Energy and water control systems provide an innovative and cost-effective means to improve efficiency, expand functionality, enhance safety, and increase reliability. The trend, however, to interconnect management and monitoring capabilities through networking technologies has introduced a myriad of cyber vulnerabilities. For Department of Defense (DoD) installations, the risks are exacerbated due to nonstandard configurations associated with varying implementations across different bases. The utilization of multiple vendor platforms and disparate unpatched systems deployed over varying infrastructures have created an environment with no standard cyber security management practices or protection mechanisms in place to prevent attacks.

Currently, the DoD lacks the capability to efficiently evaluate system configurations of installation energy/water control systems. The primary objective of this project was to demonstrate and validate the use of the Baseline Automated Security Enumeration and Configuration (BASEC) tool to help strengthen DoD posture against cyber-based attacks targeting military installation critical infrastructure. BASEC provides a scalable, enterprise solution intended to integrate specifically with mission assurance efforts and the automation of cyber hygiene assessments.

The current method of evaluating installation energy/water control systems cybersecurity relies on manual evaluations and requires assessment teams, follow-on analysis, and specialized skillsets. Unfortunately, such evaluations only show a snapshot in time of the security posture, and the costs for sustaining an effective Service-wide program in this manner are expensive and unrealistic. The automated process of BASEC reduces the time and cost associated with traditional manual assessments and readily integrates with mission assurance processes. The enterprise solution also includes capabilities that allow analysis of trend data across the entire Service-level infrastructure, as well as “drill down” features for individual systems. The trend data will help provide leadership with awareness and oversight for top security issues encountered.

The BASEC solution automates the analysis of device-level configuration settings for installation energy/water control systems, identifies vulnerabilities in configurations and provides an effective means for maintaining asset inventory at the Service level. In this demonstration, 180 controllers were used to study the conditions of 150 building systems. Of the 180 systems evaluated, 34 were found to be in compliance and had no configuration concerns. The remaining 146, or 81% of systems evaluated, had one to four identified security concerns rated at a HIGH Critical level. These concerns could include a lack of password protection on accounts of varying access level or the use of outdated software versions with known vulnerabilities. The recommendation to the installation was to consider disabling accounts that weren't needed, setting passwords for accounts that would continue use, and update all software to the newest version.

In regards to cost savings, BASEC evaluated 180 configuration files in less than 45 minutes. A similar manual effort to perform this analysis is estimated to take weeks and potentially longer based on previous assessments (e.g., NDAA 1650). As such, the cost savings in labor hours is readily apparent with efficiencies exceeding 90%.

Demonstration and validation of BASEC for enhancing installation energy/water cybersecurity posture includes identifying baseline control system configurations, evaluating BASEC as an enterprise cybersecurity capability, demonstrating scalability to cover all DoD installation energy/water control systems, and ability to deploy BASEC for mission assurance functions and cyber hygiene assessment teams. The ESTCP effort provides critical support in validating BASEC as a viable tool supporting installation energy/water cybersecurity requirements. As a result, the BASEC capability brings a means to enhance DoD mission effectiveness, support risk analysis, and identify gaps in energy and installation cybersecurity that are vital to supporting warfighter efforts.