Cyber Defense Review

Indiana Exercising Plans to Combat Cyber Threats: Preparing for CRIT-EX 2016

By CPT Mike McDonald, Doug Rapp, LTC Ernie Wong | May 06, 2016

On the 21st and 22nd of March, 2016, Indiana hosted its inaugural Defense Cyber Summit (DCS), which aimed to advance the state’s cyber readiness and preparations against a cyberwarfare attack. Spurred on by Admiral Michael Rogers, the Commander of the U.S. Cyber Command, who in 2014 called cybersecurity “the ultimate team sport,” Indiana has purposefully adopted a culture of collaboration between government organizations, private firms, non-profits, and academia to improve the state’s response and resiliency to a significant cyber incident. This team approach will counter cyberattacks intent on degrading Indiana’s economic capacity and threating the critical services of its citizens [1]. Under the umbrella of the Applied Research Institute (ARI), organizations such as Purdue University, Indiana University, Crane Naval Surface Warfare Center, the Cyber Leadership Alliance, the Indiana National Guard, and the Indiana Department of Homeland Security have partnered together to address and propose solutions to Indiana’s cyber security challenges. This effort is boosted by the Indianapolis-based Lilly Endowment support of nearly $16.3 million that is funded through a grant from the Central Indiana Corporate Partnership Foundation. The ARI is working to foster collaboration, research, and problem solving on cyber threats to Indiana’s critical infrastructure [2].

Purdue University Professor Joe Pekny welcomes attendees to the Inaugural Defense Cyber Summit (photo by Tony Chase)

 

The DCS concept was conceived during visits to US service academies by an Indiana delegation. Representatives from Purdue’s Burton D. Morgan Center for Entrepreneurship, the Purdue Research Foundation, and the Cyber Leadership Alliance, had originally concentrated on partnering Purdue University with the service academies in order to provide the most cutting-edge knowledge and technology to future cyber warfighters. “It didn’t end up that way,” professed Chad Pittman, Purdue Research Foundation’s Vice President for the Office of Technology Commercialization. “We realized there was a bigger need here so we brought together even more problem solvers looking into improving our cyber resilience and expanded the audience to include all cyber forces in defense,” Pittman continued. Upon reflecting on just how many more participants and organizations the delegation would be partnering with, Pittman jokingly remarked, “Despite having a lot of corn in Indiana, we don’t all work in silos.”

DCS attendees listen to Indiana University Professor Steve Myers (Photo by Michael McDonald)

 

While total prevention against a cyberattack is not possible, the DCS has bolstered the understanding that healthy cyber hygiene practices, and relatively inexpensive cyber protection measures can provide enough prevention that the incidence of successful attacks becomes manageable. Furthermore, the summit emphasized that it takes not only technical means to help monitor and detect a cyber threat, but, perhaps more importantly, a network of people with sound processes to quickly, effectively, and efficiently respond to the determined actions of an active and intelligent cyber adversary. Finally, a robust intelligence sharing architecture helps to immediately alert key nodes in our cyber ecosystem of an attack so it can be treated at a localized level as possible rather than become overwhelmed by a sufficiently broad attack; consequently, the initial stages of recovery can begin to restore people’s trust and confidence in the security of our cyber infrastructure. All these discussions at the DCS are consistent with the prevailing US Department of Homeland Security construct on cybersecurity (see Figure 1).

Figure 1: US Department of Homeland Security’s Prevailing Cybersecurity Construct [3]

 

