The US Air Force has released an RFI for the EVALUATION OF CYBER/IoT VULNERABILITIES OF DOD CRITICAL INFRASTRUCTURE (ExCITe). The US Air Force is on a fact-finding mission to evaluate how it can better protect its OT/ICS/IoT systems.
“The RFI seeks to obtain technical concepts, approaches, and merits of the ideas of work pertaining to the automatic identification, mapping, and security analysis of various base control systems. For the scope of this RFI, base control systems consist of industrial control systems/supervisory control and data acquisition (ICS/SCADA), building automation, life safety, utility monitoring, and airfield control systems. Further, it seeks to obtain information about pricing, delivery, and other market information or capabilities for possible use in a future Broad Agency Announcement (BAA).”
The RFI states that the Air Force “seeks to establish a real-time situational awareness platform capable of determining a base’s overall cyber threat surface in terms of control systems technology. A key factor in determining the overall cyber threat surface is an accurate inventory of control systems devices connected through both internet protocol (IP), serial, and other connections. Base control systems of interest include, but are not limited to, supervisory control and data acquisition (SCADA) systems, building automation, life safety, utility monitoring, and airfield control systems.”
The US Air Force has done its homework and has specified the data acquisition capabilities required in response, including passive data capture, continuous monitoring and active scanning for specific systems, and DPI for ICS protocols such as BACnet, LonWorks, Modbus and ZigBee. Standard fare for most vendors in the space.
The RFI goes on to lay out the analytics and data integration capabilities, including:
- Ad hoc reporting, dashboarding, alerts (visualization and interaction)
- Storage, indexing, processing (analysis and algorithms)
- Determination of a base’s overall risk / threat posture
- Generation of alerts for events of interest
- Existing Application Program Interfaces (APIs) to support enterprise integration
Additional consideration for:
- Comparing device configuration and software component versions with NIST and other vulnerability databases
- Out of the box connectivity with data historians, vertical databases and management systems
And a familiarity with USAF Civil Engineering functions will go a long way.