The National Academies of Sciences, Engineering and Medicine
Federal Facilities Council

Cybersecurity Building Control Systems 

March 24, 2015
8 a.m. to noon
National Academies Keck Center
Room 100
500 Fifth Street, NW
Washington DC, 20001 

 

Sponsored by
The Federal Facilities Council

 

Agenda and Presentations
Videos of Workshop Presentations


Overview:
The nation's buildings increasingly rely on building control systems with embedded communications technology, many of them enabled via the Internet. These systems provide critical services that allow a building to meet the functional and operational needs of its occupants, but they can also be easy targets for hackers and people with malicious intent. Attackers can exploit these systems to gain unauthorized access to facilities; use them as an entry point to the traditional information technology (IT) systems and data; cause physical destruction of building equipment; and expose an organization to significant financial obligations to contain and eradicate malware or recover from a cyber-event. Federal facilities include thousands of office buildings, laboratories, and warehouses, and many are part of the nation's critical infrastructure. These facilities contain building and access control systems such as heating, ventilation, and air conditioning; electronic card readers; and closed-circuit camera systems that are increasingly being automated and connected to other information systems or networks and the Internet. As these systems become more connected, their vulnerability to potential cyber-attacks increases.

Types of building and access control systems in federal facilities include:

  • Closed circuit camera systems include cameras, televisions or monitors, and recording equipment, and provide video surveillance capabilities;
  • Access control systems include card readers, control panels, access control servers, and infrastructure such as door actuators and communications lines, which restrict access to authorized persons only;
  • Fire annunciation and suppression systems include fire alarms, emergency communication equipment, and water-based or non-water-based suppression systems, designed to prevent, extinguish, or control a fire or other life safety event;
  • Heating, ventilation, and air conditioning systems include equipment for heating, cooling, moisture control, ventilation or air handling, and measurement and control, often managed through a building automation system;
  • Power and lighting control systems include lighting devices and their controls, advanced-metering controls, power distribution systems, and emergency power or lighting systems, which are also often managed through a building automation system; and
  • Elevator control systems include operating machinery, safety systems, and a control system or panel.

Purpose:
The focus of the workshop is to generate awareness of cyber security vulnerabilities and of current and forthcoming guidance and protection strategies relevant to federal facility stakeholders. It also serves as a foundation for a more in-depth training workshop focusing on: policies and industry best practices; mapping industrial control systems (ICS) and building automation systems (BAS) to critical processes and applying risk management aligned to mission assurance processes; tools to discover, assess, and continuously monitor networked or stand-alone embedded digital device systems; commercial response to safeguarding requirements for federal facility cyber-attack; and acquisition, contracts, budgeting, sustainment planning, and business case analysis.

 

About the Sponsor:
This forum is sponsored by the Federal Facilities Council (FFC), a cooperative association of federal agencies having interests and responsibilities related to all aspects of federal facility design, construction, operation, and management. The FFC’s mission is to identify and advance technologies, processes, and management practices that improve the performance of federal facilities over their life cycles, from planning to disposal. Established in 1953, the FFC operates under the National Research Council, the principal operating agency of the National Academies, congressionally chartered, private, non-profit corporations. Additional information is available at http://www.nationalacademies.org/ffc. FFC reports are published by the National Academy Press and can be ordered on-line at http://www.nap.edu.

 

The FFC sponsor agencies:
Architect of the Capitol
Department of Agriculture
Department of the Air Force
Air National Guard
Department of the Army
Army Corps of Engineers
Department of Commerce, Office of Real Estate
Department of Defense, Federal Facilities Directorate
Department of Energy
Department of Homeland Security
Department of Interior
Department of Navy, Naval Facilities Engineering Command
Department of State, Office of Overseas Buildings Operations
Department of Veterans Affairs
General Services Administration
Indian Health Service
National Aeronautics & Space Administration
National Institutes of Health
National Oceanic and Atmospheric Administration
Office of the Director of National Intelligence
Smithsonian Institution
U.S. Coast Guard

Renewable Energy for Federal Facilities: Prospects and Challenges
March 24, 2015
The Keck Center of The National Academies
500 Fifth St., N.W., Washington, D.C. 20001
Room 100


7:30 a.m. Coffee and Registration

8 a.m. Welcome and Forum Overview
Cameron Oskvig, Director – Federal Facilities Council

8:10 a.m. Keynote: John Conger
Acting Assistant Secretary of Defense, Energy, Installations and Environment, Office of the Secretary of Defense

8:20 a.m. Facility Control Systems Vulnerability, Alert and Advisories Overview
Luis Ayala, Senior Technical Expert - Facilities & Construction
Defense Intelligence Agency

