Adversary emulation exercises using our open-source Caldera™ for Operational Technology platform enable critical infrastructure operators of all sizes to prepare for mounting cyber attacks.

MITRE Connects: Protecting U.S. Critical Infrastructure
- There has been far too little public focus on the fact
that PRC hackers are targeting our critical infrastructure,
our water treatment plants, our electrical grid,
our transportation systems,
and the risk that poses
to every American requires our attention.
Now.
- You interact with probably 10
or 20 different critical infrastructure systems every day
just in your morning routine. You get up,
you brush your teeth, the water works, you take a shower,
you drive to work, you take the train or the metro.
These systems impact and enable modern life,
and so with a nation state adversary, they're looking
to hold our infrastructure and our way of life at risk.
A lot of these critical infrastructure systems
that are known as OT or industrial control systems were
deployed 20, 30 years ago,
and they were never really designed
to be interconnected in the ways that they are today,
let alone under attack by our adversaries.
- MITRE is working with government
and industry to protect our nation's critical systems
and democratize security testing in preparation
for cyber attacks.
- There are so many utilities in this country
that run on these razor thin margins of operating costs.
They have three people that do, you know, all
of their IT work, and they don't have the budget
or the resources to invest in these more complicated,
comprehensive tools.
- In partnership with our federal sponsors,
we developed a capability called Caldera
for operational technology
or Caldera for OT that allows operators of all sizes
to emulate cyber adversaries.
Our model city takes it a step further enabling users
to visualize the cascading effects cyber breaches can have
on different municipal environments.
- Behind me are equipment
and systems that represent actual setups in the real world,
actual substation equipment, actual controllers
that you would find in water treatment manufacturing.
- We often think about
and treat critical infrastructure sectors individually in
silos, but in reality, they're all interlinked.
Our water infrastructure depends on pumps.
Those pumps are powered by our power grid.
Our power grid relies on our telecommunications
infrastructure to share sensor information across
transmission lines,
and so if any one
of these major lifeline sectors is disrupted, we start
to see cascading failures in others.
As we think about defense,
rather than defending just the power grid
or defending just the natural gas system,
we think about how we defend all of them in parallel
so that they all stay up
and are able to deliver their services.
- We are very privileged in the Western world
to have not had major cyber effects
that actually impact our day-to-day life,
but that is now the goal of the adversary
and as individual citizens, we need to be mentally
and practically prepared for our infrastructure
to go away due to a cyber effect.
The power of MITRE is that we can connect industry,
government, other parts of private sector
to make resilient infrastructure.
We all have to work together to solve these big problems.
Last fall, an Iranian government-linked group hacked a small water authority serving 15,000 residents in Pittsburgh. The breach, one of several by the same state actor, targeted Israeli-made equipment in response to the Israel-Hamas war.
The attack was identified, averted, and didn’t ultimately affect civilian end users, but the incident served as a reminder of our nation’s critical infrastructure vulnerabilities against the backdrop of an increasingly contentious geopolitical landscape.
Earlier this year, in an op-ed in The Hill, our Chief Technology Officer Charles Clancy sounded the alarm about China’s dramatically escalating threats. President Xi Jinping publicly announced he would be ready to invade Taiwan by 2027—plans that likely include disrupting our military’s ability to step in.
In addition to an increasingly targeted water sector, energy, communication, transportation, and natural gas are all at risk of being hacked. "We are very privileged in the western world not to have had major cyber effects that impact our day-to-day life," says Mark Bristow, director of MITRE’s Cyber Infrastructure Protection Innovation Center. "But now that’s the goal of the adversary."
MITRE is working with government agencies and operational technology (OT) operators to develop technologies, practices, and approaches to protect critical infrastructure.
A Complicated Landscape
While some critical systems are run by local, state, or the federal government, most are operated by private industry. For example, the U.S. has more than 150,000 independent water utility operators. Small utilities running on thin margins don’t have the resources to dedicate to cybersecurity.
Additionally, their systems—many of which were deployed 20 to 30 years ago—were not designed to be interconnected in the ways they are today, giving adversaries an advantage.
"It's unfair to ask a regional or even a city water utility to defend itself from China," Bristow says. "At the end of the day without help, they're not going to win that fight."
Democratizing Security Testing
Smaller utilities can prepare for attacks by running real-world adversary emulation exercises using MITRE’s Caldera for OT open-source tool.
The first Caldera for OT extensions were developed in partnership between the Homeland Security Systems Engineering and Development Institute™, the federally funded research and development center that MITRE operates for the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency (CISA).
We’ve taken it a step further at MITRE headquarters in McLean, Va. Our Smart Connected Analytic Learning Exchange Lab features a large-scale model city with a typical municipal environment segmented into hospital, military, residential, nuclear, and transportation areas.
Coined "Cyber City," the tabletop is available for government entities and asset operators to test worst-case cyberattack scenarios using Caldera for OT. The tactical demonstrations help users visualize the cascading effects of attacks and the interdependencies among systems.
"That's really where the power of this modeling comes in," Bristow explains. "In addition to being an effective communication tool, it also enables us to do integrated research and analytics across multiple different types of technologies."
By bringing together government and industry, MITRE is bolstering the nation’s critical infrastructure. "We all have to work together to solve these big problems," Bristow says.
Contributors: Catherine Trifiletti, Joshua Gottschling, Cooper Bennett, and Mike Mahoney