The Gates Are Open: Control System Cyber-Physical Security for Facilities: Proceedings of a Federal Facilities Council Workshop—in Brief (2021)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Proceedings of a Federal Facilities Council Workshop IN BRIEF OCTOBER 2021 Wor The Gates Are Open: Control System Cyber-Physical Security for Facilities Proceedings of a Federal Facilities Council Workshop—in Brief The expanding connectivity of operational technologies (OT)1 increases the vulnerability of facilities to cyber attacks. Many of these technologies were not designed for a “smart” environment and are thus unsecure. Furthermore, these devices often continue to be overlooked when considering overall building security, which can lead to significant losses. On August 10, 2021, the National Academies of Sciences, Engineering, and Medicine’s Federal Facilities Coun- cil2 convened a virtual workshop to discuss OT security within facilities. Workshop panelists and participants explored existing vulnerabilities, new legislation and guidance, the convergence of cyber and physical security, and strategies to mitigate risk. OUT OF THE LOOKING GLASS: AN INTRODUCTION TO THE REALITY OF CONTROL SYSTEM CYBER VULNERABILITIES At the workshop, Lyn Gomes, DPR Construction, described two real-world problems in building control systems.³ In 2017, a casino’s enterprise network was breached through an Internet of Things (IoT) aquarium pump that was both poorly configured and poorly located on the network, resulting in stolen data. She explained that such deficiencies in network architecture and manufacturer cyber security are common in building systems. In 2016, Russia installed a backdoor to launch a cyber attack on a Ukrainian electrical grid, causing a blackout. Although the control system vulnerability that enabled this attack had already been identified and a patch made available the previous year, it was never installed. This points to another recurring problem in building security; not keeping security patches up to date. Gomes highlighted four conditions that contribute to the expansion of cyber vulnerabilities and the frequency of cyber attacks: (1) design engineers are not tasked with vetting the cyber security of the devices that they install, nor do they design network architecture; (2) information technology (IT) departments are not responsible for building con- trol systems, owing to a heavy workload in managing networks that store files, Internet access, and e-mail servers; (3) manufacturers do not consider cyber security to be an issue, nor do they have the appropriate expertise; and (4) high project costs are a deterrent to installing two different networks in a building, which is necessary to mitigate risk. She added that facilities engineers’ roles are changing—in the past, they focused on maintaining physical equipment and analyzing building data to ensure efficiency; with the advent of cyber security issues, they are also expected to main- tain software, inventory equipment, and analyze network traffic, without additional time or training. She emphasized that building control systems utilize specialized software and require collaboration among facilities, IT, manufacturers, designers, and contractors to solve problems. 1 OT includes, for example, sensors, valves, and non-information technology networks that support facilities at the edge of the Internet of Things. 2 The website for the Federal Facilities Council is http://nas.edu/ffc, accessed August 18, 2021. 3 Gomes explained that building control systems are often referred to as industrial control systems (ICT) or OT. 

