Cybersecurity for power grids, water supply systems, telecom networks and transportation systems is an increasingly important business for defense contractor BAE Systems.
And odds are good that if a utility uses BAE Systems technology to keep its assets secure, technical staff at its Rancho Bernardo facility played a role. The San Diego suburb houses BAE Systems’ Software Development Center of Excellence.
The corporation has been providing cybersecurity in the utility, commercial and industrial space on a small scale for about five years, said Damon Brady, director of advanced GEOINT systems in Rancho Bernardo, adding that it has been ramping up in the utility space for the past two or three years.
“We’re intent on being a valuable and important solution to help defend critical infrastructure,” Brady said. “Our San Diego facility is an important part of making that happen.”
BAE Systems sees a “significant value proposition” in applications for critical infrastructure. Growth in the space has been in the 20-30% range, Brady said. “We see that as a significant growth engine going forward.”
Many aspects of power grids, water works and other critical infrastructure can be managed by remote control. There are benefits to that, but the arrangement can also leave such infrastructure at the mercy of bad actors.
Case in point: hackers demanding a ransom took control of Colonial Pipeline in May 2021. Colonial Pipeline responded by shutting down the flow of fuel from Texas to the Eastern Seaboard for about seven days as a precaution, the Department of Energy reported. Reuters reported the hackers got access by stealing a single password, which they plugged into a legacy system that had single-factor authentication.
Not everyone has the budgets of major corporations or investor-owned utilities. Many water systems are run by municipal governments and have “very low budgets,” BAE Systems’ Brady said.
BAE Systems applies its defense contracting skill set to offer cybersecurity for industrial controls. Part of its approach is that it has its own proprietary computer code. The company wrote its own secure operating system, called STOP. If a bad actor wants to attack, “we have a very small attack surface,” Brady said.
During its 30 years of operation, STOP has not required a security patch. Utility staff can learn it because its user interface is similar to Linux.