Much has been written about the Wild West of the internet of things, the network of physical objects—devices, vehicles, buildings and other items—embedded with electronics, software, sensors, and network connectivity that enables these objects to collect and exchange data—often without a user’s knowledge or consent. Securing the IoT is attracting attention at the highest levels in government because of its potential to be a national security risk.
It turns out the Department of the Navy’s shore infrastructure may be subject to the same vulnerabilities that if exploited by bad actors could cripple an installations electrical grid; introduce malware into control systems, and cause heating, ventilation, and air conditioning (HVAC) systems to malfunction, for example.
A control system typically consists of networked digital controllers and a user interface that are used to monitor and maintain control equipment. There are many types of control systems ranging from building control systems to manufacturing control systems to weapon control systems.
Facility-Related Control Systems (FRCS) are a subset of control systems that are used to monitor and control equipment and systems related to Defense Department real property facilities, such as control systems for buildings, utilities, electronic security systems, fire and life safety systems, and HVAC.
Recognizing the unacceptable risk, Commander, Naval Facilities Engineering Command, and Chief of Civil Engineers, Rear Adm. John W. Korka, signed an instruction in June directing installations to standardize their Facility-Related Control Systems (NAVFACINST 11000.2) due to the threats these systems could pose across the DON’s shore infrastructure. Citing the number and frequency of successful attacks against critical infrastructure in recent years, Korka wrote, securing FRCS is a national security concern. (NAVFACINST 11000.2 resides on the NAVFAC portal.)
It has proven difficult to harden these control systems against modern cyber-attack, Korka wrote. Further, having multiple procedures for maintenance, training, and integration is expensive and distracts from the DON’s focus on warfighter readiness.
Increased standardization will make the task of cyber-securing FRCS far easier. This policy should result in a long-term consolidation in the number of FRCS in place on Naval installations worldwide, with a commensurate increase in cybersecurity, maintenance simplification, and cost avoidance, Korka concluded.
As the Systems Command responsible for Naval facilities, NAVFAC is tasked with assessing and mitigating shore cyber vulnerabilities and authorizing FRCS, and standardizing FRCS per function at each DON installation.
I talked with Robert G. Baker, the Command Information Officer and Enterprise Information Technology Officer for Naval Facilities Engineering Command in August. John Kliem, NAVFAC Executive Director for the Energy Security Program Office, and Tara Houlden, NAVFAC Cybersecurity Director, joined Baker in an informative discussion about the new policy, its challenges and advantages to the DON.
Baker is the command’s senior civilian responsible for enterprise-wide IT and shore infrastructure cybersecurity, competency development, and architecture in support of enterprise business requirements and strategy.
FRCS Variety, Scope, Risk
The vast diversity of FRCS evolved in the absence of any central policy, with engineers and project teams making decisions based on the best value of individual Military Construction (MILCON)/Sustainment, Restoration and Modernization (SRM) projects.
Standardization across the DON’s facility-related control systems, which includes overseas locations, will be a long-term effort due to the range of such systems across the department, Baker explained.
“In the Navy and Marine Corps today are just about 100 installations. On the Navy side there are about 75,000 facilities, on the Marine Corps side, about 50,000,” Baker said. “The Navy has about 260,000 facility-related control systems, in the Marine Corps, probably a number approaching 200,000. The scope of this [effort] is a half a million-control systems. So you can see why this won’t move quickly.”
Kliem added, “It is so enormous and there are facility-related control systems that are added and subtracted all the time. What we are really talking about is a new way of life for the Naval Facilities Engineering Command and the Department of the Navy in that cybersecurity and connectivity for facility-related control systems is a main piece of the strategy and a major consideration going forward.”
The FRCS standardization policy is a living document that that we will work on every day, Kliem explained.
“Just think about the logistics and sustainment as control system vendors upgrade or provide cybersecurity enhancements, the logistics of that and the coding required becomes increasingly complex for our public works and IT folks to keep track of. And the part inventory, it’s too much effort and it takes away from what we should be doing which is supporting the warfighter,” Kliem said. “Just as everybody needs to be a safety officer, everybody needs to be a cybersecurity officer. We all have to be focused on [cybersecurity] and we all have to take an active role.”
