Expert Q&A: Jason J. Cook Discusses the Importance of Industrial Control System Cybersecurity
Jason Cook is a senior project manager with Tetra Tech and is a Professional Engineer and Uptime Institute Accredited Tier Designer for critical infrastructure supporting data centers and critical missions. He has nearly 25 combined years of experience as an active duty Air Force Civil Engineer Officer, Air Force Civil Servant, and project manager for Tetra Tech. His expertise is in highly available critical infrastructure systems after eight years serving as the engineer responsible for the survivability, endurability, and availability of the infrastructure in Cheyenne Mountain Air Force Station’s (CMAFS) underground complex.
Jason is the lead design engineer for the “Plug-and-Play Defensible Network Backbone” concept currently under construction for CMAFS. This first-of-its-kind system for the Air Force incorporates a standardized network switch assembly, resilient network topology, and machine learning/artificial intelligence (AI)-based security overwatch. The system allows for near real-time threat detection and alerts for Industrial Control Systems (ICS)/Facility-Related Control Systems (FRCS)/Operational Technology (OT) networks.
He has a bachelor’s degree in Engineering Mechanics from the United States Air Force Academy and a master’s degree in Engineering Management from the Air Force Institute of Technology.
What experiences led you to your work in industrial control system (ICS) networks and cybersecurity?
I served as the Operations Flight Chief and Deputy Base Civil Engineer at CMAFS for nearly eight years—think NORAD and Wargames, or maybe Stargate SG-1, if CMAFS doesn’t ring a bell. The complex had Chairman of the Joint Chiefs of Staff Instruction (CJCSI) mandated infrastructure availability as it related to the numerous classified missions housed there. So over time, I became an expert in designing, operating, and maintaining highly available critical infrastructure. My duties included serving as the responsible engineer for the unique survivability systems and critical infrastructure availability of the 5.5-acre underground complex at CMAFS.
The ICS network was unique because it was used to operate the survivability systems and critical infrastructure in the complex. Manpower reductions made the automation and functions of the ICS network critical to meeting the complex’s mission requirements. I took an interest in the security of our network as it related to my responsibilities, and it became a personal interest because I saw the potential as well as the risks of automation.
When I left government service and joined Tetra Tech, I wanted to expand my expertise in highly available infrastructure. I tested for the Uptime Institute Accredited Tier Designer certification to expand my knowledge and capabilities. As part of the certification, you further explore the relationship of ICS to critical infrastructure and the data center—or critical mission in Department of Defense (DoD) parlance. I realized I needed to expand my ICS design and cybersecurity knowledge and capabilities to be effective for my clients. Since then, I have made some strategic partnerships with IT installation and ICS cybersecurity experts to help increase my personal capabilities and bring a full-service, turn-key solution to the Air Force (now United States Space Force).
Why do defense clients care about ICS cybersecurity?
The risks associated with traditional IT are easy to understand: loss of classified or sensitive information or giving away our plans to our enemies. Those associated with your building’s lighting control system are not. When I talk about ICS, I am talking about all automation systems. You will hear the terms operational technology (OT), FRCS, and ICS, often interchangeably. Generally, I’m referring to OT as non-IT computing and communication systems.
Like all systems, you have to understand the true impact and consequences of a compromise. Rarely do we have a single purpose with our OT network, and a vulnerability in your lighting controls may be exploited to gain access to other systems like heating and cooling. Maybe the attacker can raise the temperature in your computer room without an alarm sounding and shut down critical missions all from failure to employ minimal security for your lighting controls. Unfortunately, most of the OT infrastructure in place at the DoD was put in long before the focus on its cybersecurity. Now we are playing catchup with the IT world trying to achieve the same level of capability in defending our networks. Defense clients care about ICS cybersecurity because it affects their ability to protect and execute their missions.
What makes cybersecurity for OT different from standard IT network security?
In some cases, OT cybersecurity does benefit from standard IT security, where the risks and threats overlap. An OT network still runs on a Windows-based computer, so the IT cybersecurity we employ on our defense communication networks can and should be applied to our OT workstations. To minimize vulnerabilities in these areas, we can employ Common Access Card (CAC) authentication and ensure patches to the operating system and software are applied.
However, our traditional IT approach to detecting threats is generally signature-based. In simplified terms, we find a new virus, identify its signature, update our databases with the information, and then push these updates out to every workstation through antivirus software. For defense IT networks all operating on the same OS with the same approved software, keeping pace with threats to this environment is possible, and the signature-based approach works. Where the OT networks are not standardized, do not have the same workstation setup, and contain thousands of options for devices and software employed, we need a different approach.
We can employ machine learning/AI to bridge the gap. As of 2019, the average time to detect a network intrusion for OT was over 180 days. That is 6 months for an adversary to gain full access to the setup and impacts of changes to your OT network. Using AI, we can monitor the data on that network and identify behavioral changes—whether in a device or human using the network—to detect intrusions within seconds of when they occur and identify where the attack is coming from shortly thereafter. Using AI as a security overwatch for the network, defense clients can arm their cyber defense teams with the tools and information needed to detect attacks, minimize the impact of the attack, and then counterattack as needed.
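The contrast drawn in the answer above, between matching known signatures and learning what a device normally does and flagging departures from it, is easy to see in a small defender-side script. The following is an added example, not code from the interview, from Tetra Tech or from the CMAFS project: the record format, the host and controller names, the function names and the three-times-baseline write-rate threshold are all assumptions chosen for illustration, and the traffic is constructed rather than captured. A signature list only fires on an indicator it already knows; the baseline detector fires on a host that has never spoken to the HVAC controller and on a write burst that the controller has never seen, without any prior knowledge of that particular intrusion.

```python
"""Signature-based versus behaviour-based detection on constructed OT traffic.

Added example; not the interview's or the CMAFS project's code. Record fields,
names and thresholds are assumptions, and all traffic below is constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One OT network event: who talked to which controller, doing what."""
    t: int      # seconds since the start of the window
    src: str    # workstation or host that issued the request
    dst: str    # controller (PLC) that received it
    func: str   # protocol operation, e.g. "read_regs", "write_regs", "firmware_update"


# Signature approach: a fixed list of known-bad indicators (here a function/source
# pairing catalogued from an earlier incident). Anything not on the list passes.
SIGNATURES = {("firmware_update", "unknown_host")}


def signature_alerts(records):
    """Return every record that matches a known signature."""
    return [r for r in records if (r.func, r.src) in SIGNATURES]


class BaselineDetector:
    """Learn, per controller, which (source, operation) pairs are normal and how many
    writes per minute are normal; then flag anything outside that profile."""

    def __init__(self, write_rate_factor=3.0):
        self.allowed = defaultdict(set)   # dst -> {(src, func)} seen during baseline
        self.write_rate = {}              # dst -> writes per minute during baseline
        self.factor = write_rate_factor   # assumed tolerance above the baseline rate

    def learn(self, baseline):
        writes = Counter()
        span = max(r.t for r in baseline) - min(r.t for r in baseline) + 1
        for r in baseline:
            self.allowed[r.dst].add((r.src, r.func))
            if r.func.startswith("write"):
                writes[r.dst] += 1
        for dst in self.allowed:
            self.write_rate[dst] = writes[dst] * 60.0 / span

    def detect(self, records):
        alerts, seen, writes = [], set(), Counter()
        span = max(r.t for r in records) - min(r.t for r in records) + 1
        for r in records:
            key = (r.dst, r.src, r.func)
            # Novel behaviour: a pairing this controller never saw in the baseline.
            # Reported once per pairing so a burst does not flood the operator.
            if (r.src, r.func) not in self.allowed[r.dst] and key not in seen:
                seen.add(key)
                alerts.append(("novel", r.t, r.dst, f"{r.src} issued {r.func}"))
            if r.func.startswith("write"):
                writes[r.dst] += 1
        for dst, n in writes.items():
            rate = n * 60.0 / span
            # Floor of 1 write/min keeps a near-zero baseline from tripping on noise.
            limit = self.factor * max(self.write_rate.get(dst, 0.0), 1.0)
            if rate > limit:
                alerts.append(("rate", None, dst, f"{rate:.1f} writes/min, limit {limit:.1f}"))
        return alerts


def baseline_traffic():
    """Constructed 600 s of normal operation: one HMI polls two controllers every
    10 s and adjusts a setpoint on the HVAC controller once a minute."""
    recs = []
    for t in range(0, 600, 10):
        recs.append(Record(t, "hmi01", "plc_hvac", "read_regs"))
        recs.append(Record(t, "hmi01", "plc_lighting", "read_regs"))
    for t in range(30, 600, 60):
        recs.append(Record(t, "hmi01", "plc_hvac", "write_regs"))
    return recs


def observed_traffic():
    """The baseline pattern plus a constructed anomaly: a host that has never talked
    to the HVAC controller reads it once, then writes to it 40 times in 40 s."""
    recs = baseline_traffic()
    recs.append(Record(100, "eng_laptop", "plc_hvac", "read_regs"))
    for t in range(200, 240):
        recs.append(Record(t, "eng_laptop", "plc_hvac", "write_regs"))
    return sorted(recs, key=lambda r: r.t)


def run_comparison():
    """Train on the baseline window, then run both detectors on the observed window."""
    detector = BaselineDetector()
    detector.learn(baseline_traffic())
    observed = observed_traffic()
    return {
        "signature": len(signature_alerts(observed)),
        "behavioural": detector.detect(observed),
    }


if __name__ == "__main__":
    result = run_comparison()
    print("signature alerts:", result["signature"])
    for kind, t, dst, detail in result["behavioural"]:
        print(f"behavioural alert [{kind}] {dst}: {detail}" + (f" at t={t}s" if t is not None else ""))
```

The signature list produces nothing for this window, because the intruding host and the write burst match no catalogued indicator. The baseline detector raises two novelty alerts (the unfamiliar host reading, then writing, to the HVAC controller) and one rate alert for the controller whose write rate has jumped to roughly five times its baseline. In a real deployment the baseline would be learned over weeks rather than ten minutes and re-learned after authorised changes, which is the operational cost of the behavioural approach that a signature list does not carry.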
What tools and approaches should defense agencies consider as they address OT cybersecurity?
Defense clients need to avail themselves of all the options available for OT cybersecurity, commensurate with the risks and consequences of attacks. Employing a risk management approach, perhaps lower risk systems need only adopt a compliance-based approach to policy, such as ensuring passwords are changed frequently and patches applied. However, higher risk systems should have the tools and capabilities embedded to handle that increased risk. That is what made me so excited to participate as the lead engineer for the “Plug-and-Play Defensible Network Backbone” project at CMAFS. The location came up with the concept, and it employs an AI-based security overwatch system that will allow for near real-time detection of attacks, including insider threats. I know from my past experience the criticality of the ICS network to the missions working in the underground complex. Like all defense agencies, the DoD needs enhanced cybersecurity, especially for its Defense Critical Infrastructure Program (DCIP) critical assets. I think this new design approach fills a critical gap in capability for OT cybersecurity needs.