Unified Facilities Criteria: Making Control System Design More Secure


Industrial control systems are facing an enemy that’s only becoming more hazardous – cyberattacks. Last year, one report found that 34 percent of industrial control systems around the globe were breached more than twice in one year. To better protect and secure federal agencies’ networks, new federal guidelines were published that standardize government cybersecurity efforts. The Unified Facilities Criteria UFC 4-010-06, released by the Department of Defense (DoD) in September 2016, lists requirements for incorporating cybersecurity into control system design. It is the first complete list of standards and processes for cybersecurity design guidance specifically written for all DoD control systems.

Use the information here to learn how principles listed in the UFC can secure your control system and prevent breaches.

How the UFC Impacts Control Systems

Federal guidelines such as the UFC provide a list of standards for DoD entities and contractors to follow. A control system is designed to check, record, regulate, supervise, authenticate, and restrict access to an asset, resource or system. Some examples of control systems include a thermostat, smartphone, computer server, pressure valve processor, SCADA communication and video management system.

The UFC was written to support the current DoD Risk Management Framework (RMF) process. It is one key milestone within the DoD’s broader cybersecurity efforts currently underway. The UFC transcends Army, Marine and Navy control system standards and provides a single list of standards for all divisions to follow. While not mandatory, full compliance with these controls, and their institution, is expected by the end of 2017.

This technical design guidance was written specifically for the engineers and architects who develop and operate the DoD’s vast network of control systems. The UFC exists to protect the DoD security controls from exploitation. This is where the RMF comes into play. The RMF provides a framework of security to prevent information leakage to anyone without the proper certification. Control systems must be secured because hackers who get into a networked lighting control system, for example, can make a jump from that network to any other network that the owner is connected to, such as the data network.

Steps to Securing Your System

Although they were written for the DoD, the processes outlined in the UFC are applicable to any organization looking to update and secure their control system. At its core, the UFC lists and categorizes the required logical and physical actions needed to secure a system based on the classification of a system and the impact a breach of that system would have on the organization or country.

Here are three steps to evaluate your control system for compliance with the UFC:

Determine the Classification of Your Control System 

Major players, including the Authorizing Official (AO) and the System Owner (SO), determine the Confidentiality, Integrity and Availability (CIA) impact levels as low, moderate or high. This defines how critical the control system is and how many security resources are recommended to secure it. Once the impact levels are identified and labeled, you need to utilize a published list of controls from NIST 800-82.

Control Correlation Identifiers (CCIs) take a certain, identified DoD control and break down each action required to secure that control. The UFC identifies the CCIs for low and moderate impacts and then designates who is responsible for that CCI. This helps security designers prioritize their efforts.

Control systems: Examples include building control, utility control, electronic security and weapons guidance.

Identify Controls by Application 

When applying the RMF, a control system, while similar, is not the same as a typical Information Technology (IT) data network; it requires a different approach and design for security. Don’t assume that your IT design will cover all of the control system needs. Each system should be specifically recognized and its risks identified and assessed. Only then can a control be applied to mitigate or eliminate that risk.

The new UFC recognizes that many of the security controls needed for a control system can be similar to a typical standard IT data solution. This design is called the Platform Enclave (PE). The PE groups standard IT systems and separates them from the control system architecture. Both can be very similar, but separating them provides security designers with a clearer vision of what exactly they need to secure.

Traditional IT data network controls: Examples include an IP network, computer hardware for servers and workstations, operating systems, and external connectivity to separate networks.

Non-traditional data network controls: Examples include training simulators, research and development, SCADA or other supervisory controlling language, and programmable logic controllers.

Assign a System Owner

It’s important to assign a system owner (SO) within your organization to guarantee that security and user operational needs are documented, tested and implemented. He or she will determine the category of the system through the CIA impact levels. The SO’s responsibility is also to study the mission itself and the impact the system control will have on it. The CCI usually goes beyond the responsibility of the designer and falls to the SO for accountability.

A Protected Network Starts Here

No matter where your current control system stands, it is important to consider all possible scenarios and the level of impact a breach would have. The UFC’s guidelines regarding the logical and physical actions needed to secure a system based on classification are key to understanding the steps your organization can take. By working with the RMF and identifying CCIs, designers will standardize their methodologies and approaches, making your control system that much more secure.
