Among the range of state-of-the-art capabilities wielded by the U.S. Army Corps of Engineers (USACE), few have progressed as far and as fast as those associated with cyber defense.
According to Dan Shepard, who has served as chief of the Control Systems Cybersecurity Technical Center of Expertise (TCX) at the USACE Engineering and Support Center, Huntsville, since January 2015, much of the recent activity has focused on the ability of USACE to deliver completely digital secure facilities to its customers.
That effort has included the development of clear guidelines to be used in future USACE construction projects.
We have been trying to stay in the midst of change with regard to cybersecurity. And during this time, we have been able to participate in a number of collaborative efforts with DHS [Department of Homeland Security], FBI, and a number of other federal agencies. We have also worked in conjunction with other state authorities, local authorities, and tribal governments …
“In lockstep with that vision, we have proactively and heavily moved forward to completion of the Unified Facilities Criteria for cybersecurity of control systems, which is basically going to be the roadmap for architecture engineering firms and construction contractors to build cybersecurity requirements into their design, and into the construction process,” Shepard explained, noting that the final coordination meeting for that tri-services document took place in late spring 2016 with a planned release of early summer.
“In line with that, we also kicked off the ‘Unified Facility Guide Specifications’ document, which is a more granular breakout of that Unified Facilities Criteria,” he added. “That guide spec [document] gets down to the particulars of a specific platform that would go in a facility. We kicked that project off last quarter of this year, and we expect to have at least a final coordination draft by the third or fourth quarter of FY 17.”
Summarizing the importance of those projects, Shepard acknowledged that previous USACE design efforts “didn’t have anything to go by to integrate cybersecurity requirements, other than high-level DOD [Department of Defense] policy. It was really hard to decipher, from an A-E [architect-engineer] firm or construction contractor, what really was their responsibility, and how they should integrate those requirements into the design. That’s what this facility criteria is going to do. It’s … unified criteria, so this will be applicable to all branches within the tri-services. It’s their guidebook on how to incorporate cybersecurity into facility control system designs. And that is one major component to ensure that we’re delivering secure and usable facilities.”
Along with those efforts, Shepard said that the TCX also recently identified a “design gap” involving a historical lack of accounting for cybersecurity costs.
“Cybersecurity measures for control systems residing inside a facility had never been accounted for,” he said. “We ran all the cabling, and we plugged them in, but we never accounted for the cost.”
He continued, “If you don’t account for it on the front end, and get a finite line item in the budget, it’s really hard to go back and do a scope modification to get additional funding on the back end. You’ve got to find other avenues, and those avenues may not be there.”
“The Army understands that it has cybersecurity challenges and deficiencies within its inventory of facility control systems. Currently it has begun the process of defining its inventory of critical control systems to recognize those legacy and non-compliant systems for cyber improvements.”
Subsequent coordination activities across multiple service organizations will result in TCX involvement in the Parametric Design Review process, at the front end, for Army-related military construction (MILCON) projects beginning in FY 18, pending the process’s outcome.
“We’re looking at these parametric designs, and looking at the platforms that are associated in these parametric design documents, and saying, ‘Here is the cost, per platform, and you need to budget that,’” Shepard said.
Recent related TCX contributions include development of an inventory methodology for control systems to assist or supplement related assessments at garrison units. The simplified inventory approach will help identify and prioritize key cybersecurity targets in terms of what is non-secure and what needs to be updated as legacy systems are worked forward to new designs.
Shepard said that one of the cyber challenges currently facing the Army involves the inventory of control systems within their portfolio.
“The Army understands that it has cybersecurity challenges and deficiencies within its inventory of facility control systems,” he said. “Currently it has begun the process of defining its inventory of critical control systems to recognize those legacy and non-compliant systems for cyber improvements.”
Shepard said that the biggest challenge facing cybersecurity today is that “it’s always evolving.”