The frequency and sophistication of cyberattacks on critical energy infrastructure are steadily rising. Network perimeter protections alone are not enough to protect control signals and sensitive data. S&C understands that effective security engineering requires a multidisciplinary application of risk management to ensure resiliency throughout the system lifecycle. Energy systems are multi-vendor systems-of-systems that require close coordination among several stakeholders to ensure the security posture is properly designed, implemented, and maintained. S&C engineers cybersecurity into its products for resiliency and defense-in-depth.
S&C also offers a robust suite of Cybersecurity Services to lead the holistic network and system security integration. S&C provides great value to our customers by coupling cybersecurity services with our Power System Solutions and Engineering Services, but we also offer standalone cybersecurity consulting and services. This gives our customers without full cybersecurity staffing the support they need for compliance, and it ensures their systems and network environments stay secure.
With deep experience in U.S. Department of Defense (DoD) cybersecurity consulting and services, our team offers a wide variety of cybersecurity and network services to federal, commercial, and utility customers. The team holds DoD-approved cybersecurity certifications (e.g., CISSP, Security+ CE, GICSP, GPEN).
S&C Cybersecurity Services stands ready to apply our federal and DoD cyber experience to the needs of utility and commercial customers. S&C provides tailored cybersecurity assessments to improve energy system security and to manage risk. S&C cybersecurity assessments draw on frameworks and standards such as NERC CIP, NIST IR 7628, and NIST SP 800-53.
Specific assessment activities include, but are not limited to:
- Hardware and software inventory
- Threat assessment
- System and network vulnerability assessment and scanning
- NERC CIP compliance
- NIST Cybersecurity Framework or Risk Management Framework compliance
- Documentation of findings and mitigation recommendations
- (Future) DoD Cybersecurity Maturity Model Certification (CMMC) audits support
Federal Risk Management Framework Assessment
Federal information systems, including energy infrastructure, must be designed, secured, and monitored in accordance with Risk Management Framework (RMF) and related policy and guidance. S&C understands the challenges Department of Defense (DoD) energy system and facility-related control system (FRCS) owners face in cybersecurity implementation and in obtaining Authorizations to Operate (ATOs).
S&C takes a problem-solving approach to RMF planning and execution by focusing on alleviating the system owner's pain points, keeping costs low, and ensuring a feasible, timely path to securing an ATO. S&C Cybersecurity Services guides the system owner through the RMF process based on our deep, practical experience with RMF planning and execution for Army, Navy, Air Force, and Marine Corps microgrids.
The S&C team provides some of its greatest value in the implementation of RMF security controls. Not only are we experienced in hardening S&C energy system components, but we also apply cybersecurity and risk management to any third-party suppliers' devices in, or connected to, the energy system or network. Security control implementation includes organizational security policy and procedural planning. We provide full support to system owners at each RMF step, including:
- RMF Step 0: S&C sets the stage early by identifying and engaging the individuals who will fill key RMF roles and by registering the system in DoD repositories.
- RMF Step 1: S&C provides a recommended security categorization of the system, complete with a concept of operations (CONOPS) description, information types processed, and impact levels for confidentiality, integrity, and availability. We also develop accompanying artifacts, such as preliminary hardware/software lists and network boundary and data flow diagrams.
- RMF Step 2: S&C develops the system security plan (SSP) based on the approved security categorization and tailors the security control baseline with applicable overlays, marking controls that are inherited or not applicable.
- RMF Step 3: S&C provides full support of the system owner’s self-assessment with implementation of security requirements, including hands-on configuration and security policy and artifacts development.
- RMF Step 4: S&C participates fully in the third-party validation team’s site visit, providing hands-on support of the system validation. S&C’s Cybersecurity Services team will shepherd the RMF package forward in the control and package approval processes, including scan/fix/scan activities and artifact completion.
- RMF Steps 5 & 6: The S&C team continues full support of obtaining authorization through continued package rework and in completing training and system handoff. S&C's RMF approach doesn't end with the ATO. Ongoing RMF maintenance and continuous system monitoring are essential to the security and resiliency of the microgrid, and they are programmed into the policies and procedures developed with and for the system owner. A full service offering for this support is available under a separate contract.
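The Step 1 categorization above produces impact levels for confidentiality, integrity, and availability from the information types the system processes, following the NIST SP 800-60 approach: each information type gets provisional levels, the owner may adjust them with a documented rationale, and the system's level for each objective is the FIPS 199 high-water mark (the maximum across information types). The code below is an added illustration of that computation, not S&C's tooling; the information types, their impact levels, and the adjustment rationale are constructed for a hypothetical microgrid control system and are not values from SP 800-60.

```python
"""FIPS 199 / SP 800-60 style security categorization (RMF Step 1).

Added example; not S&C code. All information types and levels below are
constructed placeholders, not SP 800-60 provisional values.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Iterable, Optional, Tuple


class Impact(IntEnum):
    """FIPS 199 potential impact levels; IntEnum so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact levels."""
    name: str
    confidentiality: Impact
    integrity: Impact
    availability: Impact


# Constructed sample: information types a microgrid controller might process.
SAMPLE_INFO_TYPES = (
    InfoType("Energy supply control commands", Impact.LOW, Impact.HIGH, Impact.MODERATE),
    InfoType("Metering and telemetry", Impact.LOW, Impact.MODERATE, Impact.MODERATE),
    InfoType("Facility and maintenance records", Impact.MODERATE, Impact.LOW, Impact.LOW),
    InfoType("Operator accounts and audit logs", Impact.MODERATE, Impact.MODERATE, Impact.LOW),
)

# Owner adjustments to provisional levels, keyed by (info type, objective).
# SP 800-60 permits raising or lowering a provisional level with a written rationale;
# this adjustment is hypothetical.
SAMPLE_ADJUSTMENTS = {
    ("Energy supply control commands", "availability"): (
        Impact.HIGH,
        "loss of control availability interrupts mission-critical power",
    ),
}


def categorize(
    info_types: Iterable[InfoType],
    adjustments: Optional[Dict[Tuple[str, str], Tuple[Impact, str]]] = None,
) -> Dict[str, Tuple[Impact, str]]:
    """Return, per security objective, the high-water mark level and the
    information type (with any adjustment rationale) that drove it."""
    info_types = tuple(info_types)
    if not info_types:
        raise ValueError("at least one information type is required")
    adjustments = adjustments or {}
    result: Dict[str, Tuple[Impact, str]] = {}
    for objective in OBJECTIVES:
        best: Optional[Tuple[Impact, str]] = None
        for it in info_types:
            level, driver = getattr(it, objective), it.name
            adj = adjustments.get((it.name, objective))
            if adj is not None:
                level, driver = adj[0], f"{it.name} (adjusted: {adj[1]})"
            # Strict '>' keeps the first information type that reached the level.
            if best is None or level > best[0]:
                best = (level, driver)
        result[objective] = best
    return result


def overall_impact(sc: Dict[str, Tuple[Impact, str]]) -> Impact:
    """System-level high-water mark across the three objectives, which selects
    the NIST SP 800-53 baseline (low, moderate, or high)."""
    return max(level for level, _ in sc.values())


def format_sc(sc: Dict[str, Tuple[Impact, str]]) -> str:
    """Render the categorization in the FIPS 199 notation."""
    parts = ", ".join(f"({obj}, {sc[obj][0].name})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


if __name__ == "__main__":
    sc = categorize(SAMPLE_INFO_TYPES, SAMPLE_ADJUSTMENTS)
    print(format_sc(sc))
    for objective in OBJECTIVES:
        print(f"  {objective}: driven by {sc[objective][1]}")
    print("Baseline:", overall_impact(sc).name)
```

For the constructed sample, the provisional availability level is MODERATE; the documented adjustment raises it to HIGH, so the system categorizes as moderate confidentiality, high integrity, high availability and inherits the high baseline. Recording which information type (and which adjustment) drove each objective is what turns the result into a defensible Step 1 artifact rather than a bare triple.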
S&C and IPERC History
S&C’s acquisition of IPERC, the microgrid controls provider and cybersecurity lead for the 2015 Smart Power Infrastructure Demonstration for Energy, Reliability and Security (SPIDERS) and other DoD projects, brought the GridMaster® Microgrid Control System and RMF expertise to the S&C team. Our team helped government customers obtain the first microgrid control system ATOs, first at the Marine Corps’ Camp Smith, Hawaii, for the Naval Facilities Engineering Command (NAVFAC), and then for the U.S. Army’s Fort Carson, Colorado, Department of Public Works.
S&C is well-versed in RMF-related standards and guidance for industrial control systems (e.g., microgrid control systems and energy management control systems), as well as DoD Service-specific processes and formats, including but not limited to:
- Unified Facilities Criteria (UFC) 4-010-06, Cybersecurity of Facility-Related Control Systems, Change 1, January 18, 2017
- Unified Facilities Guide Specification (UFGS) 25 05 11, Cybersecurity for Facility-Related Control Systems, November 1, 2017
- DoD Instruction 8500.01, Cybersecurity, March 14, 2014
- DoD Instruction 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), Change 2, July 28, 2017
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-82, Guide to Industrial Control Systems (ICS) Security, Revision 2, May 2015
- NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-60, Revision 1, Volumes I & II, Guide for Mapping Types of Information and Information Systems to Security Categories
- NIST SP 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, December 2016, updated June 7, 2018
- NAVFAC Echelon II RMF Business Rules for Facility-Related Control Systems (FRCS), Version 1.0, October 4, 2019
- Air Force Civil Engineering Center (AFCEC)’s Guide for Cybersecurity Requirements for Vendors on FRCS, updated August 25, 2020
- Army Materiel Command (AMC) Cyber Security Division (CSD) Standard Operating Procedures (SOPs) for RMF
- DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
Secure Network Design and Configuration
Our team has deep expertise in full network and security design and configuration for federal, commercial, and utility customers. S&C’s experts can assess cybersecurity and network architectures for existing systems or for new construction, from conceptual network design through final commissioning. S&C can serve as a consultant to customer operators and security personnel and/or perform hands-on configuration of networked devices to ensure energy systems stay secure and compliant with applicable security requirements.
S&C’s security configuration services include implementation and documentation of a full security baseline, vulnerability and compliance scanning, mitigation of findings, and rescanning to confirm that each finding is closed. Proper installation, hardening, and testing of the network and equipment are essential and must be performed by knowledgeable security analysts. We provide this full secure network design and configuration service to meet our customers’ needs in the ever-changing cybersecurity landscape.