In an age when nearly any activity can be performed or accessed electronically from anywhere, cybersecurity has become a critical part of the Department of Defense’s (DoD’s) research and development. As DoD facilities incorporate more networked systems as part of a transition to smart buildings, the threat of and vulnerability to cyber-attacks have increased. To protect and defend the DoD’s information and information technology, the DoD has established a cybersecurity program.

According to DoD Instruction 8500.01, the cybersecurity program supports the DoD’s vision of effective operations in cyberspace where:

  • DoD missions and operations continue under any cyber situation or condition.
  • The IT components of DoD weapons systems and other defense platforms perform as designed and adequately meet operational requirements.
  • The DoD Information Enterprise collectively, consistently, and effectively acts in its own defense.
  • The DoD has ready access to its information and command and control channels, and its adversaries do not.
  • The DoD Information Enterprise securely and seamlessly extends to mission partners.  

Managing cybersecurity risk is a complex task that warrants the involvement of the entire organization. Cybersecurity risk management is a subset of the overall risk management process for all DoD acquisitions, which includes cost, performance, and schedule risk associated with the execution of all programs of record, and all other acquisitions of DoD. The risk assessment process extends to the logistics support of fielded equipment and the need to maintain the integrity of supply sources.

Control Systems (CS) range from building environmental controls to large-scale systems such as the electrical power grid, and are often integrated with mainstream organizational information technology (IT) systems to promote connectivity, efficiency, and remote access capabilities. This level of interconnectivity poses security, operability, and reliability threats. Within the DoD, there are an estimated 2.5 million unique control systems that are used in over 300,000 buildings (each building may have 5-20 subsystems such as HVAC, lighting, fire, etc.) and over 250,000 linear structures (airfield lighting, pipeline, rail, etc.).

The DoD's Unified Facilities Criteria (UFC) 4-010-06, Cybersecurity of Facility-Related Control Systems, provides criteria for including cybersecurity in the design of control systems so that appropriate Risk Management Framework (RMF) security controls are addressed during design and subsequent construction.

ESTCP recently hosted a webinar on cybersecurity that included an overarching presentation on DoD’s cybersecurity program and two presentations from ESTCP’s ongoing cybersecurity-related Energy and Water projects:

  • The DoD Perspective on Cyber Security and its Impacts on Installation Energy Management, by Dr. Michael Chipley from The PMC Group LLC 
  • Cyber Security of Control Systems and its Impacts on Installation Energy Management (EW-201607) by Mr. Kevin Jordan from Resurgo, LLC. The objective of this project is to demonstrate an intrusion-tolerant, cyber-secure defense-in-depth of an electrical power plant against attacks representative of Tier V/Nation-state actors. This project will demonstrate to the DoD and commercial energy providers a new capability to mitigate and recover quickly from online and insider cyber activities directed against SCADA (Supervisory Control and Data Acquisition) infrastructure.
  • Cyber-Security Integrity for Electric Grid Facilities Management (EW-201608) by Dr. Daniel Quinlan from Lawrence Livermore National Laboratory. The objective of this project is to demonstrate how to mitigate the risk of a cyber-attack from software upgrades to both critical electric grid infrastructure and building automation systems.

An archived version of the webinar and its associated presentation material is available on the SERDP and ESTCP website.