HVAC units and fire alarms and electricity monitors used to be just simple additions to brick-and-mortar facilities that could be protected by physical security.
With the advent of cyber and the interconnectivity of everything from watches to refrigerators, that reality is a thing of the past and the Defense Department is playing catch up.
The Pentagon is still at pains to protect those facilities even after it received warnings about them years ago.
Now DoD estimates it could cost more than a quarter of a billion dollars to identify, register and implement current vulnerabilities over the next four years in facilities control systems.
A report from the Defense undersecretary for acquisition and sustainment predicts it will cost between $11 million and $96 million per military service to complete all the requirements laid out in current memorandums and instructions to get facilities-related control systems cybersecure.
Estimated costs include an inventory of control systems, meeting risk management framework requirements, training, mitigation manpower and equipment and the operation and maintenance sustainment of the systems.
“These new estimates are the best and most accurate in the facilities-related control systems space; however, most services have not completed a full inventory of systems,” the report to Congress stated.
The report continues to state the inventory is incomplete because DoD is lacking the tools and expertise necessary to perform the work.
“Consequently, cost estimates will likely increase as more systems are discovered outside of the highest priority systems currently under assessment and remediation,” the report reads.
The Pentagon was supposed to deliver a plan for the evaluation of cyber vulnerabilities of critical infrastructure six months after the enactment of the 2017 defense authorization bill.
The Pentagon still has not delivered the plan and requested an extension.
The plan is supposed to identify each of the military installations that need to be evaluated and how much it would cost to evaluate them.
“Several key areas are identified for immediate protection, notably the nuclear strike capability, as well as standardizing protection for all DoD networks to ensure mission availability, along with additional education efforts aimed at DoD culture change toward cyber operations and cybersecurity,” the report stated.
As of 2016, an assessment from the assistant secretary of defense for energy, installations and environment found DoD facilities had numerous attack surfaces that contained both cyber and physical vulnerabilities.
Even before that assessment, some in DoD were flashing caution lights about facilities and control systems cyber issues.
In 2015, then-acting Assistant Defense Secretary for Energy, Installations and Environment John Conger said DoD does not have an executable strategy to inform base commanders and other DoD leaders how to protect, prevent and mitigate cyber attacks on department maintained buildings.
“People are sitting there wondering ‘What the heck am I supposed to do?’” Conger said Nov. 17 at the Federal Facilities Council Building Control Systems Cyber Resilience Workshop in Washington. “We need to be able to team up with everybody to let everybody know what they need to do and get our arms around this problem. … The problem is real and ignoring it is not going to solve anything.”
Conger brought up some of the same issues in the report as well.
He said one of the reasons DoD does not have a strategy for the cybersecurity of its buildings is that it does not have an inventory of building systems that are vulnerable to cyber attacks in the first place.
“There are any number of [industrial control systems] in a building … and who knows, you plug into one port and the password will be ‘password’ or there won’t even be a password,” Conger said. “There are vulnerabilities everywhere and we don’t have an inventory.”
In addition, Conger said he does not have the labor that is skilled in both building maintenance and IT security.