VIEWPOINT DEFENSE DEPARTMENT
Comply-to-Connect Protects Military Systems
The Defense Department increasingly relies on evolving IT systems and networks to conduct military operations and perform critical functions, such as logistics, budgeting, building automation and power distribution.
Today, it’s clear that while connected defense systems are diverse, they share the same urgent need for secure configuration and other defensive fundamentals.
There is a growing mindset within the department that leaders can no longer afford to view the safeguarding of “cyber things” and “physical things” as distinct, siloed responsibilities.
Aligning security more tightly across connected devices, facilities and other platforms is a long-sought, closely watched Pentagon objective.
An all-inclusive view of cybersecurity becomes even more urgent as lines continue to blur between traditional office IT, internet-of-things enabled gear, and operational technology governing energy, facility access and other physical systems.
The Defense Department is effectively becoming an “enterprise of things.” To fortify it all, Pentagon leadership must recognize information technology and operational technology as a singular, united network environment which requires a holistic, integrated cybersecurity strategy.
Think of integrated information and operational technology defense like homeownership. Homeowners don’t hire one company to place sensors on windows, then turn to separate providers for the front, back and garage doors, and another to monitor smoke detectors. The benefits of having sensors only go so far. For effective situational awareness, one needs status and indicators from all these sensors integrated in real time.
Similarly, the Defense Department should take a “unified strategy” approach in maintaining combined IT/OT cybersecurity situational awareness and readiness.
Fortunately, there are proven tools and approaches that can accelerate this unified strategy. Installation cybersecurity professionals can incorporate Comply-to-Connect (C2C) to improve the authentication, authorization, compliance assessment and automated remediation of devices and systems.
An already funded program, Comply-to-Connect enables IT teams to authenticate endpoints including: physical and virtual workstations; physical and virtual servers; networked user support devices and peripherals; mobile devices; network infrastructure devices; platform information technology devices; and internet-of-things devices.
They are then assessed for compliance with security policies prior to authorizing network access. In this “zero trust” security model, compliant devices and systems gain access to appropriate network segments necessary for missions, while unauthorized devices do not.
The program brings unique value because its scope goes beyond traditional IT networks that include desktops and servers. Comply-to-Connect also applies to non-traditional networked endpoints including internet of things and operational technology devices such as industrial control systems, building automation systems, weapons and other tactical systems, medical equipment, and many other mission-supporting endpoints.
C2C combines all systems and their components “in one house” as an integrated whole. This kind of approach is good news for administrators of the formerly separate facility, IT and operations worlds, because the lines between these are blurring.
The integrated, zero trust approach of Comply-to-Connect means personnel supporting these systems do not need to search for new, piecemeal tactics for defending these blended control systems. The Pentagon’s chief information officer and Defense Information Systems Agency are already providing it.
For installation cybersecurity teams to maximize the effectiveness of Comply-to-Connect, they must include several components in their overarching strategy and execution.
First, there must be comprehensive device visibility, including a complete discovery, classification and security posture assessment. There are almost always more types of devices on a network than periodic inventories suggest. Agencies must achieve complete visibility by combining active and passive network monitoring techniques to identify multiplying numbers and types of connected endpoints before any other security tools can be effective.
Next, there must be automated orchestration of security and management processes. The greatest value of true network visibility is being able to act on what is found. Defense systems are governed by extensive compliance and configuration management tools. To drive return on investment on these existing efforts, Comply-to-Connect is charged with enabling automation and orchestration of actions necessary to restore systems to a trusted state or control their level of access to network data, applications and services until a trusted state is achieved.
Finally, there must be continuous monitoring. The magnitude of devices and connected systems across Defense Department networks, and Comply-to-Connect’s scope across office, data center, cloud, facility and other non-traditional systems, mean “continuous” is critical.
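The three components above (discovery that merges active and passive data, assessment that gates access by segment, orchestration that remediates or restricts until a trusted state is reached, and a repeating monitoring pass) can be modelled in a few dozen lines. The following is an added illustrative example written for this page; it is not DISA's, the Pentagon CIO's or Forescout's Comply-to-Connect code, and every name in it (the `Segment` values, the `POLICY` table, the port allow-lists, the sample MAC addresses and inventory) is a constructed assumption chosen to show the workflow, not a real policy baseline.

```python
"""Toy Comply-to-Connect style policy engine (added example, constructed data).
Models: discovery (active inventory merged with passive observation),
posture assessment that assigns a network segment, automated remediation
with immediate re-assessment, and a repeatable monitoring pass."""
from dataclasses import dataclass, field
from enum import Enum


class Segment(Enum):
    MISSION = "mission"            # compliant: access to the segment the mission needs
    REMEDIATION = "remediation"    # authenticated but non-compliant: patch/management only
    BLOCKED = "blocked"            # unauthenticated or unclassified: no access


@dataclass
class Endpoint:
    mac: str
    device_class: str              # "workstation", "server", "plc", "hvac" or "unknown"
    authenticated: bool = False    # stands in for an 802.1X/certificate/MAB result
    agent_present: bool = False
    patch_age_days: int = 0
    listening_ports: frozenset = frozenset()
    segment: Segment = Segment.BLOCKED
    findings: list = field(default_factory=list)


# Constructed per-class policy. OT classes are assumed unable to host an agent,
# so they are judged on classification plus an allow-list of expected services.
POLICY = {
    "workstation": {"agent": True,  "max_patch_age": 30,   "ports": {22, 443}},
    "server":      {"agent": True,  "max_patch_age": 30,   "ports": {22, 443, 5432}},
    "plc":         {"agent": False, "max_patch_age": None, "ports": {502}},
    "hvac":        {"agent": False, "max_patch_age": None, "ports": {47808}},
}


def discover(active_inventory, passive_observations):
    """Merge the periodic (active) inventory with passively observed traffic.
    A device seen on the wire but absent from the inventory becomes an
    'unknown' endpoint so it is contained rather than ignored."""
    devices = {e.mac: e for e in active_inventory}
    for mac, ports in passive_observations:
        if mac not in devices:
            devices[mac] = Endpoint(mac, "unknown", listening_ports=frozenset(ports))
        else:
            # passive data can reveal services the inventory record did not list
            devices[mac].listening_ports |= frozenset(ports)
    return devices


def assess(ep):
    """Evaluate one endpoint against its class policy and assign a segment."""
    ep.findings = []
    if not ep.authenticated or ep.device_class not in POLICY:
        ep.findings.append("unauthenticated or unclassified device")
        ep.segment = Segment.BLOCKED
        return ep.segment
    rule = POLICY[ep.device_class]
    if rule["agent"] and not ep.agent_present:
        ep.findings.append("management agent missing")
    if rule["max_patch_age"] is not None and ep.patch_age_days > rule["max_patch_age"]:
        ep.findings.append(f"patches {ep.patch_age_days} days old")
    extra = set(ep.listening_ports) - rule["ports"]
    if extra:
        ep.findings.append(f"unexpected services {sorted(extra)}")
    ep.segment = Segment.REMEDIATION if ep.findings else Segment.MISSION
    return ep.segment


def orchestrate(ep):
    """Simulated remediation: only the patch-age finding is auto-correctable
    here (a patch job is triggered); other findings stay open and the device
    stays in the remediation segment until a person resolves them."""
    if any(f.startswith("patches") for f in ep.findings):
        ep.patch_age_days = 0          # stands in for a completed patch job
    return assess(ep)                  # re-assess immediately after acting


def monitoring_cycle(devices):
    """One continuous-monitoring pass: assess, remediate what can be, re-assess.
    Returns {mac: segment-name} for the access-control layer to enforce."""
    for ep in devices.values():
        if assess(ep) is Segment.REMEDIATION:
            orchestrate(ep)
    return {mac: ep.segment.value for mac, ep in devices.items()}


# Constructed sample data: a periodic inventory plus what passive monitoring saw.
INVENTORY = [
    Endpoint("00:aa:01", "workstation", authenticated=True, agent_present=True,
             patch_age_days=45, listening_ports=frozenset({443})),
    Endpoint("00:aa:02", "plc", authenticated=True, listening_ports=frozenset({502})),
    Endpoint("00:aa:03", "server", authenticated=True, agent_present=False,
             patch_age_days=3, listening_ports=frozenset({22, 443})),
]
PASSIVE = [
    ("00:aa:02", {502, 80}),     # PLC also exposing a web console the inventory missed
    ("00:bb:09", {23}),          # never-inventoried device speaking telnet
]


def run_example():
    devices = discover(INVENTORY, PASSIVE)
    result = monitoring_cycle(devices)
    for mac, ep in devices.items():
        print(f"{mac:10} {ep.device_class:12} -> {ep.segment.value:12} {ep.findings}")
    return result


if __name__ == "__main__":
    run_example()
```

Running it shows the behaviour the article describes: the out-of-date workstation is pushed to the remediation segment, patched and re-admitted within the same pass; the PLC and the agentless server stay restricted because their findings need a human decision; the device that only passive monitoring noticed is blocked outright. The design point is that `assess` is called again after every remediation action and on every cycle, so the segment a device sits in is never a one-time admission decision.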
More than blocking unauthorized devices and remediating vulnerabilities, C2C’s wider value comes from continuously assessing connected devices and users to ensure the integrity of the data sharing and other services these networks provide.
Each user has their own set of challenges. But they all share the same concerns about “what” is connected to their network and “who” is accessing “which” data, applications and services.
By creating a consolidated, integrated approach to cybersecurity with Comply-to-Connect, the Pentagon can replace fragmented, ineffective measures with those that are proven to support comprehensive readiness.
Dean Hullings serves as global defense solutions strategist at Forescout Technologies in McLean, Virginia.