Case Studies

INNOVATION DRIVES CYBERSECURITY OF DOD BUILDING MANAGEMENT SYSTEMS

TechFlow’s seamless cybersecurity solution protects the U.S. Army’s energy assets from disruption.

Fast Facts

  • 2020 saw a dramatic increase in cybersecurity incidents, more than doubling those experienced in 2019 – growing from nearly 220 million cyberattacks in 2019 to more than 445 million cyberattacks in 2020.
  • The U.S. Army utilizes Building Management Systems (BMS) for its various research and development facilities, all of which have traditionally required on-site reading and adjustment and would not allow for remote access or monitoring.
  • TechFlow’s experience and expertise allowed it to quickly develop and implement a military-grade, cybersecure Authority to Operate (ATO) that would cover all systems, allowing meter reading, monitoring, and real-time adjustment to be conducted remotely for multiple buildings.

The Problem

In recent years, ever-increasing cyberattacks have attempted to disrupt U.S. research, development and operations by attacking the energy grid and the infrastructure at military bases. Protecting Building Management Systems (BMSs) may not be the first thing that comes to mind when you think of cybersecurity, but for the Department of Defense (DoD), protecting the energy systems that power its research, development, and mission operations is a top priority. Without power, critical work essential to the Nation’s security grinds to a halt.

A specific case illustrates the broader issue. One of the U.S. Army’s research labs implemented several different BMSs at different times. These different systems handled everything: powering lab equipment, lighting the building, controlling HVAC systems, and supporting security operations. Though provided by well-established manufacturers, the software for each BMS was not considered military-grade cybersecure, meaning that these systems could not be operated remotely and required local on-premises access.

Without the proper authorization, called an “Authority to Operate” (ATO), the U.S. Army could not use the BMS unless authorized personnel were physically in the building. As a result, modern features such as remote meter reading, active usage monitoring, or real-time adjustment of parameters were rendered useless. Instead, reading and adjusting building settings required a physical trip to each of the hundreds of separate buildings – wasting valuable time and resources.

After reviewing the current systems and needs, TechFlow offered the U.S. Army an innovative yet simple solution.

The Solution

TechFlow’s experience and expertise allowed it to quickly develop and implement a military-grade, cybersecure ATO that would cover all systems. Instead of designing access to each unique BMS for the hundreds of separate buildings, TechFlow’s team offered a simpler solution. TechFlow identified and adapted a cybersecure enclave that could be placed ‘on top’ of each individual BMS, essentially acting as an emulator for instructions and menus. The solution is now known as the “energy – Secure Control Platform Enclave” (e-SCPE).

To securely access a BMS, users can now communicate directly to and from e-SCPE. In doing so, TechFlow ensured that the communication is cybersecure and protected. The e-SCPE emulates each screen needed from the underlying BMS, enabling users to read and modify parameters within a secure context on the enterprise military network. TechFlow’s elegant and simple application of this cybersecure technology created a seamless, secure means to cyber protect myriad BMSs and keep the U.S. Army Always Ahead.

When the U.S. Army submitted TechFlow’s forward-thinking solution to its Risk Management Framework (RMF) team, it requested an Authority to Test the solution for six months at the U.S. Army’s research lab. Once reviewed, the RMF team actually granted an ATO for three years (quite a step up from a test authorization), citing the solution’s impressive level of cybersecurity and inherent protections. This remarkable endorsement of TechFlow’s innovative approach highlights the importance and value this solution provided the Army. The e-SCPE provides greater visibility and more secure access to BMS, driving more efficient and resilient use of energy to support mission requirements.

Since going live with e-SCPE two years ago, TechFlow has continued to work with other services and the U.S. Army research labs to fully deploy the initiative and to address this key vulnerability throughout the DoD.

Impacts

  • The U.S. Army Corps of Engineers estimates that, by leveraging an e-SCPE, the DoD can secure a BMS at half the cost and one-third the time it would take to accredit any single commercial BMS through the RMF process.
  • With each implementation, the U.S. Army will gain the ability to compare across facilities, campuses, labs, and buildings. The ability to see across a facility will drive further energy efficiencies and strengthen energy resilience.