Cybersecurity

in Federal
Facilities
A Converged Approach to Securing Operational Technology

by Jesse Wiegand

schneider-electric.us
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 2

Introduction

U.S. federal agencies need a holistic approach to cybersecurity that

Executive Summary safeguards their missions and all the supporting data and systems. When
discussing cybersecurity with federal agencies, IT systems are often focal
Today, it is equally important for federal points of conversations as they are the systems traditionally targeted for
agencies to secure operational technology cyberattacks and security threats. IT systems acquire, transmit, manipulate,
(OT) that runs facilities, installations, and store highly confidential information, classified data, and intellectual
equipment, systems, infrastructure, and property critical to an agency’s mission. So, it’s not unusual for an agency’s
other physical assets as it is to secure focus to be on protecting its IT data centers, networks, software, connectivity,
information technology (IT). This is and computing devices.
challenging not only because of the federal
However, OT systems in today’s environments are equally important to an
mandates around security, but also because
agency, as they too enable mission readiness. OT typically includes all
IT and OT environments must integrate
systems, technology, and processes that monitor, run, support, and maintain
and work together, especially around
federal facilities, installations, equipment, systems, infrastructure, and other
security. This white paper provides insights
physical assets. OT also includes all systems inside of those physical assets
into specific challenges federal agencies
that run everything from air traffic control and postal mail handling equipment
face, as well as comprehensive steps for
to electric power grids and energy storage systems.
achieving a comprehensive, converged OT/
IT approach to cybersecurity. This paper Because OT systems have evolved into connected solutions that are integrated
also includes recommendations on how to with IT environments, they are at risk for cyberattacks and security threats as
overcome funding limitations and what to much as IT environments are. To achieve a well-developed security posture,
look for when searching for an experienced agencies must not only secure their IT systems, they must also secure their OT
cybersecurity partner. systems as well.
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 3

Cybersecurity in federal agencies

The threat of criminal cyber activity – from nation state attackers, cybercrime organizations, political or social hacktivists, terrorists,
hackers for hire, or even teenagers who hack “just because” – is always present. With cybercrimes increasing in frequency and
sophistication around the globe, no one can escape the potential of an attack, including federal agencies.

To protect critical missions of its agencies, the U.S. government has issued a wide array of cyber security regulations and mandates
through the U.S. Commerce Department’s National Institute of Standards and Technology (NIST). Every federal agency must comply
with the NIST directives below for their IT and OT systems:
• The Federal Information Security Management Act (FISMA) of 2002 was updated in 2014 to the Federal Information Security
Modernization Act. The intent of this government-wide mandate is to protect federal agency information. It requires all agencies
to develop, document, and implement programs that provide security for the information and systems that support the
operations and assets of each agency.
• As part of FISMA, NIST created the Risk Management Framework (RMF), which is a set of operational requirements and
procedural standards for compliance of any system that generates, uses, transmits, or stores data. RMF compliance includes
seven steps:

1 2 3 4 5 6 7
Preparing the Categorizing Selecting Implementing Assessing Authorizing Monitoring
organization systems based security security security system performance
for security on risk impact controls controls controls operations on an ongoing
management basis

• NIST also developed a Special Publication (SP) 800 series that offers guidelines and recommendations for security. Here are a
few of the SP 800 publications that apply to IT and OT security:
• SP 800-37: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for
Security and Privacy
• SP 800-53: Security and Privacy Controls for Information Systems and Organizations
• SP 800-82: Guide to Industrial Control Systems (ICS) Security
• In addition, NIST created the Cybersecurity Framework (CSF), which includes standards, guidelines, and best practices for
managing cybersecurity-related risk through five core functions. These functions include identify, protect, detect, respond, and
recover. Each of these functions has subcategories that include initiatives such as asset and risk management, maintenance,
monitoring, mitigation, and recovery planning. Note that publication SP 800-27, Revision 2 provides insights into how to align the
steps of the CSF with those in the RMF to create a more robust methodology for an agency’s cybersecurity footprint.
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 4

ATO authorization is the ultimate goal

If an agency successfully meets all cybersecurity requirements described above, it can achieve an “authority to operate” or ATO
authorization.

ATO is essentially an authorization process which includes a review of the security controls in place by an agency sponsor, such
as the agency’s Chief Information Officer (CIO). If the proper security is in place, an ATO is issued and an agency can turn on or
activate the secured technology that has been authorized.

