Most people associate cybersecurity with protecting important data on information technology (IT) systems or the internet; however, Operational Technology (OT) systems are vulnerable too. OT describes a class of programmable systems that control a system with a physical response. The US Department of Defense (DoD) also calls these systems Facility Related Control Systems (FRCS). Examples within the vertical build environment include HVAC, Fire Life Safety, Electrical, Metering, Elevators, and Water/Wastewater Systems. The effects of a cyber-attack on an OT system can include impacts to life and equipment safety, environmental or regulatory consequences, and financial losses, or the system may be leveraged as an entry point to a higher-value target on a common network.

The AEC industry serving the DoD has been adapting to the requirements of Unified Facilities Criteria (UFC) 4-010-06, Cybersecurity of Facility Related Control Systems, since 2017, with many of the early UFC-compliant projects recently completing construction. In July 2021 the White House issued the “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems.” This call to action has resulted in a renewed focus on securing OT systems and will further develop standards, regulations and requirements.

Cybersecurity risks cannot be eliminated and therefore must be mitigated to an acceptable risk tolerance.

The DoD has implemented the NIST 800-137 Risk Management Framework (RMF) to analyze risk and apply cybersecurity mitigations that bring OT systems to an acceptable risk tolerance, and has published this process as Unified Facilities Criteria 4-010-06. Other agencies, including Veterans Affairs (VA), and private industry are utilizing RMF methodologies during design to develop construction requirements.

We will review the 6-step RMF process including roles and responsibilities:

STEP 1 – CATEGORIZE SYSTEM(S)

• The designer and system owners will coordinate early in design (15% per UFC) to determine the potential impact of a cybersecurity incident on each OT system in terms of Confidentiality, Integrity and Availability (CIA). This step is critical because it defines the level of investment in cybersecurity mitigations that will be applied to each system, based on the potential impact to the mission or operation.

STEP 2 – SELECT SECURITY CONTROLS

• Using the CIA ratings, the designer will select security controls to be applied to each control system. Security controls are technical controls from recognized cybersecurity standards. The DoD refers to these as Control Correlation Identifiers (CCIs). It is important to note that a CCI is simply an index number that refers to a particular section of the NIST 800 defined mitigation, and therefore this process is easily adaptable beyond the DoD. NIST 800-53 has tailoring tools that a designer may utilize to evaluate the baseline controls required for high, moderate and low impact systems. For each security control required by impact level and agreed upon with the system owner, there should be a resulting direction within the contract specifications. The Unified Facilities Guide Specifications (UFGS) Division 25 have been developed to translate the selected security controls into biddable direction to the contractors.

STEP 3 – IMPLEMENT SECURITY CONTROLS

• The contractor, in coordination with owner stakeholders, is responsible for implementing the security controls as described within the specifications. Implementation will include additional documentation for the systems provided, coordination with the owner on specific requirements (IP addresses, usernames/passwords, etc.), configuration requirements, training and testing. One specific area of caution is that many equipment vendors are now integrating advanced technologies into devices that traditionally did not have programmable interfaces; these interfaces need to be secured or brought in line with the contract requirements. For example, the contract specification and security controls may require that no radio frequency (RF) interfaces be utilized, yet many newer switchgear and instrumentation products are supplied with Bluetooth as a native interface.

STEP 4 – ASSESS SECURITY CONTROLS

• The owner or designee will assess, as part of commissioning, that the system not only functions as required but also has had the security controls properly implemented. Similar to other commissioning activities, coordination between the contractor and the security assessor is critical to successful close-out of the assessment/commissioning stage. For DoD projects, the government will typically perform these services, with the exception of Navy projects, which require the contractor to bring an independent third-party assessor as described in UFGS 25 08 11.00 20.

STEP 5 – AUTHORIZE SYSTEM

• This is the last step in a typical design-construct project. The owner will review the work completed in steps 1-5 to ensure that the project has achieved all cybersecurity requirements from design through implementation and as validated in the assessment. When all work is completed, the owner will authorize the system or grant an authority to operate. At this stage, the owner has taken acceptance of the systems and will begin to monitor security.

STEP 6 – MONITOR SECURITY CONTROLS

• This step has limited impact on design or construction activities, except to recognize that once a system is being actively monitored and maintained, anyone interacting with the system must follow management of change and systems interaction policies to support the long-term sustainment of security.
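Steps 1 through 3 can be exercised as a submittal review. The following is an added example, not taken from UFC 4-010-06, UFGS Division 25 or the author: the system ratings, requirement IDs (REQ-NO-RF, REQ-NO-MODEM), thresholds and device tags are all constructed assumptions. It selects requirements per system from the CIA ratings and flags supplied devices whose native interfaces conflict with them, as in the Bluetooth switchgear case from Step 3.

```python
# Added example. All data is constructed; requirement IDs and thresholds are
# hypothetical and are not CCIs or text from UFC 4-010-06 or UFGS Division 25.
LEVELS = {"low": 1, "moderate": 2, "high": 3}

# Step 1: impact ratings agreed by designer and system owner (constructed).
SYSTEMS = {
    "HVAC":       {"C": "low", "I": "moderate", "A": "moderate"},
    "Electrical": {"C": "low", "I": "high",     "A": "high"},
    "Metering":   {"C": "low", "I": "low",      "A": "low"},
}

# Step 2: a requirement applies once the named objective reaches its threshold.
# "prohibits" lists interface types a supplied device must not include.
REQUIREMENTS = [
    {"id": "REQ-NO-RF", "objective": "I", "min": "moderate",
     "prohibits": {"bluetooth", "wifi", "zigbee"}},
    {"id": "REQ-NO-MODEM", "objective": "A", "min": "high",
     "prohibits": {"cellular", "dial-up"}},
]

# Step 3: contractor equipment submittal to review (constructed).
SUBMITTAL = [
    {"tag": "SWGR-1", "system": "Electrical", "interfaces": ["Ethernet", "Bluetooth"]},
    {"tag": "AHU-CTRL-2", "system": "HVAC", "interfaces": ["BACnet/IP"]},
    {"tag": "MTR-7", "system": "Metering", "interfaces": ["Modbus", "WiFi"]},
    {"tag": "ELEV-3", "system": "Elevators", "interfaces": ["Ethernet"]},
]

def applicable(system):
    """Requirements selected for a system from its C/I/A ratings."""
    ratings = SYSTEMS[system]
    return [r for r in REQUIREMENTS
            if LEVELS[ratings[r["objective"]]] >= LEVELS[r["min"]]]

def review_submittal(submittal):
    """Return (device tag, requirement id, detail) for every conflict found."""
    findings = []
    for dev in submittal:
        if dev["system"] not in SYSTEMS:
            # Never categorized in Step 1: nothing to check against, so flag it.
            findings.append((dev["tag"], "UNCATEGORIZED", dev["system"]))
            continue
        present = {i.strip().lower() for i in dev["interfaces"]}
        for req in applicable(dev["system"]):
            for iface in sorted(present & req["prohibits"]):
                findings.append((dev["tag"], req["id"], iface))
    return findings
```

With the sample data, the Bluetooth-equipped switchgear is flagged, the Wi-Fi meter is not because its low ratings never selected the RF requirement, and the elevator controller is flagged as belonging to a system that was never categorized.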

In summary, all OT systems have potential cybersecurity risks. However, using the RMF process to engage stakeholders early and develop biddable construction requirements allows system owners to receive systems with cybersecurity mitigations that achieve acceptable risk goals. It also minimizes contractor risk through a clearly defined set of requirements for system configuration, documentation and coordination activities.

AUTHOR QUALIFICATIONS:

David Brearley (GICSP, PMP) is Director of Operational Technology Cybersecurity at HDR. David has nearly 20 years of international experience in providing IT and OT (Operational Technologies / Industrial Controls) solutions, services, and consulting.

He is responsible for HDR’s international OT cybersecurity services program, providing consulting, assessment, design and compliance review services in support of HDR’s successful cross-sector businesses. Under David’s leadership, the HDR team has applied UFC 4-010-06 cybersecurity requirements to over 150 projects across all branches of military service.