With MOSAICS, Johns Hopkins APL Brings the Future of Industrial Cybersecurity into Focus

The vulnerability of industrial control systems (ICS) to cyberattacks has become alarmingly clear in the past year, with a series of headline-grabbing hacks like SolarWinds, Colonial Pipeline and the Oldsmar water treatment facility having laid bare the limitations of the ad hoc, piecemeal solutions that have characterized ICS cybersecurity to date. The Johns Hopkins Applied Physics Laboratory (APL) in Laurel, Maryland, in partnership with Sandia National Laboratories, Pacific Northwest National Laboratory and Idaho National Laboratory, is leading the development of the first-ever comprehensive, integrated and automated solution for ICS cybersecurity.

Known as MOSAICS — from “More Situational Awareness for Industrial Control Systems” — the working prototype has already demonstrated its value to the U.S. Navy, which is expanding its deployment of the system after initial testing demonstrated a 100% success rate with fewer than 1% false positives.

MOSAICS was initially envisioned simply as an ICS cyberattack detection system. APL leveraged its expertise in systems engineering and ongoing work in Integrated Adaptive Cyber Defense (IACD) to develop MOSAICS into a true ICS operational defense capability. The resulting capability allows ICS operators to detect and characterize cyberattacks on their systems in real time, and will eventually support automated — and even autonomous — response and recovery protocols.

“MOSAICS represents a major step forward from existing solutions — the transition from a haphazard and piecemeal cybersecurity approach to an all-encompassing, integrated capability that can be used in the field,” said Ray Yuan, APL’s Cyber Operations Mission Area executive. “It aggregates and applies existing technology in a synchronized way that hasn’t been accomplished before."

The U.S. Navy conducted a military utility assessment in August, deploying the system at Naval Facilities Southwest (NAVFAC SW) in San Diego, California. Over the course of five days, MOSAICS surveilled a 3,000-node network, while 17 adversarial attacks were launched against a simulated control station on the base. The attacks targeted every level of the system, from devices in the supervisory layer such as servers and engineer workstations all the way down to low-level devices like electrical relays and logic gates.

While monitoring the entire network, MOSAICS successfully identified every attack, achieving the aforementioned 100% success rate with fewer than 1% false positives. What’s more, when a contractor showed up at the base unannounced and began installing new components into the electrical system without obtaining proper authorization, MOSAICS flagged the installation as a possible cyberattack, demonstrating its real-world utility.

“Beyond the success of the planned testing, the incident with the contractor demonstrated the true value of MOSAICS — it can help operators determine, when they see a physical effect on their system, whether that’s due to mechanical failure or a cyberattack,” said Harley Parkes, a cybersecurity engineer in APL’s Asymmetric Operations Sector (AOS) who led the design and development of the capability. “That would be very difficult to do at all, let alone instantaneously, without a capability like MOSAICS that gives a full picture of the cyber aspects of an ICS.”

The Navy has licensed MOSAICS to continue using it for a year and is seeking funding to deploy the capability at additional bases. As the work continues, Parkes and his team are working to increase the functionality and make it easier to learn, use and deploy.

“At the moment, APL and our partners at the other three national laboratories are heavily involved in installing, integrating and training operators to use MOSAICS,” he said. “Our current phase of development is focused on enabling MOSAICS to be easily and rapidly deployed in new locations without our help.”

Steve Carder, who manages the Resilient Navy Networks and Systems program in AOS, said that the capability has significant implications — not only for Navy systems but for all of the nation’s critical infrastructure.

“We’re going to leverage the work we’ve done with MOSAICS to enhance cybersecurity for maritime control systems, but that’s only the beginning,” Carder said. “Ultimately, this work will benefit not only the Department of Defense and their systems but also private sector control systems — the electrical grid, water plants, sewer systems, you name it — that constitute the critical infrastructure the nation depends on.”

Moreover, the architecture of MOSAICS is designed to extend beyond automation, and to take advantage of autonomous systems as they become increasingly capable and trusted, said Yuan, who emphasized the importance of trust in the system.

“The next big step is to incorporate autonomy into the system, so that MOSAICS and other capabilities like it can take defense and repair actions without human intervention,” said Yuan. “That will require trust in autonomy, but that’s where we’re headed, and APL will be at the nexus of that work, as well.”

Government technical management of MOSAICS was provided by Rich Scalco from Naval Information Warfare Center – Atlantic (NIWC Atlantic), while operational management was led by USINDOPACOM and USNORTHCOM. Transition management was overseen by NAVFAC.