The DoD follows industry and DISA best practices and guidance for designing and operating Telecommunications and Networks. Currently, the DoD is transitioning to the Joint Information Environment (JIE) as defined by Department of Defense Instruction 8530 Cybersecurity Activities Support to DoD Information Network Operations March 2016. DISA, as the lead agency for implementing the JIE, has developed guidance and STIG’s for telecommunications and network components. A second technological objective of DoD is to implement IPv6 and use optical fiber networks to reduce the total cost of ownership of the IT infrastructure. For DOD facilities, this is enables multiple benefits; AMI connections can now support Multi-Protocol Layer Switching (MPLS) for real time demand and supply of electrical power and Microgrids, reduces the number of Telecom Distribution Rooms and associated HVAC cooling, and extends the length of a network segment from feet to miles.
This Guideline covers both the legacy Telecommunications and Networks, and the next generation Gigabit Passive Optical Networks (GPONs). The Unified Facility Criteria 3-580-01 Telecommunications Interior Infrastructure Planning And Design June 2016, provides the primary criteria; this chapter provides supplemental guidance related to cybersecuring the exterior and interior networks that transmit FRCS data.
If the FRCS project involves medical facilities, additional requirements may apply. The DoD and the Department of Veterans Affairs have joint responsibilities for military and veteran healthcare and over the next decade plan to construct multiple joint use facilities. The VA Telecommunications and Network Design Guide was updated in 2016 and coordinated with the Defense Health Agency Facilities Division and incorporated into the joint MIL Standard 1691 and Space and Equipment Planning Systems (SEPS) guides.
This Guideline provides specific requirements for Levels 3-5 of the 5 Level Control System Architecture outlined in UFC 4-010-06 Cybersecurity of Facility-Related Control Systems. FRCS network equipment in these levels includes all of the traditional IT Telecommunications and Network transport backbone, WAN, LAN, firewalls, routers, switches and wireless access points.lly deploy the tools to the new systems being added to the DoD network.
JOINT INFORMATION ENVIRONMENT (JIE)
The JIE vision is “a robust and resilient enterprise that delivers faster, better informed collaboration and decisions enabled by secure, seamless access to information regardless of computing device or location.”
“JIE is comprised of IT capabilities, operations and defense of those capabilities, and overall governance. The overall vision for the future DoD computing environment is the ability to deliver a standardized, agile, and ubiquitous set of computing capabilities available to all authorized users as part of a services-based Information Enterprise (IE). Computing and storage services will be delivered through a set of consolidated and interconnected Core Data Centers, Installation Processing Nodes, Special Purpose Processing Nodes, Tactical/Mobile Processing Nodes, and end-user devices that deliver cloud-based, on demand services while also continuing to support existing/legacy services and applications. The high-level goals are:
- Significantly reduce the number of DoD data centers in support of the Federal Data Center Consolidation Initiative and the DoD IT Enterprise Strategy & Roadmap.
- Reduce excess hardware infrastructure in data centers by adopting virtualization technology and reducing the number of instances of multiple applications
- Reduce software redundancy and rationalize the software infrastructure through the implementation of standardized software platforms (including cloud platforms) that are continuously monitored and respond to emerging threats
- Make common applications and services (e.g., email, collaboration) available to all DoD users that are secure, highly scalable, and can be rapidly configured and deployed
- Ability to provide on-demand capacity and self-provisioned services that can scale, as required, to user needs
- A federation of “franchised” CDCs, IPNs, SPPNs, and TPNs with robust interconnectivity and global accessibility delivering services to all authorized users in all locations
- Authorized users can access needed information from anywhere from any authorized device. Data is visible, accessible and understandable based on security privileges
- Improved security posture and agility (ability to recover from unplanned events) of the computing infrastructure
- Ability to more readily adopt emerging commercial technologies, platforms and services
CYBERSECURITY ACTIVITIES TO PROTECT THE DoDIN - The DoD Component-owned or -operated portion of the DoDIN will be aligned with a NOSC and an integrated capability to conduct cybersecurity activities. This cybersecurity capability may be obtained from within a DoD Component or from an authorized external DoD Component service provider. Figure 1 provides a view of the alignment of systems and relationships between current DoD Component NOSC, USSTRATCOM, and the transition to the JIE
Figure 1 - Notional View of Current and Future Integration of Cybersecurity Activities
Network Operations and Security Center (NOSC) - The term NOSC will be used generically in this instruction for the various types and names used for network operations and security centers organized by joint or DoD Components to direct and manage operations and cybersecurity activities to protect the DoDIN, including JIE enterprise operations centers (EOCs).
