Air Force Was ‘Hyper Focused’ on Cybersecurity for IT Networks. Now Other Systems Need Protection.

DAYTON, Ohio—Looking to address Air Force Secretary Frank Kendall’s operational imperatives, cybersecurity leaders with the Air Force Life Cycle Management Center recently analyzed their networks and systems to see how they would hold up against cyber threats.

The leaders came away with a “sobering” observation: Key IT networks and data centers were secure, but the networks that support base facilities, weapons systems, and infrastructure were less so.

“From a defensive cyber point of view … before we were hyper-focused on information systems and protecting them,” James Robison, materiel leader for AFLCMC’s Defensive Cyber Systems Branch, said in a panel discussion at the Life Cycle Industry Days conference. “Through the work on the operational imperative, it became clear that it was those control systems, weapon systems—we need situational awareness across that entire landscape.”

The importance of cybersecurity beyond IT systems has become a “great concern,” added Danny Holtzman, a cyber technical director assigned to AFLCMC.

“The fact is, the adversary is going to take the easiest path forward,” Holtzman said. “And if they can disrupt our facilities and turn on the fire suppression systems so our stealth fighters are covered with fire suppression material, that doesn’t help us, right? So I think that’s a great concern. We are aware of it. We are trying to work it at an integrated level.”

Certain corners of the Pentagon have been sounding the alarm on the issue for years now, highlighting the fact that as weapon systems and their facilities increasingly leverage new technologies and become connected, they also become potential targets for adversaries. AFLCMC’s work emphasized that those targets need more protection.

“One of those sobering things we found during the operational imperative work was that gap … the disconnect between a lot of the IT and the networks and the data centers that host capabilities that we rely on, [and] the actual base infrastructure and those control systems that are across many of our air bases,” said Brian Kropa, AFLCMC technical adviser for advanced cyber technology.

Experts had several suggestions for how to remedy that gap. For one, Kropa noted the importance of protecting the data that feed into systems. Adversaries seeking to disrupt base infrastructure systems could try to manipulate or corrupt that data to trigger unexpected, disruptive actions.

One of the Air Force’s key efforts in that regard is implementing zero trust, which makes it harder for hackers to move laterally once they have penetrated a network’s perimeter: instead of trusting traffic because it is already inside, the network interrogates it at every juncture as it tries to move from one system to another.

“Zero trust is coming along,” Kropa said. “That term can mean many things to many different people. Part of zero trust in my mind is protecting the data and the data integrity piece and building access control into our system. So we really don’t need classification levels anymore or separate infrastructures or air-gapped networks, because we’re really trying to concentrate on the data in and of itself. Much harder problem—it needs a lot of R&D work and a lot of innovation.”

The problem can also be addressed by attacking it early in production cycles, added Matthew Aguirre, technical director of AFLCMC’s cryptologic systems group.

“We have all of these operational activities that need to be supported on the back end. But there’s a lot of processes and activities that happen on the front end, in terms of design, production, provisioning, certification, production, all of these activities,” Aguirre said. “What we’re trying to do as an organization is to think through how we support system concepts through modeling out all of the activities that need to happen in order to support that system. Whether it’s a control system or an operational weapon system, the idea is that we should understand all of the activities that go into producing, delivering, and sustaining capability, and then understanding where those operational activities are, what the inputs and what the outputs look like, what the threats are for each of those operational activities.”