For mobile, landscape view is recommended.
As long as DOD uses outside contractors to design, construct, and operate FRCS, it is vitally important that contractors and vendors become part of the cybersecurity solution, starting with the supply chain and ending with proper disposal of obsolete equipment. Cybersecurity of the FRCS begins in the planning and design phases; it is imperative that the FRCS design and construction teams understand the NIST RMF process and the various documents and artifacts associated with an Authorization package. The PIT Control System Cybersecurity Lifecycle is shown in Figure 1.
Figure 1 - FRCS Cybersecurity Lifecycle
Review Key Design Documents
FRCS Project Teams are required to demonstrate the capability to achieve a Risk Management Framework (RMF) Cybersecurity Authorization for their system, components and devices. The IE and ESTCP Program Office can provide a Cybersecurity Subject Matter Expert to assist the Project Teams to understand the RMF process and create the documentation required. The following key documents should be reviewed by the Project Team, starting with the UFC 04-010-06 document:
In general, the Project Teams will go through the basic steps below, a key objective is to provide the MINIMAL documentation necessary to achieve the RMF capability:
DESIGN AND CONSTRUCTION RESOURCES
The FRCS consultants shall comply with the FRCS UFC’s, UFGS, and services/agencies latest construction specifications for FRCS, found on the Whole Building Design Guide, and augmented by other service/agency Policies and Directives. Additional sections shall be prepared by the designer as necessary to suit the project requirements.
The Whole Building Design Guide Cybersecurity Resource Page provides current best cybersecurity practices and references for all types of building control systems and links to several tools to support the development of the RMF IA package and documentation.
ROLES AND RESPONSIBILITIES
REQUIREMENTS FOR SUBJECT MATTER EXPERTS
The FRCS should be designed and engineered by qualified Control System Cybersecurity, Information and Communication Technology, and System Integration specialists complying with the requirements listed below.
Control Systems Cybersecurity Specialist
The Control Systems Cybersecurity specialist shall have a minimum of five years’ experience in control system network and security design and shall maintain current certification as a Global Industrial Cyber Security Professional (GISCP) or Certified Information Systems Security Professional (CISSP). The Control Systems Cybersecurity specialist must have demonstrated knowledge and experience applying IT and OT security strategies such as the application of the NIST security controls, exploitation techniques and methods, continuous monitoring, and utility/building control systems design. The résumé of the specialist must be submitted to the ESTCP Project Manager (PM) for review and approval prior to the concept phase of the project. The qualifications of the firm for whom the specialist works must also be submitted with the résumé.
Information and Communication Technology Specialist
The Information and Communication Technology specialist shall have a minimum of five years’ experience in control system network and security design and shall maintain current certification as a Registered Communications Distribution Designer (RCDD®). The Information and Communication Technology specialist must have demonstrated knowledge and experience applying IT and OT security strategies such as the application of the NIST security controls, cable network design and installation, project management, and data center design. The résumé of the specialist must be submitted to the ESTCP Project Manager (PM) for review and approval prior to the concept phase of the project. The qualifications of the firm for whom the specialist works must also be submitted with the résumé.
System Integration Specialist
The System Integration specialist shall have a minimum of five years’ experience in control system network and shall maintain current certification as a Certified System Integrator (CSI) for the products they are integrating (Tridium, Johnson Controls, Wonderware, Schneider, Schweitzer Engineering Laboratories, Rockwell, etc.) and/or be Control System Integrators Association (CISA) Certified. The System Integrator specialist must have demonstrated knowledge and experience applying IT and OT security strategies such as the application of the NIST security controls, BAS design and installation, project management, quality assurance and commissioning. The résumé of the specialist must be submitted to the ESTCP Project Manager (PM) for review and approval prior to the concept phase of the project. The qualifications of the firm for whom the specialist works must also be submitted with the résumé.
TYPICAL FRCS PORTS, PROTOCOLS AND SERVICES
DoDI 8551.01, Ports, Protocols, and Services Management (PPSM), establishes PPSM support requirements for configuration management and continuous monitoring. This includes discovery and analysis of PPS to support near real time command and control of the DOD Information Network (DODIN) and Joint Information Environment (JIE), and coordination with the local network and communications community to ensure they add control system PPS. Examples of FRCS PPS include: