Through the ESTCP effort, the project team demonstrated Building Automation System Enumeration and Configuration (BASEC)'s capabilities for identifying vulnerable and misconfigured building energy systems associated with DoD building and energy infrastructure.

The objectives for the ESTCP effort were as follows:

• Provide secure evaluation of system configurations against Risk Management Framework (RMF) requirements
• Demonstrate ability to automate and track RMF compliance
• Show ease of deployment-design for use by installation/facility control engineers
• Accomplish configuration and compliance auditing in seconds instead of weeks
• Incorporate BASEC with current DoD network solutions with no architecture changes required
• Generate automated reports to identify compliant/non-compliant configuration details
• Provide an enterprise solution that ensures system compliance against RMF requirements
• Identify savings in cost acquisition by imposing configuration standards prior to deployment of new/upgraded building energy systems
• Identify savings in cost associated with manual evaluation for obtaining authority to operate versus the BASEC automated evaluation capability
• Integrate BASEC with Authority to Operate procedures to enhance capabilities and decrease liabilities

To protect against cyber-based attacks, it is critical that the DoD identify misconfigured and exposed devices that monitor and control building energy systems. The BASEC capability provides a solution that establishes and enforces cyber security standards for military installation building and energy systems.

BASEC provides a scalable means to identify, baseline, and certify the cyber security configuration for building automation systems. The heart of BASEC is a secure, cloud-based analysis engine that examines and compares submitted configuration and deployment files against established RMF criteria. QED Secure Solutions has developed algorithms that enumerate configuration parameters and compares them against established acceptance criteria.

BASEC was designed for ease of use and deployment. For implementation, there are no architecture changes required for the building automation systems. Configuration files are uploaded to the BASEC analysis engine and evaluation is accomplished via BASEC processing. As a result, the system-level configuration can be analyzed without risk to impacting system operations.

BASEC demonstrated the ability to meet the technical and performance objectives for the ESTCP onsite demonstration. For the evaluated buildings, BASEC successfully identified 100% of system device configurations, weak configurations, and changes to configurations. BASEC also produced valid reports based on findings and demonstrated a functional web-based interface management.

The following performance metrics demonstrate the effectiveness of deploying BASEC:

• Average time to perform automated analysis (50 seconds)
• Number of vendors (4)
• Average time to train personnel to be proficient using BASEC (1 hour)
• Coverage of assets (100%)

BASEC was able to transform a manual process of evaluating system configurations that traditionally takes weeks to less than a minute. BASEC also demonstrated effective coverage of the four major building automation vendors that were observed at the six military installations.

Findings from the BASEC ESTCP demonstration indicate potential substantial savings to the DoD, while enhancing capabilities. BASEC savings realization include:

• Training: Fully trained on BASEC in one hour vs. assessments requiring cyber operators that must go through extensive training
• Personnel Requirements: Designed for use by installation/facility control engineers
• Time for Assessment: System configuration analyzed in seconds vs. weeks
• Analysis: Consistent findings mapped to defined requirements
• Operational Impacts: Significant potential cost savings with enhanced efficiency and granular results