There is a library-full of Defense Department instructions and Federal Facility Criteria to guide building projects and maintenance regarding cost, energy conservation and green building initiatives. These competing factors contributed to the scope and variety of facility-related control systems in the department today, Kliem explained.
“Look at the green building initiatives where efficiency was a big goal. We had energy-directed controls installed in all our new buildings so we could better manage the HVAC and control prices. But we really didn’t care what system we put in,” Kliem explained. It was an engineering decision made by the builder who did not consult with the CIO… “Or with my folks, who do the control systems engineering, the OT (operational test) piece, that ties into the information technology. We were just focused on what is the simplest way the digital controls could connect to a central location for the purposes of energy efficiency, which then tied back to other programs, like the LEED (Leadership in Energy and Environmental Design) program and those types of conservation programs.”
Baker compared the road to FRCS standardization to the rigor of the multi-year rollout of the Navy Marine Corps Intranet in which the DON succeeded in creating a single, standardized, enterprise-wide computing and communications program.
“It’s about that level of standardization, but if you remember NMCI [standardization] didn’t happen in one day or one year. It took from about 2001 to about 2007 just for getting all the desktop computers in the Navy on one kind of network… You are not just going to replace these control systems for the sake of migrating them to a single standard until they are actually ready [to be replaced]. Unless there is a lot of money, which we don’t see, in the Future Year Defense Program, this is going to be done with the budget we have under sustainment and modernization dollars over a long period of time,” Baker said.
There will be legacy facility-related control systems that NAVFAC will not be able to standardize immediately, concurred Kleim. “We will get there in the course of modernizing those control systems. In the meantime, our guys are going to have to find a way to cyber-secure those legacy control systems so that we can connect them to our IT architecture.”
The shift to focus on cybersecurity occurred in 2015 with the arrival of Task Force Cyber Awakening and the DoDI 8500.01, Baker said. “The Facility-Related Control Systems Standardization Instruction that the Chief (Rear Adm. Korka) signed is an instantiation and formalization of the policy we have had since 2016.”
Installation Actions Required
Two initiatives are occurring simultaneously to fast track standardization explained Houlden. One is a complete inventory assessment. Because bases have varied levels of personnel expertise, Jacobs Engineering Group Inc. will assist commands with completing their inventories should they need help, she explained.
“The ones that have a complete inventory, also have mature and robotic engineering development capability and can do their own J&A (justification and authorization) without external support whether or not through the Jacobs contract … or [with help] from the headquarters teams. They are going to proceed with rolling out this instruction, in accordance with the supporting strategy, as they have expertise in-house, maturity, and an inventory completed already,” Houlden said.
Jacobs will also execute the audit to validate that each installation has an accurate inventory, she said.
In the second part of the initiative, NAVFAC is running a pilot that will serve as a test of the FRCS standardization process strategy.
“The Southwest Region is going to conduct business case analyses in their region. The business case analysis is a standardized template [an enclosure in the instruction]. The intent is to complete three locations in the Southwest Region by the end of September 2020,” Baker said. “The plan is to move forward with the proof of concept in these three locations and meanwhile the parallel effort is to make sure we have a solid inventory at the other 75 locations.”
The idea is that results of the analyses will lead to a reduction in the number of facility-related control systems to three or less per installation, Kliem explained.
Overseas installations pose a more difficult technology challenge for several issues. Foreign nationals are usually employed in facilities management support positions; however, they are not eligible to receive the security clearances necessary to operate on NAVFAC sensitive systems. In addition, the human machine interfaces used with facility-related control systems, along with user and product support manuals, are typically in English and may present a language barrier for some foreign nationals, Kliem explained.
“So we don’t want them as engaged in the process as we would in CONUS [facilities]… There is also some connecting challenges in overseas locations where we are precluded from doing wireless connectivity for some of the facility-related control systems — a lot of challenges overseas,” Kliem said. “We aren’t going to ignore those… Really, those challenges make it more important that we standardize on a common set of facility-related control systems so that we can take advantage of enterprise-wide ATOs (Authority to Operate) to the greatest extent possible.”
While implementation of the policy will be more difficult for some installations. NAVFAC has engineers and cybersecurity teams in each of the regions the Navy has bases.
“NAVFAC has 23,000 employees at over a 100 locations worldwide… Where it is necessary to surge for the local folks absolutely we will be doing that,” Baker said.
