There are a number of serial-based computer networks and Industrial Control Systems/SCADA environments that provide mission-critical impacts to the DoD. However, the traditional CVA/H kit is not designed with ICS/SCADA or these sensitive systems in mind; it lacks the equipment to passively map the network or the parsers for the specialized protocols currently in place. Furthermore, operators are not trained on serial data, do not know how to read anomalies, and are consequently unable to protect these unique environments.
How can a defensive cyber operator effectively identify malicious cyber activity occurring on these serial and ICS/SCADA networks? Can the military build a comprehensive cyber hunt kit with ICS/SCADA-based tools that is all or mostly open-source to effectively hunt on these networks with the lowest risk to the mission partner and the highest success to the team? Specifically, this research must identify both the equipment and the processes required for hunting for malicious activity on serial networks. Ultimately, how can existing, effective open-source tools be combined into a comprehensive kit—alongside knowledge dashboards and playbooks—targeting known adversary tactics, techniques, and procedures (TTPs) in the ICS environment that make their actions stand out from normal traffic?
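The intro above argues that the stock kit lacks parsers for the serial protocols in use and that operators cannot read anomalies in serial data. To make that concrete, here is an added example of what the simplest such parser looks like; it is not code from the page or from any cited work, and it assumes Modbus RTU (a common serial ICS protocol the page does not name), frames that have already been split at the RTU inter-frame silence, and a hand-maintained list of expected unit IDs. It validates the CRC, builds a passive inventory of which function codes each unit uses, and flags write commands, exception responses, unknown units and CRC failures for analyst review; all traffic in the block is constructed.

```python
"""Passive Modbus RTU frame inspection for a serial hunt kit (added example;
Modbus RTU, the unit list and all frames are assumptions, not from the page)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Function codes a hunt analyst cares about (standard Modbus public codes).
READ_CODES = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
              0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
WRITE_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
               0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
DIAG_CODES = {0x08: "Diagnostics", 0x2B: "Encapsulated Interface Transport"}


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Append the little-endian CRC; used here only to construct sample traffic."""
    body = bytes([unit, function]) + payload
    crc = crc16_modbus(body)
    return body + bytes([crc & 0xFF, crc >> 8])


@dataclass
class Frame:
    unit: int
    function: int
    payload: bytes
    crc_ok: bool
    flags: List[str] = field(default_factory=list)


def parse_frame(raw: bytes, known_units: Set[int]) -> Frame:
    """Decode one RTU frame and attach hunt flags; the wire is never written to."""
    if len(raw) < 4:
        raise ValueError("Modbus RTU frame needs at least unit, function and CRC")
    body, crc_bytes = raw[:-2], raw[-2:]
    crc_ok = crc16_modbus(body) == (crc_bytes[0] | (crc_bytes[1] << 8))
    frame = Frame(unit=body[0], function=body[1], payload=body[2:], crc_ok=crc_ok)
    if not crc_ok:
        frame.flags.append("CRC_MISMATCH")      # line noise, or a frame not built by a real master
    if frame.unit not in known_units:
        frame.flags.append("UNKNOWN_UNIT")      # unit ID missing from the site inventory
    if frame.function & 0x80:                   # high bit set = exception response
        code = frame.payload[0] if frame.payload else None
        frame.flags.append(f"EXCEPTION_RESPONSE:{code}")
    elif frame.function in WRITE_CODES:         # state-changing command: always worth a look
        frame.flags.append(f"WRITE:{WRITE_CODES[frame.function]}")
    elif frame.function in DIAG_CODES:
        frame.flags.append(f"DIAG:{DIAG_CODES[frame.function]}")
    elif frame.function not in READ_CODES:
        frame.flags.append("UNCOMMON_FUNCTION")
    return frame


def inventory(frames: List[Frame]) -> Dict[int, Set[int]]:
    """Passive map: which function codes each unit ID was seen with (valid frames only)."""
    seen: Dict[int, Set[int]] = {}
    for f in frames:
        if f.crc_ok:
            seen.setdefault(f.unit, set()).add(f.function)
    return seen


def triage(capture: List[bytes], known_units: Set[int]) -> List[Frame]:
    return [parse_frame(raw, known_units) for raw in capture]


# Constructed sample capture: six frames, already split at the inter-frame silence.
KNOWN_UNITS = {1, 2}
_poll = build_frame(1, 0x03, b"\x00\x00\x00\x0a")        # master polls 10 holding registers
_reply = build_frame(1, 0x03, b"\x14" + b"\x00" * 20)    # unit 1 answers with 20 data bytes
_tampered = bytearray(_poll)
_tampered[3] ^= 0x10                                      # one flipped bit, CRC no longer matches
SAMPLE_CAPTURE = [
    _poll,
    _reply,
    build_frame(2, 0x04, b"\x00\x10\x00\x02"),            # routine input-register read of unit 2
    build_frame(7, 0x05, b"\x00\x13\xff\x00"),            # Write Single Coil aimed at unlisted unit 7
    build_frame(1, 0x83, b"\x02"),                        # exception 02 (illegal data address)
    bytes(_tampered),
]

if __name__ == "__main__":
    frames = triage(SAMPLE_CAPTURE, KNOWN_UNITS)
    for f in frames:
        print(f"unit={f.unit:>3} fc=0x{f.function:02x} crc_ok={f.crc_ok!s:5} flags={f.flags}")
    print("inventory:", inventory(frames))
```

Run as a script it prints one line per frame: the two polls and the reply carry no flags, the write to unit 7 is flagged both as an unknown unit and as a write, the exception response and the corrupted frame each get their own flag. The inventory dictionary is the passive map the intro asks for, built without sending a single byte onto the bus; in a real kit the known-unit set would come from the mission partner's device list and the capture from a read-only tap on the RS-485 line.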
- Ball, Justin M., "Artificial Intelligence: Implications in the Cyberspace Domain," AFGC thesis, 2025.
- Ball addresses the challenges of detecting complex cyber threats on large networks by advocating for Artificial Intelligence (AI) and Machine Learning (ML) tools. Rather than relying on static, human-updated signatures that easily fail against polymorphic malware, ML algorithms can analyze massive datasets of network traffic and user logs to perform predictive analytics and identify anomalies. Additionally, the paper cites the MITRE ATT&CK framework as a vital threat-modeling taxonomy that helps cyber protection teams map security alerts to known adversary behaviors and eliminate manual detection errors.
- Banks, Capt. Jonathan et al., "Venomed Quills: A Systematic Approach to Maximizing Taiwanese Endurance," SOS AUAR, 2024.
- While this paper does not detail serial or ICS-specific hunting, it describes the hardware and software composition of the Cyber Vulnerability Assessment/Hunter (CVA/H) threat-hunting toolkit. The kit consists of multiple servers, a switch, laptops, and sensors, costing between $50,000 and $100,000 to assemble. To deploy these capabilities flexibly, they are packaged in ruggedized transfer kits and can be pre-loaded with open-source threat-hunting software like Security Onion to analyze vulnerabilities and hunt for malicious cyber activity.
- Bashore, Brad J., "U.S. Cyber Protection Revolution," AF Fellows (Georgetown), 2014.
- Outlines how defensive operators can leverage free, open-source tools to build a comprehensive risk-testing and network analysis capability. The author recommends incorporating Snort, a free and open-source network intrusion detection and prevention system capable of real-time traffic analysis and IP packet logging, alongside Suricata, a high-performance network IDS, IPS, and monitoring engine. Integrating these programs allows defensive organizations to perform regularly scheduled, passive testing of critical infrastructure networks to identify vulnerabilities. To optimize success, these tools should be paired with traveling cyber red teams (modeled after organizations like SANS and Cyber Guardian) to inspect public and private utility networks, identify vulnerabilities, and provide proactive protection guidance.
- Bireley Jr., Robert E., "Constant Contact: The Rationale Behind the US Shift to Persistent Engagement in the Cyber Domain," SAASS thesis, 2024.
- Bireley touches on Industrial Control Systems (ICS) by analyzing the 2007 Aurora technical demonstration at Idaho National Laboratory, which tested vulnerabilities in connected physical "spinning machines" like motors and generators. The demonstration revealed that malicious actors could exploit vulnerabilities in digital protective relays, programmable logic controllers (PLCs), and bay controllers to co-opt safety devices and cause physical destruction. This test underscored the critical need for proactive, collaborative partnerships between public and private entities to mitigate ICS vulnerabilities, though it did not detail specific tactical serial hunt procedures.
- Bond, Maj. Cash, "Redefining the Cyber Edge: Operational Technology Should be Foundational to Cyber Training Pipelines," AF Fellows, 2025.
- Provides a critical foundation for Defensive Cyberspace Operations (DCO) in Operational Technology (OT) and Industrial Control Systems (ICS). Bond explains that the military historically separates Information Technology (IT) and OT, leaving civil engineers or commercial entities responsible for critical physical dependencies (such as power and HVAC). This creates a culture of unfamiliarity where cyber operators are not trained on unique OT data transmission methods. To effectively hunt on these sensitive systems, Bond advocates integrating OT training into traditional IT pipelines. Operators can learn to passively identify ICS components and map network connectivity by participating in courses at the Idaho National Laboratory (INL) and utilizing Cybersecurity & Infrastructure Security Agency (CISA) frameworks. Ultimately, Bond highlights that by uniting IT and OT monitoring, defenders can enhance logging, build higher-fidelity alerting systems, and utilize open-source intelligence to evaluate risks and detect lateral adversarial pivots before they cause physical destruction.
- Dorsey-Spitz, Jenni S., "Safe from Stuxnet: Leveraging Air Force Cyber Expertise to Secure Industrial Control Systems and Critical Infrastructure," AFGC thesis, 2019.
- Addresses the personnel requirements and local technical processes needed to secure decentralized control networks. The author highlights that while Civil Engineer (CE) units are responsible for installation utilities, they lack the organic Information Technology Management Series (2210) expertise required to protect ICS from attacks. The study recommends permanently embedding 2210 personnel into local units to implement risk management frameworks and continuous monitoring. To be successful, these embedded professionals must understand the physical and logical layout of the entire ICS network to determine where to place firewalls and how to securely manage communication between programmable logic controllers (PLCs) and operator workstations.
- Edwards, Maj. Joshua R., "Determining the Defensive Cyber Competencies for A United States Space Force Cyber Weapons Instructor Course," AFGC thesis, 2024.
- This paper outlines the general process and challenges of threat hunting, emphasizing that defensive cyber operators must maneuver through friendly network terrain to detect advanced persistent threats (APTs). Edwards warns that threat hunting requires a capable sensor suite and data logging, but notes that these tools can be highly resource-intensive, risking system slowdowns or operational shutdowns. Furthermore, because military networks often run on contractor-built weapons systems with proprietary protocols, gaining access to relevant cyber terrain to perform hunts and clear intrusions is exceptionally challenging.
- Evans, Lt. Col. Joshua M., "Unrealized Risk: Why a True JADC2 Technical Environment Requires a Relearned culture to Understand Cascading Interdependencies," AF Fellows (Idaho National Laboratory), 2021.
- Provides the specific equipment assessments, processes, and playbooks needed to hunt for anomalies and map critical OT terrain. The author explains that defenders must first realize that Operational Technology (OT) networks prioritize the AIC (Availability, Integrity, and Confidentiality) triad, which directly contrasts with IT's standard CIA priorities. To map interdependencies and establish playbooks, the paper details Consequence-driven Cyber-informed Engineering (CCE), which trains operators to think like the adversary and focus on physical consequences (like hard-breaking a 27-ton generator with a cyber effect) rather than simple software risks. This is augmented by Decomposition of Energy Assurance and Electrical Power Resilience (DEEPR) modeling to physically map critical hardware to mission threads, and Cyber Testing for Resilient Industrial Control Systems (CyTRICS) to evaluate hardware and software components down to the physical manufacturing supply chain layer. Finally, the paper advises mandating periodic "black-start" or disaster recovery exercises to expose hidden connections and teach operators realized risk.
- Kearnes, Maj. Catherine A., "Pay Now or Pay Later: Defending US Critical Infrastructure from Russian Cyberattacks," AFGC thesis, 2022.
- Outlines standardized, playbook-driven processes for containing, eradicating, and recovering from cyber incidents on critical infrastructure networks. Kearnes notes that sophisticated adversaries use long-term reconnaissance to learn an ICS environment, steal credentials, and log in (often via Virtual Private Networks) to issue commands as a human operator would. To disrupt this activity and identify anomalies, the paper suggests that defenders actively share threat actor tactics, techniques, and procedures (TTPs), Indicators of Compromise (IOCs), and attack patterns. Once an intrusion is detected, operators must execute playbooks to isolate affected networks, update firewalls, close unauthorized ports, change passwords, and rotate private keys. To study the adversary’s methods with minimal risk to the mission partner's system, defensive operators can redirect the malicious traffic to a secure, isolated "sandbox" for further monitoring.
- Meissner, Capt. Patrick, "Assessing Russian Cyber Effects," SOS AUAR, 2021.
- Provides a real-world case study of the 2015 cyber-attacks on the Ukrainian power grid to demonstrate how adversaries execute physical, non-kinetic disruptions within an ICS environment. In this attack, Russian threat actors used 'BlackEnergy' malware to gain an initial foothold, steal legitimate credentials, and pivot directly to the SCADA networks controlling the regional power distribution grid. By studying these specific TTPs, defensive cyber operators can build dashboards and playbooks to identify known adversary behaviors: specifically, how the attackers manipulated breakers across 27 substations, uploaded malicious firmware to network gateway devices to deny remote command execution, and launched telephonic denial-of-service attacks to delay the recovery response. Analyzing these synchronized, multi-pronged attack vectors enables cyber defenders to compile specific Indicators of Compromise (IOCs) and design playbooks that make adversary actions stand out clearly from normal traffic.
- Neate, Joshua, "A Method for Allocating Cyber Resources to Defend Critical Civilian Infrastructure," AWC SSP, 2019.
- Outlines the strategic and tactical processes required to conduct active cyber defense and threat hunting on legacy, resource-constrained environments. Neate notes that because many critical infrastructure networks run on aging ICS and SCADA systems, installing modern, automated cyber defense tools is technically unfeasible. Consequently, the military must deploy specialized cyber defense teams to manually hunt for threats on these networks. To maximize the success of limited hunt assets, Neate proposes using Data Envelopment Analysis (DEA) to map and prioritize which systems are most critical based on threat actor motivations and potential cascading impacts. At the tactical level, the paper explains how defensive operators can adapt traditional threat modeling frameworks—specifically combining Microsoft's STRIDE and MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) models—to map adversary behaviors, compare them to system vulnerabilities, and implement tailored, effective countermeasures against long-term, coordinated attacks.
- Powell, Maj. Erin K., "Who's on First: Defending U.S. Critical Infrastructure against Cyber Attacks," AFGC thesis, 2025.
- Highlights the immense risk of connecting remote sensors, programmable logic controllers (PLCs), and SCADA networks to IT environments without adequate security. Powell emphasizes that legacy physical devices were originally built without basic security features like encryption, authentication, or access controls, making them prime targets for sophisticated nation-state adversaries, such as China. To effectively identify and limit malicious activity, Powell advises implementing strict, defense-in-depth network architecture hardening. Cyber operators can mitigate risks by enforcing strong network segmentation, grouping similarly purposed devices on separate Virtual Local Area Networks (VLANs), and placing firewalls defensively. These architectural processes restrict an adversary’s ability to move laterally within the network. This ensures that even if an attacker uses inexpensive, common entry vectors like phishing or credential compromise to breach an IT system, they are physically blocked from reaching and manipulating critical SCADA components.
- Ramtahal, LTC Eldred K., "Power Projection Platforms--Protecting Critical Infrastructure against Cyber Intrusion to Maintain America's Strategic Military Advantage," AWC SSP, 2021.
- Defines the core technical architecture of Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS). Ramtahal clarifies that ICS computers monitor and operate physical utility infrastructure, while SCADA represents the hardware, software, and applications used to monitor and manage those industrial networks. Common weaknesses in these environments include inadequate training, poor application development, and deficient network and system maintenance. This makes them vulnerable to hackers, malware, and human errors where untrained operators inadvertently expose the infrastructure. To combat these threats and identify intrusions, Ramtahal recommends deploying specialized, trained cyber workforces to monitor networks and maintain SCADA security. Additionally, the paper advocates for technical solutions, such as building isolated microgrids, to enhance the resilience of the physical utility networks that underwrite military power projection installations.
- Terry, LTC Erick, "Critical Infrastructure Risk by Cyber Threats," AWC SSP, 2021.
- Examines the inherent vulnerabilities of ICS/SCADA architectures and how malicious activity manifests. The paper notes that industrial control systems are highly susceptible because security was excluded from their original designs, they utilize aged equipment, and they are increasingly incorporated into internet-facing networks. Threat actors exploit these systems using specialized malware like Industroyer, which does not need to infiltrate the systems but natively executes valid commands based on legacy communication protocols, maps the network, and installs backdoors. To mitigate these massive risks, the author recommends that utility and control networks must be strictly air-gapped to prevent remote internet access and sever external threat vectors.
- Welcome, Lt. Col. Erick O., "Air Force Mission Defense Teams: Not Your Grandparent's Communications Squadron," AWC SSP, 2019.
- Details how base-level defensive cyber teams can organize to persistently map and defend unique weapon system networks. The author defines defensive "hunting" as the active search for key cyber terrain to establish the exact link between the physical networks and the operational missions they enable. To do this, Mission Defense Teams (MDTs) must perform a Functional Mission Analysis (FMA) and Network Characterization of weapon systems to identify critical terrain and dependencies, allowing them to detect and respond to abnormal traffic patterns. Additionally, the paper recommends integrating an organic, base-level intelligence cell into the team to guide operations with timely threat data, while routinely codifying cyber defense and red-teaming into joint exercises to ensure the team can effectively "fight through" a cyber-attack.
- Wisniewski, Capt. Michael A., "Using AI Guided Threat Hunting to Provide Improved Context for Prioritization and Response to Cyber Security Incidents," SOS AUAR, 2021.
- Explains how to integrate threat-hunting tools into central dashboards targeting adversary Tactics, Techniques, and Procedures (TTPs). Rather than relying on rigid, rule-based systems or easily bypassed IP blocks, the author advocates for structured hunts built around known adversary TTPs or Indicators of Attack (IoAs). To filter the massive volumes of raw data collected by endpoint detection and response (EDR) and SIEM systems, the paper recommends utilizing Machine Learning (ML) algorithms combined with Rank Aggregation. This math-driven approach processes raw network logs and generates a single, prioritized threat list of scores across multiple attributes (such as Reconnaissance, Implant, C2, and Exfiltration), providing defenders with immediate context to isolate anomalous activity.
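The Wisniewski summary above describes collapsing per-attribute scores (Reconnaissance, Implant, C2, Exfiltration) into one prioritized threat list by rank aggregation. The following added example shows the aggregation step in working code; it is not from the page or from the cited paper, which does not name a specific aggregation method, so the Borda count used here, the host names and the per-host scores are all assumptions. The scores stand in for what a per-attribute ML scorer would emit after processing EDR/SIEM logs; the block turns them into a single ranked list and names the attribute that drove each host's placement.

```python
"""Rank-aggregation threat prioritization (added example; Borda count, hosts and
scores are assumptions, not taken from the page or the summarized paper)."""
from typing import Dict, List, Optional, Tuple

ATTRIBUTES = ["Reconnaissance", "Implant", "C2", "Exfiltration"]

# Constructed per-host attribute scores in [0, 1], as a per-attribute scoring
# stage would emit after processing EDR/SIEM logs. Hosts and values are invented.
HOST_SCORES: Dict[str, Dict[str, float]] = {
    "hmi-01":    {"Reconnaissance": 0.10, "Implant": 0.05, "C2": 0.02, "Exfiltration": 0.01},
    "eng-ws-03": {"Reconnaissance": 0.85, "Implant": 0.40, "C2": 0.70, "Exfiltration": 0.30},
    "hist-02":   {"Reconnaissance": 0.20, "Implant": 0.10, "C2": 0.05, "Exfiltration": 0.90},
    "jump-01":   {"Reconnaissance": 0.60, "Implant": 0.75, "C2": 0.65, "Exfiltration": 0.20},
}


def rank_by_attribute(scores: Dict[str, Dict[str, float]], attribute: str) -> List[str]:
    """Hosts ordered from most to least suspicious on a single attribute."""
    return sorted(scores, key=lambda host: scores[host][attribute], reverse=True)


def borda_aggregate(scores: Dict[str, Dict[str, float]],
                    weights: Optional[Dict[str, float]] = None) -> List[Tuple[str, float]]:
    """Borda count: position in each attribute ranking earns n-1, n-2, ... 0 points,
    scaled by an optional per-attribute weight. Ties are broken by host name so the
    output is deterministic."""
    n = len(scores)
    weights = weights or {attribute: 1.0 for attribute in ATTRIBUTES}
    totals = {host: 0.0 for host in scores}
    for attribute in ATTRIBUTES:
        for position, host in enumerate(rank_by_attribute(scores, attribute)):
            totals[host] += weights[attribute] * (n - 1 - position)
    return sorted(totals.items(), key=lambda item: (-item[1], item[0]))


def prioritize(scores: Dict[str, Dict[str, float]],
               weights: Optional[Dict[str, float]] = None) -> List[Dict[str, object]]:
    """The single prioritized list, each row carrying the attribute that scored
    highest for that host so an analyst has immediate context."""
    rows = []
    for host, total in borda_aggregate(scores, weights):
        driver = max(ATTRIBUTES, key=lambda attribute: scores[host][attribute])
        rows.append({"host": host, "score": total, "driver": driver})
    return rows


if __name__ == "__main__":
    for row in prioritize(HOST_SCORES):
        print(f"{row['host']:<10} {row['score']:5.1f}  driven by {row['driver']}")
    # Same data, but weighting Exfiltration six times as heavily: the historian
    # with the large outbound transfer moves to the top of the list.
    heavy_exfil = {"Reconnaissance": 1.0, "Implant": 1.0, "C2": 1.0, "Exfiltration": 6.0}
    print("exfil-weighted top host:", prioritize(HOST_SCORES, heavy_exfil)[0]["host"])
```

With equal weights the engineering workstation that leads on three of the four attributes ranks first even though no single score is the highest on the board, which is the point of aggregating ranks rather than picking the one largest number. The weights argument is how a mission partner's priorities (for an ICS hunt, often data leaving the control network) reorder the list without retraining any scorer.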
- Wittmaack, Capt. Philipp, "Mission Defense Team Training Gap Analysis," SOS AUAR, 2021.
- Highlights why traditional cyber protection platforms fall short on sensitive serial networks. The author notes that the primary military cyber defense tool, the Cyberspace Vulnerability Assessment/Hunter (CVA/H) weapon system, is not a one-size-fits-all solution because it is designed to interact exclusively with TCP/IP-based networks. Consequently, if a defensive team is assigned an operational mission set that utilizes legacy serial communication, the traditional CVA/H kit provides no operational utility.
- Zimmerman, Lt. Col. Christina Faith, "The Achilles Heel of Military Logistics: How Cyberspace Attacks on Commercial Sector Partners Impede Force Protection," AWC SSP, 2024.
- This paper highlights the vulnerabilities of Operational Technology (OT) and industrial control systems within commercial maritime and port infrastructure. Zimmerman explains that critical logistics nodes rely heavily on automated systems, such as terminal operating systems, which are increasingly connected to wider networks. This connectivity has eliminated the historical "air gaps" that once protected physical OT assets (like sensors and switches), widening the attack surface and leaving critical infrastructure vulnerable to malicious cyber manipulations that could trigger physical accidents or a logistics halt.