FM Issue: Cybersecurity Evolution
Convening To Combat Threats
To meet the challenge of cybersecuring facility and building control systems, an informal gathering of stakeholders from facilities, IT, physical security, and other areas held a workshop at the National Institute of Building Sciences annual conference in January 2014, “Cybersecurity of Buildings Workshop: OT and IT Convergence—A New Paradigm.” In this workshop, attendees received an overview of the current state of practices, standards, and guidelines; viewed live demonstrations of control systems being exploited and compromised; and learned how to identify, contain, and eradicate the threat. While most organizations may not consider their facilities primary targets, every sector of critical infrastructure across the nation relies on buildings to conduct daily operations.
Released on February 12, 2013, the Executive Order, Improving Critical Infrastructure Cybersecurity, along with the Presidential Policy Directive, Critical Infrastructure Security and Resiliency, required NIST, GSA, and DoD to develop a Cybersecurity Framework, update the National Infrastructure Protection Plan, and assess the federal acquisition and procurement process. NIST completed the Cybersecurity Framework in January 2014; GSA and DoD submitted recommended changes to the federal acquisition process in February 2014, and federal agencies are beginning to implement the Framework and change contracting procurement language.
For private sector organizations the Framework is voluntary. However, as a standard of care, an organization that does not have a plan in place to identify and protect its IT and OT assets may find itself with extended liability. The Framework has five core functions: identify, protect, defend, respond, and recover. A sector or organization can use the Framework to create its top-level cybersecurity plan, augmented with industry-specific standards and guides.
NIST SP 800-82 A Fit For Facilities
For facilities, the best standard to use is NIST SP 800-82, which is currently being revised to incorporate new security controls and supplemental guidance. Both the Cybersecurity Framework and the draft NIST SP 800-82 Rev. 2 are planned for inclusion in CSET 6.1, with a target release date of summer 2014.
A fundamental concept of NIST SP 800-82 Rev. 2 is “Inbound Protection and Outbound Detection.” All control systems should be on a separate network with multiple levels of DMZs (neutral zones) and sub-networks. Control systems behave in very predictable ways: data frequency, packet size, and other attributes are fairly constant and amenable to whitelisting. New OT firewalls able to perform deep packet inspection and OT passive monitoring tools able to identify anomalous traffic provide the inbound protection; continuous monitoring provides the outbound detection capability. Control systems generally do not send megabit or gigabit files to remote servers that are not in the organization’s known network or connected vendors. Exfiltration of data and covert command and control channels to unrecognized IP addresses are key signs of compromise.
NIST SP 800-82 also has new controls for acquisition, life cycle software development, and penetration testing.
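
The outbound detection idea described above can be expressed as a check over network flow records. The following is an added example, not code from NIST SP 800-82 or from the article's author; the subnets, the byte ceiling, and the flow records are constructed assumptions. It goes slightly beyond the text by also flagging unusually large transfers to known destinations.

```python
import ipaddress
from collections import defaultdict

# Assumed for illustration: the organization's own networks and connected vendors.
KNOWN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/28")]
# Assumed control-system subnet whose outbound traffic is monitored.
OT_SUBNET = ipaddress.ip_network("10.20.30.0/24")
# Assumed per-destination ceiling for the window; derive it from baselined polling traffic.
MAX_BYTES_PER_DEST = 1_000_000

# Constructed flow records: (source IP, destination IP, destination port, bytes sent)
SAMPLE_FLOWS = [
    ("10.20.30.11", "10.20.1.5", 502, 260),          # controller answering a supervisory server
    ("10.20.30.11", "10.20.1.5", 502, 260),
    ("10.20.30.12", "192.0.2.4", 443, 48_000),       # connected vendor gateway
    ("10.20.30.13", "203.0.113.77", 443, 900),       # small flow to an unrecognized address
    ("10.20.30.14", "10.20.1.9", 445, 250_000_000),  # bulk transfer inside the known network
    ("10.20.1.5", "198.51.100.9", 443, 5_000),       # source is not in the OT subnet
]

def is_known(ip):
    """True if the address falls inside any known organization or vendor network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)

def outbound_findings(flows):
    """Return sorted (src, dst, reason, total_bytes) findings for OT-originated flows."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if ipaddress.ip_address(src) in OT_SUBNET:
            totals[(src, dst)] += nbytes
    findings = []
    for (src, dst), total in totals.items():
        if not is_known(dst):
            # Any volume to an unrecognized address is worth review, even a few bytes.
            findings.append((src, dst, "unrecognized-destination", total))
        elif total > MAX_BYTES_PER_DEST:
            findings.append((src, dst, "volume-above-baseline", total))
    return sorted(findings)

if __name__ == "__main__":
    for finding in outbound_findings(SAMPLE_FLOWS):
        print(finding)
```
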
Other Resources
Another effort being led by the DHS Interagency Security Committee is the development of a white paper, “Securing Government Assets through Combined Traditional Security and Information Technology.” This document outlines the Risk Management Framework process applied to physical security systems such as closed circuit video equipment (CCVE) or video systems, intrusion detection systems (IDS), and electronic physical access control systems (PACS). Key to the recommendations is to bring together physical security specialists, facility engineers and managers, IT staff, system integrators, and property owners to conduct assessments and develop system security plans. Another key change is to the procurement process—to initiate the converged systems baseline risk assessment in the planning and design phases, conduct factory acceptance testing (FAT) in the construction phase, and conduct full site acceptance testing (to include penetration testing) for system turnover.
GSA has begun to implement many of these changes, starting with the HSPD-12 requirements and conducting FIPS 200/FICAM Testing and managing the Approved Products List (APL). GSA intends to expand this effort to incorporate as many OT systems as funding allows.
Finally, a new cybersecurity resource page has been added to the Whole Building Design Guide. This page is primarily for the buildings community but also features information and links to other control systems, workshops, and training.
All facility owners and managers, engineering staff, and security staff are encouraged to understand the basic principles of NIST SP 800-82, know how to use the DHS CSET tool, understand how the Shodan, Kali Linux, SamuraiSTFU, and other tools work for penetration testing, and prepare to adopt new acquisition and procurement processes.
Whereas the IT community has had almost two decades to learn and implement cybersecurity, members of the OT community will have an accelerated learning curve and will need to work closely with senior management, IT, and other stakeholders to secure assets properly. While the government has established basic standards, guides, and best practices, it takes a joint approach to protect both government and private sector OT systems.
Chipley is president of the PMC Group, LLC, located in Centreville, VA. He is a consultant to multiple federal agencies that include the Department of Defense, Department of Homeland Security, and Smithsonian Institution. He is a liaison to the NIST SP 800-82 Writers Team, supporting the development of the DHS CSET tool, and organizer of the National Institute of Building Sciences cybersecurity workshops.