Installation Processing Nodes (IPN) - A fixed DoD data center serving a single DoD installation with local services that cannot be (technically or economically) provided from a CDC. There will only be one IPN per DoD installation but each IPN may have multiple enclaves to accommodate unique installation needs (e.g., Joint Bases).
NOTE: The DoDIN Demarc to the installation/site is a IPN in the JIE.
Special Purpose Processing Nodes (SPPN) - A fixed data center or data servers in a fixed facility supporting special purpose functions that cannot or should not be supported by Core DCs or IPNs due to its association with mission specific infrastructure or equipment (e.g., Meteorology, Medical, Modeling & Simulation, Test Ranges, Classrooms, RDT&E, etc.).
NOTE: The PE Operations Center is a SPPN in the JIE.
Tactical Processing Nodes (TPN) - Tactical/Mobile Processing Nodes of the target state will provide services very similar to those of fixed Core DCs but are optimized for the tactical environment or deployable computing needs. TPNs will connect to the JIE network whether in garrison or deployed, but may do so in different ways (e.g., terrestrial fiber vs. satellite connectivity).
NOTE: Tactical Operational Energy Assets (Generators, Microgrids, Vehicles, Energy Storage Flywheels/ Fuel Cells/Batteries) can now be incorporated into the fixed ashore installation energy production services; a building UMCS could have a direct connection plugin for a Tactical Asset to provide backup or primary power. These would be a TPN in the JIE.
A notional illustration of the JIE with IPN, SPPN and TPN Platform Enclaves is shown in Figure 2.
Figure 2 – Notional JIE FRCS Platform IT Enclaves
Networked FRCS are those systems which have multiple controllers and can have both traditional IP traffic at the Level 3 and up, and Ethernet IP and serial traffic at the lower levels as defined by the UFC 04-010-06 Cybersecurity of Facility-Related Control Systems Reference Architecture Figure 5.1. Depending on the age and type of FRCS, these FRCS MAY have the capability for remote monitoring; almost all 2005 and newer FRCS are IP and web based and typically as part of the vendor service level agreement, most require remote access to the system for maintenance.
Non-networked FRCS are generally those that consist of a single controller, and do not have the capability for remote monitoring.
There are two types of networked FRCS; Internally Networked (IN), also designated as Closed Restricted Networks (CRN), which have multiple components networked together, but does not have a network connection to anything that is not part of the control system, and FRCS that are Externally Networked (EN), where the control system has multiple component networked together, and does connect to a network that is not part of the control system, most commonly the NIPR, Commercial Carrier/Internet, or separate government backbone network such as Navy PSNet or the Air Force CE Community of Interest Network Enclave (COINE), USMC, and the DHA Med COI.
DISA has developed an Enclave Security Technical Implementation Guide (STIG) and a Test and Development STIG: http://iase.disa.mil/stigs/net_perimeter/enclave-dmzs/Pages/enclave.aspx
If the FRCS is a EN (requires a connection to the DoDIN as defined by DoDI 8530.0), it will go through the full 6-step RMF process. If the FRCS is an IN and is a CRN, it can use the shorter Evaluate and Endorse process. Both IN and EN CS will follow the DoD Control Systems Reference Architecture levels as defined by UFC 04-010-06 Cybersecurity of Facility-Related Control Systems. Organizations will use a tailored set of security controls to evaluate automated control systems consistent with the RMF Assess & Authorize process through the implementation of the applicable controls in NIST SP 800-82R2.
US ARMY - If the FRCS Project will be on an Army installation, the Army master architecture is still in development, contact the ESTCP or IE offices for the most current guidance.
PUBLIC SAFETY NETWORK (PSNET) - If the FRCS Project will be on a Navy installation, the Navy master architecture is PSNet which provides the national, regional, and installation level backbone transport and is owned and managed by NAVFAC. The Navy PE is shown in Figure 3.
Figure 3 – Navy PSNet PE
AIR FORCE COMMUNITY OF INTEREST PLATFORM ENCLAVE (COINE) - If the FRCS Project will be on an Air Force installation, the AF master architecture is COINE which provides the national, regional, and installation level backbone transport and is owned and managed by AF CIO and Civil Engineers. The AF PE is shown in Figure 4.
Figure 4 – Air Force COINE PE
US MARINE CORPS - If the FRCS Project will be on an USMC installation, the UMCS master architecture provides the national, regional, and installation level backbone transport and is owned and managed by CIO and Public Works. The USMC PE is shown in Figure 5.
Figure 5 – USMC PE
DEFNSE HEALTH AGENCY - If the FRCS Project will be for a DHA facility, the DHA Medical Community of Interest (Med COI) Isolation Architecture provides the national, regional, and installation level backbone transport and is owned and managed by CIO and Facilities Division. The DHA Med COI PE is shown in Figure 6.