When it comes to receiving an ATO authorization for an OT system, the review process will also include any related and connected IT
systems as well. Any OT cybersecurity initiative must also include measures that ensure the proper IT security is in place.

The path is challenging

To meet federal mandates and achieve an ATO, federal agencies must have cybersecurity strategies that reduce security threat risks
without compromising their ability to carry out their core missions and business functions effectively. This balance – providing security
while allowing operations to continue – can be challenging.

Not only are there funding challenges when it comes to security budgets, but federal agencies, like other large organizations around
the world, have limited, skilled security staff. These factors can compromise the agencies’ ability to fully fulfill and sustain complex
NIST requirements on their OT and IT systems.

In May of 2018, the Office of Management and Budget (OMB), an office within the Executive Office of the President of the United
States, published the Federal Cybersecurity Risk Determination Report and Action Plan. The goal of this report was to provide a
high-level assessment of cybersecurity risks in federal agencies to identify weaknesses in their networks, infrastructures, and where
stronger defenses are needed.

The assessment found that 74% of the participating agencies had cybersecurity programs that were either “at risk” or “at high risk.”
The report defined “at risk” programs as ones that had essential cybersecurity policies, processes, and tools in place, yet there were
still significant security gaps. “High risk” meant that some of the most fundamental cybersecurity elements were not in place, or if
they were, they weren’t properly deployed. The high-risk agencies typically were identified as unable to manage cyber risks properly.

The report attributed the high number of “at risk” agencies to factors such as the lack of:

• An understanding of and resources to combat the current threat environment.

• Standardized cybersecurity processes and IT capabilities needed to gain visibility into threats and to combat them.

• Network visibility and the ability to detect data exfiltration.

Another measure of cybersecurity readiness is the Federal Information Technology Acquisition Reform Act (FITARA) 8.0 scorecard,
which was released in June 2019. In addition to grades on IT modernization, the participating agencies were given a cybersecurity
score to indicate how well each agency meets FISMA compliance. A majority of agencies (78%) received a C, D, or F grade, with only
one agency receiving an A and four additional agencies getting Bs. (Note: while cybersecurity grades were compiled in the previous
versions of the FITARA scorecard they were not included in the final scores for agencies until the 8.0 version.)
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 5

Cyber attackers know where the vulnerabilities are

Hackers and cybercriminals are well aware of the vulnerabilities in government agencies. For instance, according to the Black
Report: Decoding the Minds of Hackers, 62% of the hackers surveyed reported that they could breach the perimeter of the federal
government in 10 hours or less, with 9% noting that they could do it in less than one hour. Twenty-eight percent reported it would take
them only an hour to identify critical data after initiating the breach, and 32% said it would only take one hour to exfiltrate the data.

Recent attacks that have been reported to the Center for Strategic and International Studies (CSIS) show the breadth and
sophistication of today’s threats – and reveal that no agency is safe from cybercriminals.

For instance, within the last year or so, there were attacks on the U.S. Departments of Justice, Treasury, and State. The U.S. Cyber
Command, and the U.S. Navy, both part of the U.S. Department of Defense, were targeted as well. The U.S. Securities and Exchange
Commission and the Centers for Medicare and Medicaid Services (agencies within the U.S. Department of Health and Human
Services) were also attacked.

In addition, CSIS reported incidents where email accounts of U.S. senators and their staffs were compromised, as well as incidents
of theft of intellectual property from unnamed government agencies. The CSIS incident list also includes attacks on vendors that
offer mission-critical services to federal agencies, such as aerospace companies, utility companies, and other critical infrastructure
vendors including energy, nuclear, water, aviation, and manufacturing facilities.
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 6

Securing OT systems

When considering the information above, it’s clear that federal agencies need to adopt a better, more effective approach to securing IT
and OT systems. The most effective approach is a converged one that includes information and operational technology environments,
not only because they connect to each other, but also because they are equally important to securely supporting and carrying out
agency missions.

The security that works for traditional IT networks, data centers, and connected devices does not necessarily work for OT
environments. For IT systems, cyber risks exist around how data and information are used, stored, and transmitted. The primary IT
risks of concern to agencies are compromised data confidentiality, data integrity, and potential interruptions of business operations
due to network outages.

