ESTCP invested in a project to develop an automated, scalable solution for assessing the configuration of military installation energy control systems against Risk Management Framework (RMF) requirements. The project is helping identify security weaknesses in critical military infrastructure and securing facilities against cyber-based threats.

Energy control systems provide an innovative and cost-effective means to improve efficiency, expand functionality, enhance safety, and increase reliability. The trend, however, to interconnect management and monitoring capabilities through networking technologies has introduced a myriad of cyber vulnerabilities. For Department of Defense (DoD) installations, the risks are exacerbated due to the use of non-secure configurations associated with varying implementations across different bases. Indeed, multiple vendor platforms and disparate unpatched systems deployed over varying infrastructures have created an environment with no standard cyber security management practices or protection mechanisms in place to prevent attacks.

Currently, the DoD lacks the capability to efficiently evaluate system configurations of automated building energy control systems. Because the current assessment process is manual, evaluation results are not always consistent. The primary challenges the DoD faces evaluating automated building energy control systems include:

  • An extensive onsite assessment can cost upwards of $30k
  • Testing and reporting takes weeks
  • Evaluations are manual and do not readily scale to multiple sites
  • Extensive training of skill-sets is required to correctly evaluate systems
  • The evaluation is a one-time snapshot of the current security posture 

Baseline Automated Security Enumeration and Configuration (BASEC) provides a new technology that scales cybersecurity baseline criteria to millions of devices using customizable rule sets mapped to designated criteria. For ESTCP, BASEC demonstrates the ability to perform secure evaluations of system configurations against RMF requirements and accomplish auditing in seconds.

The heart of BASEC is a secure, cloud-based analysis engine that examines and compares submitted configuration and deployment files against established RMF criteria using custom algorithms. A building control system configuration file is uploaded to the BASEC analysis engine. BASEC performs automated analysis on the configuration and provides a report on the selected criteria to identify compliant and noncompliant findings. The resulting process enables rapid, consistent evaluation of systems that readily scales.

A web-based management interface is designed to provide end-users a secure means to examine device configurations, audit system settings, define security policies, and obtain reporting from anywhere in the world. BASEC reporting helps identify specific weaknesses associated with individual configuration files (e.g., weak passwords, missing security patches, insecure services, insecure default configurations and weak/insecure protocols in use). 

Current solutions for examining the security and configuration posture of building automation systems focus on vulnerability assessments or specific vendor implementations. Although helpful for examining specific installations, these methods do not scale and are not sufficient for meeting the holistic requirements across DoD installations. BASEC provides an innovative solution that helps standardize, enforce, and secure DoD building energy systems across all potential vendors and installations. The ease of deployment is designed for use by installation/facility control engineers and provides detailed reporting without the requirement for advanced cyber security skill sets.

For more information on BASEC, which includes a recorded webinar on deploying BASEC to secure military installations against cyber-based attacks, visit the BASEC ESTCP project overview.