Presentation Slides - Defense Innovation Technology Acceleration

Industrial Control Systems Cybersecurity TCX
Capability Overview
Mr. Daniel Shepard
Chief, Industrial Control Systems
Cybersecurity TCX
USACE Engineering & Support Center,
Huntsville
US Army Corps of Engineers
BUILDING STRONG®
Cyber Attack Incidences
§  Target Dec 2013
§  Michael’s April 2014
§  Home Depot Sept 2015
§  Sony Pictures Nov 2014
§  Blue Cross March 2015
§  OPM March 2015
ICS Cyber incidents from FY 2011 to FY 2014 have
increased by 74%. At the same time, government
entities and industry alike are under pressure to do more
with less, and that includes securing their ICS.
Cyber Attackers Target Building
Management Systems
“Cyber Attackers Target Building Management
Systems” in Wall Street Journal 5 April 2013
USACE Industrial Control
System (ICS) Cybersecurity TCX
§  Program Description: Leverages ICS Cybersecurity technical expertise
throughout USACE and, on a reimbursable basis, to ensure that USACE
delivers secure facilities to its military missions clients
§  Responsibilities:
•  Provide ICS Cybersecurity technical
services for MILCON, SRM and O&M
projects
•  Assist HQ USACE with development of
policy and guidance as it pertains to ICS/
PIT Cybersecurity
•  Expand ICS Cybersecurity community
knowledge
•  Influence Army and Office of Sec Def
ICS Cybersecurity Policy
Critical Infrastructure
Cyber Security Center of
Expertise (CICS-CX)
USACE ICS Cybersecurity TCX
§  USACE ICS Cybersecurity (CS) TCX Updates:
►  ICS Inventory Methodology
•  Pilot (Proof of Concept) Approved by HQ USACE (Contract Awarded)
•  Provides standardized approach for Army ICS inventories
•  IMCOM USAG Redstone Arsenal identified for Pilot
►  USACE ICS Cybersecurity Advisory Council (ICSAC)
•  Chartered July 2015
•  Composition of USACE Civil Works, Military Missions, and Corporate
Information Leadership
•  Ensure HQ USACE separate offices and activities are integrated and
focused in a complementary manner to align initiatives and policy
regarding matters of Industrial Control Systems Cybersecurity.
USACE ICS Cybersecurity TCX
§  USACE ICS Cybersecurity (CS) TCX Updates:
§  USACE Engineering and Construction Bulletin
►  ECB 2015-12 Industrial Control Systems (ICS) Cybersecurity
Technical Center of Expertise (TCX) – released 4 Aug 2015
•  Provides information to the Engineering and Construction (E&C)
community concerning the establishment of the ICS Cybersecurity
TCX.
►  ECB 2015-14 Integrating Cybersecurity Requirements – released
14 Aug 2015
•  Implementation for ALL Cybersecurity ICS/PIT
•  Applicable to all USACE ICS – UMCS, ESS, BAS and SCADA
•  MILCON, SRM, O&M
•  Incorporate ICS into all 3 phases: Planning, Design & Construction/Installation
USACE ICS Cybersecurity TCX
§  USACE ICS Cybersecurity (CS) TCX Updates:
§  Unified Facility Criteria (UFC)
►  UFC 4-010-06: Cybersecurity for Facility-Related Control Systems
•  Facility-Related Control systems only
•  Relatively narrow focus – design, not life cycle
   ◦  Guidance to designers on including cybersecurity requirements in design
   ◦  Information the designer needs to provide to others
•  General guidance is applicable to all
•  Estimated completion 5/31/2016
§  Unified Facilities Guide Specifications (UFGS)
►  Cybersecurity UFGS
•  HQ USACE sponsored, representatives from the Tri-Services to
attend.
•  Kickoff meeting scheduled 12/15-16/2015, Tom Bevill Center on the
campus of the University of Alabama in Huntsville
Critical Infrastructure Cyber
Security Center of Expertise
(CICS-CX)
§  USACE ICS Cybersecurity (CS) TCX Updates:
►  Critical Infrastructure Cyber Security Center of Expertise
(CICS-CX)
•  Developing Risk Management Framework Guidance for Civil Works
ICS.
•  Developing Minimum Physical Security Standards for Civil Works ICS
•  Coordinating with the Critical Infrastructure Protection and Resilience
(CIPR) program to build upon the CRM-D risk assessment process by
developing a cybersecurity component.
•  Manages and oversees the USACE National SCADA Test Lab (Civil
Works)
Summary
§  Cyber threats to the infrastructure we deliver to our stakeholders are real and
increasing.
§  USACE must ensure that facility-related platform information technology (e.g.
CS) it delivers complies with cybersecurity requirements and provide the proper
information to inventory, assess, and obtain initial authority to operate.
§  Collaboration with stakeholders early in the planning and design processes is
needed to identify cybersecurity requirements and determine stakeholder roles &
responsibilities to avoid delivering a non-cyber compliant facility.
§  Having a complete Control Systems inventory is a necessity for implementing
Risk Management Framework.
§  Implementation of Cybersecurity “Best Business Practices” for Control Systems
is critical.
Contact Information
Mr. Daniel Shepard
(Military Missions)
US Army Corps of Engineers
Chief, Industrial Control Systems
Cybersecurity TCX
USACE Engineering & Support Center,
Huntsville
256-895-1153
daniel.a.shepard@usace.army.mil or
CEHNC-ICSCybersecuri@usace.army.mil

Mr. Phillip Copeland
(Civil Works)
US Army Corps of Engineers
Directorate of Civil Works
National Information Assurance Manager
Director, Critical Infrastructure Cyber
Security (CICSCX)
501-340-1777
phillip.l.copeland@usace.army.mil