Local and national cyber leaders discussed the latest trends in cybersecurity, the Air Force Academy’s cyber efforts and the state-sponsored National Cybersecurity Center as part of the sixth Cyber Security Training and Technology Forum. The gathering was hosted last week by the Colorado Springs chapter of the Information Systems Security Association, which had invited personnel from the military, commercial and private sectors to learn more about insider threats and useful information-sharing, as well as other developments in the cybersecurity industry.
The city of Colorado Springs and the state of Colorado have created a website for the National Cybersecurity Center, and the center’s inaugural event is scheduled in November.
The NCC is still in the development stage, with a temporary office across from UCCS. Its top priority is hiring a full-time, permanent CEO by next month, according to NCC Deputy Executive Director Eric Hopfenbeck.
“The goal is to begin initial operational capability in November and full capability by summer 2017 with all three pillars working together,” he said.
The three NCC pillars: The Cyber Institute; a Cyber Research, Education and Training Center; and a Rapid Response Center.
Retired Army Lt. Gen. Ed Anderson from UCCS has been serving as interim executive director.
“We’ve hired a third staff member [an executive assistant] and each of the pillars has an advisory board that guides and leads the process of developing that pillar,” he said.
The boards are responsible for developing the missions and goals for each of the three pillars.
“The Cyber Institute will be similar to a think tank, focused on cyber topics,” said NCC panelist Ed Rios, CEO of CyberSpace Operations Consulting. “We’ll talk at length on the impacts and effects of cyber, not only in cybersecurity but cyber economics, psychology and all the way to anthropology and sociology.”
The Rapid Response Center will be a call center for nonprofits, government agencies and small-to-mid-sized businesses experiencing a cyber attack.
The nonprofit’s mission is to provide collaborative cybersecurity services for companies and technology, as well as create capabilities for training, education and research. Its first event will be hosted by The Cyber Institute Nov. 13-15 at The Broadmoor hotel, an exclusive event for all 50 state governors, as well as other leaders like school superintendents, county commissioners and state attorneys general.
Cyber companies or individuals who want to get involved with the NCC can submit their information on its website, nationalcybersecuritycenter.org.
Hopfenbeck said the team is “cataloging experts” and making sure services the NCC provides are collaborative in nature. The center wants to be a neutral third party that everyone can trust to work with.
“For the Cyber Institute and Rapid Response Center, there’s going to be a huge need for subject matter experts, not necessarily from large corporations,” Rios said. “The subject matter experts as we envision it will have various roles in the real-time operations at the Rapid Response Center, all the way through the academic and intellectual discussions that could happen at the Cyber Institute — and it will be critical.”
Col. Jeff Collins is the new director for CyberWorx, formerly known as the Air Force Cyber Innovation Center.
Housed at the Air Force Academy, CyberWorx is focused on cyber innovation through design thinking, cadet education and public-private partnerships.
“We are here to deliver cyber capabilities, not to study or articulate the problems further, but deliver these capabilities,” Collins said. “The idea is the warfighting operational advantages we’ve enjoyed over the last years have been eroded because of attacks in, through and from this cyber domain.”
Operators and industry partners can work together to come up with rapid prototypes of potential solutions that operators can take to industry partners, and intellectual property can be worked out, Collins said.
“Our cycles of acquisition are too slow for us to keep up with adversaries, and therefore it takes a different type of thinking in order for us to deliver warfighting effects and capabilities for defending in automated ways,” he said.
CYBERSECURITY IN MANUFACTURING
Frank Backes, president of the Center for Technology, Research and Commercialization at Catalyst Campus, spoke about affordable, open-source security options for small- to mid-sized manufacturing businesses.
In a manufacturing space, the No. 1 reason for cybersecurity is business stability and profitability, he said.
“The average lifespan for manufacturing equipment is somewhere between 10 and 30 years — and if it’s 30 years old and a company plans to use it for another 10, the probability of them updating anything on that piece of equipment is zero,” Backes said.
So can you keep 25-year-old equipment and still meet security requirements imposed by the federal government?
“You keep the equipment and maintain productivity by creating a cross-functional team where those in information technology and those in operations technology work together,” he said.
The cybersecurity market is IT-centric with all of the power existing in IT when it comes to security, Backes said.
“If IT professionals are imposing requirements on the operational technology team, it’s not going to work because it doesn’t make sense,” he said. “They have no expertise in that piece of manufacturing equipment and no idea if the patches they’re imposing will keep that machine running or not.”
And that’s why the operations side needs some authority, because operations creates productivity, Backes said.
“You have to create a balanced team with those in operational technology such as control engineers, control system operators and subject matter experts who understand what the machines are doing and why,” he said.
The most at-risk pieces of equipment in terms of security are the ones currently being manufactured and purchased, according to Backes.
“They were designed five to 10 years ago and have all of the bells and whistles, but [were] not built with security standards,” he said. “It’s not just old equipment, it’s equipment now coming into the market that’s causing security concerns.”
Backes has worked in IT security since 1993, building offensive and defensive systems in commercial and military environments. He said when it comes to security in manufacturing, it’s not an “all-or-nothing” effort.
“Start now, have one project and then have incremental improvement within the operational technology environment as you move forward,” he said.
CTRAC is exploring already-certified solutions based on open-source approaches that have become more affordable, Backes said.
“Companies talk about how they can’t afford security, it’s too complex and they don’t have the personnel to implement capability or maintain it going forward,” he said. “The key is to start simple, focus on having a plan for the long term, differentiate yourself from competitors and implement your plan.”
Backes said a good reference for more perspective is the updated Guide to Industrial Control Systems Security, tinyurl.com/ICSSguide.