Federal facilities are increasingly complex and sophisticated systems of systems, with automated systems tied together through operational technology (OT)1 networks monitoring and controlling lighting and environmental control systems (CS), among many others. Federal agencies have built virtual fortresses around their information technology (IT) networks, including connected CS and OT networks, yet key vulnerabilities can allow bad actors to tunnel through the embedded layers of protection, interfere with facility operation and control, and gain direct passages into IT networks, bypassing their elaborate protections. As an August 2021 workshop convened by the National Academies of Sciences, Engineering, and Medicine’s Federal Facilities Council (FFC)2 concluded, there are gates in the virtual walls around IT networks and physical protections around facilities, and they are open (FFC 2021).
On July 9, 2024, the National Academies’ FFC convened a follow-up workshop to discuss the security of CS and OT networks and what has changed regarding their security since 2021. Workshop panelists explored the current threat environment; standards, policies, and guidance to protect OT and CS from malicious actors; and approaches that industry has taken to protect its OT and CS.
In his introduction to the workshop, James Myska, senior program officer at the National Academies, explained that the National Academies established the FFC in 1953 with members from both civilian and military agencies with diverse real-property portfolios, missions, and cultures. It operates under the auspices of the National Academies’ Board on Infrastructure and the Constructed Environment. The FFC is a cooperative association of more than 20 federal agencies directing activities to support federal facilities management throughout their life cycles—from planning, design, and construction through operations, capitalization, and disposition. The FFC, under the direction of its Oversight Committee, carries out its work through five standing committees that meet routinely throughout the year.
This Proceedings of a Federal Facilities Council Workshop was prepared by the rapporteurs as a factual summary of what occurred at the workshop. The statements made are those of the individual workshop participants and do not necessarily represent the views of all participants, the National Academies, or the FFC. The workshop documented herein was organized by the FFC. Because the National Academies does not appoint members of the FFC, this document is considered a product of the FFC rather than of the National Academies. Appendixes A and B contain the workshop agenda and biographical sketches for the workshop’s speakers, respectively. The speakers’ presentations (as PDF and audio files) have been archived online.3
___________________
1 Operational technology (OT) includes, for example, sensors, valves, and non–information technology networks that support facilities at the edge of the Internet of Things.
2 The website for the Federal Facilities Council is http://nas.edu/ffc, accessed July 24, 2024.
3 For additional information, see the workshop website, “The Gates Are Open: Operational Technology and Control System Security for Federal Facilities,” at https://www.nationalacademies.org/event/42663_07-2024_the-gates-are-open-operational-technology-and-control-system-security-for-federal-facilities.