- Tools and Training
- Webinar Series
- Installation Energy and Water
- Overview of PIT, OT & FRCS
- Architecture, Networks & Components
- Design and Commissioning
- Test and Development Environment
- Continuous Monitoring & Auditing
- Registering FRCS in eMASS, DITPR, SNaP-IT
- Legislation, Instructions, Manuals, Policies, Plans and Memos
- Resources, Tools, and Publications
- Templates and Checklists
- FRCS Protecting CUI
- Medical Facilities-Related Control Systems
- Energy Projects, Third-party Financing
- Energy Planning & Assessment
- Energy Storage
- Environmental Restoration
- Munitions Response
- Resource Conservation and Resiliency
- Weapons Systems and Platforms
As long as DOD uses outside contractors to design, construct, and operate FRCS, it is vitally important that contractors and vendors become part of the cybersecurity solution, starting with the supply chain and ending with proper disposal of obsolete equipment. Cybersecurity of the FRCS begins in the planning and design phases; it is imperative that the FRCS design and construction teams understand the NIST RMF process and the various documents and artifacts associated with an Authorization package. The PIT Control System Cybersecurity Lifecycle is shown in Figure 1.
Figure 1 - FRCS Cybersecurity Lifecycle
Review Key Design Documents
FRCS Project Teams are required to demonstrate the capability to achieve a Risk Management Framework (RMF) Cybersecurity Authorization for their system, components and devices. The IE and ESTCP Program Office can provide a Cybersecurity Subject Matter Expert to assist the Project Teams to understand the RMF process and create the documentation required. The following key documents should be reviewed by the Project Team, starting with the UFC 04-010-06 document:
- UFC 04-010-06 Cybersecurity of Facility-Related Control Systems (available online at http://www.wbdg.org)
- CNSSI 1253, Security Categorization And Control Selection For National Security Systems 2014
- Department of Defense Instruction 8500.01, Cybersecurity, March 2014 (available online at http://www.dtic.mil)
- Department of Defense Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 2014 (available online at http://www.dtic.mil)
- Department of Defense Instruction 8530 Cybersecurity Activities Support to DoD Information Network Operations March 2016 (available online at http://www.wbdg.org/pdfs/DODI_853001_2016.pdf)
- Department of Defense Industrial Control Systems Advanced Tactics, Techniques and Procedures Jan 2016 (available online at http://www.wbdg.org/pdfs/jbasics_aci_ttp_2016.pdf)
- National Institute of Standards and Technology Special Publication 800-53 R4 Security and Privacy Controls for Federal Information Systems and Organizations 2013
- National Institute of Standards and Technology Special Publication 800-82 R2 Guide to Industrial Control Systems (ICS) Security 2015
- UFC 3-580-01 Telecommunications Interior Infrastructure Planning And Design June 2016
- UFGS 25 10 10 Utility Monitoring And Control System (UMCS) Front End And Integration (available online at http://www.wbdg.org)
- UFGS 23 09 00 Instrumentation and Control for HVAC (available online at http://www.wbdg.org)
- UFGS 23 09 23.01 LonWorks® Direct Digital Control for HVAC and Other Building Systems (available online at http://www.wbdg.org)
- UFGS 23 09 23.02 BACnet Direct Digital Control for HVAC and Other Building Systems (available online at http://www.wbdg.org)
- Whole Building Design Guide Cybersecurity Resource Page (http://www.wbdg.org/resources/cybersecurity.php)
In general, the Project Teams will go through the basic steps below, a key objective is to provide the MINIMAL documentation necessary to achieve the RMF capability:
- Identify the Platform Enclave(s) that will be the project sponsor/host
- Identify the System Owner (typically the Facilities group) and supporting CIO/Telecommunications Backbone (NIPRNET, PSNET, Commercial Carrier, vendor wireless, etc.)
- Determine if the project will be a Closed Restricted Network (CRN) also known as a Stand-Alone Network, or will require connectivity to the DoD Information Network (DoDIN), or external commercial carrier
- Determine the Confidentiality-Integrity-Availability Security Assurance Level (typically will be L-L-M or M-M-H) using the Control Systems Master Naming Convention Worksheet
- Use the UFC’s, UFGS and FRCS website resources to develop the project design, construction, testing and RMF package documentation (see the Design Sequence Table)
- Use the recommended tools (CSET, GrassMarlin, Glasswire, Belarc, OSForensics, SCAP etc.) to create a Test and Development Environment (TDE)
- Submit RMF package documents and artifacts into eMASS and obtain authorization
DESIGN AND CONSTRUCTION RESOURCES
The FRCS consultants shall comply with the FRCS UFC’s, UFGS, and services/agencies latest construction specifications for FRCS, found on the Whole Building Design Guide, and augmented by other service/agency Policies and Directives. Additional sections shall be prepared by the designer as necessary to suit the project requirements.