Gomes provided four case studies to further illuminate manufacturers’ roles in security vulnerabilities. In Case #1, after the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) identified a vulnerability in a lighting control system, the manufacturer chose to “obsolete”4 the product line instead of issuing a patch that would allow buildings with that control system to address the problem. This created a challenge because re- placing the compromised lighting control system would involve a large capital expense, one that not all businesses or facility owners could readily afford, perpetuating a vulnerability. In Case #2, an Internet-accessible HVAC control valve had no authentication for the device and no encryption in the communication, yet the manufacturer did not under- stand the magnitude of or accept responsibility for the issue. Had the device been hacked, Gomes continued, both the OT network and the enterprise IT networks could have become vulnerable. Furthermore, building temperature control could have been lost, equipment could have been physically damaged, and firmware within the devices could have been overwritten. In Case #3, a lighting control system connected to Wi-Fi over the building network was available and visible on the Web, making it much more vulnerable to attack. In Case #4, even though a manufacturer offered encrypted communication and hardware-based device authentication for its lighting control system that uses wireless communications, the control system still resided on a building network with many other unencrypted elements, so the cyber security problem endured. The security of a system can be negated when that system shares a network with unsecured elements. In closing, Gomes suggested the following mitigation actions: 1. Always focus on both cyber and physical security; 2. Know what resides on a network, install patches to address vulnerabilities, and try to avoid putting any- thing on the Internet; 3. Create an offline recovery kit so that, even if a hacker encrypts a computer that stores building control sys- tems, he/she will not be able to damage the offline backup; 4. Create an offline sandbox to confirm that security patches will not “brick”5 a system; 5. Follow the National Institute of Standards and Technology’s (NIST’s) Guide to Industrial Control Systems (ICS) Security;6 6. Collaborate with IT to refine network architecture (e.g., encryption devices are not a substitute for fire- walls); and 7. Heed actionable advice from experts on cyber security in buildings. A workshop participant asked if any manufacturers have implemented product security policies. Gomes replied that although manufacturers have made improvements over the past 5 years, as of 2020, many still took 16–18 months to issue patches. She advised purchasing quality products from well-established vendors with a strong track record of cyber security and product support. She also suggested consulting with IT departments and cyber experts before contracting with a vendor. In response to a participant’s comment about the value of collaboration during building creation or renovation, Gomes noted that it is essential for facilities management and IT professionals to coor- dinate with one another and with the capital planning team. Collaboration is not without challenges, as facilities man- agement staff are focused on the lifetime of a building (e.g., 20–50 years) and a capital planning team is focused on the lifetime of projects (e.g., 1–10 years), and each discipline uses different terminology to describe the same concepts. HOLDING VENDORS ACCOUNTABLE FOR INTERNET OF THINGS SECURITY THROUGH NEW FEDERAL LEGISLATION Bob Hunter, AlphaGuardian Networks, explained that IT data systems rely on critical IoT systems7 to provide their power and cooling, but these IoT systems use outdated communications protocols (20+ years old) that are vulner- able to backdoor attacks, resulting in stolen IT data. Echoing Gomes’s observation, Hunter emphasized that many IoT vendors either fail to view their systems as vulnerable or reject accountability for the cyber security of their systems. In 2018, CISA suggested that all legacy unencrypted protocols (e.g., Simple Network Management Protocol [SNMP] v1 and v2) be disabled, but approximately 90 percent of all devices that support SNMP still have v1 and v2 active. He added that even SNMP v3 does not provide adequate security. Another legacy protocol, Modbus, lacks both security 4 When a product is obsoleted, parts and software updates are no longer available. 5 “Bricking” means to render a system non-functional. 6 NIST, 2015, Guide to Industrial Control Systems (ICS) Security, NIST Special Publication 800-82, https://nvlpubs.nist.gov/ nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf. 7 Hunter noted that IoT systems are often referred to as ICS or OT. 2 

and encryption, thus increasing the opportunity for middleman attacks.8 He stressed that BACnet Secure Connect is the only protocol to date able to meet the rigorous demands of emerging encryption standards. Providing evidence that protocol weaknesses can be exploited to attack mission-critical IoT, Hunter described how the Russian government took advantage of the vulnerable SolarWinds SNMP to gain access to critical U.S. gov- ernment and contractor assets. The hackers installed malware into the system’s update process so that they could put backdoors into the uninterruptable power supply and directly into the servers themselves to steal data. In this case, be- cause all of the devices supported SNMP, all were vulnerable. He underscored that an attack on any IoT system (none of which currently have the capability to detect malware) that uses the same protocols as the IT system can provide full and ongoing access to data. Hunter presented new federal legislation for security that applies both to federal agencies and to vendors. The Internet of Things Cybersecurity Improvement Act of 20209 states that NIST will set practical standards for IoT systems that support IT systems. All IoT devices connected to IT systems owned or controlled by a federal agency are expected to conform to NIST’s standards by September 4, 2021. Another federal initiative, Executive Order 14028, “Improv- ing the Nation’s Cybersecurity,”10 extends security even further by focusing on IoT in data centers and cloud systems. NIST’s standards, which apply to any new equipment purchased, are meant to ensure confidentiality, integrity, and availability. Hunter explained that, first, each device is expected to “provide an encrypted authentication [as a] means to ensure that any connection is made by an authorized source [and] provide encryption of all data sent to and from the device.” Second, each device is expected to be able to “instantly identify a data value that may have been modified or altered for quick response to potential issues [as well as] determine the origin of each data packet and to reject any data packet of unknown origin.” Last, each device would be able to “instantly determine if the device is non-responsive [and] gather data as quickly and reliably as possible.” In closing, Hunter remarked that these two pieces of legislation empower federal agencies and contractors to require cybersecure IoT/OT systems; if any vendor devices use SNMP or Modbus, the supplier will be expected to offer a security device or a system to secure the device and its communica- tions. A workshop participant wondered how many unique cloud systems are used by large enterprises and wheth- er knowledge of those architectures is trackable. Hunter responded that the larger the organization, the fewer people who understand the cloud footprint. However, with Executive Order 14028, organizations will have to locate all of their data, because these data and the systems that support them will have to be secured. Another participant asked how federal facility managers can ensure compliance with the new legislation. Hunter suggested reading the legislation and referencing it alongside NIST’s standards. He advocated for working with vendors to discuss how to enhance security; vendors are prohibited from selling any products to government organizations that do not adhere to the law, and the process of obsoleting products and creating new versions will no longer be acceptable. LEGACY BUILDING UPGRADES AND CYBER SECURITY Steven Jones, The S4 Group, Inc., highlighted the diverse interests that influence building planning and security: build- ing owners care about capital and operational expenses, as well as occupancy levels; occupants care about indoor air quality, safety, health, sanitation, comfort, and productivity; manufacturers seek recurring income; and operators desire simplicity. The challenge is uniting these four groups to create a common set of goals and requirements for a building—a “smart” building supports the business mission of its occupants. He added that as the use of a building changes, the infrastructure may need to evolve for different capabilities, so it is important to select products carefully. Jones explained that legacy buildings represent 40 percent of the built environment.11 Many of these build- ings have early-generation building automation systems (BAS) and direct digital control systems that have not been maintained for several years and lack a cyber security plan. He pointed out that even if systems are obsoleted by manufacturers, they may remain operational in buildings 25 years later. When legacy systems were initially installed, he continued, they were secure, owing to physical protection and network isolation. Now, unsecure remote connections 8 A “middleman attack” is where an attacker intervenes between a user and a device. If a protocol is unauthenticated and unencrypted, an unauthorized party can see all requests and responses to and from a device. The attacker can then issue its own requests (including control commands), and the device simply assumes that it is the authorized party and will execute any request received. 9 See https://www.congress.gov/bill/116th-congress/house-bill/1668/text, accessed August 18, 2021. 10 See https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity, accessed August 26, 2021. 11 In this context, “legacy building” means a building that was instrumented with an early-generation direct digital controller (DDC) or building automation system prior to the adoption of the BACnet open protocol. 3 

