Developing an Engineering Standard of Care for Cyber Safety

By The Honorable Lucian Niemeyer, F.SAME and Daryl Haegley, GICSP, M.SAME

As systems for information technology and operational technology converge, there is growing urgency to secure the nation’s critical infrastructure from cyberattack, which will require improvements in both federal policies and day-to-day operations to strengthen response and recovery from incidents.
Long Range Discrimination Radar Complex during construction at Clear SFS, Alaska. Both engineers and facility managers will play a crucial role in reducing risks from cyberattacks to critical infrastructure during design and operations. USACE Alaska District photo

In May 2023, malicious Chinese code was discovered deep inside the networks of power grids, communications systems, and water supplies that feed U.S. military bases. First detected in telecommunications systems in Guam, the malware, “Volt Typhoon,” is considered a ticking time bomb. While most likely targeted to interrupt or slow American military deployments, the threat and consequences could be far more devastating—because that same infrastructure provides essential life-sustaining services for everyday public activities.

The ability to disrupt key infrastructure and sow chaos or disrupt and deny logistics in the event of a near-peer conflict is no longer a theory. Among the recent victims of cyber incidents are local water utilities, a major Gulf Coast port, an oil and gas pipeline, and the Texas power grid.

In 2013, Gen. Martin Dempsey, USA, then-Chairman of the Joint Chiefs of Staff, declared: “Our homeland is not the sanctuary it once was; cyber has reached a point where bits and bytes can be as destructive as bullets and bombs.” In 2018, the National Defense Strategy doubled down on this statement, asserting that “it is undeniable that the homeland is no longer a sanctuary. During conflict, attacks against our critical defense, government, and economic infrastructure must be anticipated.”

The 2022 National Defense Strategy further noted the growing cyber threat to military missions, with direction for increased encryption and zero trust architectures. Operational technologies and control systems managing critical infrastructure are top “cyber” threats according to the Director of National Intelligence’s 2023 Threat Assessment. Russia continues to target these assets, including industrial control systems, in order to demonstrate its ability to damage infrastructure during a crisis. Both China and North Korea can launch cyberattacks that cause localized, temporary disruptions to defense critical infrastructure within the United States. Iran was responsible for cyberattacks between April and July of 2020 against Israeli water facilities that caused unspecified short-term effects.

In March 2023, the National Cybersecurity Strategy galvanized actions within the federal government to protect the 16 sectors of critical infrastructure from potential cyberattacks by strengthening the guidelines for security practices to safeguard system networks, heightening visibility into and more rapid detection of cyber threats, and prioritizing cybersecurity investments with cybersecurity performance goals. The strategy also set forth a commitment to local communities for cybersecurity assistance to protect critical infrastructure as a priority for national security, public safety, and economic prosperity.

Converging Systems

The rapid incorporation of connected technologies provides many benefits. Automation can improve reliability and reduce human error. Operating systems remotely from a smartphone can lower costs while enhancing sustainability, security, and convenience. For building owners or mission decision-makers, access to increased bandwidth and high-speed data architectures can light up augmented reality, 3D collaboration technologies, and immersive modeling/simulation.

In order to maximize this performance, both information technology (IT) and operational technology (OT) are converging. The legacy security practice of installing firewalls, airgaps, or other virtual barriers is no longer a valid solution given modern threat capabilities. These practices can actually substantially increase the public safety risk when OT systems are not monitored or protected with the same degree of rigor as IT systems.

As we continue to advance boldly in the adoption of connected, converged technologies, the engineering profession must be aware of the potential threat to human health, safety, and property from the misuse or exploitation of smart cyber-physical systems. Indeed, the federal government has undertaken a national initiative to implement cyber-informed engineering standards for all types of infrastructure. The effort will guide engineers to incorporate specific specifications and design principles in any project that will integrate smart building systems or support owner-installed technologies.

Mitigating Risk

Current federal engineering guidance calls for the development of a risk management framework in accordance with the framework developed by the National Institute of Standards & Technology for OT/control systems. Federal engineers also rely on the Unified Facilities Criteria (UFC) for Facility-Related Control Systems, which describes requirements for incorporating cybersecurity into design. Compliance is mandatory for all federal projects.

In 2021, SAME chartered a National IGE Project to specify what should be done to increase mission assurance and mitigate the impacts of cyberattacks to military facilities and infrastructure. The project comprises subject matter experts representing federal agencies, A/E/C companies, the nonprofit entity BuildingCyberSecurity.org, and cyber protection firms. For over two years, this team coalesced emerging industry best practices into written guidance that augments UFC-specific design and construction actions to enhance protections in IT/OT interfaces and cyber-physical/human interfaces. In May 2023, the project team delivered a series of recommendations to improve federal policies for CS/OT security and strengthen current and future federal planning, design, or installation operations.

Require a Technologist of Record to be Identified at Initial Design Charrettes. Traditional engineering disciplines do not have the expertise to safely and securely design the increasingly complex automation and networks needed to monitor and protect from cyber threats. Additionally, mission owners are requesting that buildings support advanced communication, data transport systems, and related technologies that must be identified in technology packages at design charrettes and addressed during facility design. The Technologist of Record would be the cybersecurity or network engineer on a design team with primary standard of care responsibilities for safety and security of all technologies, communications, and data networks.

Design Requirement for Comprehensive Network Reference Drawing. Future federal construction projects must require preparation of a drawing containing all facility-related controls interconnectivity, protocols, authorization boundaries, and physical, data link, and network layer topology. The drawing should be developed by a cybersecurity technologist and included as a reference sheet in 600 or 700 series drawings.

Include in Specifications a CS Tested Product List (TPL). Smart building capabilities are built around networks of connected smart sensors and system control devices. Individual devices, if designed, manufactured, or configured improperly, could be vulnerable to cyberattack. Mitigating this risk starts with ensuring smart building devices are designed and built with security in mind. Adopting a CS TPL consistent with the global standard, IEC/ISA 62443, can provide contractors with a pre-approved list of products that have been pre-tested to meet the minimum standard requirements.

Adoption of an Industry-Derived Checklist for Preliminary Review of Cyber Risk in Facilities. The IGE team developed a comprehensive, easy-to-use checklist of 16 questions that a manager of a mission-critical federal asset or facility can use to characterize cyber capabilities, gaps, and vulnerabilities in collaboration with the IT operators. Combining the framework developed by the National Institute of Standards & Technology with the IEC/ISA 62443 standard, the checklist covers a range of relevant factors—from governance, roles, risk assessment, and service provider management, to system/network access control (remote and local), physical and logical network architecture drawing, jump kits, and change management.

Incorporate a Division 1 Specification for Cybersecurity Commissioning. Integrating cybersecurity and commissioning activities throughout the project lifecycle is required to ensure cyber resilience and reduce mission risk across CS/OT-dependent systems. A commissioning requirement also will contribute to a federal authority to operate, which does not exist in the current UFC. Requirements for cybersecurity performance for each engineering discipline must be established. These include design specifications; instructions for review and approval, and the construction contractor’s configuration instructions; a clearly defined cyber commissioning performed at the end of construction (passwords, authentication, encryption); and remote access requirements. Federal design agents need to mandate the use of open-source IP communication protocols to enable commercial off-the-shelf monitoring and detection solutions to rapidly detect, defend, and counter cyberattacks.

Incorporating Cybersecurity Capabilities in Federal Requirements for Digital Twins. Digital twins deliver a holistic and usable view of design, construction, and building operations that provide owners and operators with a single source of system performance that reduces the total cost of ownership, achieves greater operational efficiency, and realizes the value of building information modeling. A digital twin not only provides the exact inventory of systems operating in a facility—the first requirement for sound cybersecurity—but it can also baseline performance characteristics at the initial commissioning to flag performance anomalies as an indicator of a cyber incident.
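The two cybersecurity functions the paragraph assigns to a digital twin, an exact inventory of what is operating in the facility and a commissioning baseline against which later performance is compared, can be shown in a small script. The following is an added example written for this article; it is not code from the authors, the IGE project, or any digital twin product. Device names (CHILLER-1, AHU-2, PLC-9), point names, and all readings are constructed for illustration, and the three-sigma band is an assumed threshold that a facility team would tune to its own equipment.

```python
"""Baseline-and-compare check for facility control-system telemetry.

Added example (not from the article or from any SAME/IGE deliverable). It
models the digital-twin idea in the text: the commissioning record is the
authoritative inventory of devices and points, and the statistics captured
at commissioning become the baseline against which later readings are
compared. Device names, points and values below are constructed.
"""
from dataclasses import dataclass
from statistics import mean, stdev
from typing import Dict, List, Tuple

Key = Tuple[str, str]  # (device_id, point_name)


@dataclass(frozen=True)
class Baseline:
    mean: float
    stdev: float  # sample standard deviation of the commissioning readings


# Constructed commissioning data: readings taken while each system was known
# to be healthy. The set of keys doubles as the facility's device/point inventory.
COMMISSIONING: Dict[Key, List[float]] = {
    ("CHILLER-1", "supply_temp_f"): [44.0, 44.2, 43.9, 44.1, 44.0, 43.8],
    ("CHILLER-1", "pump_speed_pct"): [62.0, 63.0, 61.0, 62.0, 62.0, 63.0],
    ("AHU-2", "damper_pct"): [40.0, 40.0, 40.0, 40.0, 40.0, 40.0],
}


def build_baseline(commissioning: Dict[Key, List[float]]) -> Dict[Key, Baseline]:
    """Summarise each commissioning series as mean and sample stdev.

    A series with a single reading cannot yield a stdev; it is recorded with
    stdev 0.0, so any later deviation from it is reportable.
    """
    out: Dict[Key, Baseline] = {}
    for key, series in commissioning.items():
        if not series:
            raise ValueError(f"no commissioning readings for {key}")
        sd = stdev(series) if len(series) > 1 else 0.0
        out[key] = Baseline(mean=mean(series), stdev=sd)
    return out


def check_telemetry(
    baselines: Dict[Key, Baseline],
    readings: List[Tuple[str, str, float]],
    k: float = 3.0,
) -> List[dict]:
    """Compare live readings against the baseline and return findings.

    Each finding carries device, point, value and a reason:
      unknown_device - device not in the commissioning inventory
      unknown_point  - known device reporting a point that was never commissioned
      out_of_band    - |value - mean| exceeds k * stdev (any change when stdev == 0)
    """
    known_devices = {device for device, _ in baselines}
    findings: List[dict] = []
    for device, point, value in readings:
        if device not in known_devices:
            reason = "unknown_device"
        elif (device, point) not in baselines:
            reason = "unknown_point"
        else:
            b = baselines[(device, point)]
            if abs(value - b.mean) > k * b.stdev:
                reason = "out_of_band"
            else:
                continue  # within the commissioned band; nothing to report
        findings.append({"device": device, "point": point, "value": value, "reason": reason})
    return findings


# Constructed live readings: a normal one, a temperature excursion, a point
# that was constant at commissioning and has moved, an uncommissioned point,
# and a device that does not appear in the inventory at all.
LIVE_READINGS = [
    ("CHILLER-1", "supply_temp_f", 44.1),
    ("CHILLER-1", "supply_temp_f", 58.0),
    ("AHU-2", "damper_pct", 40.0),
    ("AHU-2", "damper_pct", 41.0),
    ("CHILLER-1", "flow_gpm", 300.0),
    ("PLC-9", "status", 1.0),
]


def run_check(k: float = 3.0) -> List[dict]:
    """Build the baseline from the commissioning record and check the live feed."""
    return check_telemetry(build_baseline(COMMISSIONING), LIVE_READINGS, k=k)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['reason']:15s} {f['device']}/{f['point']} = {f['value']}")
```

The inventory check is the part that matters most in practice: a reading from a device or point that was never commissioned is reported before any statistics are consulted, which is exactly the "exact inventory of systems operating in a facility" the paragraph calls the first requirement for sound cybersecurity. A flagged reading is an indicator to be investigated, not proof of an incident; mechanical faults produce the same excursions.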

While incorporating connected technologies in the built environment provides many benefits, it also creates vulnerabilities that need to be addressed through more proactive cyber planning during design and ongoing operations. DOD photo by Airman 1st Class Allison Martin, 36th Wing Public Affairs

These recommendations from the IGE project align with the $25 million the Defense Department has invested since 2017 in developing the More Situational Awareness In Control Systems (MOSAICS) security framework. MOSAICS adopts an extensible, adaptive, UFC-aligned, commercial-off-the-shelf-based approach to automate CS/OT detect, analyze, visualize, decide, mitigate, recover, and share functions.

MOSAICS also maintains a vendor-agnostic, non-proprietary open-source framework that allows vendors to integrate continuous cyber resiliency enhancements and counter advancing adversarial threats. Contract language for all defense CS/OT actions should require meeting the MOSAICS framework.

Maintaining Security

Importantly, a standard of care for cybersecurity and safety must be maintained over time by facility operators and managers.

Recognizing this shared responsibility, SAME has hosted multiple tabletop seminars and exercises between government and industry that present an operational recovery from a cyber-physical system attack to a domestic mission-critical asset. At one of these engagements, which focused on a cyberattack to the cooling system of a critical national defense asset, the project team gained a number of key insights—with the findings illuminating the stark reality of the differences between a cyber incident that targets data or software and a cyberattack on the CS/OT of a system or facility.

  • Facility teams must be trained to consider and recognize a cyberattack immediately.
  • CS/OT cyberattacks must be treated as an immediate threat to human safety; buildings should be evacuated immediately.
  • Facility engineers must collaborate with IT, and maintain inventories of smart building systems and back-up software.
  • IT teams must recognize and protect the CS/OT on networks.
  • Facility engineers must provide clear guidance to manufacturers and maintainers on the configuration of digital components in building systems during construction and life cycle operations.
  • Facility engineers must be trained on cyber response processes, as affected facilities may not be safe for weeks or months.
  • Facility engineers must invest in protection and risk mitigation to CS/OT systems.

Mission Resilience

To deter or defeat adversaries in the cyber domain, each of us will play a role to ensure that all systems are resilient in cyber-contested environments. Foremost, personnel need to identify and understand the CS/OT on which the missions depend. Knowing what the most critical systems are and how they are connected allows us to develop processes that will improve our cyber posture, provide a transparent view of cyber risk, and enable the rapid deployment and update of capabilities. Then, using the practices currently in policy and offered through SAME’s IGE project, we must ensure building systems are designed, installed, and operated with a standard of care consistent with human safety and property protection.
When operators and mission leaders recognize the dependencies and vulnerabilities of these systems, resiliency in cyber contested environments will be mandatory, not optional.


The Honorable Lucian Niemeyer, F.SAME, is CEO, BuildingCybersecurity.org; lucian@buildingcybersecurity.org.

Daryl Haegley, GICSP, M.SAME, is Technical Director, Control Systems Cyber Resiliency, Air and Space Forces; daryl.haegley@us.af.mil.
