By Stephen BaackDecember 20, 2018
HUNTSVILLE, Ala. (Dec. 14, 2018) - Inhabiting virtually every Department of Defense facility is a hidden world of processes and operations, but like many vital functions, they go unnoticed until the moment they are interrupted.
This is the world of facility automation. These functions run the gamut of automated processes for everything inside a facility envelope, such as timely and accurate heating and cooling, proper electrical distribution, routine elevator operation, automatic lighting, and entry and exit measures like badging.
Anything that threatens the security of these systems, by extension, threatens mission readiness and is therefore a significant concern to the Department of Defense, according to Daniel Shepard, chief of Huntsville Center's Information Assurance and Information Technology Branch and the Control System Cybersecurity Mandatory Center of Expertise.
In 2016, Shepard and his team at the Control System Cybersecurity MCX - then called the Industrial Control Systems Cybersecurity Technical Center of Expertise - developed and published the Unified Facility Criteria 4-010-06: Cybersecurity of Facility-Related Control Systems. About a year later, they published Unified Facility Guide Specification 25-05-11, which they are in the process of updating.
"Those were the first two design criteria and specifications focusing on cybersecurity for control systems, and the Corps of Engineers led the authoring and the publishing of that effort for the entire tri-services community - Army, Navy and Air Force," said Shepard.
These documents put forth the design criteria and project specifications for any project that has control systems in place for the entire Department of Defense, and they tell the DOD's industry partners how to design control systems to meet cybersecurity requirements and measures.
It is this set of standards, requirements and measures that protect these systems against a cybersecurity event. While such an event could be the result of the actions of someone with malicious intent, just as dangerous is a system failure due to a design flaw or inconsistent security measures, said Shepard.
"If I had my HVAC system inside of a critical-data center or a mission facility, and that heating and cooling couldn't keep the computer equipment cool, then I can't access intelligence platforms," Shepard said. "If our facilities aren't operational and can't support the mission and the people within those facilities, then having a cyber event in a control system could take down mission readiness, or at least the ability to project force.
"It's not one of those things where the sky is falling, by any stretch of the imagination, but prior to 2016, if anything was done at all, it was done in a very ad hoc manner," Shepard added.
These specifications address numerous areas such as how to coordinate systems within systems, implementing backup systems, reducing extraneous functionality and dependence on the network, and adhering to the National Institute of Standards and Technology's Risk Management Framework
"This is going to give some consistency in approach to design and in construction that, when the Corps of Engineers or any Department of Defense design and construction agent turns over a facility, our stakeholders know that cybersecurity has been accounted for and addressed in the design and then in what we do in construction," Shepard said. "So, that's a good thing."
Now that Shepard and his team have been designated a mandatory center for their technical discipline - he said they are starting to see a lot more work come in from the geographic districts as they help those districts execute design requirements, work through acquisition issues, and write contractual language.
"It's a 100 percent collaborative effort between design and construction agents, facility owners, directorates of public works - pretty much the entire facilities engineering community play a role in this," said Shepard. "We're one small wedge of the pie from the Corps of Engineers, but it's more of a unified, collaborative approach."
The Control Systems Cybersecurity MCX's team includes experts at some of the U.S. Army Corps of Engineers research and development laboratories through the Engineering, Research and Development Center. These include personnel at the Construction Engineering Research Laboratory in Champaign, Illinois, and at the Information Technology Laboratory in Vicksburg, Mississippi.
Shepard added that the Control Systems Cybersecurity MCX's civil works counterpart is the USACE Critical Infrastructure Cybersecurity Center of Expertise at Table Rock Lake in Branson, Missouri. This team focuses on control systems for anything the Corps owns, operates, maintains and sustains such as locks, dams, levees and navigational waterways, whereas Shepard's team focuses on facilities the Corps does not own, operate or maintain.
"We design and deliver based upon someone else's requirements, like a child, youth development center, a gymnasium, a barracks, and any kind of headquarters administration building," said Shepard. "We don't own those. We build them for them and turn them over, but we are not in the Operations and Maintenance piece of it, unless they come back to us where they need support."
Shepard characterizes control system cybersecurity as a growing and rapidly changing technical discipline, which is governed by ever-evolving DOD policy and strategy.
"It's evolving daily," said Shepard "Things change like courses of action and funding streams. The potential to see growth in just this area - it's exponential how much it could grow."