How We Can Better Protect Critical Infrastructure

To find out how we can address emerging threats to electromagnetic security and better protect critical infrastructure, Ken Miller talks with David Tilton and Dr. Nathan Hansen of the Electromagnetic Security Consortium (ESC).

Speaker 1 (00:10):
Welcome to From the Crows' Nest, a podcast on electromagnetic spectrum operations or EMSO. I'm your host, Ken Miller, Director of Advocacy and Outreach for the Association of Old Crows. Thanks for listening. In today's episode, we are going to talk about electromagnetic security and a new consortium that is starting up to address some of the emerging threats and pursue new standards for industry as a way to provide greater protection for critical infrastructure. With me today is David Tilton. He is the acting Executive director of the Electromagnetic Security Consortium and VP of Business Development for the Conductive Group, along with Dr. Nathan Hansen, who is the CEO of the Conductive Group, but is also chairman of the consortium. Nathan and David, thanks for joining me here on From the Crows' Nest. It's great to have you on the show.
Speaker 2 (00:56):
Thanks for having us, Ken.
Speaker 3 (00:58):
Absolutely, Ken, thank you.
Speaker 1 (00:59):
We're going to dive into an issue that gets a lot of conversation, but I have to be honest, I don't know a whole lot about, I think when we oftentimes talk about electromagnetic spectrum operations and kind of related capabilities, our minds go directly to overseas to peer competitors, threats, great power, competition concepts, but the electromagnetic security consortium that both of you are starting up as well as the field that you were in terms of electromagnetic security and EP, there's a huge domestic piece to this and so want to kind of talk about the whole EP problem, but I know that there's going to be an element of this about domestic EP that I don't think gets enough air time in our conversation. So to begin, I wanted to go into why did you feel the need to create the consortium as kind of a response to the growing threat or concern that's out there in terms of EP for both critical infrastructure and military systems?
Speaker 2 (01:56):
Well, I think that's a good question, Ken, if you just kind of back up a little bit and think about EP, we like to say that, we spend a lot of time and effort developing offensive capability and often time the countermeasure is overlooked. And that's true of both tactical situations and also here domestically. But if you take that and think about what we're doing with critical infrastructure protection and cyber security, there's always a lot of attention put on the cyber security side of it, the data security side of it, the insider threat and human side of it, and often the RF and physical security side gets overlooked or waived or compromised or in some other fashion so that to make it easier, more cost effective, we see that creates a lot of vulnerabilities, not only in the intelligence community and defense community, but in our critical infrastructure sectors, utilities, power, finance, data centers, telecom, et cetera.
(02:52):
And while there are certain segments of the federal space that pay close attention to this, and they follow the IC705 guidelines and Tempus guidelines within the intelligence community, it's often waived and overlooked in defense. And there is really no industry guidance that's succinct and easy to follow and provided to the rest of the defense industrial base and critical infrastructure sectors. And so we really felt that as an industry we could do a lot more to protect our infrastructure and create market opportunities for the businesses and companies and technologies in this space by forming a consortium and banding together. It's really a highly segmented and underrepresented space in our industry.
Speaker 1 (03:35):
Nathan, could you talk a little bit about some of the instances that we've seen in the news even recently where this has been either the issue had to do with a lack of preparedness or lack of capability from the EP front that may have caused it and I know that there was a solar winds incident. What are some of the other kind of current events that have really brought this issue into focus for you and others in the community?
Speaker 3 (04:01):
Yeah, so Ken, that's an excellent question and I'd like to actually make it even maybe a broader comment against that as well too that explains why we see this as such an emerging need area. And this is really something that all of us understand is the universal dependence that we have on wireless communication. 10 years ago, wireless was an option and now wired is the option, and that's a really quick timeframe for technology for have moved on. And it's really at a level that even consumers every day just reading the headlines understand this is a conversation that translates beyond the defense sector. It turns into a national critical security conversation quickly there, because the more and more reliant we are as a nation on the ability to preserve the integrity of our wireless information, the more important it is to talk about the security of electromagnetics and how that fits in.
(04:59):
So everybody understands that they have a cell phone in their pocket, but we start to then have a conversation about what are the risk factors to the nation if wireless networks are more vulnerable when they think they are or they're susceptible to upset or there's susceptible to any number of attack vectors that it can occur over electromagnetic channels.