David Retland, Acquisition, Technology and Facilities
Office of the Director of National Intelligence (ODNI)

9:05 a.m. Exploiting controls systems demonstration using Shodan, DB Exploit, Google Hacking, Diggity, Kali Linux
Michael Chipley, PhD GISCP PMP LEED AP
President PMC Group

9:35 a.m. BREAK

9:50 a.m. NIST SP 800-82 Industrial Control Systems Security Guide R2
Keith Stouffer, Engineering Lab
National Institute of Standards and Technology (NIST)

10:35 a.m. DHS ICS-CERT and DHS Cyber Security Evaluation Tool (CSET) demonstration
Barry Hansen, Scientist Engineer
Idaho National Laboratory

11:20 a.m. GSA / DoD control systems Cyber Policy and Strategy
Josh Mordin, Information Systems Security Manager
General Services Administration

Sandy Shadchehr, Building Technology Services
General Services Administration IT

Daryl Haegley, Program Manager,
DoD AT&L ASD(E&E) BEI

11:50 a.m. Final Q&A
Wrap-up and adjourn

Speaker Biographies

John Conger
Performing the Duties of Assistant Secretary of Defense for Energy, Installations and Environment
Mr. John Conger is performing the Duties of Assistant Secretary of Defense for Energy, Installations and Environment. He was appointed on December 20th, 2014 after the Office of the Assistant Secretary of Defense for Operational Energy merged with the Office of the Deputy Under Secretary of Defense for Installations and Environment. Previously, he was the Acting Deputy Under Secretary of Defense for Installations and Environment from September 14, 2012 to December 19, 2014. He also served as the Assistant Deputy Under Secretary for Installations and Environment from June 22, 2009-September 13, 2012.

In this position, he provides budgetary, policy and management oversight over the DoD’s $850 billion real property portfolio, which encompasses more than 500 installations, 500,000 buildings and structures, and 28 million acres. He conducts oversight of the Department’s implementation of the planning and program activities related to Operational Energy. He manages the Department’s Base Realignment and Closure activities for domestic installations and facility consolidation and realignment efforts overseas; develops policy to improve facility energy efficiency, increase renewable energy use on U.S. installations and operations, and promote energy security; and manages environmental compliance, conservation and clean-up programs. Mr. Conger is the Department’s designated Senior Real Property Officer.

Prior to his appointment in DoD, Mr. Conger served on the staff of Representative Chet Edwards, Chairman of the House Appropriations Subcommittee on Military Construction and Veterans Affairs, where he served as Legislative Director and principal advisor on defense, veterans, and foreign policy issues. In addition to his work supporting Rep. Edwards' military construction initiatives, his efforts focused on Army force structure and policy, military quality of life, military retiree benefits, veterans health care funding, and nuclear nonproliferation. He also served as staff for the House Army Caucus, which Edwards co-chaired. For his work in support of military service members, retirees, and their families, Mr. Conger received the Military Order of the Purple Heart Special Recognition Award, the Military Coalition Freedom Award, and the Military Officers Association of America Col. Paul W. Arcari Meritorious Service Award.
In his previous tenure on Capitol Hill, he served as Professional Staff for the House International Relations Committee and as defense staff for Representatives Jane Harman and Sam Gejdenson. Previously, Mr. Conger was employed in the private sector as an aerospace engineer and defense analyst supporting the Office of the Secretary of Defense.

He holds a B.S. and an M.S. in Aerospace Engineering from the Massachusetts Institute of Technology and an M.A. in Science, Technology and Public Policy from the George Washington University.


Luis Ayala, Senior Technical Expert - Facilities & Construction
Defense Intelligence Agency
Luis Ayala is a Senior Technical Expert for Facilities & Construction at the Defense Intelligence Agency. He is a Registered Architect with over 36 years’ experience in design and construction. He is currently attending the National Intelligence University where he will be receiving a Master of Science and Technology Intelligence degree in July. The title of his Master's Thesis is "Cyber-Secure Facilities for the U.S. Intelligence Community."


David Retland, Acquisition, Technology and Facilities
Office of the Director of National Intelligence (ODNI)
Mr. David L. Retland Sr. is a Senior Program Manager within the Office of the Director of National Intelligence (ODNI). The mission of the ODNI is to lead Intelligence Integration and forge an Intelligence Community that delivers the most insightful intelligence possible. Throughout his distinguished thirty-two-year career, David has worked at The White House, Defense Intelligence Agency (DIA), Smithsonian and Department of the Air Force. He is also a Senior Executive Fellow (SEF) graduate of Harvard's Kennedy School of Government (KSG).


