PRE-DESIGN

As long as DOD uses outside contractors to design, construct, and operate FRCS, it is vitally important that contractors and vendors become part of the cybersecurity solution, starting with the supply chain and ending with proper disposal of obsolete equipment. Cybersecurity of the FRCS begins in the planning and design phases; it is imperative that the FRCS design and construction teams understand the NIST RMF process and the various documents and artifacts associated with an Authorization package. The PIT Control System Cybersecurity Lifecycle is shown in Figure 1.

 

Figure 1 - FRCS Cybersecurity Lifecycle

Review Key Design Documents

FRCS Project Teams are required to demonstrate the capability to achieve a Risk Management Framework (RMF) Cybersecurity Authorization for their system, components and devices. The IE and ESTCP Program Office can provide a Cybersecurity Subject Matter Expert to assist the Project Teams to understand the RMF process and create the documentation required. The following key documents should be reviewed by the Project Team, starting with the UFC 04-010-06 document:

• UFC 04-010-06 Cybersecurity of Facility-Related Control Systems (available online at http://www.wbdg.org)
• CNSSI 1253, Security Categorization And Control Selection For National Security Systems 2014
• Department of Defense Instruction 8500.01, Cybersecurity, March 2014 (available online at http://www.dtic.mil)
• Department of Defense Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), March 2014 (available online at http://www.dtic.mil)
• Department of Defense Instruction 8530 Cybersecurity Activities Support to DoD Information Network Operations March 2016 (available online at http://www.wbdg.org/pdfs/DODI_853001_2016.pdf)
• Department of Defense Industrial Control Systems Advanced Tactics, Techniques and Procedures Jan 2016 (available online at http://www.wbdg.org/pdfs/jbasics_aci_ttp_2016.pdf)
• National Institute of Standards and Technology Special Publication 800-53 R4 Security and Privacy Controls for Federal Information Systems and Organizations 2013
• National Institute of Standards and Technology Special Publication 800-82 R2 Guide to Industrial Control Systems (ICS) Security 2015
• UFC 3-580-01 Telecommunications Interior Infrastructure Planning And Design June 2016
• UFGS 25 10 10 Utility Monitoring And Control System (UMCS) Front End And Integration (available online at http://www.wbdg.org)
• UFGS 23 09 00 Instrumentation and Control for HVAC (available online at http://www.wbdg.org)
• UFGS 23 09 23.01 LonWorks® Direct Digital Control for HVAC and Other Building Systems (available online at http://www.wbdg.org)
• UFGS 23 09 23.02 BACnet Direct Digital Control for HVAC and Other Building Systems (available online at http://www.wbdg.org)
• Whole Building Design Guide Cybersecurity Resource Page (http://www.wbdg.org/resources/cybersecurity.php)

In general, the Project Teams will go through the basic steps below, a key objective is to provide the MINIMAL documentation necessary to achieve the RMF capability:

1. Identify the Platform Enclave(s) that will be the project sponsor/host
2. Identify the System Owner (typically the Facilities group) and supporting CIO/Telecommunications Backbone (NIPRNET, PSNET, Commercial Carrier, vendor wireless, etc.)
3. Determine if the project will be a Closed Restricted Network (CRN) also known as a Stand-Alone Network, or will require connectivity to the DoD Information Network (DoDIN), or external commercial carrier
4. Determine the Confidentiality-Integrity-Availability Security Assurance Level (typically will be L-L-M or M-M-H) using the Control Systems Master Naming Convention Worksheet
5. Use the UFC’s, UFGS and FRCS website resources to develop the project design, construction, testing and RMF package documentation (see the Design Sequence Table)
6. Use the recommended tools (CSET, GrassMarlin, Glasswire, Belarc, OSForensics, SCAP etc.) to create a Test and Development Environment (TDE)
7. Submit RMF package documents and artifacts into eMASS and obtain authorization 

DESIGN AND CONSTRUCTION RESOURCES

The FRCS consultants shall comply with the FRCS UFC’s, UFGS, and services/agencies latest construction specifications for FRCS, found on the Whole Building Design Guide, and augmented by other service/agency Policies and Directives.  Additional sections shall be prepared by the designer as necessary to suit the project requirements.

