AFCEC industrial control system team ranks cyber security as primary mission

  • Published
  • By Susan Lawson
  • AFCEC Public Affairs
The Air Force Civil Engineer Center is helping Air Force civil engineers secure industrial control systems, or ICS -- the critical systems responsible for monitoring, controlling and managing the vast facility and utility infrastructure that supports the Air Force mission.

AFCEC's civil engineer maintenance inspection and repair team ICS risk assessment, or CEMIRT ICS RA, team at Tyndall recently traveled to Patrick Air Force Base and Cape Canaveral Air Force Station in Florida to assess their systems for cyber security compliance.

Like information technology systems that manage data, ICS use similar technology to impact and control elements of the physical world, such as heating, ventilation and air conditioning controls in large facilities.

ICS have different performance and reliability requirements than the IT world, but use operating systems, hardware and applications that are similar. However, unlike IT, security protection of ICS must be implemented in a way that maintains system integrity during normal operation and allows the infrastructure to operate while dealing with a possible cybersecurity incident. Turning off an ICS is rarely an option.

The CEMIRT ICS branch helps merge civil engineering and IT expertise.

"We are the starting point for it all," said Chris Jordan, government lead for CE ICS risk assessments."We assist base information assurance managers by collecting data and documenting the ICS they have. The service is unique and has such an important impact on the Air Force mission that it belongs in any future configuration of AFCEC."

The RA team assists mission system owners and information assurance managers by evaluating the cyber security controls responsible for securing systems from common cyber risks. The goal is to work with installations to implement the controls, show that they are in place and help CE squadrons gain the certification for an authorization, or authority to operate, for their systems, Jordan said.

During their recent visit, the ICS RA team assessed several types of ICS at Patrick and Cape Canaveral for compliance with federal law and Department of Defense and Air Force policies for cyber security certification and accreditation. Through compliance, these systems become resilient and hardened against common risks which are very similar to those found on IT systems and on internet-enabled devices.

"The AFCEC team is good to work with," said Robert Murphy, information assurance manager of civil engineer operations emergency requirements at Patrick. "They come in, they plow through, they get it done. Now I just wait for the paperwork to come back so I can do my job."

Once an assessment is complete, the CEMIRT ICS branch creates a plan of action and milestones for base civil engineers to follow that addresses the findings of the ICS RA. Not all risks to every ICS can be fixed and still allow systems to run, so the goal of the plan is to mitigate the cyber risks to an acceptable level while still maintaining reliable system operation, said Tim Nauman, branch chief for the CEMIRT ICS team.

To learn more about the CEMIRT ICS team, contact the AFCEC Reach Back Center at afcec.rbc@us.af.mil or 850-283-6995.