This webinar will present results from two ESTCP-funded projects on securing DoD control systems and infrastructure from cyber threats. This includes the development of a new baseline automated security enumeration and configuration tool to rapidly identify vulnerable and misconfigured building automation systems associated with DoD building and energy infrastructure, and the use of low-cost data diodes for facility equipment monitoring to meet the needs of critical infrastructure managers across DoD by quickly enabling secure access to equipment data.

________________________________

Webinar #115 (07/09/2020)

Securing DoD Control Systems and Infrastructure from Cyber Threats

Dr. Jonathan Butts and Mr. Billy Rios, QED Secure Solutions

Mr. Colin Dunn, Fend Incorporated

July 9, 2020

12:00 PM ET (9:00 AM PT)

Presentation Slides

Abstracts

“Securing Military Installation Critical Infrastructure Against Cyber Attacks: The Baseline Automated Security Enumeration and Configuration Tool” by Dr. Jonathan Butts and Mr. Billy Rios, QED Secure Solutions ( ESTCP Project Webpage)

This ESTCP project supports Department of Defense (DoD) efforts to evaluate system configurations and cybersecurity vulnerabilities in building automation systems supporting Risk Management Framework requirements. The primary challenges facing the DoD include costs associated with onsite assessments, testing/reporting takes weeks, evaluations are manual and do not readily scale to multiple sites, and evaluation results are not always consistent because the process is manual. Our research examines the Baseline Automated Security Enumeration and Configuration (BASEC) tool designed to protect DoD organizations by providing a scalable means to identify, baseline, and certify the cyber security configuration for building automation systems. Through this effort, BASEC capabilities have demonstrated the ability to rapidly identify vulnerable and misconfigured building automation systems associated with DoD building and energy infrastructure. In addition, BASEC capability has demonstrated the ability to establish and enforce cyber security standards for military installation building automation systems at a significant cost reduction over current manual practices. Service components have been able to leverage BASEC capabilities to meet Congressionally mandated requirements for evaluating critical infrastructure security postures on military installations. This presentation will discuss the findings from military installation field trials and detail the trends discovered in misconfigurations of deployed building automation systems.

“Physical Cybersecurity: Low-Cost Data Diodes for DoD Facility Equipment Monitoring” by Mr. Colin Dunn ( ESTCP Project Webpage)

Managers of critical infrastructure benefit from the situational awareness provided by remote monitoring. This information leads to improved equipment performance and reduced unplanned downtime. However, recent attacks on U.S. and international power grids and building systems highlight the need for improved security on the industrial internet of things. Relatively few manufacturers provide the majority of control systems, exacerbating the impact of distributed cyberattacks. Legacy systems often run outdated, unsupported operating systems and will never receive security patches. Firewalls and software-based security are vulnerable to compromise by hackers. 

Data diodes are security appliances that enable a physically-enforced, one-way information stream about the state of this equipment. These devices physically isolating the equipment from lower-security networks. Data diodes are used today to protect the most critical of assets but at an expense often exceeding $100,000 per connection. 

Fend’s hardware is a low-cost device that provides the one-way data transfers of data diodes while removing the need for extensive on-site configuration. On-board processors enable Fend’s hardware to communicate with protected equipment and transmit this information to an on-site network or cloud service. Fend’s diode would serve the unmet needs of critical infrastructure managers across DoD by quickly enabling secure access to equipment data. This presentation will present the results of an ESTCP-funded project designed to demonstrate the hardware’s interoperability with various equipment types, ease of installation and cost performance.

Speaker Biographies

Dr. Jonathan Butts is a retired Air Force officer and co-founder of QED Secure Solutions. Jonathan is the Committee Chair for the International Federation for Information Processing (IFIP) Working Group on Critical Infrastructure Protection and has served as a representative to the Institute for Information Infrastructure Protection, advisor to the Cyber Security Education Consortium, member of the Department of Homeland Security research and development joint working group, and technical director for cyber security efforts supporting Presidential-directed projects. Dr. Butts has performed research with the Department of Defense, Department of Homeland Security, National Security Agency, Central Intelligence Agency and U.S. Secret Service and is a published author on various topics including critical infrastructure protection, malware analysis, protocol verification and operationalizing military actions in cyberspace. He earned a bachelor’s degree in computer science from Chapman University, a master’s degree in information assurance from the Air Force Institute of Technology, and a doctoral degree in computer science from University of Tulsa.

Mr. Billy Rios is the co-founder of QED Secure Solutions. He is recognized as one of the world’s most respected experts on emerging threats

related to Industrial Control Systems (ICS), critical infrastructure, and, medical devices. He discovered thousands of security vulnerabilities in hardware and software supporting ICS and critical infrastructure. He has been publicly credited by the Department of Homeland Security (DHS) numerous times for his support to the DHS ICS Cyber Emergency Response Team (ICS-CERT). Mr. Rios has worked at Google where he led the front-line response for externally reported security issues and incidents. Prior to Google, he served as the security program manager at Internet Explorer (Microsoft) where he led the company’s response to several high-profile incidents. Mr. Rios earned a bachelor’s degree in business administration from University of Washington, a master’s degree in information systems from Hawaii Pacific University, and an MBA from Texas A&M.

Mr. Colin Dunn is the CEO and founder of Fend Incorporated in Arlington, Virginia. He started Fend because he saw great advances in sustainable infrastructure threatened by hackers who seek to render new technologies useless and put our modern livelihood at risk. Prior to his role at Fend, Mr. Dunn worked as a design engineer, manager, and consultant for 15 years, helping teams bring products to market and improve the resilience of our built environment. He is a Professional Engineer, LEED Accredited Professional, and Certified Energy Manager. Mr. Dunn earned a bachelor of science degree in mechanical engineering from the University of Virginia and an MBA from Penn State.