Building Automation System Enumeration and Configuration (BASEC)
Billy Rios | Whitescope
Energy control systems provide an innovative and cost-effective means to improve efficiency, expand functionality, enhance safety, and increase reliability. The trend, however, to interconnect management and monitoring capabilities through networking technologies has introduced myriad cyber vulnerabilities. For Department of Defense (DoD) installations, the risks are exacerbated due to nonstandard configurations associated with varying implementations across different bases. Indeed, multiple vendor platforms and disparate unpatched systems deployed over varying infrastructures have created an environment with no standard cyber security management practices or protection mechanisms in place to prevent attacks.
Currently, the DoD lacks the capability to efficiently evaluate system configurations of automated building energy control systems. Obtaining authority to operate by satisfying the requirements established in the Department of Defense Instruction (DoDI) 8500.01, Cybersecurity, and DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT) is both time consuming and expensive. Additionally, because the process is manual, evaluation results are not always consistent. The primary challenges facing the DoD for evaluating automated building energy control systems include:
- An extensive onsite assessment can cost upwards of $30k
- Testing and reporting takes weeks
- Evaluations are manual and do not readily scale to multiple sites
- Extensive training of skill-sets is required to correctly evaluate systems
- The evaluation is a one-time snapshot of the current security posture
The DoD requires a solution that efficiently evaluates system configurations for vulnerabilities and enforces secure configurations across multiple vendors and military installations. To be cost effective, the solution must integrate with existing network security practices and provide the flexibility to support military missions across DoD facilities.
The Whitescope Building Automation System Enumeration and Configuration (BASEC) tool protects organizations by providing a scalable means to identify, baseline, and certify the cyber security configuration for building automation systems. The innovative tool provides a secure means to examine device configurations, audit system settings, define security policies, and obtain reporting from anywhere in the world. BASEC reporting helps identify specific weaknesses associated with individual configuration files (e.g., weak passwords, missing security patches, insecure services, insecure default configurations and weak/insecure protocols in use). In addition to individual device configuration settings, BASEC allows analysis of trend data across the entire building and energy infrastructure.
BASEC provides a new technology that can scale cyber security baseline criteria to millions of devices using customizable rule sets mapped to RMF criteria. For ESTCP, Whitescope will demonstrate the ability to perform secure evaluations of system configurations against RMF requirements, track RMF compliance, readily deploy the capability, and accomplish auditing in seconds.
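As an added illustration (not Whitescope's code, and not BASEC's actual rule format), the following Python sketches the rule-driven audit the abstract describes: a constructed key=value controller export is checked against a small rule set whose entries carry the NIST SP 800-53 control ID that the corresponding RMF criterion maps to, producing one finding per weak password, insecure service, weak protocol or missing patch. The config format, the rule set and the control mapping are assumptions made for this example.

```python
import re
# Constructed sample: flat key=value export from a hypothetical BAS controller.
SAMPLE_CONFIG = """
device.name=AHU-2-Controller
admin.password=admin
telnet.enabled=true
https.enabled=false
snmp.version=2c
firmware.version=4.1.2
firmware.latest=4.3.0
"""

def parse_config(text: str) -> dict:
    """Parse key=value lines; blank lines and # comments are ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def version_tuple(v: str) -> tuple:
    """'4.1.2' -> (4, 1, 2) so firmware versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

WEAK_PASSWORDS = {"", "admin", "password", "1234", "default"}
# Each rule: (rule id, NIST SP 800-53 control the RMF criterion maps to (assumed),
# finding text, predicate that returns True when the check FAILS).
RULES = [
    ("weak-password", "IA-5", "admin password is a known default or shorter than 12 chars",
     lambda c: c.get("admin.password", "") in WEAK_PASSWORDS
     or len(c.get("admin.password", "")) < 12),
    ("insecure-service", "CM-7", "cleartext Telnet management service enabled",
     lambda c: c.get("telnet.enabled", "false").lower() == "true"),
    ("weak-protocol", "SC-8", "web management not protected by HTTPS",
     lambda c: c.get("https.enabled", "false").lower() != "true"),
    ("weak-protocol", "SC-8", "SNMP v1/v2c in use (no authentication or encryption)",
     lambda c: c.get("snmp.version", "") in {"1", "2c"}),
    ("missing-patch", "SI-2", "firmware older than the latest available release",
     lambda c: version_tuple(c.get("firmware.version", "0"))
     < version_tuple(c.get("firmware.latest", "0"))),
]

def audit(cfg: dict, rules=RULES) -> list:
    """Return one finding per failed rule; an empty list means compliant."""
    return [{"rule": rid, "control": ctl, "finding": desc}
            for rid, ctl, desc, failed in rules if failed(cfg)]
```

Running `audit(parse_config(SAMPLE_CONFIG))` on the constructed export yields five findings; the same rules return an empty list once the controller is hardened, which is the per-device pass/fail signal a baseline report aggregates.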
The current method of evaluating a DoD BAS requires assessment teams, follow-on analysis, and specialized skill-sets. Unfortunately, such evaluations only show a snapshot in time of the security posture. Indeed, any adjustment at all to settings requires another evaluation to ensure compliance. The costs of sustaining an effective program in this manner are expensive and unrealistic.
BASEC provides a solution to evaluate the configuration and cyber security standards for military installation buildings and energy systems. BASEC can be implemented at any point during the building energy system lifecycle, providing a means to evaluate and implement a consistent, scalable process for legacy and new system requirements across multiple integrators and acquisition sources. The DoD will realize cost benefits by requiring third party vendors to conform to configuration standards enforced by BASEC prior to the deployment of new/upgraded systems. By requiring third party vendors to establish a secure configuration prior to deployment, the DoD saves on costs associated with the reconfiguration of devices to meet security objectives.
An extensive onsite assessment can cost upwards of $30k, and testing and reporting may take weeks. Current evaluations are performed manually and do not readily scale to multiple sites. Security evaluations require extensive training of skill-sets to correctly evaluate systems, and each evaluation results in a one-time snapshot of the current security posture. BASEC provides a holistic, enterprise solution that affords higher fidelity and enables enforceable standards for securing the entire DoD building and energy infrastructure. The BASEC solution will reduce the time and cost of gaining an authority to operate (ATO) for legacy and new facility energy control systems and has the potential to save the DoD tens of millions of dollars compared against the current state of manual team assessments.