and smart phone usage have revealed significant gaps in security. The systems were not designed for these functions or to be on an enterprise network, thus opening a backdoor to the BAS and to the data on the IT networks. Therefore, he said that it is imperative to migrate legacy building systems to current technology. Because portfolio owners may not be able to afford to upgrade all of their properties at once, replacing the BAS can be a phased approach of integrating current-generation technology with existing legacy systems. At each step of this incremental process, he continued, cyber security vulnerabilities are addressed and removed. Each manu- facturer’s protocols are unique, but the architectural levels are similar—a typical legacy BAS installation has a global controller that orchestrates everything in the building and publishes its information to a PC that provides the user interface, and the legacy field devices are linked on a serial interface. He explained that “gateway integration” offers a transparent and secure transition strategy to renew building infrastructure, using a device (the gateway) to connect two different types of networks or protocols (e.g., BACnet and non-BACnet). Through this gateway, users interact with legacy systems as if they were BACnet systems. He emphasized that nothing changes in the legacy system; the gateway preserves data integrity and network security and ensures that only valid BACnet transactions are allowed to access the non-BACnet legacy network. Jones summarized this migration strategy as follows: (1) manage new and existing equipment from one BACnet interface; (2) co-exist with the new head end or migrate schedules, trends, global variables, and custom logic to the BACnet global controller; and (3) create a plan for strategic replacement of legacy equipment with BACnet con- trollers over a period of years. The first step of integration is to prepare the site: confirm that the legacy field bus meets specifications and that all legacy devices are working properly prior to beginning the integration (i.e., devices may need to be repaired, replaced, or recommissioned). Jones stated that it is imperative to ensure that the legacy systems can stand up to the additional load of the BACnet transactions. After introducing the gateway, the BACnet Client can be introduced. This step is followed by the integration of the BACnet Client, when the gateway treats the legacy systems like open BACnet devices. At each step, Jones continued, it is critical to ensure that all new technology introduced fol- lows cyber security best practices and that there is a maintenance and support plan both for the new technology that is being integrated into the legacy building and for the legacy devices for the duration of their serviceable lives. The head end is phased out during the final step of integration, when the legacy supervisory controller and operator workstation (the most vulnerable targets for cyber attack) are removed. Jones advocated for the use of BACnet because it is an open ASHRAE and international standard used by most BAS manufacturers, embraces the building IoT concept, promotes competition and interoperability, encourages vendor innovation, and is continually evolving to meet building automation needs. BACnet can be applied for HVAC, lighting, and access systems; security and closed-circuit television; life safety; renewable energy sources; windows and shading; parking facilities; irrigation; smoke control doors and dampers; mass notification; elevators; and emergency power. BACnet Secure Connect, a more recent initiative, is a transport method for BACnet services that embraces accepted IT security practices. It is being adopted by most manufacturers, and it utilizes strong security and encryption methods. He reiterated that introducing BACnet technology only starts the migration process toward smart and secure buildings; ultimately, the legacy systems need to be replaced. To best prevent a cyber attack, Jones proposed the following actions: start the migration process in legacy buildings now; conduct a cyber security audit of OT systems similar to that performed for IT systems; maintain physical access security; remove barriers between IT and OT by emphasizing their common organizational mission; eliminate all non-secure remote access methods; and replace unsecure remote access technology with secure remote access technology (e.g., TOSIBOX12). A participant inquired about the potential risks of 5G wireless connection. Jones replied that although wire- less networks increase building access, they also increase the risk of cyber attacks. Some organizations are beginning to define standards for wireless network security, but more work is needed before wireless networks can be trusted fully. Another participant asked if remote access systems that provide environmental controls for multiple buildings pose additional systemic risks. Jones noted that several manufacturers offer an umbrella system through secure BACnet interfaces. He advised caution when choosing vendors and encouraged asking difficult questions about how they will protect assets while delivering service. BUILDING SYSTEMS: OVERLOOKED AND UNDERSECURED Joel Rakow, Fortium Partners, asserted at the workshop that although chief information officers (CIOs) may want to help to secure building systems, they may be unable to provide the necessary leadership to solve the problems that 12 The website for TOSIBOX is https://www.tosibox.com/, accessed August 26, 2021. 4 

FIGURE 1 Gateways to Ethernet networks. SOURCE: Joel Rakow, presentation to the workshop. occur in this space. He emphasized that CIOs are focused on evolving IT technologies and have the expertise to secure IT systems; however, OT security remains a challenge. He illustrated the complexity of communication that exists be- low the surface of smart buildings, such as serial data streams, analog-to-digital converters, sensors, radio communica- tion, and LoRaWAN,13 as well as derivative devices and protocols. Seasoned engineers are only now becoming aware of the cyber security problem in engineered building systems and industrial control systems (ICS), and he noted that the technicians responsible for non-engineered building systems14 may not have the training to address network architec- ture issues. Rakow underscored that many breaches begin outside and beyond Ethernet networks—engineered building systems, ICS, and non-engineered building systems provide gateways to Ethernet networks (see Figure 1). Because OT devices do not conform to the interoperability standards with which IT is familiar, IT often does not want these devices on the network. He added that many of these devices are actually on the edge of the OT network, with an interface to the outside. Furthermore, vendors that supply such devices usually do not offer a service to ensure that proper firm- ware will be downloaded. According to Rakow, a 2018 Harvard Business Review article said that 60 percent of all successful breaches on U.S. corporations make their entry through building systems.15 And the 2019 Microsoft IoT Signals report categorized the three most common points of entry for attacks as voice-over-IP telephones, video surveillance systems, and busi- ness machines,16 all of which are non-engineered building systems with analog-to-digital converters. Yet, he said, these points of entry are almost never discussed in analyses of cyber attacks. If a hacker successfully reaches the device before the signal gets to the converter, the anomaly detection performed by IT systems will fail. Rakow reiterated that even though most breaches are at the point of entry instead of the point of attack or exploit, mainstream media focuses on the latter. Rakow explained that NIST identified ~50 considerations and ~50 manual configurations to harden or se- cure IoT devices. Thus, without standards, contracts play an important role in securing supplier-installed systems. He advocated for device users to specify the appropriate measures that will help suppliers prepare to harden and/or secure what they sell and install. He added that it is important to consider how to build relationships with suppliers and to provide advance notice of the need for a contract with a cyber security plan. Potential requirements for each supplier contract include the following: specific cyber security controls, orientation and coaching on each control delivered to 13 LoRaWAN is a low-power, wide-area networking protocol. 14 Non-engineered building systems include things like video surveillance systems, business machines, and voice-over-IP phones. 15 Z. Rogers and T.Y. Choy, 2018, Purchasing managers have a lead role to play in cyber defense, Harvard Business Review, July 10, https://hbr.org/2018/07/purchasing-managers-have-a-lead-role-to-play-in-cyber-defense. 16 See https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/, accessed August 27, 2021. 5 

technicians, meetings with senior management, and mutual agreement on contract language. Optional contract terms could include guidance on solutions (e.g., software-defined or perimeter-defined networks, encrypted wireless mesh networks), periodic cyber security meetings, a software platform for tracking OT devices and systems, and fixed-fee pricing. A participant wondered about the value of the government’s common response to threats, which is to remove equipment produced by Chinese companies. Rakow commented that while this is a useful step, it is only the first step of many. In response to a participant’s question about ways to protect old devices that become IoT, Rakow suggested that all devices can be hardened but noted the difference between securing, which takes place in the context of a risk profile, and hardening, which makes something more difficult to penetrate but without an exact context. ZERO-TRUST SECURE REMOTE ACCESS FOR CRITICAL INFRASTRUCTURE AND LEVERAGING VIRTUALIZATION TO MINIMIZE THE OPERATIONAL TECHNOLOGY THREAT SURFACE Ron Victor, a technology entrepreneur, shared that there have been at least 1,300 known severe critical infrastructure cyber incidents since 2005, resulting in 1,500 deaths and more than $70 billion in direct damages.17 Although the pub- lic is aware of many significant attacks (e.g., SolarWinds, Colonial Pipeline, JBL Foods, Bay Area Water), there have been countless other unreported incidents. He remarked that critical infrastructure has similar cyber security vulnerabilities to those in enterprise IT. But while enterprise IT security divisions are well-established in many companies (e.g., to pro- tect servers and personal computers), he noted that it is often unclear who is responsible for the protection of building automation, lighting, elevator control, and access control systems. Victor explained that when third parties are permitted to access assets remotely, several questions in the fol- lowing four categories should arise: 1. Identity and authentication—Who is this person? Is it possible to verify that he is who he claims? Are his credentials secure? 