The New Baseline AFCEC Security Controls & The New 25 05 11: How Do They Work Together?
F. Charlene Watson, Sr. OT Cybersecurity SME - Photo: AFCESA official shield: VIRIN: 110601-F-JZ009-205


This article provides a brief examination of the recent enhancements to the Civil Engineer Control Systems (CECS) Baseline Security Controls, as outlined in the Department of the Air Force memorandum dated 29 February 2024 (Civil Engineer Control Systems (CECS) Baseline Security Controls, 29FEB2024). These new guidelines, superseding the September 2018 baseline, reflect the CECS Enterprise's significant maturation and address the evolving landscape of cybersecurity threats based on these groupings:

· Security Controls for No IT Control Systems LOW Impact

· Security Controls for Stand Alone Control Systems LOW Impact

· Security Controls for Stand Alone Control Systems MODERATE Impact

· Security Controls for Stand Alone Control Systems HIGH Impact

· Security Controls for COINv2 Interconnected Control Systems LOW Impact

· Security Controls for COINv2 Interconnected Control Systems MODERATE Impact

The updated CECS Controls List introduces a sophisticated approach to security controls, carefully tailoring requirements based on system configuration and interconnection type. This expansion has resulted in a more comprehensive set of baseline controls, with systems now requiring between 34 and 195 controls, depending on their classification. This revision of the CECS Baseline Controls List provides enhanced hardening guidance to AIR FORCE-managed control systems while efficiently leveraging inherited controls and streamlining administrative controls. Despite the increased depth of controls, the memorandum (Civil Engineer Control Systems (CECS) Baseline Security Controls, 29FEB2024) emphasizes that after a transition period, the revised control set is expected to maintain a similar workload for accreditations at the base level. This update appears to offer improved security guidance for AIR FORCE Organizations, making better use of existing protections and simplifying management.

In this article, I will provide a High-Level Summary of how these new security standards may work with UFC 4-010-06 Cybersecurity of Facility-Related Control Systems (FRCS) and the latest UFGS 25 05 11 (August 2024). We will look at what these changes mean for different control systems and some considerations to implement them effectively to improve the overall cybersecurity of Air Force Civil Engineering Control Systems.

High-Level Summary

The UFGS-25 05 11 August 2024 release, along with its companion UFC released last year, primarily focuses on LOW and MODERATE impact systems. One item to remember: as noted above, this new CECS Controls List does include provisions for HIGH impact Control Systems. Fortunately, the new UFGS 25 05 11 provides beginning guidance for several security controls applicable to HIGH Impact systems. A Cybersecurity Designer and the Government Project Manager should remember that additional measures will be necessary to fully meet the stringent requirements of HIGH Impact systems outlined in the AFCEC Security Controls list should this need arise for a project. As stated in UFC 4-010-06, Section 1-3, APPLICABILITY, “HIGH Impact system will typically require additional customized requirements to achieve appropriate levels of cybersecurity,” and assistance should be sought by the Contracting Officer's Representative (COR) or, for government-designed projects, by the Project Lead from:

Air Force (and Space Force): Air Force Civil Engineering Center (AFCEC) Operations Directorate, Tyndall Air Force Base. Support can be obtained via the reach-back center at [email protected].

Generally speaking, and the inclusion of Stand Alone Control Systems HIGH Impact notwithstanding, here are some takeaways regarding the Security Control Families which I have cross-referenced between the two documents. I have also provided six (6) tables below at the end which give a breakdown of the mappings between where these can be found in the UFGS against the newly updated CECS Baseline Controls List for each of the generic CECS control systems.

Audit Events (AU-2), which are part of the CECS List, are thoroughly detailed in section 3.5 of the UFGS-25 05 11, offering a framework for comprehensive system activity monitoring. Identification and Authentication (IA) receives extensive treatment in section 3.4 of the UFGS-25 05 11, covering organizational users (IA-2), device authentication (IA-3), and authenticator management (IA-5), and is included as part of the CECS List. The newest NIST SP 800-82r3 release (Guide to Operational Technology (OT) Security, September 2023) states explicitly why IA-3 was added to LOW impact systems and then “select(ed)” for MODERATE and HIGH systems:

“Given the variety of OT devices and physical locations of OT devices, organizations may consider whether OT devices that may be vulnerable to tampering or spoofing require unique identification and authentication and for what types of connections.”

Together, these requirements will ensure a robust approach to identity management and access control.

Configuration Management (CM) is given substantial attention in the UFGS-25 05 11 along with the CECS List, with a focus on least functionality (CM-7) in section 3.6 and system component inventory (CM-8) in section 1.10.4. This focus ensures that systems are properly configured and maintained, reducing potential vulnerabilities. Here, contractor-provided final documentation is key, and the Cybersecurity Designer is crucial in tailoring the UFGS 25 05 11 to meet the client’s needs for this Cybersecurity Control System Documentation and Inventory Report as they work through the 25 05 11 for the design.

