
How Cyber Security Affects Facility Design Teams

Learn how UFC 4-010-06 affects building controls, vulnerabilities, and resilience, with examples and application guidelines for security protocols and responsibilities.


Presentation Transcript


  1. How Cyber Security Affects Facility Design Teams
     - Speaker: George Fragulis, Program Manager, Pond
     - Moderator: Doug DeFazio, Director of Corporate Strategy & Risk Management, KOMAN Holdings

  2. WHY WAS UFC 4-010-06 CREATED?
     - The current state of building controls leaves buildings vulnerable to attack
     - Air gap not feasible; too many operating efficiencies are lost

  3. EXAMPLES

  4. WITH RESILIENCY COMES RISK
     - We need technology to make our buildings more robust
     - Technology allows our buildings to tell us what they need
     - That connectivity comes with risks

  5. COMMON VULNERABILITIES
     - Connectivity
     - OT open protocols
     - Documentation
     - What systems do you have?
     - What protocols do you use?
     - Data flows
     - Virtual machines on servers

  6. UFC 4-010-06 APPLICATION
     - All active and new projects must comply
     - Methods of security are based on NIST documents

  7. UFC 4-010-06 APPLICATION (cont’d)
     - Determine control system impact rating
     - Determination of security controls

  8. UFC 4-010-06 APPLICATION (cont’d)
     - Security Officer determines the impact rating of the control system
     - DoD impact levels are determined based on the mission of the relevant Service
     - Do not proceed without the impact rating

  9. UFC 4-010-06 APPLICATION (cont’d)
     - Compile a list of all the controls

  10. UFC 4-010-06 APPLICATION (cont’d)
     - With the list of controls, compile a list of the correlation identifiers

  11. UFC 4-010-06 APPLICATION (cont’d)
     - Identifies who is responsible for implementing security protocols:
       - As part of the operations
       - As part of the design
       - As part of the set up
       - Or it is not practical to secure

  12. UFC 4-010-06 APPLICATION (cont’d)
     - Responsible parties implement the security requirements

  13. PROJECT EXAMPLE

  14. PROJECT DESCRIPTION
     - Small SCIF facility, ~3,000 sf

  15. CONTROL SYSTEM LIST AND REQUIREMENTS
     - DDC HVAC Controls
       - Visibility/Controllability within the network
       - No remote access
     - Intrusion Detection System (IDS)
       - Reporting within the network
       - No remote access
     - Fire Alarm/Mass Notification System
       - Reporting within the network through wireless communication

  16. DETERMINE IMPACT RATING
     - The System Owner (SO), with the concurrence of the Authorizing Official, determines impact levels
     - Largely based on the mission
     - This facility is a ‘Mission Support’ facility (versus: Mission Essential, Mission Critical)
     - Impact Rating (C-I-A)
       - Confidentiality = L
       - Integrity = L
       - Availability = L
     - UFC 4-010-06 directs us to Appendix G and H

  17. DETERMINE SECURITY CONTROLS
     - Appendix G
       - G-2.3 Security Controls which are “Automatically Met”
       - IDS and Fire Alarm systems previously approved on the installation will have met security requirements at the 5 levels of the network architecture
       - Therefore, the designer should focus on the DDC controls
     - Appendix H
       - Use table H-1 for L-L-L
       - See tables H-2 and H-3 for recommended CCIs to be tailored out

  18. TABLE H-1

  19. TABLE H-1 (cont’d)

  20. IDENTIFICATION OF CONTROL CORRELATION IDENTIFIERS (CCI)
     - Create a CCI list

  21. DETERMINE RESPONSIBILITY
     - Based on table H-1, the responsibility will be:
       - Designer
       - Non-Designer
       - Enclave
       - Not Practical

  22. TABLE H-1

  23. INCORPORATE CYBER SECURITY REQUIREMENTS
     - Incorporate requirements in project specifications

  24. QUESTIONS?

  25. THANK YOU
     - George Fragulis, PE, PMP, CEM, BEMP, LEED AP BD+C
     - T: (404) 748-4846
     - E: fragulisg@pondco.com
