MCB Camp Lejeune – ICS Accreditation

Background

Marine Corps Base (MCB) Camp Lejeune currently has multiple Industrial Control Systems (ICSs) that require accreditation including: Building Control Systems like EMCS, high voltage electrical SCADA systems, and water/wastewater SCADA systems. For the last few decades, these systems were primarily standalone systems using proprietary control protocols that were not accredited and could not securely connect to traditional/shared information technology (IT) networks. Today, these ICSs are required to be connected to IT networks; however, caution must be exercised since these systems typically use insecure Internet Protocol (IP) devices that greatly increase the likelihood of cyberattacks.

To date, the Marine Corps has accredited ICSs with little success. Past challenges have included:

·Finding and retaining IT and OT ICS experts capable of accrediting ICSs.

·Procuring devices that are Federal Information Processing Standard 140-2 (FIPS 140-2) validated – not just FIPS 140-2 compliant.

·Finding a balance between IT/OT confidentiality, integrity, and availability priorities. IT prioritizes confidentiality and integrity over availability. OT prioritizes availability and integrity over confidentiality. Designing a system that addresses all three is challenging.

In October of 2017, MCB Camp Lejeune hired RPI Group, Inc. (RPI) to support their ICS Accreditation efforts after using the same standalone system for the last few decades. The mission is to connect the ICS with the IT network while maintaining secure control to minimize the likelihood of cyberattacks.

Project Description

RPI Group, in support of Marine Corps Base (MCB) Camp Lejeune, has designed a “Type” accreditation package for the ICSs that will operate securely on any network, ensure the system securely and cryptographically isolates the subsystems, and accredit all ICS/operational technology systems.  This proposed system architecture is based on two design requirements: it must provide a single management tool providing redundancy to each physical server and it must use an encrypted virtual private network to ensure and cryptographically isolate ICS/OT devices and subsystems.

RPI Group has built an ICS/OT network based on shared virtualized environment with specific ICS/OT system firewalls (hubs), and FIPS 140-2 validated IPSec tunnels (spokes) to connect the ICS/OT devices to the IT network. This Hub-and-Spoke network along with the associated firewalls and end-point connection devices will require ongoing vulnerability scanning, patching and maintenance to be performed by RPI personnel.

Camp Lejeune has spent the summer of 2018 working with the MCEN A&A team to  complete a “Type” accreditation for these ICS/OT systems that can be used across the MCEN.    The work will include finalizing controls, completing the System Security Plan, the Incident Response Plan, and the Contingency Plan, and lastly, the building/piloting of an off-network test platform.

RPI Group Capabilities

RPI Group Cybersecurity personnel have over 75 years of combined experience supporting the Warfighter and Operational Environments. This includes both DoD and commercial network security and risk assessments/audits, NIST RMF support, secure network architecture and design, and secure wireless solutions.   RPI Group provides SME support in the engineering of innovative and cost-effective solutions for securing ICS/OT systems and in developing policies and procedures to establish organization compliance with governing directives.  RPI Group has many years of experience directly supporting the Marine Corps and the Marine Corps Enterprise Network (USMC/MCEN) Authorizing Official (AO) and Certification Authority (CA) in RMF package review, policy writing, risk mitigations, and conducting risk assessments.

RPI Group delivers quality services with experienced technical cybersecurity professionals in support of complex enterprise IT programs. Our experts are leaders in the cybersecurity field and are continually called on to engineer unique solutions to complex problems and to conduct IT security assessments and audits with high levels of national and corporate security implications. We bring vast enterprise technology experience to bear on all efforts, continually exceeding all assigned program goals and deliverables. Being experts in all four areas of the A&A process (supporting AO, CA, advising customers, and providing Validation services) gives RPI Group a unique perspective into the A&A process and is a great benefit to our customers.