The need to secure federal facilities and systems against a wider range of cyber threats has become much greater in recent years. Target’s well-publicized cyber attack in late 2013 was traced back to a smaller network breach using network credentials stolen from a regional heating, ventilating and air conditioning subcontractor that received access to Target’s network for HVAC system project management and billing.
Building automation and industrial control systems (ICS) – like HVAC, utility monitoring, fire and natural gas control systems – have in the past been physically isolated systems that only communicated locally, such as within a building. Those systems are more and more frequently being integrated into installation networks so data can be remotely monitored, aggregated and analyzed at higher levels. This increases the vulnerability and cyber security risks of not only the individual systems, but also the entire network.
The challenge: information technology (IT) and ICS systems – while they share similar characteristics – have very different priorities and risks. In addition, IT technicians and facility engineers speak different languages, according to Stacey Hirata, chief of the U.S. Army Corps of Engineers’ Installation Support Division in the Military Programs Directorate.
“We need technical experts who understand industrial control systems, what they are and the unique risks associated with those systems,” Hirata said. “And we need USACE IT network experts who understand the engineering dialect and can translate the IT language into something our USACE project managers and engineers can understand.”
To ensure consistent delivery of efficient, cyber secure facilities and systems to its customers, the Engineering and Support Center, Huntsville established an Information Assurance and Information Technology (IA/IT) Branch in its Engineering Directorate in January. Shortly thereafter, Huntsville Center was also designated the USACE Industrial Control Systems Cybersecurity Technical Center of Expertise (TCX).
“We are holistically looking at our programs and customer needs, and we bring it all together with a facilities engineering background and cybersecurity focus to ensure our customers receive systems with the integrated security solutions required to operate facility and installation related systems on government networks,” said Dan Shepard, who is chief of both the TCX and the IA/IT Branch.
In June Hirata hosted a USACE-wide webinar on delivering cyber secure facilities to customers. He said every program and project manager should be asking themselves, “Are we delivering cyber secure facilities? Are we applying the appropriate standards and criteria in our facility design, and do our contracts have the right specifications?”
With seven information technology (IT) specialists assigned to the IA/IT Branch supporting Huntsville Center project delivery teams (PDTs), Shepard said his goal is to have one IA cybersecurity specialist assigned to each PDT to ensure program managers understand cybersecurity requirements for their project(s) and contracts contain the appropriate cybersecurity language. The TCX provides expertise and guidance for military programs and customers across the Corps of Engineers and the Army.
Shepard said his team collaborates a great deal with the USACE Critical Infrastructure Cyber Security Center of Expertise at Little Rock District (focused on civil works infrastructure like locks, dams and levees) and USACE laboratories, as well as Huntsville Center’s Energy Division and the USACE Utility Monitoring and Control Systems (UMCS) and Electronic Security Systems (ESS) Mandatory Centers of Expertise at Huntsville Center, to identify ways to support those missions and enhance cybersecurity efforts across USACE. He said they also participate on several Army and Department of Defense cybersecurity and information assurance working groups to assist with policy development.
“While there’s a ton of expertise in cybersecurity for traditional IT platforms across the Army, there is not yet a lot of expertise in our niche area of cybersecurity for facilities,” Shepard said. “We are trying to be that voice with a facility engineering focus for the Army. The Corps of Engineers brings that to the Army; no one else in the Army does that.”
Shepard said that as garrisons and installation directorates of public works have experienced budget and manpower cuts in recent years, many have lost critical on-site expertise in cybersecurity. They now have to not only manage their installations, but also understand infrastructure and network cybersecurity requirements for acquisitions and contracts.
“We can help fill that knowledge gap; we’re a resource for the entire Army,” Shepard said. “We take great pride in delivering sustainable, secure systems for our customers and sharing our expertise to make the entire Army and DOD more secure as it relates to the facilities and systems we deliver.”
Two key drivers for the increased emphasis on ICS cybersecurity are Department of Defense Instructions 8500.01 “Cybersecurity” and 8510.01 “Risk Management Framework for DOD Information Technology,” both released in March 2014, as well as the National Institute of Standards and Technology (NIST) Special Publication 800-82 Revision 2, Guide to ICS Security, dated May 2015. The DOD risk management framework replaces the Defense Information Assurance Certification and Accreditation Process (DIACAP) and applies to all industrial control systems – those that are connected to the Army network as well as those that are isolated. Army implementation guidance has not yet been published.
In conjunction with the Army, Air Force and Navy, the ICS Cybersecurity TCX is developing a Unified Facilities Criteria (UFC) that will address cybersecurity requirements for facility related Platform Information Technology (PIT) systems, expected to be published in fiscal year 2016. These PIT systems include but are not limited to ICS, UMCS, ESS, Building Automation Systems (BAS), Supervisory Control and Data Acquisition (SCADA) systems, and similar control systems. USACE is also developing a cybersecurity Unified Facilities Guide Specification (UFGS) expected for release in FY16 that will document all execution requirements and contract submissions.