The Gates Are Open: Control System Cyber-Physical Security for Facilities: Proceedings of a Federal Facilities Council Workshop - in Brief
Pages 1-10

From page 1...
... She added that facilities engineers' roles are changing -- in the past, they focused on maintaining physical equipment and analyzing building data to ensure efficiency; with the advent of cyber security issues, they are also expected to maintain software, inventory equipment, and analyze network traffic, without additional time or training. She emphasized that building control systems utilize specialized software and require collaboration among facilities, IT, manufacturers, designers, and contractors to solve problems.
From page 2...
... A workshop participant asked if any manufacturers have implemented product security policies. Gomes replied that although manufacturers have made improvements over the past 5 years, as of 2020, many still took 16–18 months to issue patches.
From page 3...
... Jones explained that legacy buildings represent 40 percent of the built environment. Many of these buildings have early-generation building automation systems (BAS) and direct digital control systems that have not been maintained for several years and lack a cyber security plan.
From page 4...
... To best prevent a cyber attack, Jones proposed the following actions: start the migration process in legacy buildings now; conduct a cyber security audit of OT systems similar to that performed for IT systems; maintain physical access security; remove barriers between IT and OT by emphasizing their common organizational mission; eliminate all non-secure remote access methods; and replace unsecure remote access technology with secure remote access technology (e.g., TOSIBOX).
From page 5...
... He added that it is important to consider how to build relationships with suppliers and to provide advance notice of the need for a contract with a cyber security plan. Potential requirements for each supplier contract include the following: specific cyber security controls, orientation and coaching on each control delivered to
13. LoRaWAN is a low-power, wide-area networking protocol.
From page 6...
... ZERO-TRUST SECURE REMOTE ACCESS FOR CRITICAL INFRASTRUCTURE AND LEVERAGING VIRTUALIZATION TO MINIMIZE THE OPERATIONAL TECHNOLOGY THREAT SURFACE
Ron Victor, a technology entrepreneur, shared that there have been at least 1,300 known severe critical infrastructure cyber incidents since 2005, resulting in 1,500 deaths and more than $70 billion in direct damages. Although the public is aware of many significant attacks (e.g., SolarWinds, Colonial Pipeline, JBS Foods, Bay Area Water), there have been countless other unreported incidents.
From page 7...
... CONVERGENCE: INTEGRATING CYBER RISK INTO FACILITY SECURITY STANDARDS
Sue Armstrong, CISA, described the evolution of the federal security landscape over the past few decades, as the nation recognized the need to focus on its planning and security posture as well as capacity building for security investments in the built environment. She said that it is crucial for government and industry to work together to make the U.S.
From page 8...
... The findings from the first government-integrated physical-cyber security assessment of a newly renovated federal building led to the creation of the ISC's Cyber Undesirable Events 2010 and later the Chemical Facility Anti-Terrorism Standard Risk-Based Performance Standard-8, which focuses specifically on cyber security and controls. Armstrong also directed participants to the ISC's Design-Basis Threat Report, which she characterized as the most comprehensive federal facility security standard created to date and which has been incorporated into a larger standards and guidance document, the Risk Management Process: An Interagency Security Committee Standard. Armstrong mentioned that the ISC utilizes a voluntary compliance system, in which agencies and individual facilities evaluate themselves against 25 security benchmarks.
From page 9...
... For example, she advised locking down unsecure ports in the communication path, as well as applying software patches to control systems. Armstrong and Gomes observed that security control operations centers have to be monitored continuously to ensure that publicly posted passwords are removed and default manufacturer passwords are changed.
From page 10...
... This Proceedings of a Federal Facilities Council Workshop -- in Brief was prepared by Linda Casola as a factual summary of what occurred at the meeting. The statements made are those of the individual workshop participants and do not necessarily represent the views of all participants or the National Academies.