Purdue Computer Science Professor Mikhail Atallah summarized Indiana’s approach to cybersecurity best when he articulated his research team’s philosophy on improving anti-counterfeiting of digital media through innovative cryptographic methods: “What we are simply trying to do is to make it harder for adversaries to attack our systems; and this is particularly effective when it costs us just a little bit more to succeed while disproportionately increasing the expense for the adversaries in their attempt to win.” By applying Professor Atallah’s sensible proposition to the notional taxonomy of cyber adversaries that the US Defense Science Board has introduced (see Figure 2), we can reduce the likelihood of cyberattacks from every threat tier. If we can systematically increase the cost for cyberattacks to succeed, we can diminish nuisance threats operating at the lower levels using malicious code developed by others or exploiting pre-existing known vulnerabilities, but also make it more difficult for those existential cyber threats at higher levels that create new vulnerabilities in our otherwise adequately protected systems through full spectrum techniques, such as acquiring unauthorized access through blackmail and bribery, or employing proximate physical or electronic means for gaining system penetration. The innovative thinking and research into complex cyber challenges taking place at its universities are a strong testament to Indiana’s marketing campaign of “A State that Works.”

 

Figure 2: US Defense Science Board’s Notional Cyber Threat Taxonomy [4]

 

The DCS was attended mostly by experts in cyber-related fields, to include academic scholars informing the attendees of their research into cutting-edge solutions to cyber challenges, and cybersecurity authorities explaining their collaborative procedures, methods, and tools to help protect against, and respond to a critical cyber incident in Indiana. One of the most noteworthy commentaries at the summit, however, was delivered by Carolene Mays-Medley, the Commissioner and Vice Chairman of the Indiana Utility Regulatory Commission. Her appeal for Indiana to be better informed of cyber threats that can significantly impact not just our individual privacies, but also seriously cripple basic services that we collectively depend upon on a daily basis, such as electricity, water, and telecommunications, resonated splendidly with the audience. But unlike most cybersecurity conferences where cyber-experts preach mostly to one another—a group of like-minded individuals already cognizant of the need to be vigilant with increasing dependence on digitally connected technologies—Comissioner Mays-Medley readily admitted that she is a technological neophyte who only recently gained an appreciation for the enormous dangers and significant vulnerabilities our digitized society has with the continuously expanding internet. With key government officials championing this cause and promoting the need for better cybersecurity, Indiana is ensuring that it has created cooperative partnerships that can plan and prepare for a broad-scale cyberattack, and can successfully practice, rehearse, and continually improve how it employs cyber best practices for the collective good of the entire state. Through the DCS, Indiana is showing that it is on the right path to making sure the state is cyber-resilient.

 

DCS Participants board a UH-60 Blackhawk en route to the Muscatatuck Urban Training Center (Photo by Doug Rapp)

 

Indiana will be hosting Crit-Ex 16.2 on the 18th and 19th of May, which allows participating organizations from across the public and private sectors to improve their understanding of the cyber ecosystem [5]. Crit-Ex officially launched in March 2016 with a tabletop exercise (TTX) held at Camp Atterbury, during which exercise players discussed their response to a coordinated cyberattack on Indiana power generation and transmission facilities. With the lessons learned from the Crit-Ex 16.1 TTX, the Indiana Department of Homeland Security in conjunction with the Indiana National Guard, Indiana Office of Technology, Cyber Leadership Alliance, and over 16 other public and private partners have developed a controlled functional cyberattack exercise that will allow participants to deploy resources and communicate with response partners to mitigate adverse effects and expedite recovery. With expert teams executing a real-world attack on a “production” water utility SCADA system located at the Muscatatuck Urban Training Facility, exercise participants will gain an enhanced understanding of their protective, response, and recovery postures, and provide additional insights into gaps in communication, resources, and coordination. The purpose of Crit-Ex 16.2 is to improve the overall security and responsiveness of Indiana’s critical infrastructure in the event that an advanced cyberattack disrupts basic essential services and presents a public safety threat. Through its Defense Cyber Summit and upcoming Crit-Ex, Indiana is showing why it considers itself to be the Midwest cyber center of gravity.

 

 

Notes

[1]  C. Roulo, “Cyber Defense a Cooperative Effort, Rogers Says,” DoD News, Defense Media Activity, November 15, 2014.  Available at http://www.defense.gov/News-Article-View/Article/603656.

[2]  D. McGowan, “Lilly Endowment Pumping $42M Into Southwest Central Indiana,” Inside Indiana Business, December 23, 2015.  Available at http://www.insideindianabusiness.com/story/30812018/lilly-endowment-pumping-42m-into-southwest-central-indiana.

[3]  US Department of Homeland Security, “Enabling Distributed Security in Cyberspace: Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action,” March 23, 2011.  Available at https://www.dhs.gov/enabling-distributed-security-cyberspace.

[4]  US Defense Science Board, “Task Force Report: Cyber Security and Reliability in a Digital Cloud,” January 2013.  Available at http://www.acq.osd.mil/dsb/reports/CyberCloud.pdf.

[5]  Indiana Department of Homeland Security and Cyber Leadership Alliance, “Crit-Ex 2016: Advancing Cybersecurity for the State of Indiana,” fact sheets 1 and 2, January and April 2016.



US Army Comments Policy
If you wish to comment, use the text box below. Army reserves the right to modify this policy at any time.

This is a moderated forum. That means all comments will be reviewed before posting. In addition, we expect that participants will treat each other, as well as our agency and our employees, with respect. We will not post comments that contain abusive or vulgar language, spam, hate speech, personal attacks, violate EEO policy, are offensive to other or similar content. We will not post comments that are spam, are clearly "off topic", promote services or products, infringe copyright protected material, or contain any links that don't contribute to the discussion. Comments that make unsupported accusations will also not be posted. The Army and the Army alone will make a determination as to which comments will be posted. Any references to commercial entities, products, services, or other non-governmental organizations or individuals that remain on the site are provided solely for the information of individuals using this page. These references are not intended to reflect the opinion of the Army, DoD, the United States, or its officers or employees concerning the significance, priority, or importance to be given the referenced entity, product, service, or organization. Such references are not an official or personal endorsement of any product, person, or service, and may not be quoted or reproduced for the purpose of stating or implying Army endorsement or approval of any product, person, or service.

Any comments that report criminal activity including: suicidal behaviour or sexual assault will be reported to appropriate authorities including OSI. This forum is not:

  • This forum is not to be used to report criminal activity. If you have information for law enforcement, please contact OSI or your local police agency.
  • Do not submit unsolicited proposals, or other business ideas or inquiries to this forum. This site is not to be used for contracting or commercial business.
  • This forum may not be used for the submission of any claim, demand, informal or formal complaint, or any other form of legal and/or administrative notice or process, or for the exhaustion of any legal and/or administrative remedy.

Army does not guarantee or warrant that any information posted by individuals on this forum is correct, and disclaims any liability for any loss or damage resulting from reliance on any such information. Army may not be able to verify, does not warrant or guarantee, and assumes no liability for anything posted on this website by any other person. Army does not endorse, support or otherwise promote any private or commercial entity or the information, products or services contained on those websites that may be reached through links on our website.

Members of the media are asked to send questions to the public affairs through their normal channels and to refrain from submitting questions here as comments. Reporter questions will not be posted. We recognize that the Web is a 24/7 medium, and your comments are welcome at any time. However, given the need to manage federal resources, moderating and posting of comments will occur during regular business hours Monday through Friday. Comments submitted after hours or on weekends will be read and posted as early as possible; in most cases, this means the next business day.

For the benefit of robust discussion, we ask that comments remain "on-topic." This means that comments will be posted only as it relates to the topic that is being discussed within the blog post. The views expressed on the site by non-federal commentators do not necessarily reflect the official views of the Army or the Federal Government.

To protect your own privacy and the privacy of others, please do not include personally identifiable information, such as name, Social Security number, DoD ID number, OSI Case number, phone numbers or email addresses in the body of your comment. If you do voluntarily include personally identifiable information in your comment, such as your name, that comment may or may not be posted on the page. If your comment is posted, your name will not be redacted or removed. In no circumstances will comments be posted that contain Social Security numbers, DoD ID numbers, OSI case numbers, addresses, email address or phone numbers. The default for the posting of comments is "anonymous", but if you opt not to, any information, including your login name, may be displayed on our site.

Thank you for taking the time to read this comment policy. We encourage your participation in our discussion and look forward to an active exchange of ideas.