The Whole Building Design Guide Cybersecurity Resource Page provides current best cybersecurity practices and references for all types of building control systems and links to several tools to support the development of the RMF IA package and documentation.

ROLES AND RESPONSIBILITIES

• Members: Service Design Manager, Facilities Engineering Acquisition Department (FEAD), Services Civil Engineering Representative (NAVFAC, AFCEC, USACE, DPW, etc.), Integrated Product Team (IPT).
• Responsibilities: Review FRCS Installation Contractor submittals, test reports, and Commissioning reports.

• Members: Contractor responsible for the installation or modification of a FRCS network component.  Includes the contractor’s Control Systems Cybersecurity Specialist and Integration Specialist.
• Responsibilities: Responsible for production and submittal of all project Configuration Items (CI’s), project CI inventories, and design/construction/commissioning documentation associated with the installation or modification of FRCS systems.

• Members: Project mechanical engineer of record, electrical engineer of record, and control system engineer of record (if applicable)  
• Responsibilities: Responsible for modifying the provided UFGS and FRCS Engineering Manual design templates to meet the requirements of the specific project

• Members: Contractor(s) responsible for the operation and maintenance of the installation’s CS network.
• Responsibilities: Following configuration management procedures during required system modifications, security patches, and firmware upgrades.

• Members: Installation Chief Information Officer (CIO)  
• Responsibilities: Responsible for maintaining the current baseline of Configuration Items, management of the CI repository, and managing and tracking the security state of information systems.

• Members: Installation Chief Information Officer (CIO)

REQUIREMENTS FOR SUBJECT MATTER EXPERTS

The FRCS should be designed and engineered by qualified Control System Cybersecurity, Information and Communication Technology, and System Integration specialists complying with the requirements listed below.

Control Systems Cybersecurity Specialist

The Control Systems Cybersecurity specialist shall have a minimum of five years’ experience in control system network and security design and shall maintain current certification as a Global Industrial Cyber Security Professional (GISCP) or Certified Information Systems Security Professional (CISSP). The Control Systems Cybersecurity specialist must have demonstrated knowledge and experience applying IT and OT security strategies such as the application of the NIST security controls, exploitation techniques and methods, continuous monitoring, and utility/building control systems design. The résumé of the specialist must be submitted to the ESTCP Project Manager (PM) for review and approval prior to the concept phase of the project. The qualifications of the firm for whom the specialist works must also be submitted with the résumé.

Information and Communication Technology Specialist

The Information and Communication Technology specialist shall have a minimum of five years’ experience in control system network and security design and shall maintain current certification as a Registered Communications Distribution Designer (RCDD®). The Information and Communication Technology specialist must have demonstrated knowledge and experience applying IT and OT security strategies such as the application of the NIST security controls, cable network design and installation, project management, and data center design. The résumé of the specialist must be submitted to the ESTCP Project Manager (PM) for review and approval prior to the concept phase of the project. The qualifications of the firm for whom the specialist works must also be submitted with the résumé.

System Integration Specialist

The System Integration specialist shall have a minimum of five years’ experience in control system network and shall maintain current certification as a Certified System Integrator (CSI) for the products they are integrating (Tridium, Johnson Controls, Wonderware, Schneider, Schweitzer Engineering Laboratories, Rockwell, etc.) and/or be Control System Integrators Association (CISA) Certified. The System Integrator specialist must have demonstrated knowledge and experience applying IT and OT security strategies such as the application of the NIST security controls, BAS design and installation, project management, quality assurance and commissioning. The résumé of the specialist must be submitted to the ESTCP Project Manager (PM) for review and approval prior to the concept phase of the project. The qualifications of the firm for whom the specialist works must also be submitted with the résumé.

