GSA puts cyber focus on control systems

Thursday - 9/30/2010, 7:12am EDT

WFED's Jason Miller


By Jason Miller
Executive Editor
Federal News Radio

The General Services Administration will mandate better cybersecurity for control systems in buildings owned by the Public Building Service.

More than 1,500 facilities across the country will have to take specific steps to better protect the assortment of systems that are connected to the Internet, or that require network connectivity, and that manage a building's critical functions, from air conditioning to power supply.

A draft memo obtained by Federal News Radio lays out the nine steps GSA is requiring.

"This is intended to be a high level policy statement that 'stops the bleeding' regarding installing building system networks that do not meet GSA IT/security requirements," the draft policy states. "This issuance establishes PBS policy to meet federal and GSA information security policies and standards for the integration of network based building systems to achieve a consistent agency-wide approach. This policy clarifies the roles and responsibilities of the various PBS Offices and simplifies the integration of information technology into PBS-owned building information or control systems."

The policy has an effective date of Oct. 1.

GSA could not provide comment on the memo before press time, but a spokeswoman clarified that the document applies to PBS-owned properties that use the GSA wide area network to transfer building information from building control systems, such as lighting, heating and air conditioning, advanced meters and other similar functions.

The memo comes as the government is paying more attention to possible attacks against critical infrastructure. At the Defense Department, Gen. Keith Alexander, head of the Cyber Command, told the House Armed Services Committee last week that his biggest concern is destructive attacks that break the systems they strike.

The Homeland Security Department is in the final days of the Cyber Storm III exercise testing network resilience. DHS also recently issued a draft cyber incident response strategy. The draft plan focuses on a "significant cyber incident," defined as a highly disruptive event in which the levels of consequences are occurring or imminent, or an observed or imminent degradation of critical functions with a moderate to significant level of consequences, possibly coupled with indicators that higher levels of consequences are impending.

And DHS, DoD and other agencies have been paying close attention to the Stuxnet worm affecting Iran, India and other countries. The worm targets Siemens industrial control software (the SIMATIC WinCC and Step 7 products) that runs on Windows and is used in several industries around the world, including pharmaceutical companies, water purification companies and chemical manufacturing facilities.

"We are seeing all security systems are now defined as part of the IT inventory and need to comply with the Federal Information Security Management Act," said Rob Zivney, vice president for business development at Hirsch Electronics, which implements physical control systems with a focus on cybersecurity. "You have to test them like any other IT system. We did one thing, and we are not alone in this, which is to embrace industry standards, such as operating systems like Windows. That makes it easier to meet the FISMA requirements. Our system works on standard Dell and HP computers as well."

Zivney said GSA's memo comes at an ideal time: the maturation of building control systems and secure identity management cards, together with a growing understanding of the risks to critical infrastructure, makes it necessary for agencies to address these issues.

In the draft memo, GSA requires:

  • All building technologies that connect to the Internet or require network connectivity must use the GSA network.

  • The PBS CIO to be the approving authority to determine the acceptable level of risk for PBS systems and control systems.

  • All building information or control systems to communicate using open standards such as BACnet or oBIX.

  • Contractors to submit proposed equipment and connectivity requirements to be approved by the PBS CIO's building and energy systems group. This includes hardware, software and the cabling.

  • Project managers to specify fully-open, non-proprietary, connected IT building information or control systems in new construction, modernizations, repairs and alterations, and service or repair work that includes installation of building information or control systems.

  • Government-furnished equipment must be used for all network connectivity and functionality, including workstations, servers, routers and switches. The PBS CIO will coordinate and provide the required hardware in accordance with project requirements and schedules.

  • Regional Smart Buildings points of contact and the PBS CIO's building and energy systems group to participate in the requirements development and design phases of projects involving building information or control systems to assure that smart buildings and IT requirements are included.