CSO's Take: Cyber Key Terrain and the Fight to Protect It
June 16, 2026
I'm often asked how I spend my time as CNF's Chief Strategy Officer. "Not efficiently enough" is usually my flippant answer, but the real answer is that I chart a path for a fast-growing small business as we break out of our size standards. My approach has always been to anticipate our customers' current and future needs. Today, that means a single priority: align our work with the National Security Strategy, the National Defense Strategy, and the Joint Force's planning guidance to defend the homeland, deter China as our primary competitor, and maintain peace through strength around the globe. Aligning our investments to those priorities means understanding the realities our warfighters face.
An old Army buddy of mine used to talk about "the rule of threes." Three days without water. Three weeks without food. Three minutes without ammunition in a firefight. Pershing put it more simply: infantry wins battles, but logistics wins wars.
That's as true today as it was a century ago, but now we must also consider information itself as a medium of conflict, a force multiplier, and an attack surface. As a member of the last generation to join the armed forces before the internet, I find it hard to grasp how completely we depend on our ability to sense, process, exploit, deny, and manipulate information at every level of warfare. Warriors in the air, on land, and at sea will always be the tip of the spear. But our way of war, and of deterring war, now rests on controlling the information domain.
It's hard to maintain that dominance when you can't power your communications or command-and-control systems. When air operations are limited to daylight because you can't run the runway lights, or can't trust them because an adversary is manipulating them. When the fuel you need depends on rail, ports, pipelines, and refineries that may not function when it matters most. The point is simple: the Joint Force's greatest advantages now depend on infrastructure that can fail under pressure.
For years, conventional wisdom in industrial cybersecurity held that the boundary between Operational Technology and Information Technology was a feature, not a flaw. Air gaps, segmentation, and the deliberate isolation of OT from enterprise networks were architectural choices, not just security-through-obscurity. The threat model assumed that keeping PLCs and SCADA systems off the internet was defense enough.
That assumption is now operationally dead.
In February 2024, CISA, NSA, and the FBI issued a joint advisory in unusually blunt language. People's Republic of China state-sponsored actors had compromised IT environments across U.S. critical infrastructure (energy, communications, transportation, water) and were pre-positioning to enable lateral movement into OT assets. Not to steal data, but to be ready to disrupt physical operations during a future crisis. A month earlier, the same actors had been caught hiding behind a botnet of compromised, end-of-life home routers, patient and quiet and invisible to tools built for IT environments. This is not espionage in any traditional sense. It is battlefield preparation, carried out at machine speed through digital terrain.
The deeper problem is that we don't know the terrain. The point where OT and IT converge, the seam between them, is the attack surface, and it is largely invisible. That's because these are physical systems connected by and through cyber. They are not just IT networks. At that physical layer, they interoperate and are interdependent: power generation requires fuel and water; water and wastewater treatment require power. Rail, pipelines, and ports depend on power and the infrastructure that transmits it. None of these sectors fails alone; a disruption in one cascades into the others faster than human operators can track. This is the cyber key terrain, the ground a modern cyberconflict would actually be fought over, and most of it is uncharted. Worse, most of this terrain isn't even government-owned. It's fragmented, owned by industry, utilities, and municipalities, and governed by a crazy-quilt of federal, state, and local regulations. That's the infrastructure that underpins the mission-critical OT the Joint Force depends on, and both the cyber and physical vulnerabilities in that foundation propagate up to the cyber key terrain it must defend.
Consider the Big Freeze that hit my home state of Texas in February 2021. An arctic blast drove demand to record peaks just as freezing temperatures, sensor failures, and fuel problems crippled power generation, and the grid came within a handful of minutes of a cascading failure that could have darkened much of the state for weeks. Now picture that event set in motion deliberately by an adversary who picks the timing and tempo and runs the kill chain with autonomous systems at machine speed.
Expanded passive monitoring at the IT/OT boundary, fed by physics-informed sensing below the DMZ, is part of the solution, but it creates its own problems. The more data we collect, the harder it is to process, exploit, and act at the speed the threat demands. And the people who can do that work, cleared operators fluent in both OT and cyber, are among the most high-demand, low-density skill sets in the national security workforce. It's the classic intelligence analysis problem, made larger by the density and interdependence of the systems themselves.
What the mission needs is a different architecture altogether: converged, fused telemetry from both domains feeding AI-enabled analytics that can correlate anomalies neither domain would reveal on its own, with enough awareness of physical process behavior to distinguish a sensor glitch from an adversary attack. And in the environments that matter most, the solution must run where the data lives, air-gapped and self-contained, with no dependence on cloud infrastructure that may not be there in a contested fight. That's where I'm aligning our strategy: investing heavily in best practices for securing this infrastructure, researching and developing cognitive solutions that automate the fusion and extract actionable intelligence from vast data lakes, and building an ecosystem of academic and industry partners to solve this problem. That's how I spend my time as CNF's CSO. The challenge is big, and the work is exciting.

