Through the ESTCP effort, the project team demonstrated Building Automation System Enumeration and Configuration (BASEC)'s capabilities for identifying vulnerable and misconfigured building energy systems associated with DoD building and energy infrastructure.
The objectives for the ESTCP effort were as follows:
To protect against cyber-based attacks, it is critical that the DoD identify misconfigured and exposed devices that monitor and control building energy systems. The BASEC capability provides a solution that establishes and enforces cyber security standards for military installation building and energy systems.
BASEC provides a scalable means to identify, baseline, and certify the cyber security configuration for building automation systems. The heart of BASEC is a secure, cloud-based analysis engine that examines and compares submitted configuration and deployment files against established RMF criteria. QED Secure Solutions has developed algorithms that enumerate configuration parameters and compares them against established acceptance criteria.
BASEC was designed for ease of use and deployment. For implementation, there are no architecture changes required for the building automation systems. Configuration files are uploaded to the BASEC analysis engine and evaluation is accomplished via BASEC processing. As a result, the system-level configuration can be analyzed without risk to impacting system operations.
BASEC demonstrated the ability to meet the technical and performance objectives for the ESTCP onsite demonstration. For the evaluated buildings, BASEC successfully identified 100% of system device configurations, weak configurations, and changes to configurations. BASEC also produced valid reports based on findings and demonstrated a functional web-based interface management.
The following performance metrics demonstrate the effectiveness of deploying BASEC:
BASEC was able to transform a manual process of evaluating system configurations that traditionally takes weeks to less than a minute. BASEC also demonstrated effective coverage of the four major building automation vendors that were observed at the six military installations.
Findings from the BASEC ESTCP demonstration indicate potential substantial savings to the DoD, while enhancing capabilities. BASEC savings realization include: