The U.S. Navy is engaged in an active and constant cybersecurity defense against an array of technologically savvy and well-funded adversaries, including hacktivists, cyber mercenaries, and nation states. In light of these challenges, Naval Facilities Engineering Command’s (NAVFAC) cybersecurity mission is to safeguard the Navy ashore platforms, which include Industrial Control Systems (ICSs) that are critical to the Navy’s mission.
NAVFAC fulfills this mission within a rapidly evolving cyber threat environment, wherein cyber interconnectedness has extended the reach of cyber threats beyond traditional information technology networks to systems that affect nearly every aspect of the Navy’s mission. This interconnectedness significantly increases the potential impact of a cyber-event and can lead to the incapacitation or destruction of critical infrastructure, which would have a debilitating impact on national security, the nation’s economy, and public health and safety. As such, NAVFAC’s ability to develop and execute a cybersecurity strategy to effectively and securely operate and maintain critical infrastructure is a Navy mission imperative.
In recognition of this threat to critical infrastructure, a series of cybersecurity policies and mandates has been released, including Department of Defense (DoD) Instruction 8500, which details the DoD Cybersecurity Program. Under the guidance of these mandates and of initiatives such as Task Force Cyber Awakening and CYBERSAFE, NAVFAC plans to overcome current challenges and achieve its goal of securing NAVFAC IT and operational technology (OT) systems against cybersecurity threats.
NAVFAC operates and manages various advanced meter infrastructure and Building and Utility Control Systems, which include supervisory control and data acquisition systems, distributed control systems, and other control configurations that monitor and/or operate critical infrastructure elements such as electricity, water and waste water, oil and natural gas, and air. These are mission critical systems that ensure installation infrastructure services are delivered when and where required to execute and accomplish the Navy’s mission. However, these systems, which are highly dependent on information systems for their command and control, are vulnerable to cyberattacks due to legacy technology and processes, diverse systems architectures, and inconsistent cybersecurity governance including:
- lack of adequate security training for system operators and managers;
- inadequate cybersecurity measures, controls, and policies and procedures;
- remote and direct access to ICS by vendor maintenance personnel and systems; and
- limited staff to fulfill the implementation and sustainment of cybersecurity architecture.
There is also a cultural challenge to the creation of cyber hygiene, wherein cybersecurity needs to be seen as everyone’s responsibility, not just that of IT. This is especially important because the mistake of a single individual leaves everyone, including the mission itself, vulnerable to risk. As such, adherence to cybersecurity directives and policies requires an “all hands on deck” approach.
To address these concerns, NAVFAC’s Command Information Officer (CIO) has developed an enterprise cybersecurity strategy with the following objectives:
- Foster a culture of cybersecurity awareness and cyber-savvy professionals across the enterprise.
- Implement industry best practices for designing, implementing, and maintaining ICS and support infrastructure.
- Develop a consistent and iterative approach to identifying, assessing, and managing cybersecurity risk to maintain availability, integrity, and confidentiality of all systems.
In order to meet these objectives, NAVFAC will design and facilitate continuous cybersecurity training programs for all personnel, implement cybersecurity best practices, policies, processes and procedures across all its assets, and perform an overarching cybersecurity assessment of all control systems.
The cybersecurity evaluation will support the identification of vulnerabilities and mitigation of risk by following an eight-step cybersecurity assessment lifecycle. This process will begin by analyzing the mission relative to support infrastructure and systems. It will then identify and inventory systems and determine their cyber and physical connectivity. Next, it will determine which missions are operationally dependent on a properly functioning system; this information will be used to inform an assessment of cybersecurity risks for all systems. Finally, a risk mitigation plan will be identified and the defined courses of action executed. To maintain a steady state of cybersecurity, this process will be continually monitored and reassessed.
Likewise, an iterative Risk Management Framework will be used to implement appropriate security controls against identified vulnerabilities. First, systems will be categorized by degree of mission criticality, which will identify the security control to be implemented for each system. These controls will then be assessed, after which the system will be authorized and the controls continuously monitored.
These measures demonstrate NAVFAC’s proactive approach for defending IT and OT critical infrastructure systems from potential attack. This not only ensures achievement of NAVFAC’s cybersecurity mission, but also supports NAVFAC’s broader mission of building and maintaining sustainable facilities, delivering utilities and services, and providing Navy expeditionary combat force capabilities.
Brandon T. Jones is the acting Command Information Officer for the Naval Facilities Engineering Command (NAVFAC) Headquarters in Washington, D.C. NAVFAC is the Shore and Expeditionary Systems command that plans, builds and maintains facilities for the Department of the Navy.