Michael Chipley, PhD GISCP PMP LEED AP
President PMC Group
Michael Chipley is a consultant providing subject matter expert support to the Department of Defense Energy, Installations & Environment Business Enterprise Integration office. He is the liaison to the NIST SP 800-82 Writer’s Group, DHS ICS-CERT CSET Development Team, DoD CIO eMASS Development Team, and coordinates the OSD implementation guidance for the Risk Management Framework for Industrial Control Systems.


Keith Stouffer, Engineering Lab
National Institute of Standards and Technology (NIST)
Keith Stouffer has been with the Engineering Lab at NIST for 25 years, focusing on Industrial Control Systems (ICS) cybersecurity since 2000. Keith is the lead author of NIST Special Publication 800-82, Guide to Industrial Control Systems Security, which provides guidance on how to secure ICS while addressing their unique performance, reliability and safety requirements. Keith has also provided input to the ISA/IEC 62443 and NERC CIP cybersecurity standards. During his career, he has received Gold and Bronze medals from the Department of Commerce and the Gov30 Security Award.


Barry Hansen, Scientist Engineer
Idaho National Laboratory
Barry Hansen is the team lead for the DHS ICS-CERT CSET application. He has 15 years' experience in application development and 5 years with the CSET team. His responsibilities include identifying common cybersecurity tasks across all critical infrastructure sectors, federal agencies, and other government offices and implementing automation for those tasks to enhance the efficiency of organizations' cybersecurity efforts and spending.


Josh Mordin, Information Systems Security Manager, Technical Operations
General Services Administration IT
Josh Mordin is currently manager of Technical Operations in GSA IT supporting PB-ITS. Previously in GSA, Josh was Security Manager for PBS systems, where he managed the national information security program for the Public Building Service, including building systems technologies. Josh has over 17 years of experience in IT operations, security and help desk in the DoD, health care, finance and civilian government space. He has developed IT security strategies and industry best practices for both private and public organizations. He has worked closely with business unit managers and executives to consistently align IT security strategy with strategic business needs. Josh graduated from Marist College in Poughkeepsie, NY with a degree in History and has IT certifications from SANS and ITIL.


Sandy Shadchehr, Building Technology Services
General Services Administration IT
Sandy Shadchehr is a program manager in the Building Technology Services group at GSA IT, supporting the Smart Buildings programs. She has led the strategic effort to develop the IT requirements, policies and processes for the integration of building controls systems across GSA. Sandy has been managing projects for the past 13 years and began her career at the University of Maryland supporting a DoD project coordinating the creation of e-learning modules for less commonly taught languages. Subsequently, at the Foreign Service Institute, Sandy worked as an instructional designer, creating e-learning language courses for foreign service officers and diplomats. Thereafter, as the Operations Manager at Blackboard, she coordinated company-wide operational readiness and Go-to-Market product launch activities for product releases. Sandy received her bachelor’s and master’s degrees from The Ohio State University. She is currently trying to teach her one-year-old daughter how to crawl down the stairs backwards.


Daryl Haegley, Program Manager,
DoD AT&L ASD(E&E) BEI

Mr. Daryl Haegley is assigned to the Office of the Assistant Secretary of Defense for Energy, Installations, & Environment, leading DoD policy development and Technical Working Groups to cyber secure Platform Information Technology (I-PIT) / Industrial Control Systems (ICS), such as electronic (smart) meters and other embedded electronic control systems.

References:

  1. GAO-15-6 Federal Facility Cybersecurity - DHS and GSA Should Address Cyber Risk to Building and Access Control Systems, Report to Congressional Requesters, December 2014 = http://gao.gov/products/GAO-15-6
  2. Presidential Policy Directive 21 Implementation: An Interagency Security Committee White Paper, January 2015 = http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
  3. Whole Building Design Guide Cybersecurity Resource page = http://www.wbdg.org/resources/cybersecurity.php
  4. National Institute of Building Sciences Cybersecuring Building Control Systems Workshops = http://www.nibs.org/events/event_details.asp?id=499576
  5. NIST SP 800-82 R2 Industrial Control Systems Security Guide = http://csrc.nist.gov/publications/drafts/800-82r2/sp800_82_r2_second_draft.pdf
  6. DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) = https://ics-cert.us-cert.gov/
  7. DHS Cyber Security Evaluation Tool (CSET) = https://ics-cert.us-cert.gov/Assessments
  8. National Defense Industrial Association (NDIA) Cyber Division = http://www.ndia.org/Divisions/Divisions/Cyber/Pages/default.aspx
  9. Facility Security Plan - An Interagency Security Committee Guide, DRAFT, January 2015, 1st Edition = [not yet available]
  10. Securing Government Assets through Combined Traditional Security and Information Technology - An Interagency Security Committee White Paper, January 2015 = [not yet available]