crucial intelligence about the adversary's methods, intent, and provenance, hindering future defense efforts.
## Resources
* **Department of Energy (DOE) Cyber-Informed Engineering Strategy:** `https://www.energy.gov/ceser/cyber-informed-engineering`
* **CISA Secure by Design Initiative:** `https://www.cisa.gov/securebydesign`
* **NIST Special Publication 800-160, Volume 2, Revision 1:** Guidelines for Cyber Resilient Engineering for Industrial Control Systems. `https://csrc.nist.gov/pubs/sp/800/160/v2/r1/final`