The service's industrial controls get smarter during its quest for "net zero" buildings, which brings cybersecurity into play.
It took the infamous Stuxnet malware, which attacked Iran’s nuclear facilities, to demonstrate the importance of cybersecurity in industrial systems.
“Stuxnet demonstrated that chillers are computers,” said Benga Erinle, president of Ultra Electronics 3eTI, during a session on critical infrastructure protection at the GovSec conference in Washington.
Erinle and Christopher Clark, a chemical engineer for the Naval Surface Warfare Center, spoke on the Navy’s implementation of a secure enterprise industrial control system, which is a computer-controlled system that monitors and controls industrial processes such as heating, ventilation, air conditioning, building access and energy consumption.
Stuxnet, a worm discovered in June 2010 and believed to have been created by the United States and Israel, was the first discovered malware that spies on and subverts industrial systems. Stuxnet demonstrated that while industrial control legacy systems might not be directly connected to the Internet, they could be infected by USB hubs, cellphones and other devices connecting to the private network. Stuxnet was delivered via a key drive and disrupted uranium processing at the facility.
When it comes to legacy industrial systems, “you can’t install Symantec or McAfee on them,” said Erinle.
Securing the Navy’s energy grid is a key part of the department’s goal to lower its fossil fuel consumption, Clark said. One of the Navy’s mandates is to generate 50 percent of its shore energy from alternative sources and have 50 percent of its installations “net zero” by 2020, he said. A “net zero” building is one that annually has zero net energy consumption and carbon emissions.
However, as the old saw goes, you can’t manage what you can’t measure. The first step: ensure there are smart sensors and meters in facilities to determine where energy is being spent, Clark said. Once meters are in place, identify where upgrades would be the most effective and easiest to implement – the “low hanging fruit”; create a balanced power system by adjusting energy distribution to lower costs while meeting critical mission requirements; and develop methods of reusing energy, all within a secure environment, he added.
“We have to start with knowing where the problem children are,” Clark said. “It really gets down to data. You are only as good as the metrics coming in.” With the energy review, the Navy found, for example, one facility running its HVAC from 6:00 a.m. to 2:00 a.m. every day, Erinle said.
Naval buildings were built over many years, from the 19th century to recent times. One of the mandates of the program is to centrally manage these buildings within a common system.
The system “has to have central monitoring, visibility and be scalable,” to achieve energy cost reductions, Erinle said. It also needs to be affordable and accredited. Direct digital controls systems need to be integrated with supervisory control and data acquisition (SCADA) systems, physical surveillance, video analysis and intruder alert systems and access control.
Because the Defense Department “could not afford to run ‘dark fiber’ to every building it is leveraging secure wireless” for its enterprise industrial control system, Erinle said.
As a result of its efforts, the Navy is now on schedule to reduce its energy consumption by 35 percent.
But it wasn’t easy. There were many “knife fights,” Erinle said. Buildings and bases are scattered. The initiative required operators to submit asset inventories, some did not want to do because of the time, energy and cost involved. Determining who had ownership of the building and was therefore responsible for the task was another hurdle. Additionally, tenants of a secure building might not want outsiders doing assessments if they believed the assessors to not have the appropriate security clearance, said Clark.