Figure 6 – DHA Med COI PE
NIPRNET AND COMMERICAL CARRIER NETWORKS - On Joint base, off-site commercial lease space, or VA facilities, the transport backbone could be the NIPRNET or commercial carriers. The PE Operations Center (OC) Inherits all of the security controls provided by NIPRNET or the commercial carrier. The OC is responsible for the FRCS network and supporting LANS.
OPERATIONS CENTER (OC) - The is the central point for all monitoring, controlling, programming, and service for all FRCS systems. The OC and FRCS HMI operators console provides the Continuous Monitoring capability, and is divided into the Production System, and the Test and Development Environment. All patches, requests for configuration changes, and verification of SCAP/ACAS scans are completed in the TDE before deploying to the Production system.
OPERATIONAL TECHNOLOGIES, WAN, LAN, WIRELESS
OPERATIONAL TECHNOLOGIES (OT) - Throughout industry, and informally within DoD, the term Operational Technology (OT) is used to differentiate control systems from traditional information systems (IS). Operational technology (OT) is hardware and software that detects or causes a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise. (Gartner OT http://www.gartner.com/itglossary/operational-technology-ot/). Other emerging terms related to control systems include Hybrid/Converged Systems, Cyber Physical Systems, the Internet of Things, and the Industrial Internet of Things.
WIDE AREA NETWORKS (WAN) - DISA provides the WAN backbone circuits for the Army and Air Force. PSNet is the WAN used across the Navy for national, regional and installation backbone transport. For joint use, off-site commercial lease space, and VA facilities, NIPRNET or commercial carriers provide the WAN. In general, the FRCS Project Team/System Integrator will only need to contact and coordinate with the PE for connection from the LAN to the appropriate WAN.
LOCAL AREA NETWORKS (LAN) - The local engineering function is responsible for FRCS LANs and other associated stand-alone networks. For FRCS projects that require use of the DoDIN, the Project Team/System Integrator should ensure that the FRCS cross-domain connections are secured; most FRCS are cross-connected to other facility or building control systems such as the Fire Alarm, Fire Suppression, and HVAC fire dampers; Stairwell and Elevator safe haven and Smoke Purge systems; Patient Comfort; and Weather systems, etc..
WIRELESS NETWORKS - Within the DoD and Navy PSNet master architecture, wireless networks and Land Mobile Radios are part of the approved backbone transport. Industry is also rapidly adopting wireless technologies to include 802.XX, Bluetooth, ZigBee, and HART. All wireless networks used within a FRCS must be FIPS 140-2 compliant.
PORTS, PROCTOCOLS AND SERVICES (PPS) - DoDI 8551.01, Ports, Protocols, and Services Management (PPSM), establishes PPSM support requirements for configuration management and continuous monitoring. This includes discovery and analysis of PPS to support near real time command and control of the DOD Information Network (DODIN) and Joint Information Environment (JIE), and coordination with the local network and communications community to ensure they add control system PPS. Examples of FRCS PPS include:
- Modbus: Master/Slave – Port 502
- BACnet: Master/Slave – Port 47808
- LonWorks/LonTalk: Peer to Peer – Ports 1628, 1629
- DNP3: Master/Slave – Port 20000
- ZigBee: Peer to Peer 2.4 GHz
- Bluetooth: Master/Slave 2.4 GHz
MEDICAL FACILITIES TELECOMMUNICATIONS AND NETWORK DESIGN REQUIREMENTS
DoD and the Department of Veterans Affairs provide healthcare services through a combination of on-site installation/campus and off-site clinics and Medical Office Buildings (MOB’s). The DoD and VA are also building joint use medical facilities. The connectivity between the facilities typically uses commercial telecommunications carriers (AT&T, Verizon, Sprint, etc.)
For joint DoD-VA projects, or where the VA builds a VA facility on a DoD installation, the System Integrator should review the VA Telecommunications Design Manual 2016 for Telecommunications and Network Design requirements and coordinate with the VA Construction Facilities Management office. As an example, in 2013, California was selected as the first ever joint Navy-VA Central California Health Care System (VACCHCS) site (http://www.fresno.va.gov/FRESNO/features/2013_11_22_JIF_.asp); and the VA Palo Alto Health Care System is building a new joint Community-Based Outpatient Clinic (CBOC) that is scheduled for opening spring 2017. (http://www.paloalto.va.gov/construction_monterey.asp).
Refer to UFC 3-580-01 01 Jun 2016 Change 1, 01 Jun 2016 and the VA Telecommunications Design Manual 2016 for Telecommunications and Network Design requirements.