TYPICAL FRCS PORTS, PROTOCOLS AND SERVICES

DoDI 8551.01, Ports, Protocols, and Services Management (PPSM), establishes PPSM support requirements for configuration management and continuous monitoring. This includes discovery and analysis of PPS to support near real time command and control of the DOD Information Network (DODIN) and Joint Information Environment (JIE), and coordination with the local network and communications community to ensure they add control system PPS. Examples of FRCS PPS include:

• Modbus: Master/Slave –  Port 502
• BACnet: Master/Slave –  Port 47808
• LonWorks/LonTalk: Peer to Peer –  Ports 1628, 1629
• DNP3: Master/Slave –  Port 20000
• ZigBee: Peer to Peer 2.4 GHz
• Bluetooth: Master/Slave 2.4 GHz

DESIGN

 

The FRCS Design Cybersecurity Requirements are provided in the Unified Facility Criteria Cybersecurity of Facility-Related Control Systems 2016. The UFC was specifically written to provide guidance to the Architectural, Engineering, Construction, System Integrator and Vendor communities that design, construct, operate and support the DoD FRCS inventory. The following sections describe the major sections of the UFC.

This UFC provides criteria for the inclusion of cybersecurity in the design of control systems in order to address appropriate Risk Management Framework (RMF) security controls during design and subsequent construction.

While the inclusion of cybersecurity during the design and construction of control systems will increase the cost of both design and construction, it is more cost-effective to implement these security controls starting at design than to implement them on a designed and installed system. Historically, control systems have not included these cybersecurity requirements, so the addition of these cybersecurity requirements will increase both cost and security. The increase in cost will be lower than the increase in cost of applying these requirements after design.

Note: This UFC is based on NIST SP 800-53 R4 and NIST SP 800-82 R2. As new versions of NIST publications are issued, guidance will be posted on the RMF Knowledge Service (https://rmfks.osd.mil) and will be included in updates to this UFC.

1-1 BACKGROUND.

A control system (CS) typically consists of networked digital controllers and a user interface which are used to monitor, and generally also to control equipment. There are many types of control systems ranging from building control systems to manufacturing control systems to weapon control systems, all with different names and terminology. Facility-related control systems are a subset of control systems that are used to monitor and control equipment and systems related to DoD real property facilities (e.g., building control systems, utility control systems, electronic security systems, and fire and life safety systems).

2-2 5-LEVEL CONTROL SYSTEM ARCHITECTURE.

The 5-Level control system architecture shown in Figure 2-1 is a framework for describing the system architecture of any control system. This architecture allows distinctions to be made between portions of the control system that look like standard IT, and portions that do not look like standard IT. This is important as many security controls can be applied in the normal fashion to the portion of the control system that looks like a standard IT system, but cannot be applied without modification (or sometimes at all) to the portion that does not look like a standard IT system.

2.3 Platform Enclave. Significant portions of the control system resemble a standard IT system which can be implemented in a standard manner for different control systems, regardless of the details of the control system itself. This has led to the creation of the Platform Enclave concept, which groups the “standard IT” portions of the control system, plus related standard policies and procedures, into an entity which can be handled separately from the rest of the control system. In some cases this Platform Enclave will be separately authorized and the overall control system will have two authorizations, one for the Platform Enclave and one for the Operational Architecture which primarily covers the “non-standard IT” components of the system. In other cases a single authorization will be used for the entire system. Even in cases where a single authorization is used, however, it’s helpful to identify and categorize the “standard IT” portions of the control system. More information on the Platform Enclave approach is in APPENDIX D.

The DoD does not procure most installation-wide control systems as an entire 5-Level system as depicted in Figure 2-1. Typically, some Field Control Systems (FCS; architecture Levels 0, 1 and 2 – see Figure 2-2) are procured with a front end, and over time additional FCS are procured. These additional FCS are integrated with the existing front end, and added to the authorization to operate for the existing system to expand the installation-wide system.

