- Industrial Control System Upgrade
As part of a retro-commissioning effort at a U.S. Naval station, Burns & McDonnell assessed the current security posture of the building automation system (BAS) network, the SCADA system and the industrial control systems to determine whether they met the Navy’s cybersecurity requirements. When the assessment was completed, the team assembled a program of requirements for the station, listing the devices, systems and network components that needed to be updated as well as providing guidance for meeting Department of Defense (DOD) Risk Management Framework certification and accreditation requirements.
We led a team through the cybersecurity assessment of the network, DDC and HMI systems and provided cybersecurity guidance. Our retro-commissioning group performed an assessment of station buildings to determine the condition of mechanical and electrical equipment. They also conducted surveys to document the summer and winter settings of the equipment and establish baseline settings. Based on the assessment, the team determined whether or not the equipment could handle the implementation of an energy management program. The team also surveyed the DDC components and compared the documentation with the installed components.
The cybersecurity team assessed the SCADA, DDC and HMI systems. The final goal was to send the data from the station’s DDC network to a central data collection and analysis operations center. To do that, the DDC network had to be connected to PS-Net through the Navy’s Platform Enclave. The team identified workstations, servers, switches and hubs that would need to be replaced to meet DOD cybersecurity requirements.
Because the DOD was migrating certification and accreditation packages from the DOD Information Assurance Certification and Accreditation Process (DIACAP) to the new Risk Management Framework Certification and Accreditation process, the team provided guidance for completing the certification and accreditation process. The cybersecurity team worked with the Navy's organizations to determine the correct security controls and approved system and network gear. The team incorporated the cybersecurity guidance into the program of requirements so the contractor will be able to help with an Authority to Operate.
- Hardening SCADA systems guidance
- Risk management framework certification and accreditation guidance
- Cybersecurity assessment
- Secure network design
- SCADA and network hardening
- Risk management framework (RMF) certification and accreditation