FM Issue: Cybersecurity Evolution
By Michael Chipley Ph.D., GICSP, PMP, LEED AP
From the April 2014 issue of Today’s Facility Manager
The recent data hack into the retailer Target’s systems has brought increased attention to the network connectivity of facilities operations and maintenance vendors, an organization’s business IT systems, and the facility/building control systems. Traditional IT systems have had standards and guidelines such as the Payment Card Industry (PCI) and Health Insurance Portability and Accountability Act (HIPPA) to ensure they are cybersecure, and CIOs and IT staff have available to them a number of tools and training to manage these systems.
But facility/building controls systems, such as building automation, energy management, physical security access control, and fire alarms are just beginning to be considered as potential hacking points into an organization. These control systems are often referred to as operational technologies (OT) and use a combination of traditional IT protocols such as TCP and UDP, but OT also use protocols unique to controls systems (e.g., Modbus, BACnet, LonTalk, DNP 3) to communicate with the sensors, devices, and actuators. IT is about data; OT is about controlling machines, and OT is increasingly becoming more IP based.
Developments such as the Internet of Everything, smart grid, smart cities, smart buildings, and smart cars are redefining the boundary between IT and OT. As IT and OT systems converge, so do the risk and vulnerabilities of hacking and using OT systems as a point of entry and then pivoting up the network to take control of other systems. These attacks could take control of the OT system and shut down or alter critical functions such as HVAC, fire and life safety, or elevators—or be used to hop over to the IT system.
The National Institute of Standards and Technology (NIST) has been a primary source of IT cyberstandards and guides. The NIST SP 800-37 and NIST SP 800-53 publications, the SANS Top Twenty controls, and ISO standards have been used by both government and industry as IT best practices for many years.
On the OT side, the ISA 99 and NIST SP 800-82 provide the standards and guides for Industrial Control Systems (ICS). ICS/OT have traditionally not received the same level of cyberscrutiny as IT systems. However, malware such as Stuxnet, Duqu, and Flame are now specifically designed to infect the OT components and devices at the firmware or project file level, and then inject false commands to spoof the operators human machine interface (HMI) console, establish a command and control channel to exfiltrate data (technical specifications, floor plans, drawings, etc.), create Botnets, or physically destroy the equipment and other IT systems. Traditional hacking tools such as Metaspolit now have add-on packages with OT exploits (e.g., Gleg SCADA + Pack, Digital Bond). Tools such as Shodan now expose any IP device and provide a wealth of information about the device, system, and organization.
The U.S. Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team (ICS-CERT) maintains the list of vulnerabilities and alerts for control systems, and publishes the Cyber Security Evaluation Tool (CSET). This tool is free to any organization and contains standards, guides, references, networking diagram tools, and compliance evaluations to help generate system security plans and other key documents.
Convening To Combat Threats
To meet the challenges of how to cybersecure facility/building control systems, an informal gathering of stakeholders from facilities, IT, physical security, and other areas held a workshop at the National Institute of Building Sciences annual conference in January 2014, “Cybersecurity of Buildings Workshop: OT and IT Convergence—A New Paradigm.” In this workshop, attendees received an overview of the current state of practices, standards, and guidelines; viewed live demonstrations of controls systems being exploited and compromised; and learned about how to identify, contain, and eradicate the threat.
While most organizations may not consider their facilities as primary targets, across the nation every sector of critical infrastructure relies on buildings to conduct daily operations. Released on February 12, 2013, the Executive Order, Improving Critical Infrastructure Cybersecurity, along with the Presidential Policy Directive, Critical Infrastructure Security and Resiliency, required NIST, GSA, and DoD to develop a Cybersecurity Framework, update the National Infrastructure Protection Plan, and assess the federal acquisition and procurement process.
NIST completed the Cybersecurity Framework in January 2014; GSA and DoD submitted recommended changes to the federal acquisition process in February 2014, and federal agencies are beginning to implement the Framework and change contracting procurement language.
For private sector organizations the Framework is voluntary. However, as a standard of care, an organization that does not have a plan in place to identify and protect its IT and OT assets may find itself with extended liability. The Framework has five core functions: identify, protect, defend, respond, and recover. A sector or organization can use the Framework to create their top level cybersecurity plan, augmented with industry specific standards and guides.
NIST SP 800-82 A Fit For Facilities
For facilities, the best standard to use is the NIST SP 800-82, which is currently being revised to incorporate new security controls and supplemental guidance. Both the Cybersecurity Framework and the draft NIST 800-82 Rev. 2 are planned to be in the CSET 6.1, with a target release date of summer 2014.
A fundamental concept of NIST SP 800-82 Rev 2 is that of “Inbound Protection and Outbound Detection.” All control systems should be on a separate network with multiple levels of DMZs (neutral zones) and sub-networks. Control systems behave in very predictable ways with the data frequency, packet size, and other attributes being fairly constant and amenable to white listing. New OT firewalls able to perform deep packet inspection and OT passive monitoring tools able to identify anomalous traffic provide the inbound protection; the use of continuous monitoring provides the outbound detection capability.
Control systems generally do not send megabit or gigabit files to remote servers that are not in the organization’s known network or connected vendors. Exfiltration of data and covert command and control channels to unrecognized IP addresses are key signs of compromise. NIST SP 800-82 also has new controls for acquisition, life cycle software development, and penetration testing.
Another effort being led by the DHS Interagency Security Committee is the development of a white paper, “Securing Government Assets through Combined Traditional Security and Information Technology.” This document outlines the Risk Management Framework process applied to physical security systems such as closed circuit video equipment (CCVE) or video systems, intrusion detection systems (IDS), and electronic physical access control systems (PACS).
Key to the recommendations is to bring together physical security specialists, facility engineers and managers, IT staff, system integrators, and property owners to conduct assessments and develop system security plans. Another key change is to the procurement process—to initiate the converged systems baseline risk assessment in the planning and design phases, conduct factory acceptance testing (FAT) in the construction phase, and conduct full site acceptance testing (to include penetration testing) for system turnover.
GSA has begun to implement many of these changes, starting with the HSPD-12 requirements and conducting FIPS 200/FICAM Testing and managing the Approved Products List (APL). GSA intends to expand this effort to incorporate as many OT systems as funding allows.
Finally, a new cybersecurity resource page has been added to the Whole Building Design Guide. This page is primarily for the buildings community but also features information and links to other control systems, workshops, and training. All facility owners and managers, engineering staff, and security staff are encouraged to understand the basic principles of NIST SP 800-82, know how to use the DHS CSET tool, understand how the Shodan, Kali Linux, SamuraiSTFU, and other tools work for penetration testing, and prepare to adopt new acquisition and procurement processes.
Whereas the IT community has had almost two decades to learn and implement cybersecurity, member of the OT community will have an accelerated learning curve and will need to work closely with senior management, IT, and other stakeholders to secure assets properly. While the government has established basic standards guides, and best practices, it takes a joint approach to protect both the government and private sector OT systems.
Chipley is president of the PMC Group, LLC located in Centreville, VA. He is a consultant to multiple federal agencies that include the Department of Defense, Department of Homeland Security, and Smithsonian Institution. He is a liaison to the NIST SP 800-82 Writers Team, supporting the development of the DHS CSET tool, and organizer of the National Institute of Building Sciences cybersecurity workshops.