By Greg Gerten & Geoffrey Hella, Centauri Corp.
Greg Gerten, Centauri Corp.
With the rise in public unrest from COVID-19 and increasing numbers of remote operations, the susceptibility and vulnerability of a cyber attack has never been greater.
On a regular basis, we hear intelligence experts proselytize an eventual cyber doomsday where our critical infrastructure (CI) — communications systems, information technology (IT) capabilities and financial networks — are compromised or disabled. These kinds of attacks could devastate our national and economic security and even disrupt basic day-to-day activities like turning on lights or buying groceries with a debit card. Even worse, a significant cyber event could escalate to the point of military actions between nation-states.
In 2012, Defense Secretary Leon Panetta warned about a potential “Cyber Pearl Harbor.” These threats were echoed by then head of Cyber Command, Gen. Keith Alexander, with hope the public, private and CI sectors would take notice of the broad, detrimental impacts of cyber threats.
Geoff Hella, Centauri Corp.
In kind, the Obama administration took aggressive steps to protect CI networks, and the Trump White House followed suit by enacting measures to strengthen the resilience of other technologies integral to our CI.
The latest White House Executive Order specifically addresses our reliance on position, navigation and timing (PNT) services and directs agencies to work in close coordination with the private sector to identify, secure and continue to improve the resilience of these technologies.
PNT services, such as GPS, are an extension of our IT systems, but despite this, PNT has been a relatively invisible utility and is oftentimes unknowingly utilized by most CI owners and operators. In the coming years, our reliance on PNT will only increase, making now a critical time to foster close collaboration between public and private sectors and determine which systems, networks and assets are dependent on PNT services. Identifying these dependencies will allow us to verify appropriate resilient PNT services being used, determine downstream effects of the disruption and manipulation of PNT services, and manage the associated risks to dependent systems.
The new directive is fast paced — outlined in 90-, 180- and 360-day increments — and instructs agencies to utilize existing public-private sector cybersecurity and CI information sharing relationships, such as Sector Specific Agencies (SSA), to share threat data, educate stakeholders and promote a responsible use of PNT.
What’s the Rush?
So, why is this happening right now? PNT systems are crucial to American life, and successfully securing them requires a coordinated response and sooner rather than later. In fact, malicious nation-states, such as Russia, are spreading their wings into new threat vectors to inflict damage and are shifting their attention to PNT.
Because of these risks, we must do more as a country to establish safeguards around these technologies. That being said, agencies and organizations cannot expect their current workforce to become PNT security experts overnight. Rather, business owners and operators would be better served bringing in third-party experts that have been building security into PNT even prior to this directive.
These private-sector partners can map out a systematic approach to prioritize PNT security in a three-step plan:
- Find. Identify PNT systems and “profile” them — establish point A.
- Fix. Find and correct vulnerabilities — many can be non-material/tactics, technique and procedures (TTP) solutions.
- Fortify. Develop TTPs, timelines and guidance for users to upgrade CI where needed — the path to Point B.
When PNT services were first developed, the systems could be openly used by anyone and security was not built into the original PNT architecture — similar to when the internet was created. This has made it easy for adoption into almost everyday life and revolutionized the world. Likewise, it has also made it easy for bad actors to access and compromise it, forcing the country to scramble, backtrack and implement cybersecurity best practices.
The good news is that we aren’t completely starting from scratch. The Department of Defense has been working to secure its PNT systems and will be updating its processes and practices as part of the recent White House directive.
The security community can also look to best practices in assessing risk of vital systems and model PNT security measures on existing guidelines such as Federal Information Processing Standards (FIPS) and NIST Special Publication 800 Series.
Path Forward
Per the Executive Order, lead agencies such as the Department of Transportation and the Department of Commerce will work in concert with the private sector to define “PNT profiles” and share these attributes with stakeholders. The coalition of partners will then be able to account for where and how PNT is used by CI owners and operators and will promote the responsible use of PNT services moving forward.
Beyond defining PNT profiles, the EO allocates new research and development funding for Commerce to develop an alternative to GNSS, which provides real-time PNT data to planes, trains, ships and automobiles that transport vital goods and resources — all in an effort to reduce the level of acceptable risk.
The White House also requires the public and private sectors to develop vulnerability testing and incident response plans and, simultaneously, encourage the private sector to use and develop more robust PNT services in anticipation of new Federal Acquisition Regulatory Council (FARC) contract requirements.
While these changes may seem like a fast moving and overwhelming process, there are many cases where CI owners and operators will not be required to integrate material solutions, but rather procedural training and behavioral adjustments. The information sharing processes already exist to provide improved situational awareness, coordination among the public and private sectors, increased reporting, solidified baseline risk assessments and a broader understanding of how systems rely on PNT. The challenge is facilitating widespread adoption across all stakeholders, increasing collaboration and education among and across the CI groups.
For this effort to be successful, it will require a whole-community, multi-pronged approach to operating in a new “threat top-of-mind” paradigm that is grounded on cross-sector information sharing, training and education. Both public and private sectors should also outsource expertise and leverage existing models like the DoD PNT doctrine, NIST standards and incident response capabilities.
Gregory Gerten is director of PNT Operations at Centauri, supporting the PNT enterprise through innovative use of modeling and simulation, hardware-in-the-loop and field testing, and process automation. He earned his master’s degree in electrical engineering from the University of Dayton, and has completed post-graduate courses in GPS from the Air Force Institute of Technology. He has more than 20 years of experience in system design, development and integration in the areas of communications, navigation, electronic warfare tactics and weapon systems.
Geoffrey Hella is a senior engineer for Centauri assigned to a Space Command contract through the Joint Navigation Warfare Center (JNWC). He has worked to achieve a Master of Aeronautical Science (MAS) from Embry-Riddle Aeronautical University in 1994. During his 40 years of experience, he has been a leader in product development and system design to successfully carry out a vast range of assignments in multiple engineering disciplines. His assignments include: aircrew member of the United States Air force (USAF); National Air Space (NAS) engineer for the Federal Aviation Administration (FAA); Special Nuclear testing and safeguards engineer for the Department of Energy/Sandia National Laboratories; and Supervisory Control and Data Acquisition (SCADA) engineer for both public and private Industry, electric and gas utility companies. Hella currently holds a six-sigma certification and a general radio operator license from the Federal Communication Commission (FCC) and a remote pilot operator certificate from the Federal Aviation Administration (FAA).