2. Trust and authorization—Is she authorized to connect? Who authorized her to connect? What is she con- necting to? Was she supposed to connect to what she is connecting to? 3. Devices and applications—Is his laptop secure? What applications did he run? Was he authorized to run those applications? Are those applications patched? 4. Audit and compliance—Which network is she using? When did she log in and log out? What changes did she make? Is an audit log available? He reiterated that although such “problems” may be “solved” in the IT space, that is not the case in the OT space. And these problems are magnified with more frequent remote work, cloud adoption by critical industrial infrastructure, and digital transformation. New federal mandates (e.g., the Internet of Things Cybersecurity Improvement Act of 2020) create a sense of urgency to address these issues. Victor suggested secure remote access as a service for critical industrial infrastructure. This service could be used by workers to remotely access critical systems without ever actually touching them. This is achieved through virtualization in the cloud: the applications that a technician needs to access would reside in a cloud, and the technician’s untrusted device would not touch the mission-critical network (i.e., a zero-trust model). Legacy control servers that do not need to reside at the edge can also be migrated to and centralized in a cloud. Additionally, he suggested a secure edge compute infrastructure for data acquisition for cloud adoption by critical industrial infra- structure. This is achieved through virtualization at the edge: a universal (and fully patched) secure edge substrate is necessary for protocol software and encryption engines as well as for legacy control servers that need to be deployed at the edge. Victor’s proposed solution is essentially an artificial intelligence-driven operations cloud as a managed service: a single uniform secure operations cloud platform for ingress and egress for people and data from all facilities in a portfolio. He emphasized that the work flow does not change; the work is simply accessed securely via the cloud. Hav- ing a centralized cloud also makes it possible to conduct a full audit, if necessary—every login and action is recorded. This proposed architecture includes the use of public cloud infrastructure (e.g., Amazon Web Services, Azure, Google Cloud Platform, VMware); centralized in the cloud are the inventory databases, access control and firewall, compliance framework, trust inference, access proxies, application zone, overlay routing, and authentication and single sign-on. 17 J. Weiss, 2021 Information sharing on control system cyber incidents isn’t working—the Chinese transformer case, Control, February 3, https://www.controlglobal.com/blogs/unfettered/information-sharing-on-control-system-cyber-incidents-isnt- working-the-chinese-transformer-case/. 6 

FIGURE 2 Secure edge compute infrastructure. SOURCE: Ron Victor, presentation to the workshop. When remote vendors, third-party vendor clouds, enterprise clouds, or data lakes access the operations cloud, the threats from untrusted devices are eliminated. He explained that this allows a building to take full control of and secure a legacy infrastructure. For the edge, commercial off-the-shelf hardware may be used. This layer of the architecture includes the software-defined networking element, the firewall and segmentation (e.g., the HVAC data stream does not touch the lighting data stream), and third-party containers; everything below the edge is protected and is not visible through the cloud, and control occurs through an orchestration layer (see Figure 2). Last, he discussed the concept of a cloud enclave, which could be useful for an organization that requires uniform methods for remote access and for data acquisition across the many different geographies of its building locations. In response to a workshop participant’s inquiry about building control systems that cannot tolerate the brief delay involved in cloud migration, Victor noted that fire and safety always have to reside at the edge and thus cannot be migrated to a cloud. He remarked that those systems could be hardened, but if that is not possible, he advised either dropping an edge box so that they are not visible or migrating them to a container on a secure edge substrate. CONVERGENCE: INTEGRATING CYBER RISK INTO FACILITY SECURITY STANDARDS Sue Armstrong, CISA, described the evolution of the federal security landscape over the past few decades, as the nation recognized the need to focus on its planning and security posture as well as capacity building for security investments in the built