Critical infrastructure on military installations is a prime target for adversary attacks. Threats to installation energy/water control systems have been exacerbated by the trend to interconnect management and monitoring capabilities through networking technologies. A cyber-based attack on one of these systems could have devastating consequences, ranging from negative impacts on mission effectiveness to the safety of personnel. Indeed, the Department of Defense (DoD) relies on the proper operation of installation critical infrastructure to achieve mission objectives.
To combat threats to military installations, the DoD has defined a strategy through Mission Assurance (MA) to provide increased visibility and identify trends affecting Mission-Essential Functions (MEFs) across Services and installations. MA is an integrative framework and a process to protect or ensure the continued function and resilience of military capabilities and assets, including military installation critical infrastructure (e.g., installation energy/water control systems). MA execution has historically been accomplished in an uncoordinated fashion that often resulted in duplicative programs and left critical risks unmitigated. Service components, however, are implementing comprehensive MA programs and pioneering initiatives to address the threats to MEFs, including enforcement of cyber hygiene for military installation critical infrastructure. Such efforts require tools that augment MA efforts, particularly with respect to installation cybersecurity.
The primary objective of this ESTCP effort is to demonstrate and validate the use of the Baseline Automated Security Enumeration and Configuration (BASEC) tool to help strengthen DoD posture against cyber-based attacks targeting military installation critical infrastructure. BASEC provides a scalable, enterprise solution intended to integrate specifically with MA efforts and the automation of cyber hygiene assessments. The current method of evaluating the cybersecurity of installation energy/water control systems relies on manual evaluations and requires assessment teams, follow-on analysis, and specialized skillsets. Unfortunately, such evaluations show only a snapshot in time of the security posture, and sustaining an effective Service-wide program in this manner is expensive and unrealistic. The BASEC solution automates the analysis of device-level configuration settings for installation energy/water control systems and identifies vulnerabilities in configurations. The automated process reduces the time and cost associated with traditional manual assessments and readily integrates with MA processes. The enterprise solution also includes capabilities that allow analysis of trend data across the entire Service-level infrastructure, as well as “drill down” features for individual systems. The trend data will help provide leadership awareness and oversight of the top security issues encountered, such as percentage of systems with critical security issues, percentage of systems with insecure configuration settings, and average strength of credentials used by a device.
Demonstration and validation of BASEC for enhancing installation energy/water cybersecurity posture includes identifying baseline control system configurations, evaluating BASEC as an enterprise cybersecurity capability, demonstrating scalability to cover all DoD installation energy/water control systems, and demonstrating the ability to deploy BASEC for MA functions and cyber hygiene assessment teams. The ESTCP effort provides critical support in validating BASEC as a viable tool supporting installation energy/water cybersecurity requirements. As a result, the BASEC capability brings a means to enhance DoD mission effectiveness, support risk analysis, and identify gaps in energy and installation cybersecurity, which is vital to supporting warfighter efforts.