(05:18):
So that's my first comment is that, there's really a more broadly understood need case around electromagnetics than there really ever has been before. So circling that back to some of the defense specific components of this and some of the critical infrastructure specific components of this, there are instances, and not all of them can be discussed here obviously. There's specific instances of things that are happening and information leakage and the problems that occur with wireless vectors. And it's not just information security and information leakage, right? It's also the possibility of having systems damaged over wireless channels. And even to the point where there's concerns about threats to humans as well too over these channels. We see in the headlines concerns with things like Havana syndrome and there's still discussion in the community about what exactly is going on there, but radio frequency energy is a key component that underscores all of these things. So that's really part of the impetus for addressing this.
Speaker 1 (06:25):
I wanted to pull the thread on, you were talking about the EP community and the people working in that field. One of the challenges that we've always had as EMSO community is that, like you mentioned at the beginning of your answer, a lot of the time intention's been focused on the offensive side. When you think of the "war fighter" it's offensive minded. We have offensive communities that are electronic warfare officers, but when we get into EP, these are more technologies, countermeasures capabilities that we are part of systems and are baked in at systems at different points in time. And so we don't really have an EP community that we can easily identify. So sometimes it's hard when we're raising the issue of EP to really know who's the right person or who are the right people or the right offices to talk to. Is that the same from your perspective when you're dealing not just with DOD, but a host of other agencies, both in federal government and commercial?
Speaker 2 (07:19):
Yeah. Our industry is really a reflection of our customer base. We have a lot of highly segmented agencies that we have to work with, a lot of three letter agencies that by design don't talk to one another or even communicate within their own agencies. So the EP community tends to reflect that.
(07:36):
We have a lot of smaller players, regionally focused, segmented, that have developed their businesses based on past relationships and who they know or their former role within the government. That's not necessarily a bad thing, but it is difficult then from an industry perspective to unify a voice and to represent the needs of the industry and to help push on standards and adoptions of new technology, which has been one of our challenges at the conductive group is to get some of our more innovative shielding solutions adopted simply because as you pointed out, there is no central belly button that there are some agencies obviously, that carry greater weight than others, but there a lot of times making their own independent decisions about what technologies they adopt or blacklist even. So we're really trying to tackle that from an industry perspective and provide what we feel is the right solution to solve these challenges and unify that voice.
Speaker 1 (08:36):
Now, one of the challenges, I want to ask you a little bit about kind of getting your message out there because in the past when I've been exposed to this issue or AOC has stepped into this issue, we've gotten quickly into this discussion where I feel like there's two camps. There's the camp that is either really ignoring the problem or saying it doesn't exist, and then there's this other camp that also almost makes the threat seem unrealistic. Do you feel that there is a need to redefine the sense of urgency for addressing this matter of electronic protect, particularly of critical infrastructure so that we do not spend too much time talking about unrealistic scenarios that are out there?
Speaker 2 (09:21):
I think you're right there. Traditionally, there's been a lot of, boy the pride wolf type activity, especially within the EMP community, and that's good and bad, right? It has, I think in some ways made it harder to cut through that noise and to talk about practical solutions. And in fact, we are partnering and working with some of the groups that are really concerned with EMP because we share some common threat and synergy and vision for what should be done. And really the conversation with that community is shifting to practical solutions. We know we can't redo the entire power grid of the United States, right? But we can go in and protect the water utility district in Washington DC and the power grid in Washington DC and other critical major population centers. Strategically target areas where there's greater population and critical assets that really should be protected because yeah, maybe it never will happen, but the day that it does is a really, really difficult day.
(10:20):
I mean, you look at natural disasters and what happens when we're not properly prepared and people don't have food and water and how things disintegrate and deteriorate so quickly. So the event of an EMP is a really frightening scenario that we all hope never happens. But I think there are some practical ways that we can address that. In fact, we're cosponsoring a bill called the Infrastructure Resiliency Act that specifically does that. It targets very specific pieces of our infrastructure. We can't protect the whole country, but if we can hit a large portion of the population, that's a good thing to do. We also see a shift within the defense and intelligence community just due to the elevation of nuclear threats from China and Russia. And we all know they have greater EW capabilities, whether that's shooting down drones or the recent demonstration of China's high power microwave weapon.
(11:14):
We know they have capabilities that we haven't had to deal with in the last couple of decades in the Middle East. And so now we've talked to command and control groups that said, we're naked out there or our whole command and control system is completely vulnerable. We've pushed, and not just from EMP, but from high power microwave jamming other EW capabilities. We spent two decades through the Perry Initiative pushing for commercial office shelf electronics to reduce cost and improve performance and all the good things that come along with that. But that also then creates vulnerabilities that if you don't bake in the electromagnetic shielding into those systems, yeah, you have great capability, but you're also very vulnerable. So we've seen a shift in folks that are going, Oh, we really do need to start thinking about EP. We're seeing a shift in the DOD community that normally relies on standoff.