The Whole Building Design Guide Cybersecurity Resource Page provides current best cybersecurity practices and references for all types of building control systems and links to several tools to support the development of the RMF IA package and documentation.
ROLES AND RESPONSIBILITIES
- Members: Service Design Manager, Facilities Engineering Acquisition Department (FEAD), Services Civil Engineering Representative (NAVFAC, AFCEC, USACE, DPW, etc.), Integrated Product Team (IPT).
- Responsibilities: Review FRCS Installation Contractor submittals, test reports, and Commissioning reports.
FRCS Installation Contractor/System Integrator
- Members: Contractor responsible for the installation or modification of a FRCS network component. Includes the contractor’s Control Systems Cybersecurity Specialist and Integration Specialist.
- Responsibilities: Responsible for production and submittal of all project Configuration Items (CI’s), project CI inventories, and design/construction/commissioning documentation associated with the installation or modification of FRCS systems.
FRCS Engineer of Record
- Members: Project mechanical engineer of record, electrical engineer of record, and control system engineer of record (if applicable)
- Responsibilities: Responsible for modifying the provided UFGS and FRCS Engineering Manual design templates to meet the requirements of the specific project
FRCS Service Agreement Contractor
- Members: Contractor(s) responsible for the operation and maintenance of the installation’s CS network.
- Responsibilities: Following configuration management procedures during required system modifications, security patches, and firmware upgrades.
DoD FRCS Information Owner/Steward
- Members: Installation Chief Information Officer (CIO)
- Responsibilities: Responsible for maintaining the current baseline of Configuration Items, management of the CI repository, and managing and tracking the security state of information systems.
Security Control Assessor (SCA)
- Members: Installation Chief Information Officer (CIO)
REQUIREMENTS FOR SUBJECT MATTER EXPERTS
The FRCS should be designed and engineered by qualified Control System Cybersecurity, Information and Communication Technology, and System Integration specialists complying with the requirements listed below.
Control Systems Cybersecurity Specialist
The Control Systems Cybersecurity specialist shall have a minimum of five years’ experience in control system network and security design and shall maintain current certification as a Global Industrial Cyber Security Professional (GISCP) or Certified Information Systems Security Professional (CISSP). The Control Systems Cybersecurity specialist must have demonstrated knowledge and experience applying IT and OT security strategies such as the application of the NIST security controls, exploitation techniques and methods, continuous monitoring, and utility/building control systems design. The résumé of the specialist must be submitted to the ESTCP Project Manager (PM) for review and approval prior to the concept phase of the project. The qualifications of the firm for whom the specialist works must also be submitted with the résumé.
Information and Communication Technology Specialist
The Information and Communication Technology specialist shall have a minimum of five years’ experience in control system network and security design and shall maintain current certification as a Registered Communications Distribution Designer (RCDD®). The Information and Communication Technology specialist must have demonstrated knowledge and experience applying IT and OT security strategies such as the application of the NIST security controls, cable network design and installation, project management, and data center design. The résumé of the specialist must be submitted to the ESTCP Project Manager (PM) for review and approval prior to the concept phase of the project. The qualifications of the firm for whom the specialist works must also be submitted with the résumé.
System Integration Specialist
The System Integration specialist shall have a minimum of five years’ experience in control system network and shall maintain current certification as a Certified System Integrator (CSI) for the products they are integrating (Tridium, Johnson Controls, Wonderware, Schneider, Schweitzer Engineering Laboratories, Rockwell, etc.) and/or be Control System Integrators Association (CISA) Certified. The System Integrator specialist must have demonstrated knowledge and experience applying IT and OT security strategies such as the application of the NIST security controls, BAS design and installation, project management, quality assurance and commissioning. The résumé of the specialist must be submitted to the ESTCP Project Manager (PM) for review and approval prior to the concept phase of the project. The qualifications of the firm for whom the specialist works must also be submitted with the résumé.
TYPICAL FRCS PORTS, PROTOCOLS AND SERVICES
DoDI 8551.01, Ports, Protocols, and Services Management (PPSM), establishes PPSM support requirements for configuration management and continuous monitoring. This includes discovery and analysis of PPS to support near real time command and control of the DOD Information Network (DODIN) and Joint Information Environment (JIE), and coordination with the local network and communications community to ensure they add control system PPS. Examples of FRCS PPS include:
- Modbus: Master/Slave – Port 502
- BACnet: Master/Slave – Port 47808
- LonWorks/LonTalk: Peer to Peer – Ports 1628, 1629
- DNP3: Master/Slave – Port 20000
- ZigBee: Peer to Peer 2.4 GHz
- Bluetooth: Master/Slave 2.4 GHz