A recent Government Accountability Organization investigation has turned up a substantial number of network vulnerabilities in industrial control systems used by the US military for monitoring or operating base infrastructure (emphasis added):

For example, “most” Navy and Marine Corps industrial control systems (ICS) “have very little in the way of security controls and cybersecurity measures in place,” according to government documents identified by the GAO.

That leaves many installations exposed to a “cyber-physical effect” attack that could cause the “physical destruction of utility infrastructure controlled by an ICS,” the GAO said.

An example of a successful cyber-physical attack through an ICS was the “Stuxnet” computer virus that was used to attack Iranian centrifuges in 2010. By hacking the Iranian nuclear facility’s ICS, the centrifuges were made to operate incorrectly, causing extensive damage.

“According to DoD, the same type of ICS can be found in the critical infrastructure on numerous DoD installations,” which means “the military services’ ICS may be vulnerable to cyber incidents that could degrade operations and negatively impact missions,” the GAO report said.

In addition to shutting down the basic water and electrical systems at a military base, the ICS vulnerabilities “could be used as a gateway into the installation’s information technology system or possibly DoD’s broader information networks,” the report said.

Last year, a Pentagon order required the military services to identify and secure these computers, but military installation officials said meeting the 2014 deadline was impossible and asked to extend the deadline to 2018, according to the GAO.

Plans for upgrading the military ICS systems remain in the early stages; none of the services has a full and accurate inventory of the ICS systems on its installations, according to the GAO.

This is one area that scares me more than any other when it comes to military cyber security posture. Very few people within DoD know much of anything about industrial control systems, much less how they are connected to the networks, and the vulnerability baggage attached with these unnecessary connections.