(12:07):
They'll say, oh, we have a skiff, but you know what? We're in the middle of a base. We have tons of standoff. We don't need to worry about shielding. We'll wave that requirement. Well, those waivers aren't being granted. There's locations that are at risk of losing their ability to operate because they don't have the RF protection. We also have more and more encroachment on the military bases, especially in the case of the Navy, where that standoff gets shrunk and shrunk and shrunk over time. We have Chinese buying up land around military bases. So there's definitely a shift in awareness of the threats that we may be facing, and we're hoping to be on the front end of finding solutions to mitigate those threats.
Speaker 1 (12:47):
Nathan, do you have anything you wanted to add on that particular issue?
Speaker 3 (12:52):
Yeah, actually I just have a quick comment on this, Ken. There's obviously a reason that both of those extremes believe the way that they do, but they also can't both be completely right. There has to be this common sense middle ground where solutions just simply make it to the field where they need to be. These are the type of threats that are occurring around us right now. This isn't the type of area where we can wait a generation to put a response in place.
Speaker 2 (13:16):
One other comment I would add, we're seeing that manifest in the CHIPS and Science Act legislation, for example, where it's a very subtle legal reference, but all these CHIPS foundry sites must be "measurably secure". And what that means and how it's being interpreted is that they essentially need to be built to SCIF standards. So we're working, a number of our consortium members are involved in CHIPS Act foundry construction projects and managing the security aspects of those. And that's indeed what they're doing. They're specing in, RF shielding. They're worried about all aspects of physical security from biometrics and access control to RF, in addition to making sure that the staff inside are vetted and cleared and not just going to leak information out to our adversaries. And I think that's really been highlighted in that recent case, and I forget the name of the company, forgive me for bringing it up, but we had developed a new nanometer chip that was the latest and greatest state of the art thing.
(14:16):
And right before it was even announced by the company that developed it, China released the exact same chip, copied it down to the errors in the design, said, look at our fancy new chip. So how did they get that? That was probably insider threat to get that level of detail. But nevertheless, it's all part of the mitigation strategy. And if you're building something out, the cost to include electromagnetic protection versus not doing it is not that much greater. And it certainly then mitigates that threat. Retrofitting is harder but possible. So we're just trying to get people to think about this upfront, think about building standards in a different way, envision a lead standard, but for electromagnetic shielding and RF protection and other aspects of physical security.
Speaker 1 (15:03):
What was interesting when we sat down and talked about this earlier was you're obviously not just dealing with DOD, you're dealing with multiple agencies at the federal, state, local level, and trying to come up with a set of standards that can be adopted and adhered to from an industry perspective, what is your approach to raising awareness for the standards across so many different players at this federal state and local level?
Speaker 2 (15:31):
Yeah. I think there's a couple of things that we're trying to emulate. I mentioned one on the second ago with the lead standards having something that's akin to that. But if you also look at what NIST did with NIST800, and we've been in communication with the folks at NIST that help set standards. NIST800 was a pretty well thought out cyber security standard that got adopted into the CMMC model, the cyber security maturity model certification or something. I can't remember exactly what the acronym stands for, but that's now something that's being prescribed and mandated. If you want to be a DOD and defense contractor, you have to achieve your CMMC level one, two, or three to receive contracts or to even keep contracts that you have. So if we can create a standard that is akin to a building and construction standard, but then can be adopted across these critical infrastructure sectors, that's really our approach.
(16:25):
And DHS is another key player in this because DHS has the CSA organization, the cyber security infrastructure security agency, and they've defined the 16 critical infrastructure sectors. They also provide guidance as to how they should protect themselves against these different threat vectors, but they don't pay a lot of attention to the physical and RS security side of things. And that's where we hope to partner with them as well as other groups within the intelligence community. Our goal isn't to replace the standards that exist today for the DOD and the intelligence community, but rather create a parallel industry standard that can be adopted in other areas. And maybe someday it's referenced or somehow incorporated, what we intend to do could certainly meet the requirements of the DOD and intelligence community, but this would be a more industry driven, user friendly, open standard that others could adopt.
Speaker 1 (17:18):
So I want to go into the consortium. Could you talk to us a little bit about where the consortium is today? What are you working on currently and what is kind of your pathway forward for the consortium?
