Lessons from LOCKED SHIELDS 2024 cyber exercise

Parham Eftekhari, Executive Vice President of Communities at CyberRisk Alliance, attended the LOCKED SHIELDS 2024 cyber exercise last week. What follows are his takeaways from the event.

On April 18,  FBI Director Christopher Wray warned national security and intelligence experts that the risk the government of China poses to U.S. national and economic security are “upon us now”—and that U.S. critical infrastructure is a prime target. 

“The PRC [People’s Republic of China] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist,” he said during his remarks at the Vanderbilt Summit on Modern Conflict and Emerging Threats in Nashville. 

To neutralize this threat, Wray and other national security leaders have called for stronger partnerships between governments, commercial, and academic institutions.

LOCKED SHIELDS 2024

Last week, I witnessed firsthand how partnerships can combat cyber threats when I had the privilege of attending Exercise LOCKED SHIELDS 2024, the largest and most complex international live-fire cyber defense exercise in the world with more than 3,000 participants from 38 nations.   

As a participant in the exercise’s Distinguished Visitors Day representing the Institute for Critical Infrastructure Technology (ICIT) in my capacity as Chairman alongside ICIT CEO Cory Simpson, I had the opportunity to attend several briefings and roundtable sessions where domestic and international partnerships were highlighted as a mission-critical component of our national security strategy.  Throughout the day I learned about ongoing efforts by state and federal agencies to strengthen critical infrastructure resilience by solving some of today’s most pressing challenges including workforce development, security-by-design, and cross-sector information sharing.

The U.S. Cyber Command's Joint Force Headquarters-Department of Defense Information Network (JFHQ-DODIN ) and its National Center of Excellence for Cybersecurity in Critical Infrastructure led the U.S. team’s operations, consisting of international partners from Norway and Montenegro and domestic partners from across government, industry, and academia.  Exercise LOCKED SHIELDS 2024 U.S. operations were held at the University of West Virginia Campus in Morgantown, W.V., a reflection of the state’s impact on the cybersecurity sector with W.V. natives like Senator Shelley Moore Capito, Karen Evans, Travis Rosiek, and ICIT’s Simpson propelling the state to the forefront of cybersecurity and cloud computing.

The exercise served as a crucible for honing cyber defense capabilities on a global scale, with the U.S. Team's training objectives focused on:

Takeaways from the exercise

The simulation during LOCKED SHIELDS vividly showcased the interdependencies of IT and OT in critical infrastructures under attack, something CRA focused on in our April installment of CISO Stories. Among the lessons learned during this exercise are the fact that attackers are taking particular advantage of the interdependencies of IT and OT in such critical infrastructures as:

As we noted in a related CISO Stories eBook, organizations are so focused on computers, smartphones and artificial intelligence that we often forget about the physical technology that generates the electricity, assembles the hardware and transports the engineers and specialists that computer systems need in order to operate.

Yet this "operational technology" needs cybersecurity too. That's because factories, pipelines, power plants, transit systems and even cars and trucks are managed and regulated by computerized industrial control systems or embedded digital devices.

Unfortunately, the digital security of operational technology lags years, even decades, behind that of traditional information technology. Attackers have learned to exploit this security gap, but in response, industry and government authorities are crafting new guidelines and frameworks to protect OT systems, especially those having to do with critical infrastructure.

The Achilles' heel of operational-technology security is time. Computers and smartphones have short lifespans, with older models being replaced every three to eight years. Except for some "big iron" servers, the cybersecurity industry assumes that IT hardware and personal devices will completely turn over at least every 10 years. Google stops updating Pixel phones after three, five or seven years, depending on the model; Microsoft's Windows 11 won't run on PCs built before 2017.

Anything older is a "legacy" system. Physical technology, on the other hand, needs to run for decades. Commercial airliners are built to last 25 or 30 years. The New York City subway system is still replacing switching and signaling systems that date back to the 1930s. Even regular passenger vehicles, once considered disposable after three or four years, are now expected to last seven, 10 or 12 years before being replaced.

OT networks are often unsegmented, allowing intruders free rein once past the perimeter; communications protocols are weakly encrypted or plaintext; administrative passwords are often unchanged from the defaults (as any SHODAN scan will reveal), or may be shared among several individuals; remote access is often set up without the proper safeguards.

LOCKED SHIELDS 2024 exercises focused on such vulnerabilities and how different agencies and private organizations can work together to mitigate risk and blunt the force of any future attack.

Conclusion

I was honored to be invited to Distinguished Visitors Day at Exercise LOCKED SHIELD 2024 and left feeling inspired and energized to support the National Center of Excellence for Critical Infrastructure Security – a partnership between JFHQ-DODIN, West Virginia University, Marshall University, and private industry – as it works to address shared critical infrastructure challenges.  With public and private sector partnerships playing an increasingly vital role in our national security, please consider how your organization can support our shared mission to create a safer future domestically and abroad.