Note: The Platform Enclave (traditional IT Front-End) will typically be a CIO responsibility and budget line, while the Operational Architecture (traditional OT Back-End) will typically be a Installations and Environment responsibility and budget line.

 

 

Navy Platform Enclave and Operational Architecture

 

Marine Corp Platform Enclave and Operational Architecture

 

 

Air Force Platform Enclave and Operational Architecture

 

3-1 OVERVIEW.

The design of cybersecurity for facility-related control systems is a five step process. In some cases a specific step may be performed by someone other than the designer, but may still require input from the designer. Documentation of cybersecurity-related design decisions and input to others is described in CHAPTER 5.

In addition to requirements specific to Control Correlation Identifier (CCIs), design all control systems according to the minimum cybersecurity design requirements in CHAPTER 4 and cybersecurity requirements otherwise standard for the type of control system being designed.

3-1.1 Five Steps for Cybersecurity Design. The five steps for cybersecurity design are:

1. Based on the organizational mission and details of the control system, the System Owner (SO) and Authorizing Official (AO) determine the Confidentiality, Integrity, and Availability (C-I-A) impact levels (LOW, MODERATE, or HIGH) for the control system.
2. Use the impact levels to select the proper list of controls from NIST SP 800-82.
3. Using the DoD master Control Correlation Identifier (CCI) list, create a list of relevant CCIs based on the controls selected in Step 2.
4. Categorize CCIs and identify CCIs that require input from the designer or are the designer’s responsibility.
5. Include cybersecurity requirements in the project specifications and provide input to others as required.

CHAPTER 5 CYBERSECURITY DOCUMENTATION

This chapter describes cybersecurity documentation that is required as part of the control system design package. This documentation is in addition to the documentation required by the relevant control system design criteria.

Product	Date Posted
Unified Facilities Criteria (UFC) 4-010-06 Cybersecurity Of Facility-Related Control Systems Defines the FRCS, Platform Enclave, and high level design guidance.	June 2018
CNSSI 1253 Security Categorization And Control Selection For National Security Systems Provides all Federal Government departments, agencies, bureaus, and offices with guidance on the first two steps of the Risk Management Framework (RMF), Categorize and Select, for national security systems (NSS). This Instruction builds on and is a companion document to National Institute of Standards and Technology (NIST) Special Publication (SP), 800-53, Security and Privacy Controls for Federal Information Systems and Organizations; therefore, it is formatted to align with that document’s section numbering scheme. This Instruction should be used by information systems security engineers, authorizing officials, senior information security officers, and others to select and agree upon appropriate protections for an NSS.	May 2014
DoD Advanced Cyber Industrial Control System Tactics, Techniques, and Procedures (ACI TTP) Establishes the requirement for a Jump-Kit Rescue CD with the Fully Mission Capable Baseline configurations, how to Detect, Mitigate and Recover a FRCS that has been attacked/compromised.	March 2018
NIST SP 800-53 R4 Security and Privacy Controls for Federal Information Systems and Organizations Provide guidelines for selecting and specifying security controls for organizations and information systems supporting the executive agencies of the federal government to meet the requirements of FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems. The guidelines apply to all components of an information system that process, store, or transmit federal information.	May 2013
NIST SP 800-82 R2 Guide to Industrial Control Systems Security Establishes Supplemental Guidance for control systems based on the NIST SP 800-53 R4 Family of Security Controls.	May 2015
Unified Facilities Criteria (UFC) 3-580-01 Telecommunications Interior Infrastructure Planning and Design Defines the high-level design guidance for interior Passive Optical Networks.	June 2018
Unified Facilities Guide Specifications (UFGS) 25 10 10 Utility Monitoring And Control System (UMCS) Front End And Integration Detailed step-by-step guidance on how the components and networks will connect and communicate.	June 2018
Whole Building Design Guide Cybersecurity Resource Page Provides a Cyber 101 overview of Cybersecurity of Control Systems, links to the DoD publications and other key guidance (DHS, Private Sector, NIST, SANS, ISA, etc.)	June 2018