environment. She said that it is crucial for government and industry to work together to make the U.S. economy resilient to daily cyber intrusions from both individual criminals and nation states. Armstrong explained that the 1993 bombing at the World Trade Center and the 1995 bombing in Oklahoma City illuminated the urgency for the United States to adapt to a dynamic physical and cyber threat environment. The Interagency Security Committee (ISC)18 was established shortly thereafter to concentrate on government-wide security for federal facilities. Before 1995, physical security standards for non-military federally owned or leased facilities were non-existent. After congressional hearings in 1996 about the emerging opportunities of the Internet, she continued, it became even clearer that the United States could no longer rely on physical isolation as a security measure. The 1997 Marsh Commission report19 advocated for a framework for public and private entities to work together to secure infra- structures essential to national and economic security. The events of 9/11 catalyzed the Homeland Security Act of 2002, 18 For a list of the ISC’s best practices and standards, see https://www.cisa.gov/isc-policies-standards-best-practices, accessed August 18, 2021. 19 Critical Foundations: Protecting America’s Infrastructures, Report of the President’s Commission on Critical Infrastructure Pro- tection, October 1997, available from https://sgp.fas.org/library/pccip.pdf, accessed September 9, 2021. 7 

establishing the Department of Homeland Security as well as its infrastructure protection function to evaluate critical infrastructure vulnerabilities and create a national plan. Also in 2002, the Federal Information Security Management Act required “each federal agency to develop, document, and implement an agency-wide program to provide information security for the information systems and technology that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.” In 2006, the National Infrastructure Pro- tection Plan was issued,20 and in 2013, Presidential Policy Directive 21, “Critical Infrastructure Security and Resilience,” and Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” were issued together, which Armstrong identified as a signal for convergence. Armstrong defined convergence as a “collaborative effort to enhance security through integrating operational physical security, and information assurance and technology processes, to protect federal government assets.” The ISC’s Mission-Centric Planning Model for Convergence addresses defense-in-depth, risk management, organizational alignment, cultural adaptation, performance management, and supply chain management. She explained that cyber incidents cause real-world impacts, including financial costs, physical damage, information loss, damage to reputa- tion, and issues related to indemnity—the philosophy of convergence provides an integrated approach to address these multi-layered infrastructure security issues. The findings from the first government-integrated physical-cyber security assessment of a newly renovated federal building led to the creation of the ISC’s Cyber Undesirable Events 2010 and later the Chemical Facility Anti-Terrorism Standard Risk-Based Performance Standard-8,22 which focuses specifically on cyber security and controls. Armstrong also directed participants to the ISC’s Design-Basis Threat Report, which Arm- strong characterized as the most comprehensive federal facility security standard created to date and has been incorpo- rated into a larger standards and guidance document, the Risk Management Process: An Interagency Security Committee Standard.22 Armstrong mentioned that the ISC utilizes a voluntary compliance system, in which agencies and individual facilities evaluate themselves against 25 security benchmarks. She suggested that this could evolve to become a report- ing model. A participant asked about the history of the ISC, and Armstrong commented that it has grown to include 64 agencies. The organization hopes to export its risk management guidance to more state and local entities. Another participant questioned whether recent cyber events with physical consequences have changed the government’s ap- proach. Armstrong replied that leadership is considering how to strengthen voluntary partnership under the Critical Infrastructure Advisory Council and the National Infrastructure Protection Plan as well as whether the ISC model could be applied. PANEL DISCUSSION The workshop speakers formed a panel in order to engage in a plenary discussion with workshop participants. A participant asked if the ISC includes representation from facilities, and Armstrong confirmed that people responsible for securing facilities across the interagency are members of the ISC and that facilities personnel whose primary role is not security are also welcome to contribute. She added that CISA more broadly is always open to sug- gestions on strategies to increase partnership.23 Another participant wondered if CISA has performed or sponsored studies on hacking norms across countries and, if so, whether any regional or cultural variations have been observed. Armstrong directed participants to CISA Central,24 where vulnerability