Speaker 3 (17:31):
Yeah, actually I'm happy to jump in on that a little bit right here. And Ken, what underscores this, just to build on Dave's last comment, is it there's a number of communities that really need to be starting to have this conversation about electromagnetics. There's some that are already having the conversation about it. We do know for sure that if we just tried to scale out exactly the way the government handles this today that it just wouldn't work, the infrastructure doesn't line up with that. So it's really been this call to action across industry and across companies like ours and all of our collaborators that work in this area to elevate our posture and to elevate the way that we can provide support to the government, but also to all these sectors that we see are going to need shielding going forward. So my favorite analogy for the ES consortium is that this is a rising tide that is meant to lift all the ships.
(18:25):
It's meant to lift the government security posture. It's meant to lift industry's ability to serve it. And that's the tone with which we take to it right here. And so to get to some of the specifics, the consortium is a member company model. So those that join our companies and we work to collaborate in five main topic areas. And we have working groups that are assigned to each of those areas. And so those working groups are policy, also standards and best practices, also test and certification and threat vulnerability and countermeasure monitoring, and then directly addressing securing critical infrastructure.
(19:03):
And they all overlap each other in these really nice ways while also still having a focus on addressing some of the specific needs that are unique to each of those topic areas. So as we've brought members on board with the consortium, as we've worked with all of our peers and all those that the support in this area, it's been a really natural conversation to explain why there's a need to harness our energies and why there's a need to get our energy together as industry in a way that we specifically want to collaborate with the government and with academia to start to advance some issues to this and not just to solve the specific government issues, but also an anticipation of being able to address this at a national level?
Speaker 2 (19:44):
Yeah, I mean, I think as you pointed out, we're in our infancy essentially only having been formed earlier this year and then taking on members just over the last couple of months. And as Nate pointed out, we're finding it easy to find an affinity with other companies like ours that say, oh yeah, this is exactly what I want to be participating in. So just through word of mouth and very limited LinkedIn post, we're up to close to three dozen members now and growing. And we're sort of preparing for our first annual member meeting, which Association of Old Crows is so graciously partnered with us to help us launch that. So we intended to get to that towards the end. So if I didn't steal any punchlines.
Speaker 1 (20:23):
So since you did mention a couple things so that we don't neglect to mention it properly at the right time, if people did want to learn more about the consortium, you are on LinkedIn, Electromagnetic Security Consortium, and you're having the introductory member meeting at the AOC 2022, which will be actually the first day of our event on October 25th, on Tuesday, October 25th at the DC Convention Center. So there'll be more information on that on the AOC website, at event website at fiftynine.crows.org. So you can learn more about the consortium or about the event by going to either site there and getting that information. So you're still in the early stages, but pretend for a second that you're now coming back on the show next year. What are some of the short term things that you're really going to put a lot of energy in to knock out the early successes for this consortium?
Speaker 2 (21:17):
Good question. I think first is building the membership. Obviously if we don't have enough members, then you can't claim to represent that industry voice. So first and foremost, we've got to attract members and participants that can help us in our mission and help unify that voice for industry. Having said that, we're already seeing a pretty dramatic shift in how we can engage and how our delegation, congressional delegations are interested in speaking with us. Now that we are a consortium and representing industry, they're a lot more eager to hear what we're doing. Because now we have multiple members that they care about getting support from. So that's interesting. We're seeing a shift in other organizations saying, hey, we'd love to partner with you. This is great what you're doing, see a common vision. How can we work together? What we're trying to do next and really kick off at the annual member meeting is get some energy behind our working groups and start to produce real work, get results, set some goals and objectives over the next year for work product and things that will push back out into the membership and into industry.
(22:19):
So we're trying to get a foothold with that and generate some of those results. Where we hope to be ultimately is a consortium that's managing OTAs and running larger projects and executing on work that needs to be done, not just talking about it. There's a lot of advocacy groups out there that sort of rattle the sabers about EMP and other things like that. We want to get out and actually just do the work and protect infrastructure. And that's why our companies are joining and they're joining because they see it as an avenue, get to projects and the revenue and to make good things happen. And as Nate pointed out, rising tide raises all ships. So ultimately a year from now we hope to be saying, hey, we did this, we got our working groups going, we're executing on our first contracts, our membership has tripled, or whatever it ends up being, but we're not setting too lofty goals, but that's what we're working towards. Again, step one, build the membership, unify that voice. From there, I think we can do good things together.
Speaker 3 (23:15):
I think Dave nailed it pretty well there. It's probably just worth adding on as well too, that in terms of the scope of membership, it's really anybody that deals with electromagnetic issues and critical infrastructure. Anybody that sits in that space, be they on the customer side, be they on the provider side, even on the R&D side, we're really looking to have an ecosystem that gathers a lot of energy around the way that we can start to address this issue in a much more meaningful way, both as a body of industry and as a nation.