Risk Assessment (RA) is addressed through vulnerability scanning requirements (RA-5) in section 3.11 of the UFGS-25 05 11, promoting regular system evaluation and security enhancement. Yet these areas may need to be pared down in their tailoring to meet both the client’s needs for the Stand Alone Control System type and the cost of integration of the system, so that the design performed by the contractor/integrator includes an appropriate level of cybersecurity.

Contingency Planning (CP) is partially covered in section 3.10 of the UFGS-25 05 11, addressing device power and behavior on loss of power, as well as in the CECS List. System and Communications Protection (SC) is touched upon in both, with SC-41 (Port and I/O Device Access) covered in section 3.6.1 of the UFGS-25 05 11, providing a good starting point. Something that a Lead Engineer might consider in his or her design, and which might impact the Cybersecurity Designer’s part, is that combining hard-wired signals with digital technologies might reduce the potential damage from a cyber-attack by enabling operators to monitor and control critical functions without relying on the SCADA system. Determining if any key functional controls of the system are dependent on digital technologies will be paramount for good cyber design of the MODERATE, or in rare cases, the HIGH impact system. What is important to remember is that the Cybersecurity Designer asks these questions and assumes nothing even though it’s a system that is supposed to be “Stand Alone.”

Incident Response (IR), Maintenance (MA), Media Protection (MP), Security Planning (PL), Program Management (PM), and Security Assessment and Authorization (CA) have limited explicit coverage in the UFGS-25 05 11, and these should be reviewed against the CECS Baseline List during the Cybersecurity Design Process. Cybersecurity Designers should be aware that some critical control families may require additional consideration and be prepared to have these discussions with the client. Often, though, and as stated in UFC 4-010-06, “There is a point for every system where the application of an additional cybersecurity requirement will result in an overall increase in risk. This is an especially important consideration for more critical (higher impact) systems where the control system must operate properly to support the mission,” (UFC 4-010-06 2023, Chapter 4, Section 4-8.2 Consideration of Overall System Risk).

Given the critical nature of AIR FORCE Control Systems, just like all Department of Defense Control Systems, Cybersecurity Designers should view the two documents, the new 25 05 11 and the newly released CECS Baseline Security Controls List, as a starting point. These should be supplemented with additional, more stringent controls and policies appropriate for the client’s risk tolerance and operational environments. That is the whole point of having an Operational Technology Cybersecurity Designer who is experienced and qualified to design cybersecurity for these types of systems. However, as outlined in the CECS Baseline Security Controls, care must be taken so as not to unduly increase the burden of costs. Enhanced incident response protocols, more rigorous maintenance procedures, stricter media protection policies, comprehensive security planning, robust program management, and thorough security assessment may be warranted depending on client needs, type of control system, and mission criticality but these things do cost additional resources in time, money and trained personnel.

In many cases, the Cybersecurity Designer will need to ask the client and the Lead Engineer: “What are the consequences that could result from a failure or unexpected operation of this OT system’s critical functions?” to determine which CECS tailored control families may or may not need to be included. Again, the client’s needs, the control system, and how it is engineered and integrated into the final design will be most of the determining factors. In summary, the UFGS-25 05 11's strong focus on technical implementation for LOW impact control systems provides an excellent starting point for a contractor charged with integrating any CECS control system.

Conclusion

The new CECS Security Controls, coupled with the updated UFGS 25 05 11, offer a comprehensive and nuanced approach to securing facility-related control systems for Air Force Civil Engineer Control System Design for Cybersecurity. This enhanced guidance reflects the dynamic cybersecurity landscape and the increasing complexity of threats which has been recognized by the AIR FORCE.

Effective implementation of these controls hinges on early and sustained collaboration between government clients, the Lead Engineers designing the systems, and the Cybersecurity Designer of Record (DoR). It is imperative that all parties actively engage from the project's inception, participating in key milestones such as the Design Charrette, 35% Design Review, and 65% Design Review. This proactive team approach enables the thoughtful application of security controls and allows for necessary supplementation where gaps are identified while (hopefully!) keeping costs controlled for the project. This approach facilitates the integration of cybersecurity considerations at every stage, resulting in more secure and resilient control systems tailored to the specific requirements of each project and overall mission impact level.

The synergy between government expertise and OT Cybersecurity professionals' insights is essential for navigating the complex security landscape. This collaborative model not only enhances the immediate security of control systems but also establishes a foundation for ongoing adaptation to emerging threats, ensuring robust protection across all impact levels of AIR FORCE infrastructure.


Comparison Tables


Table 1: No IT Control System LOW Impact


Table 2: Stand Alone Control System LOW Impact


Table 3: Stand Alone Control System MODERATE Impact


Table 4: Stand Alone Control System HIGH Impact


Table 5: COINv2 Interconnected Control System LOW Impact


Table 6: COINv2 Interconnected Control System MODERATE Impact