Kliem added, “With the inventory, we are also going to provide support for teams that need engineering and data analytic support. We have industry partners and intra-agency partners that will assist us.”
FRSC Cybersecurity — a Readiness Issue
In an effort of this scale, partnerships and collaboration are critical to success.
NAVFAC is working with Commander Navy Installations Command, Marine Corps Installations Command and the offices of the Assistant Secretary of the Navy for Energy, Installations & Environment and the Assistant Secretary of the Navy for Research, Development and Acquisition to implement the new standardization policy.
Kliem explained the [Navy] Secretariat is particularly interested in how NAVFAC cyber-secures its systems because it is a readiness issue. “So what policies can we make that would accelerate that process to increase readiness. It’s extremely helpful because that policy drives the resources to implement [the standardization policy].”
“Even though we work very closely with ASN for EI&E, in this particular instance, we are more closely aligned with ASN for RDA in our SYSCOM role. This [process] is acquisition-related, although clearly ASN EI&E has a huge interest as well from an energy, facilities and utilities perspective,” Baker said. “We have been working very closely with the ASN for EI&E for new buildings. When new buildings come onboard, Mr. James Balocki, who is the DASN for Installations and Facilities, has been working on a policy for making sure that the cyber commissioning is aligned with what we are doing. We are getting a lot of mutual support from both ASN EI&E and ASN RDA on this."
Objectives – cybersecurity, transparency, simplicity, efficiency
While CNIC is funding FRCS standardization; there are many benefits to the effort, in addition to cybersecurity. Each individual stakeholder has desired outcomes.
One of the objectives that CNIC considers a priority is to have all DON facility-related control systems connect with their FRCS architecture as quickly as possible, Kliem said.
“The standardization process will enable us to accelerate the process… Our facility-related control systems inventory resides on their enterprise-wide data warehouse [CNIC’s g2 – Gateway 2] as well as on our Maximo (asset management tool) system. We all have a common understanding of where we are at in terms of the inventory. We are working as a very close partner of Navy Installations Command as we work through the standardization process to make these decisions. We, as the SYSCOM expert, are keeping them updated on our process,” Kliem said.
At its core, FRCS standardization across the DON is a data-driven analytical process, Baker explained. “The ultimate objectives are many, but one of those is to be able to gain the data from each of these control systems and get the ability to perform analytics in such a way that it makes operating the shore [infrastructure] a lot more efficient and effective.”
Kliem agreed. “We are just scratching the surface on what we call ‘Smart Grid’ where we can connect, secure and analyze data from facility-related control systems in a way that we can begin to sense when a piece of equipment, like a heating, ventilation and air conditioning system, is going to fail because it is operating out of norm. Then we can repair it before employees become uncomfortable. We can detect when the grid is going to fail or we have an outage because we are connected to the advanced metering infrastructure.”
Risk Management Framework
In addition to other guidance, NAVFAC is using the National Institute of Standards and Technology series 800 publications for implementation of the Risk Management Framework, the DoD designated process for applying cybersecurity to information technology, including control systems.
NAVFAC is the Functional Authorizing Official (FAO) who will determine the Authority to Operate (ATO) for facility-related control systems. FRCS are classified as Platform Information Technology (PIT) systems. DoDI 8500.01 requires that all PIT systems have their cybersecurity controls documented and validated prior to operation and/or deployment. All PIT systems must maintain an ATO from the FAO. Additionally, connection or integration into the Control System Platform Enclave (CSPE), which provides cybersecurity services to FRCS and hosts the Smart Grid application suite, must comply to connect with an installation’s networked facilities control and monitoring system.
In the process, commands send their RMF packages to NAVFAC for review, and Baker, as the security control assessor, makes the risk recommendation to Rear Adm. Korka, who is the authority to sign (or deny) the ATO and accept the risk, Baker explained.
Many stakeholder actions and total commitment are required to succeed in this effort, Kliem explained.
“The other half of my job is to design electrical infrastructure to be resilient so it can operate in all types of contingencies. Where I would like to see this go in the future is to control the flow of power to critical force protection platforms in the event of a grid outage. That’s how a cyber-secure control system can really begin to impact readiness and increase the lethality of our warfighters… First, we have to standardize all our bases on a facility-related control system—or we can’t get to where we want to go.”