As cyber attacks become more sophisticated and bad actors shift their focus from informational to operational environments, sector leaders are rushing to address the growing threats to U.S. critical infrastructure. After more than two years of extensive studies and assessment, the Department of the Army is forging ahead with its Army Critical Infrastructure Cyber Protection (ACICP) project, aimed at protecting the department’s critical infrastructure from cyber attacks, and will invest about half a billion dollars in the project over the next five years with help from the Technology Modernization Fund (TMF).
The Army operates 23 depots, arsenals, and ammunition plants across the United States carrying out a variety of missions, including repairing Humvees and tanks, manufacturing highly specialized equipment, and serving as transportation sites, to name a few.
“These are all one-of-a-kind manufacturing equipment and facilities that don’t exist anywhere in the world. There’s only one in the world, and that’s how sophisticated and niche they are,” Dr. Raj Iyer, Army CIO, said in an interview with GovCIO Media & Research.
As industrial equipment and machinery grow more sophisticated and interconnected, they collect a wide range of data through sensors, including humidity levels on the floor, vibration or location of the machinery and equipment, power consumption, and predictive-maintenance readings, among other things.
The Army’s assessment of its 23 industrial base facilities, directed by Congress through the National Defense Authorization Act several years ago, revealed some critical vulnerabilities that, if not addressed immediately, could pose a grave danger to national security.
“What we found was not that we were completely surprised by it, but quite frankly, you know, there was a lack of cybersecurity controls to the same extent that we would have on our traditional IT equipment,” Iyer said. “This OT was not at the same level of cyber protection as the IT, but yet what we knew was if our adversary was able to come through any of these endpoints, whether it’s OT or IT, because now they have access and entry into the network, they can actually go anywhere on the army network. This created a huge awareness for us in the Army about how severe some of the risks were.”
To fund the initiative, the Army turned to the TMF, established by Congress to address immediate security gaps and support the federal government’s IT modernization efforts. Because of the budget cycles, if the Army wanted to address an immediate need this year, it would have had to budget the fix back in 2019.
“We hadn’t really resources, you know, we added in the budget starting in ‘24, but we didn’t have any money in ‘22 and ‘23, so that’s where TMF, Technology Modernization Fund, came in,” Iyer said.
The Army also wanted an avenue where it could address the problem in partnership with other agencies working towards securing the country’s critical infrastructure.
“Because if we go out and try to solve it on our own … we are always very narrowly focused,” Iyer said. “We felt it was important enough that we work with all the other agencies, we get the best practices and things that they are seeing, but also us being able to share with them. This is where I work with Clare Martorana, the White House CIO, the DOD CIO John Sherman, the Federal CIO Council where I sit as the CIO. And we hatched this plan to get after TMF funding.”
To protect the operational technology at its organic industrial bases, the Army will use the Security Operations Center as-a-Service (SOCaaS) model. Under SOCaaS, a third-party vendor fully operates and maintains the SOC on a subscription basis.
This solution will allow Army IT leaders to ensure they have sensor coverage across all of their networks by tracking network traffic and identifying anomalous behavior in real time through analytics and artificial intelligence (AI). It will also allow red team assessments to identify who can penetrate the networks, what attack vectors bad actors can use, and potential vulnerabilities.
The Army is moving towards the SOCaaS model because it provides more flexibility and allows the Army to keep pace with ever-developing technology instead of running the risk of buying technology that becomes obsolete in several years.
“When we looked at how we were going to protect all this operational technology, the first thing we realized was the expertise in-house didn’t exist. Even in our traditional IT, it’s taken us years. It was very clear that, at least initially, we needed an approach where we had to rely on industry to help us,” Iyer said. “The other piece, too, was we wanted to make sure that even though we are going to the industry, we needed whoever we brought in to help, kind of teach us how to fish, right? They gotta teach us and train us how to do this so we can become self-sufficient.”
The first transfer for the Army's Critical Infrastructure project from TMF is currently in progress, with a total investment of $15,575,246. According to the initial assessment, the Army has about 500,000 devices across the industrial bases in need of security. The number is a rough estimate due to challenges associated with identifying the exact number of devices across all sites.
“Quite frankly, I don’t even know if it’s 500,000. We think it’s about 500,000, but it might be 700,000, might be a million only because we have never actually cataloged every one of these things,” Iyer said.
Additional funding is needed, but the TMF investment will “stop the bleeding” and give the Army adequate cybersecurity overwatch until full funding kicks in starting next year. The Army has allocated about $100 million a year for this effort over the next five years.
“We are talking significant amounts of money, about half a billion dollars over the next five years, to actually go back, remediate everything, fix them up, but also modernize, because what we believe is we have a lot of this old control system operation technology from the 1980s and 90s that are not secure and we can never really protect them because of the old technology,” Iyer said.
As for the 2023 goals, the Army's priority is remediating some of the extremely critical vulnerabilities at one of the 23 sites found during the initial assessment. The effort is classified, but it will serve as a pilot to allow the Army to understand how the SOCaaS model works, what changes need to be made to the architecture and distribution, what skill sets or training are needed, and how to work with vendors.
The ultimate goal is to modernize the Army’s industrial bases as opposed to merely patching vulnerabilities.
“This is where we’re also tying this effort into the Army’s digital modernization plan. Army Materiel Command and Army have a plan in place to modernize the entire industrial base,” Iyer said.
In working with the TMF, the Army received good feedback from the board of directors, who expect the Army to brief them quarterly on the progress made with the project. Through this process, the Department of Energy (DOE) has become the Army’s closest partner.
“As the project moves further into the execution phase, the PMO will ensure that the project meets its goals by working with the project team to overcome any obstacles that may crop up. Successful implementation of this project will accelerate crucial protections at the Army’s organic industrial bases and provide valuable insight to other agencies who face similar cybersecurity challenges. The project is anticipated to be complete in FY 2027,” a GSA spokesperson said.