Transcription
Facility Related Control SystemInventory07 November 2017Laura Vaglia, Office of the Assistant Chief of Staff forInstallation ManagementJey Castleberry, Pacific Northwest National LaboratoryUNCLASSIFIED / FOUO07 NOV 2017Leadership, Energy, and ExecutionMr. Marcus De La Rosa/703-806-6721 1
Learning Objectives Why is this inventory taking place? What are the program's overall cybersecurity objectives and howdoes this strategy accomplish them? What is my role within the FRCS process and what tools andtraining will be available to me?UNCLASSIFIED / FOUO07 NOV 2017Leadership, Energy, and ExecutionMr. Marcus De La Rosa/703-806-6721 2
ARMY CybersecurityFacility-Related Control SystemsLaura VagliaOffice of the Assistant Chief of Staff for Installation ManagementInformation & Technology Directorate
ARMY CybersecurityCommon Control edicalCivil
ARMY CybersecurityFacility-Related Control Systems(FRCS) Risks to the Army’s missioncaused by electronic systems Evolving understanding of risksand mitigation– 2014 DODI – Cybersecurity – RiskManagement Framework (RMF)– 2015 Army Directive RiskManagement Framework (RMF) forIT Systems– 2015 – ASA IEE directs IPT led byCIO-G6 for FRCS– 2016 – OSD Memo “Managing Cyberrisks to FRCS– 2017 – Task Force Cyber Strongestablished Army Approach– Governance under Army CyberspaceCouncil– New construction meets UFC forcybersecurity– Assess and Authorize systems– Inventory legacy based on risk– Address vulnerabilities
ARMY CybersecurityFRCS Exploitation VectorFrom FY2011 to FY2014 the number of cyber incidents reported to the Department of Homeland Services(DHS) involving industrial control systems increased from 140 to 243. In 2017, the City of Dallas experienced a cyber incident that activated 156 tornado sirens for one and ahalf hours. In 2015, Ukraine experienced a cyberattack that successfully compromise information systems ofthree energy distribution companies in Ukraine and temporarily disrupt electricity supply to the endconsumers. In 2014, a federal agency reported a cyber incident at a wastewater treatment plant. In 2013, the retailer Target experienced a breach in its payment card data, which the companybelieves occurred after intruders obtained a heating, ventilation, and air-conditioning system vendor’scredentials to access the outermost portion of its network. In 2010, a sophisticated computer attack known as Stuxnet was discovered that targeted controlsystems used to operate industrial processes in the energy, nuclear, and other critical sectors. In 2009, a security guard at a Dallas-area hospital loaded a malicious program onto the hospital’scomputers, one of which controlled the heating, ventilation, and air-conditioning control system for twofloors, which, according to court records, could have affected patients’ medications and treatments. In 2006, Los Angeles city employees hacked into computers controlling the city’s traffic lights, anaction that disrupted signal lights and caused substantial backups and delays.* Source: GAO Report 15-6 Federal Facility Cybersecurity
ARMY CybersecurityIncreased Interest for SecurityNew IT Regulations at DoD levelDoDI 8500.01 Cybersecurity All ICS have cybersecurity considerations and must be assessed forsecurity Establishes specific roles for ICS and ITDoDI 8510.10 Risk Management Framework Shifts from the current certification and accreditation process (DIACAP) Specifically addresses lifecycle cybersecurity risk of both IT and ICS Uses the NIST documents to identify actual security controls that must beappliedForce ProtectionNational Infrastructure Protection PlanGAO Report on securing critical infrastructureHigh profile exploitsStuxnet - computer worm that targets the types of industrial control systems(ICS) commonly used in infrastructure supporting facilities (i.e. power plants,water treatment facilities, gas lines, etc)Target Breach – implied entry was gained through HVAC system (actuallythrough improper access control)
FRCS CybersecurityMilestones Publishednew policyFeb 2017 – US Army’s Cybersecurity Strategy for Facility Related ControlSystems Inventory Existing Facility-Related Control Systems Assess and Enhance the Cybersecurity Posture Sustain Effective Cybersecurity Insure Adequate Resourcing May 2017 - Task Force Cyber Strong established toprovide overarching governance for control systems November 2017 – Implementation Guidance Issued ControlSystem Cybersecurity Technical Center ofExpertise – U.S. Army Corps of Engineers
FRCS CybersecurityInventoryThe US Army Engineering and Support Center, Huntsville(Huntsville Center), serving as the US Army Corps of Engineers(USACE) Technical Center of Expertise (TCX) for Control SystemCybersecurity, has developed a Control System InventoryMethodology.The inventory focuses on components/devices residing withinLevels 2-5 of the Control System Architecture referenced in UFC4-010-06, “Cybersecurity of Facility Related Control Systems”.The current inventory requirements focus is on devices that usethe Internet Protocol (IP) for communication.
ARMY CybersecurityAssessmentSix step RMF process – Risk decision is made by the Army CIO/G-6appointed Authorizing Official (AO)
ARMY CybersecurityAssessmentAssess Only Construct Assess & Approve for use Assess and approve for use but not added to an existing authorizationboundary Single Purpose Devices/Products where 6 step process against securitycontrols is not required. (e.g. noise canceling headsets, calibration tools) IT Services evaluated against an identified standard (e.g. DoD Cloudcomputing Security Requirements Guide (SRG)) Assess & Incorporate Assess and then incorporated into an existing authorization boundary Hardware – devices or products with embedded software may not need toundergo the full categorization, selection and tailoring process. (e.gcontrol sensors/operational technology) Applications – assessed using vulnerability scans, industry standards (e.g.software independent of operating system)
ARMY CybersecurityAssessmentWhat is the Risk? Availability is a priority attribute for control systems What is the likelihood that availability will be compromised What is the impact on the mission if the service is notavailable, for whatever reasons Technology Nature Man made Dependencies must be considered, not just the originallocation Integrity and confidentiality need to be considered Quality of service Security of transmission
Assistant Chief of Staff for Installation ManagementQUESTIONS?
CONTACT INFORMATIONAssistant Chief of Staff for Installation ManagementDenise FaldowskiOACSIM Operations Directoratedenise.m.faldowski.civ@mail.milDan ShepardUSACE Huntsville CenterDaniel.A.Shepard@usace.army.milSally DixonCIO/G6 Cybersecurity Directoratesally.a.dixon6.civ@mail.milLaura VagliaOACSIM Information & Technology Directoratelaura.s.Vaglia.civ@mail.milNovember 2017
Levels 2-5 of the Control SystemArchitecture referenced in UFC 4-010-06, “Cybersecurity of Facility Related Control Systems”. The current inventory requirements focus is on devic
