By Susan Bauer

“You’re the last line of defense. Your network has been compromised. Can you fight back the hack?” So goes the story line of the Training Game used as part of a new set of tools to sharpen cybersecurity skills of those in charge of operational technologies at federal facilities.

Certain devices that control various functions in a building or at larger facilities like a hydroelectric dam, energy utility, or a large manufacturing plant, for example, can be tempting targets for cybercriminals. Now, a new set of software tools, developed at Pacific Northwest National Laboratory (PNNL), can help evaluate cybersecurity maturity at buildings and facilities, and flag potential risks.

The Facility Cybersecurity toolkit is designed for federal facilities to help implement the presidential executive order on cybersecurity, but it is also available for commercial facilities without charge.

The order “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” calls on federal agencies and critical infrastructure owners and operators to manage their cyber risk though adoption of a framework developed by the National Institute of Standards and Technology.

The U.S. Department of Energy's Federal Energy Management Program (FEMP) asked PNNL to create easy-to-use tools for federal facilities to assess their cybersecurity posture. These facilities include federal office buildings, installations such as military bases, and other facilities with at-risk industrial control systems and facility-related control systems.

“A lot of equipment in these facilities is managed by what’s called operational technology, or OT,” said Sri Nikhil Gupta Gourisetti, principal investigator and energy cybersecurity researcher. “The ubiquitous devices were not originally intended to be networked and often have less robust cybersecurity protections than information technology equipment.”

Building on 20 years of experience protecting our nation’s strategic investments against cyberattacks, the Facility Cybersecurity toolkit development team evaluated real-world OT attacks to develop the software toolkit. It begins with a self-assessment. Other tools help identify gaps and potential consequences and evaluate and measure progress as a facility is hardened against cyberattacks.

Playing to win the cybersecurity game

The Training Game helps building managers and others sharpen their cybersecurity skills. Facility operation teams choose one of the cyberattack scenarios within the game and decide what measures should be implemented in a facility to contain a theoretical breach. The game helps users become more familiar with key cybersecurity measures while working in a resource constrained environment, just like they would in the real-world. At the end of a game, a report card is generated to show the results of the choices made.

“We designed the game and the other tools to help operations teams make risk-informed decisions about how they can mitigate identified gaps,” said Julia Rotondo, who manages facility cybersecurity workat PNNL.

The PNNL team worked with the FEMP and National Institute of Building Sciences to make the training game scenarios eligible for continuing education units—a first-in-kind achievement within the FEMP’s accredited training program.

Once users are familiar with key cybersecurity considerations identified by the tool, they can use any of the features to better understand their facility’s cybersecurity posture. The core Facility Cybersecurity Framework assessment provides a cybersecurity maturity indicator level to help identify where areas of improvement are needed.

Another tool, called the Qualitative Risk Assessment, helps facilities keep track of OT assets, like sensors on air chillers or HVAC systems, and develops a risk registry that assigns qualitative scores for vulnerability, risk, and impact, which helps prioritize and communicate what must be fixed.

Developers stress that the Facility Cybersecurity toolkit itself is cybersecure and private—no facility data will be collected. Users simply download reports to their own systems.

One important feature of the Facility Cybersecurity toolkit is that it aligns an earlier risk-management framework, familiar to many federal facility managers, to the National Institute of Standards and Technology cybersecurity framework required now.

“We created a crosswalk to make it a simple hybrid for users to input the older yet valuable framework information and get the results in the new framework,” said Gupta Gourisetti. “Our focus was creating highly secure tools that were also easy for facility cybersecurity managers to use to follow general guidelines and communicate potential vulnerabilities to facility stakeholders, such as management and contractors.”

While the Facility Cybersecurity toolkit is a self-service tool, the PNNL team has validated it with assessments at federal facilities in 2019 and 2020.