The Defense Department is lacking strategy, funding and skilled labor to protect its buildings and building systems from cyber attacks.
DoD does not have an executable strategy to inform base commanders and other DoD leaders how to protect, prevent and mitigate cyber attacks on department maintained buildings, said John Conger, the acting assistant defense secretary for Energy, Installations and Environment.
“People are sitting there wondering ‘What the heck am I supposed to do?’” Conger said Nov. 17 at the Federal Facilities Council Building Control Systems Cyber Resilience Workshop in Washington. “We need to be able to team up with everybody to let everybody know what they need to do and get our arms around this problem. … The problem is real and ignoring it is not going to solve anything.”
DoD has more than 300,000 buildings under its umbrella, Conger said. A DoD chief information officer directive puts the developer of a platform in charge of its IT cybersecurity. That means DoD’s installations department is responsible for the cybersecurity of its buildings.
“This is one of those crossover issues, it’s not quite just IT and it’s not quite just building stuff… it’s not just a traditional IT world issue,” Conger said.
Buildings, however, are just as susceptible to cyber attacks as any other electronic platform. Not only can hackers get into systems such as heating, ventilation and cooling and electrical grids, but they can also use that access to reach more critical infrastructure, compromising intelligence and safety.
Conger said one of the reasons DoD does not have a strategy for the cybersecurity of its buildings is that it does not have an inventory of building systems that are vulnerable to cyber attacks in the first place.
“There are any number of [industrial control systems] in a building … and who knows you plug into one port and the password will be ‘password’ or there won’t even be a password,” Conger said. “There are vulnerabilities everywhere and we don’t have an inventory.”
In addition, Conger said he does not have the labor that is skilled in both building maintenance and IT security.
He likened it to auto repair: before cars used computers, a mechanic could look at basically any car and figure out the problem. Now, mechanics need to be trained to use devices at dealerships that plug into cars to diagnose certain computer problems.
Conger said DoD building maintenance now is at a similar crossroads where its employees need both mechanical and computer skills.
That poses a significant problem when DoD’s funds aren’t even covering what is needed to maintain bases and buildings.
Conger said DoD is already running a risk with basic building maintenance alone because it is underfunded.
“Cyber threats are getting a lot of attention in the department, [U.S. Cyber Command] is getting plenty of money,” Conger said. But the subset of building cybersecurity is not.
Conger has been nominated to be the next DoD deputy comptroller.
Conger said DoD needs to bring together people who are “bi- and tri-lingual,” who speak building maintenance language, IT language and “Pentagonese,” to come up with an executable strategy for DoD installations. That may take the form of a policy, a manual or something else.
Conger noted that implementing the risk management framework (RMF) is a start, but eventually DoD is going to have to sink some real money into building cybersecurity.
The RMF is a common information security framework for the federal government and its contractors.
DoD began its transition to the RMF in March 2014. DoD required the establishment and use of an integrated enterprise-wide decision structure for cybersecurity risk management and a three-tiered risk management approach.
DoD recently released a guidebook for program managers on how to implement RMF into program lifecycle plans.
Conger said the J-Basics, a procedures and practices guideline for cyber attack prevention and mitigation, was another good step.
J-Basics will be released in its final version on Jan. 5, 2016, said Frank Honkus, lead cyber analyst at Command Post Technologies.
The procedures will eventually be released to the private sector.
Other government agencies have tried to get ahead of the building cybersecurity problem. The General Services Administration proposed rules on building cybersecurity as long ago as five years. Conger said building cybersecurity is easier for other agencies, however.
He said even GSA only has about 1,500 buildings, compared to the 300,000 DoD maintains.