In today’s age, when any activity can be performed or accessed electronically from anywhere, cybersecurity has become a critical part of the Department of Defense’s (DoD’s) research and development. As DoD facilities incorporate more networked systems as part of a transition to smart buildings, the threat of and vulnerability to cyber-attacks have increased. To protect and defend the DoD’s information and information technology, the DoD has established a cybersecurity program.
According to the DoD Instruction 8500.01, the cybersecurity program supports the DoD’s vision of effective operations in cyberspace where:
Managing cybersecurity risk is a complex task that warrants the involvement of the entire organization. Cybersecurity risk management is a subset of the overall risk management process for all DoD acquisitions, which includes cost, performance, and schedule risk associated with the execution of all programs of record and all other DoD acquisitions. The risk assessment process extends to the logistics support of fielded equipment and the need to maintain the integrity of supply sources.
Control Systems (CS) range from building environmental controls to large-scale systems such as the electrical power grid, and are often integrated with mainstream organizational information technology (IT) systems to promote connectivity, efficiency, and remote access capabilities. This level of interconnectivity poses security, operability and reliability threats. Within the DoD, there are an estimated 2.5 million unique control systems that are used in over 300,000 buildings (each building may have 5-20 subsystems such as HVAC, lighting, fire, etc.) and over 250,000 linear structures (airfield lighting, pipeline, rail, etc.).
The DoD's Unified Facilities Criteria (UFC) 4-010-06, Cybersecurity of Facility-Related Control Systems, provides criteria for including cybersecurity in the design of control systems so that the appropriate Risk Management Framework (RMF) security controls are addressed during design and subsequent construction.
ESTCP recently hosted a webinar on cybersecurity that included an overarching presentation on DoD’s cybersecurity program and two presentations from ESTCP’s ongoing cybersecurity-related Energy and Water projects:
An archived version of the webinar and its associated presentation material is available on the SERDP and ESTCP website.