Insight by Tenable

Naval Facilities Engineering Command keeps OT, IT separate to reduce cyber risks

Software-Defined Networking

“One of the most compelling things that we are finding out about software-defined networking is it enables us to react and restore in such a way that, even if you forget about whether there was a cybersecurity incident or not, but just say that there was an incident, something happened and the control systems went down for whatever reason, regardless of whether it was a cyber incident, the ability to react and actually respond and recover and restore are critical,” Baker said.

For the Naval Facilities Engineering Command, the realization that operational technology, such as the systems that run building controls and connected sensors, is as vulnerable as its better-known cousin, information technology, came long before most organizations recognized the risk.

The Navy received millions of dollars under the 2009 Recovery Act to modernize bases, including installing green technology such as solar panels.

For instance, the Navy pursued renewable energy back in the early 2010s to deliver resilience and security as well as lower costs, making it less reliant on traditional forms of electricity generation.

Knowing the risks of putting operational technology on a general-purpose network, NAVFAC created a dedicated, secured enclave for these systems to run in.

Rob Baker, the command information officer for the Naval Facilities Engineering Systems Command, said operational technology has always been there, but what is different today is how it has evolved and how it now fits into the Navy’s risk management effort.

“Back in maybe 2013 or 2014 timeframe, NAVFAC created an operational technology program office, and when the DoD 8500 [the cybersecurity risk management framework] came out, about two years later, we started to look at it and say this is now required to have a risk management framework activity done on it. So this emergence and the cybersecurity kind of grew together over the last seven or eight years,” Baker said on Ask the CIO sponsored by Tenable. “What’s happened over that time is that we’ve had to grow both the technology aspect and the cybersecurity aspect [of operational and information technologies]. In concert with each other–the larger Department of Defense and working with the Air Force and the Army and with us–we put together a unified facilities criteria for the employment of these technologies in buildings. So whether it was just a maintenance project, sustainment of an existing set of control systems or a bigger project like a military construction project, this unified facilities criteria was established and signed out in 2016. All of the Department of Defense uses that, so we’re making sure the requirements for these [products] are cyber secure.”

Baker said the DoD-wide criteria ensured uniformity and the ability to do risk management of this operational technology hardware and these devices.

“We created kind of a defense-in-depth strategy to deal with this and enclave off the different types of systems into their various enclaves,” he said. “We’ve completely isolated all of our operational technology on its own platform. So that’s one key thing: we don’t allow the public internet to touch this platform. That helps us a lot, as we’re monitoring what’s going on.”
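The isolation rule Baker describes, and the monitoring that goes with it, as an added example that is not code from the original page or from NAVFAC: a small Python audit that checks flow records against a hypothetical enclave policy. The enclave range 10.50.0.0/16, the management subnet 10.200.8.0/24, the allowed ports and every log line are assumptions made for this example. The rule enforced is the one in the quote: only the enclave's own hosts and an allowlisted facilities-operations-center network on known ports may talk to the platform, and any address outside RFC 1918 space is treated as the public internet and flagged as critical.

```python
"""Audit constructed flow records against a hypothetical OT-enclave policy."""
import ipaddress
from collections import Counter

# Hypothetical policy values (assumptions for this example, not NAVFAC's real layout).
ENCLAVE = ipaddress.ip_network("10.50.0.0/16")        # control systems platform enclave
MGMT_SUBNET = ipaddress.ip_network("10.200.8.0/24")   # facilities operations center
ALLOWED_MGMT_PORTS = {443, 47808}                     # ops console over TLS, BACnet/IP
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_public(addr):
    """Anything outside RFC 1918 space is treated as the public internet."""
    return not any(addr in net for net in RFC1918)


def parse_flow(line):
    """Parse one constructed record of the form '<ts> <src> <dst> <proto> <dport>'."""
    ts, src, dst, proto, dport = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": int(dport)}


def classify(flow):
    """Return None for an allowed flow, otherwise a (severity, reason) pair."""
    src, dst = flow["src"], flow["dst"]
    src_in, dst_in = src in ENCLAVE, dst in ENCLAVE
    if not (src_in or dst_in):
        # A mirror of the enclave tap should never carry traffic that touches no enclave host.
        return ("medium", "flow with no enclave endpoint seen on the enclave tap")
    if src_in and dst_in:
        return None                      # intra-enclave traffic is the normal case
    peer = dst if src_in else src        # the non-enclave side of the conversation
    if is_public(peer):
        return ("critical", "enclave traffic to/from public internet: %s" % peer)
    if peer in MGMT_SUBNET and flow["dport"] in ALLOWED_MGMT_PORTS:
        return None                      # allowlisted management path
    if peer in MGMT_SUBNET:
        return ("high", "management subnet on non-allowlisted port %d" % flow["dport"])
    return ("high", "enclave traffic to/from non-allowlisted private peer %s" % peer)


def audit(lines):
    """Run every record through the policy and collect the findings in order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict:
            findings.append({"ts": flow["ts"], "severity": verdict[0], "reason": verdict[1],
                             "src": str(flow["src"]), "dst": str(flow["dst"])})
    return findings


# Constructed sample records, not real telemetry. 198.51.100.0/24 is a documentation
# range used here only as a stand-in for a public address.
SAMPLE_FLOWS = """
2024-03-01T10:00:01Z 10.50.3.21 10.50.3.1 udp 47808
2024-03-01T10:00:04Z 10.200.8.15 10.50.3.21 tcp 443
2024-03-01T10:00:09Z 10.200.8.15 10.50.3.21 tcp 22
2024-03-01T10:00:12Z 10.50.7.9 198.51.100.7 tcp 443
2024-03-01T10:00:15Z 10.50.7.9 192.168.40.2 tcp 445
2024-03-01T10:00:20Z 172.16.5.5 10.200.8.15 tcp 443
"""

if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS.splitlines())
    for f in results:
        print(f["severity"].upper(), f["ts"], f["src"], "->", f["dst"], f["reason"])
    print(Counter(f["severity"] for f in results))
```

The severity ordering is deliberate: a single enclave conversation with a non-RFC 1918 address is the one event that contradicts the stated policy outright, so it is never downgraded by port or protocol, while an unexpected port from the management subnet is a policy gap to fix rather than evidence of exposure.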

Vulnerabilities still exist

Baker said the enclave still uses routers, switches and servers so there are cybersecurity concerns and challenges. But because the devices basically run in a private cloud, NAVFAC has reduced its risks.

“We still have to perform patch updates. We just need to do them, let’s just say, through the sneakernet,” he said.
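Sneakernet patching moves the trust problem from the network to the removable media: the enclave side has to be able to tell that what arrived is exactly what was staged on the connected side. As an added example, not NAVFAC's tooling or anything from the original page, the Python below builds an authenticated manifest (SHA-256 per file, HMAC-SHA256 over the whole manifest) on the staging workstation and verifies it inside the enclave, rejecting modified, missing or unlisted files, a manifest edited without the key, and a bundle identifier other than the one expected. The directory layout, file names, bundle identifier and pre-shared key are constructed for the example.

```python
"""Build and verify an authenticated manifest for a sneakernet patch bundle."""
import hashlib
import hmac
import json
import os
import tempfile

# Assumption for this example: one 256-bit key is provisioned on the connected
# staging workstation and inside the enclave. HMAC keeps the example to the
# standard library; a detached signature from an offline private key, with only
# the public key inside the enclave, is the stronger design.
CHUNK = 1 << 20


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body):
    # Deterministic encoding so both sides compute the MAC over identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(bundle_dir, key, bundle_id):
    """Connected side: hash every file under bundle_dir and MAC the result."""
    entries = {}
    for root, _, files in os.walk(bundle_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, bundle_dir)
            entries[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    body = {"bundle_id": bundle_id, "files": entries}
    return {"body": body, "hmac_sha256": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_bundle(bundle_dir, manifest, key, expected_bundle_id=None):
    """Enclave side: returns (ok, problems). Authenticates the manifest before trusting it."""
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("hmac_sha256", "")):
        return False, ["manifest authentication failed; refusing to check files"]
    body, problems = manifest["body"], []
    if expected_bundle_id is not None and body["bundle_id"] != expected_bundle_id:
        problems.append("bundle_id mismatch (possible replay of an older bundle)")
    on_disk = set()
    for root, _, files in os.walk(bundle_dir):
        for name in files:
            on_disk.add(os.path.relpath(os.path.join(root, name), bundle_dir))
    listed = set(body["files"])
    problems += ["missing: %s" % rel for rel in sorted(listed - on_disk)]
    problems += ["unlisted file present: %s" % rel for rel in sorted(on_disk - listed)]
    for rel in sorted(listed & on_disk):
        if sha256_file(os.path.join(bundle_dir, rel)) != body["files"][rel]["sha256"]:
            problems.append("hash mismatch: %s" % rel)
    return not problems, problems


def demo():
    """Constructed bundle in a temp dir: clean check, tampered media, forged manifest."""
    key = hashlib.sha256(b"example pre-shared key, not for production").digest()
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "plc"))
        with open(os.path.join(d, "plc", "firmware.bin"), "wb") as f:
            f.write(b"\x7fELF constructed firmware image")
        with open(os.path.join(d, "hmi-patch.msi"), "wb") as f:
            f.write(b"constructed installer bytes")
        manifest = build_manifest(d, key, "2024-03-patch-07")
        clean = verify_bundle(d, manifest, key, "2024-03-patch-07")
        # Tampering on the removable media: one file modified, one file added.
        with open(os.path.join(d, "hmi-patch.msi"), "ab") as f:
            f.write(b"\x90")
        with open(os.path.join(d, "extra.exe"), "wb") as f:
            f.write(b"not in manifest")
        tampered = verify_bundle(d, manifest, key, "2024-03-patch-07")
        # Forgery: the manifest body is edited to match the modified file, without the key.
        forged = json.loads(json.dumps(manifest))
        forged["body"]["files"]["hmi-patch.msi"]["sha256"] = sha256_file(os.path.join(d, "hmi-patch.msi"))
        forged_result = verify_bundle(d, forged, key)
    return clean, tampered, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result)
```

Two points carry over to any real sneakernet process: verify the manifest's authenticity before reading anything else from the media, so an attacker who can write to the media cannot steer the check, and pin the expected bundle identifier, since an old bundle with a valid MAC is exactly what a downgrade attempt looks like.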

At the same time, because the devices run in a private cloud, the command can also take advantage of tools and software that give it real-time situational awareness of the devices and the network.

“We have created this thing that we call the control systems platform enclave. It is a suite of equipment that does two things: One, it allows the operators, the public works department folks, the ability to operate their control systems from a remote location, so that they don’t have to go out and set the thermostat manually. Second, it also allows things like security and access control to the facilities, and it allows for fire alarms, and things like that to be remotely managed,” Baker said. “It also allows us to do continuous monitoring of these control systems, so that we know if something is not operating as it’s supposed to.”

Baker said the control systems platform enclave isn’t just about cybersecurity; it is also about meeting the Navy’s mission goals.

“The operators of the equipment can manage these remotely from a facilities operations center and they can see if [it is] in spec or in threshold, or maybe send the trouble team out if they see that some HVAC, for example, has its pressure incorrect in one of the valve areas or something like that,” he said. “At the core of this, we maintain this ability to maintain a situational awareness of the cybersecurity posture of the systems as well. And recently, we’ve started to pilot or prototype software-defined networking in a couple of locations that are looking very promising in order to even further isolate these from the internet.”

Software-defined networking is the future

By implementing SDN, NAVFAC can fix network problems or address cyber incidents more quickly.

“The other thing that we’re doing in concert with that is model-based systems engineering. We have a control systems test bed, at our Warfare Center in Portland, Calif., where we’re able to take the software-defined networking, marry it up with our lab scenarios, and try to drill holes to find out what is going to happen if this happens, how are we going to train and respond so we can establish, in accordance with the U.S. Cyber Command, some of the advanced cybersecurity tactics, techniques and procedures for industrial control systems,” he said. “I’ve got to give a quick shout out to the Department of Energy because we partnered closely with several of their national labs, Sandia, Idaho and Pacific Northwest, with this to try to improve not only the cybersecurity but the operational abilities of the control systems.”

Baker added that, because many of these control systems are getting smarter, moving to SDN is becoming easier.

Data driving decisions

Along with SDN, NAVFAC is trying to take more advantage of its data to drive decisions.

Baker said the command’s chief data officer works in his office and is leading an effort to create and manage an enterprise data warehouse.

“We are putting together the ability to use business intelligence and analytics to perform multiple things, including trend analysis within our data related to the risk management framework, and what security controls are there that maybe are repeatedly having the same types of issues, and then we can look at how can we go and maybe make that a high payoff target because here’s a trend, so let’s go attack it,” he said. “Another way is when control systems are going through the six-step RMF process, probably the most tedious step is step three, which is where all of the controls are applied to the system that were previously agreed upon between us as the cybersecurity lead, and then the owners in the public works department of the control systems. So what are the technical trends that are happening within our environment that we need to pay attention to [and] shore up? The most revolutionary thing that we’re beginning to do with data [is] to drive artificial intelligence and machine learning to actually take an action on behalf of the human being, if the speed is necessary, to mitigate some type of activity that may be occurring within the enclave.”

This also means NAVFAC needs to have employees who can use the software tools to analyze the data.

“We have employed some data scientists to come in and take a look at the data itself and try to help us understand which data are more important, which data lacks quality, which is very important to make sure that the data is not being inputted incorrectly,” Baker said. “There’s a lot of data and a lot of it’s not that high quality in some cases. We’ve also worked on improving the quality of the data to get better quality-based decisions, made with facts and with good insight through business analytics.”

Featured speakers

  • Robert Baker, Command Information Officer, Naval Facilities Engineering Systems Command
  • Jason Miller, Executive Editor, Federal News Network