GSA puts cyber focus on control systems

By Jason Miller
Executive Editor
Federal News Radio

The General Services Administration will mandate better cybersecurity for control systems in buildings owned by the Public Building Service.

More than 1,500 facilities across the country will have to take specific steps to better protect an assortment of systems that are connected to the Internet or require network connectivity and that manage the buildings' critical functions, from air conditioning to power supply.

A draft memo obtained by Federal News Radio lays out the nine steps GSA is requiring.

“This is intended to be a high level policy statement that ‘stops the bleeding’ regarding installing building system networks that do not meet GSA IT/security requirements,” the draft policy states. “This issuance establishes PBS policy to meet federal and GSA information security policies and standards for the integration of network based building systems to achieve a consistent agency-wide approach. This policy clarifies the roles and responsibilities of the various PBS Offices and simplifies the integration of information technology into PBS-owned building information or control systems.”

The policy has an effective date of Oct. 1.

GSA could not provide comment on the memo before press time, but a spokeswoman clarified that the document does apply to PBS-owned properties that use the GSA wide area network to transfer building information from building control systems, such as lighting, heating and air conditioning, advanced meters and other similar functions.

The memo comes as the government is paying more attention to possible attacks against critical infrastructure. At the Defense Department, Gen. Keith Alexander, head of the Cyber Command, told the House Armed Services Committee last week that his biggest concern is destructive attacks that break the systems they strike.

The Homeland Security Department is in the final days of the Cyber Storm III exercise testing network resilience. DHS also recently issued a draft cyber incident response strategy. The draft plan focuses on a significant cyber incident, defined as a highly disruptive event in which the consequences are occurring or imminent, or an observed or imminent degradation of critical functions with a moderate to significant level of consequences, possibly coupled with indicators that higher levels of consequences are impending.

And DHS, DoD and other agencies have been paying close attention to the Stuxnet worm affecting Iran, India and other countries. The worm spreads through Windows hosts and targets Siemens' SIMATIC WinCC and Step 7 control software, which run on Windows and are used in several industries around the world, including pharmaceutical companies, water purification companies and chemical manufacturing facilities.

“We are seeing all security systems are now defined as part of the IT inventory and need to comply with the Federal Information Security Management Act,” said Rob Zivney, vice president for business development at Hirsch Electronics, which implements physical control systems with a focus on cybersecurity. “You have to test them like any other IT system. We did one thing, and we are not alone in this, which is to embrace industry standards, such as operating systems like Windows. That makes it easier to meet the FISMA requirements. Our system works on standard Dell and HP computers as well.”

Zivney said GSA’s memo comes at an ideal time as the maturation of building control systems and secure identity management cards, and the understanding of the risks to critical infrastructure make it necessary for agencies to address these issues.

In the draft memo, GSA requires:

  • All building technologies that connect to the Internet or require network connectivity to use the GSA network.
  • The PBS CIO to be the approving authority to determine the acceptable level of risk for PBS systems and control systems.
  • All business information systems to communicate using open standards such as BACnet or oBIX.
  • Contractors to submit proposed equipment and connectivity requirements, including hardware, software and cabling, for approval by the PBS CIO's building and energy systems group.
  • Project managers to specify fully open, non-proprietary, connected IT building information or control systems in new construction, modernizations, repairs and alterations, and service or repair work that includes installation of building information or control systems.
  • Government-furnished equipment to be used for all network connectivity and functionality, including workstations, servers, routers and switches. The PBS CIO will coordinate and provide the required hardware in accordance with project requirements and schedules.
  • Regional Smart Buildings points of contact and the PBS CIO's building and energy systems group to participate in the requirements development and design phases of projects involving building information or control systems, to assure that smart buildings and IT requirements are included.
  • All GSA employees and contractors with logical access to building information or control systems on the GSA network to have a background investigation in accordance with Homeland Security Presidential Directive 12.
  • The PBS CIO Smart Building Implementation Guide to be used in implementing this policy.

“This policy applies to all activities in PBS-owned space, including building management, information technology, design and construction, project management and contracting activities associated with planning, designing, acquiring, installing, operating or upgrading building information or control systems,” the policy states.

One government official, who requested anonymity because the policy was still in draft, said the memo is unclear in several areas, especially around the requirement to use GSA's network.

“The issue is if you put a system into building A and it’s connected into the agency’s infrastructure, you are bound to do a certification and accreditation based on rules of FISMA, which GSA historically hasn’t gotten into this jungle,” the official said. “Now they say they are and I’m not sure why. The implication is GSA is saying agencies are not meeting FISMA requirements.”

The official also said a split between the people who work on technology and the people who work on physical security remains an issue that this policy could exacerbate.

“There is no direct line to physical security or law enforcement community and that is why it’s so hard to get physical folks engaged in this,” the official said.

A former government official, who also requested anonymity because they didn’t get permission to speak about this from their company, said having the PBS CIO act as the approving authority for certification and accreditation of control systems is questionable and could violate FISMA.

The former official also asked whether this policy opens GSA up to criticism because it requires all of these systems to run on one main network, especially in light of the Stuxnet attacks.

Zivney said, however, that companies like Hirsch have been making IP-based control systems for some time now.

And through HSPD-12, he said, agencies are migrating to these systems as well.

In fact, the Office of Management and Budget required agencies in the 2011 budget passback to spend operations and maintenance and development, modernization and enhancement funding on new physical control systems that use the security identity cards.

“A lot of this is being driven by government standards because of the government smartcard,” Zivney said. “A lot of manufacturers who have been providing systems for that are in the best position to provide systems that fit on the network. It means every device has to be trusted so that way you can’t just put a rogue device out there.”

He said Hirsch and other vendors build encryption between servers and controls, encrypt databases with personnel information and make sure all control panels are secured.

Zivney said one of the few questions he has about the policy is why it didn’t mention the Open Systems Integration and Performance Standards (OSIPS) developed by the Security Industry Association.

He said OSIPS is an ANSI-approved standard and has security built in.

(Copyright 2010 by Federal News Radio. All Rights Reserved.)