    Cyber Resiliency and Readiness: Fortifying Control Systems Against Evolving Threats

    Photo By Turner Dilley

    In an era when cyber threats are evolving at a faster pace than cybersecurity advancements, cyber resiliency and readiness emerge as essential defense mechanisms. It is not just about protecting systems. It is about certifying systems can endure and recover from the unthinkable, to ultimately preserve critical mission continuity.

    A key aspect of cyber resilience is ensuring the people who maintain and operate core control systems are equipped with the tools and acumen to both proactively harden cybersecurity measures against threats and respond swiftly and effectively in the face of an attack.

    Cyber resiliency and readiness prepare organizations to tackle these scenarios head-on, bridging the gap between traditional cybersecurity and real-world resilience. By simulating sophisticated threats and evaluating response strategies, Control Systems Resilience Readiness Exercises (CRREs) provide a roadmap to fortify defenses, mitigate risks, and safeguard essential operations.

    The Department of Defense, in collaboration with each of the Services, routinely conducts CRREs across military installations to proactively address threats and to identify deficiencies, gaps, and strategies for mitigating and eliminating identified system vulnerabilities. In 2021, the Department of the Air Force carried out its first CRRE at Wright-Patterson Air Force Base, Ohio, which set a strong foundation for replicating and scaling the exercise at other Air and Space Force bases since then.

    CRREs are an invaluable tool within the DOD’s and the DAF’s cyber preparedness strategic toolkit, intentionally inducing outages and cyber-attacks on live installation control systems to provide realistic training grounds for response tactics. When a critical control system is compromised – as it often is during a simulated CRRE – participants are forced to maintain operations and minimize disruptions to the mission manually.

    Such stress tests enable installations to pinpoint any breakdowns in response procedures, processes, and coordination, allowing for the refinement of these elements to ensure optimal response readiness and recovery.

    An effective CRRE aims to uncover vulnerabilities in control systems that could be exploited. Hardened control systems are vital for critical infrastructure like energy grids, water treatment plants, and transportation systems, ensuring their safe and efficient operation in support of DAF missions.

    Much of the benefit of conducting a CRRE is derived in the months of lead-up – before even executing the real-time readiness exercise on base. During the extensive planning and coordination phase, stakeholders from across an installation work with DOD and DAF cyber experts to zero in on the technical connections and dependencies between Air Force Civil Engineer-owned real-property infrastructure and the supported mission-owned systems and capabilities.

    According to Minta M. Huddleston, HAF/AF A4C Chief of Civil Engineer Control Systems and AODR, some of the most important questions base civil engineers should consider in preparing for a CRRE – but also in day-to-day operations, broadly – include:
    -- Are the appropriate local and mechanical controls in place to prevent damage to potentially compromised equipment?
    -- Does the system operate in hand?
    -- Do I have a spare?
    -- Do we have compensating controls, like emergency power generation to keep our critical systems online during an outage?
    -- Is the generation properly sized?
    -- Is the critical system connected to the generation?

    It’s in the preparation stage, when taking a deeper look at the interconnectedness of control systems and an inventory of current cybersecurity measures and incident response plans, that potential gaps and areas for improvement are brought to light.

    Reflecting on the lessons learned over the course of conducting these exercises, Huddleston shared, “It is important to understand that the control system and the operational system it supports are not one in the same.”

    “Control systems are deployed to optimize manpower, and we absolutely need control systems to augment operations,” Huddleston continued. “However, there are daily and emergency conditions that require our engineers to operate without a control system. It’s standard operating procedure for the squadron, and this is where civil engineers excel!”

    Air Force Civil Engineers have an instrumental role in assuring robust cybersecurity as the on-base operators and maintainers of critical control systems and infrastructure. They are integral in conducting CRREs – from initial preparation for the simulation to live assessments of impacted control systems, coordination of targeted response and recovery efforts, and then in the development of forward action plans to mitigate future cyber threats and fortify security measures.

    Every Airman has an active responsibility in preventing cybersecurity breaches of critical control systems. They must be adept in cyber resiliency and readiness tactics to ensure effective safeguarding of base infrastructure, proactively combat cyber-attacks, and respond to and recover from cyber incidents.

    “We are not looking to make engineers into cyber defenders, but rather to build up the expertise to instill basic cybersecurity practices, awareness, and understanding across our career field to prevent adversarial threats,” said Huddleston.

    In terms of formal cyber resilience and readiness education, the Air Force Institute of Technology offers courses specifically designed for civil engineers. The Cybersecurity for Control Systems course (WENG 170) familiarizes Air Force Civil Engineers with the basic principles of control systems cybersecurity to mitigate and defend against cyber-attacks, while the Advanced Control Systems Cybersecurity course (WENG 270) includes hands-on exercises targeting wireless access points, fire alarms, traffic lights, and other critical infrastructure components. Additionally, the Control Systems Cybersecurity for Civil Engineer Leaders course (WENG 370) provides knowledge on threats, vulnerabilities, and mitigation strategies.

    Whereas formal cyber education can only go so far in building readiness, CRREs take it one step further to offer a distinct immersive learning opportunity for participants to apply abstract learned principles, methodologies, and tactics in real-world, high-pressure settings.

    The importance of cyber resiliency and readiness cannot be overstated. As the threat landscape continues to evolve, it is imperative for organizations, especially those responsible for critical infrastructure, to be prepared for, respond to, and recover from cyber incidents. After all, in today’s day and age, it's not a matter of if an attack will occur. It's a matter of when.

    NEWS INFO

    Date Taken: 05.07.2025
    Date Posted: 05.07.2025 14:17
    Story ID: 497302
    Location: US

    PUBLIC DOMAIN