Study: Pentagon fuel supply at risk of hack

The Pentagon should take a page from the Department of Homeland Security’s cyber defense playbook for energy infrastructure to guard against electronic assault on its fuel supply chain, according to a new study.

The Defense Department's use of unsecured networks to oversee the distribution of fuel and other logistical activities has left it vulnerable to the same kind of malware-based cyberattack that crippled 30,000 computers in oil giant Saudi Aramco's networks in 2012, according to "Hacks on Gas: Energy, Cybersecurity and U.S. Defense," a report written by Christopher Bronk, a fellow in IT policy at Rice University's Baker Institute. He produced the report for the U.S. Army War College's Strategic Studies Institute.

DOD's operations manager, the Defense Logistics Agency, should accelerate its protection of supervisory control and data acquisition (SCADA) systems in its fuel-distribution networks, Bronk wrote, just as DHS has done with private-sector energy infrastructure providers through the Industrial Control Systems Cyber Emergency Response Team.

"The DOD would be well served to carefully engage in efforts similar to those undertaken by the Department of Homeland Security to improve the cyber defenses of industrial control systems deployed in electricity," he wrote. The threat to oil and gas production and distribution is real, he added, but the odds of a widespread catastrophic attack remain slim.

Nevertheless, DOD should better protect its logistics networks, particularly DLA's Fuels Automated System, which handles a variety of applications that fall under the Enterprise Business System (EBS).

"DOD fuels management is paperless and utilizes Windows-based client/server applications and Web-based applications where data is entered and received via an Internet browser,” Bronk wrote. Rather than develop its own fuels management system, DLA opted for an enterprise software package that includes commercial technology.

The software allows the system to run on commodity computers that use Microsoft Windows. The operations might be cost-efficient, but the Windows/Intel platform is exploitable by attackers, Bronk wrote. Furthermore, DLA’s EBS Energy Convergence program could deepen that vulnerability as the agency deploys more network elements designed to function easily with the standards and practices of the oil and gas industry.

Sophisticated attackers are likely aware that DOD runs commercially available SAP products on its Non-classified IP Router Network that is connected to the public Internet, while physical disconnects, or "air gaps," protect other DOD networks, Bronk wrote.

However, he concluded that creating and maintaining a classified computing environment to manage fuel acquisition and distribution might be technically infeasible and would certainly be costly.

He recommended instead that DOD develop a better organizational approach to protecting its fuel-distribution system from electronic assault, including recognizing that the threat spans the entire fuel supply chain, not just DOD facilities; developing trusted third-party and clearinghouse relationships to help detect threats; and sharpening detection skills and risk management. Those all require that DOD have reliable intelligence on spikes in fuel demand, local conflicts in oil-producing regions and terrorist threats against fuel supplies, including the likelihood of such attacks.