notifications are posted on a routine basis. A par- ticipant asked if CISA has created networks in other countries as a means to address hacking at its source. Armstrong said that CISA exchanges protocols, vulnerability information, and mitigation strategies with key allies (e.g., United Kingdom, Australia, New Zealand) but would like to increase those activities. In response to a participant’s question about which standards should be promoted to ensure a system-wide approach to physical and cyber security, Hunter, Armstrong, and Jones suggested starting with CISA’s and NIST’s guidance. Pointing out that NIST did not create a standard for IoT, Rakow said that it is too early to pursue standards. Hunter clarified that although there are no NIST standards for non-Ethernet-based IoT, NIST has published standards for Ethernet-based IoT. Under the NIST standards for the Internet of Things Cybersecurity Improvement Act of 2020, he continued, all organizations that supply products to the government will have to publish known vulnerabilities and make patches available, which will compel government and private industry to work together. 20 This plan was updated in 2009 and 2013, and continues to be updated at present. 21 See https://www.cisa.gov/rbps-8-cyber, accessed August 26, 2021. 22 ISC, 2021, Risk Management Process: An Interagency Security Committee Standard, https://www.cisa.gov/publication/risk- management-process. 23 Armstrong referred participants to the following website for contact information: www.cisa.gov/isc. 24 The website for CISA Central is https://www.cisa.gov/central, accessed August 26, 2021. 8 

A participant inquired about the first step(s) to address threats to building systems. Hunter advised (1) con- ducting an inventory, (2) enlisting vendors to provide the latest software updates and identify any known vulnerabili- ties, and (3) seeking expert input on gaps found during the inventory. Armstrong added that it is important to under- stand the supply chain and vendor protocols. Victor championed the value of experts who know the right questions to ask. Rakow said to apply NIST guidance when possible; in other cases, he suggested creating mature processes for non-Ethernet-based systems along the computerized maintenance management system (CMMS) model, identifying capable leadership who understand both the architecture and how to make business decisions, and contracting with vendors to secure the devices they install. Gomes added that before any of these steps are taken, one should create secure and readily accessible offline backups of systems. Once a system architecture is created, she said that any devices in unsecure areas should be locked down. For example, she advised locking down unsecure ports in the communi- cation path, as well as applying software patches to control systems. Armstrong and Gomes observed that security control operations centers have to be monitored continuously to ensure that publicly posted passwords are removed and default manufacturer passwords are changed. Rakow advocated for the use of a password safe—a practical, secure method to record passwords—to mitigate the problem of people posting written lists of passwords in the open. He added that nearly all vendors offer a way to authenticate a digital user without a password (e.g., NimbusID, a non- physical biometric). Jones encouraged people to treat the inventory process like a cyber security audit: assess the risk that each product brings to the organization and then create action plans. He also suggested identifying senior-level advocates who can help to increase collaboration between IT and OT. Gomes explained that now that the cyber threat to control systems is widely known and accepted, senior-level managers are more eager to become involved. She said that it is important to highlight the shared interests of IT and facilities as well as the value of a team approach to solving difficult problems, which is especially important after a building is turned over to its tenant. 9 

DISCLAIMER: The workshop documented herein was organized by the Federal Facilities Council. Because members of that council are not appointed by the National Academies of Sciences, Engineering, and Medicine, this document is considered a product of the FFC rather than of the National Academies. This Proceedings of a Federal Facilities Council Workshop—in Brief was prepared by Linda Casola as a factual summary of what occurred at the meeting. The statements made are those of the individual workshop participants and do not necessarily represent the views of all participants or the National Academies. STAFF: Cameron Oskvig, Director, Board on Infrastructure and the Constructed Environment; James Myska, Program Officer; Peyton Gibson, Associate Program Officer; and Joseph Palmer, Senior Program Assistant. SPONSORS: This workshop was supported by the Federal Facilities Council. The FFC is a cooperative association of fed- eral agencies with the mission of identifying and advancing technologies, processes, and management practices that improve the management, operations, and evaluation of federal facilities throughout their life cycle. It was established in 1953 and is sponsored by over 24 federal agencies.