Speaker 1 (23:48):
As we've talked about it quite a bit over the recent weeks, it's been a lesson for me cause we are much more vulnerable than I think we are even aware that we are in almost every sector. And so trying to get a handle on that and to prioritize that is no easy task. So there's a whole host of challenges when we talk about this. So what are some of the things that are keeping you up at night? How do we address some of these ongoing problems that we haven't had that maybe we're not able to think about fully yet?
Speaker 2 (24:18):
Workforce development is a big challenge. Workforce development and training and enforcing standards. I think that's kind of getting at the heart of what you're saying. We share that concern as well. I mean even today we're seeing challenges in our industry because the folks that are in charge of specifying shielding and then going back in and approving it and certifying and saying, yes, you're allowed to operate. They're not even coming from the same basis of knowledge. They're not necessarily being trained consistently. They have different views. One guy may say, I want it this way, another guy tries to do something completely counter to that. And so we see inconsistency even within the existing customer base, within the intelligence and defense communities. So some of our members are actively engaged in trying to help solve that with training and certification programs for the current intelligence standards.
(25:06):
And so we intend to partner with them to help train and provide certification and say there's a new technology that comes on the market. We can provide training certification courses so that installers and tradesmen know how to put it in properly and they're certified to install a certain product. A good example of that is Palmer Security Solutions that generate... they manufacture shielded doors, ark doors, soundproof doors, and they have a training certification program where they can bring in installers and certify them on how to install these doors properly so that they perform as they're intended to in the field. So there is a big element of that. We've got to constantly work on workforce development. Sorry that sounds redundant, but I can make a political comment there but I won't. It is a big challenge. It's also a huge concern in the CHIPS and Science Act.
(26:02):
Great we're building all these foundries. Who are we going to get to work in the foundries? 70% of our middle school kids think that they're going to be an Instagram influencer when they grow up. So how do we start to influence younger minds to want to get into technical fields, to adopt a trade that may be critical to national security and infrastructure. It's not a small challenge. And so I think this problem stem, it's much bigger than we're going to solve at the consortium, but it stems all the way back into what our youth are doing and seeing and aspiring to be and how we're training our existing workforce and the folks who have already in the industry and professionals that have been there forever, how do they learn new things? How do they adopt new technologies and get up to speed? And how to do that across an industry is not a small task.
(26:51):
It definitely will take an industry to accomplish that. That's one reasons why we're... one of the reasons we're partnering with universities as well. I see them playing a role in that, whether it's community colleges and trade schools or at the university level. Really what we're doing spans a pretty broad spectrum of skill sets and education levels. Whether it's a guy out in the field rolling on paint or someone who's setting up the whole architectural design and shielding plan for the whole facility and everything in between.
Speaker 3 (27:19):
Yeah. I've got a quick comment here, Ken. One of the things that keeps me up at night on this is that this is the type of area where by the time you've discovered that you've had a problem, it's too late. This is really an area that requires a proactive posture. It's difficult to have a proactive posture for everything, right? There's got to be some lines and some balance in there. So I think there really has to be a focus on solutions that are practical, that are reasonable, that'll be done quickly. The solutions need to be such that they're in range, that we can actually do them, but the alternative of going without could lead to some pretty bad days.
Speaker 1 (27:56):
Well, that's all the time we have for today's episodes. So Nate and David, thank you for taking some time out of your busy schedule to join me. And again, the consortium is up and running and you can learn more on LinkedIn by going to the Electromagnetic Security Consortium group page. You can also look into attending the initial member meeting that is going to be held at AOC 2022 on Tuesday, October 25th at the DC Convention Center. And of course, if you have any questions about the consortium, you can contact them directly and we'll have links, all the appropriate links here on the episode. But I thank you for joining me on From the Crow's Nest and look forward to working with you on this topic.
Speaker 3 (28:38):
Thanks, Ken. Yeah, appreciate it very much.
Speaker 2 (28:41):
Thanks for having us, Ken.
Speaker 1 (28:42):
That will conclude this episode of From the Crow's Nest. I'd like to thank my guest, David Tilton and Dr. Nathan Hansen for joining me. Don't forget to review, share, and subscribe to this podcast. We always enjoy hearing from our listeners, so please feel free to share your thoughts and recommendations. That's it for today. Thank you for joining me.

Creators and Guests

Ken Miller
Host
Ken Miller
AOC Director of Advocacy & Outreach, Host of @AOCrows From the Crows' Nest Podcast
How We Can Better Protect Critical Infrastructure
Broadcast by