While some of the risks for OT systems are similar, there are other risks as well. OT environments are highly interconnected and use
mutually dependent technology systems that operate and control physical environments and assets. So unlike IT environments, for
instance, human safety is a concern for some OT systems. There are also risks associated with regulatory compliance, environmental
and natural disasters, and the downtime of equipment that may be core to the execution of an agency’s mission.

Let’s take a deeper look at what OT is, how it differs from IT, and what a converged approach might look like.

A quick overview of operational technology

The federal government often identifies OT as operational systems, a term that includes specialized systems and devices such as
telecommunications systems, industrial or process control systems, testing and calibration devices, weapons systems, command and
control systems, and environmental control systems.

In the broadest definition, OT keeps all the systems in federal office buildings, military bases, manufacturing plants, power supplies,
electric grids, and other facilities up and running (see Table 1). OT systems within these assets are critical to a federal agency’s
mission, as they perform all the critical functions an agency performs, whether it is mail sorting, air traffic control, or energy resilience.
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 7

Table 1: An overview of operational technology

What Is Operational Technology (OT)?

DEFINITION For the purposes of this paper, an OT environment could include any of the industrial control
systems defined by the NIST Special Publication 800-82 (SP-800-82), “Guide to Industrial Control
Systems (ICS) Security.”

MAJOR OT Supervisory Control and Data Acquisition (SCADA) systems

CATEGORIES Controls dispersed assets using centralized data acquisition and supervisory control; uses
hardware and software to monitor and collect data from industrial plants and equipment.

Distributed Control Systems (DCS)

Controls production systems within a local area such as a factory using supervisory and regulatory
control. Also controls the devices and instruments that the data is collected from in those systems.

Programmable Logic Controllers (PLC)

Provide discrete control for specific applications and generally for regulatory control.

OTHER TYPES • Advanced Metering Infrastructure (AMI) • Intrusion Detection Systems

OF CONTROL • Building Automation Systems (BAS) • Physical Access Control Systems
SYSTEMS
• Building Management Control Systems • Public Safety/Land Mobile Radios
(BMCS) • Renewable Energy Geothermal Systems
• Closed-Circuit Television (CCTV) • Renewable Energy Photovoltaic (PV)
Surveillance Systems Systems
• Carbon Dioxide (CO2) Monitoring • Shade Control Systems
• Digital Signage Systems • Smoke and Purge Systems
• Digital Video Management Systems • Vertical Transport Systems (Elevators and
• Electronic Security Systems Escalators)
• Emergency Management Systems (EMS) • Laboratory Instrument Control Systems
• Fire Sprinkler Systems • Laboratory Information Management
• Interior Lighting Control Systems Systems (LIMS)
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 8

How OT differs from IT

As noted earlier, IT systems typically acquire, transmit, manipulate, and store confidential information, classified data, and intellectual
property through data centers, networks, software, connectivity, and computing devices that all must be secured. Because OT
systems have become more sophisticated and connected, they now also use IT networks to acquire, transmit, and store highly
valuable operational data as well.

But they also have unique purposes, capabilities, and functionality as seen in Table 2.

Table 2: How operational technology differs from information technology

Operational Technology Information Technology

PURPOSE Control and monitor physical process equipment Data transactions that provide information;
including machines and buildings supports people

OWNERSHIP Engineers, technicians, operators, and managers CIO and IT

ARCHITECTURE Event-driven, real-time embedded hardware and Enterprise-wide infrastructure and software
custom software applications

CONNECTIVITY Control networks, hard-wired twisted pair and Corporate network, IP-based network
internet protocol (IP)-based networks

INTERFACES Graphical user interfaces and electromechanical, Graphical user interface, web browser, terminal,
sensors, actuators, coded displays, hand-help and keyboard
devices

PERFORMANCE • Real-time • Non-real-time

REQUIREMENTS • Response is time-critical • Response must be consistent
• Modest throughput is acceptable • High throughput is demanded
• High delay and/or jitter is not acceptable • High delay and jitter may be acceptable
• Response to human and emergency interaction • Less critical emergency interaction
is critical • Tightly restricted access control can be
• Access to industrial control systems (ICS) implemented to the degree necessary for
should be strictly controlled, but should not security
hamper or interfere with human-machine
interaction

AVAILABILITY • Responses such as rebooting may not be • Responses such as rebooting are acceptable
(RELIABILITY) acceptable because of process availability • Availability deficiencies can often be tolerated,
REQUIREMENTS requirements depending on the system’s operational
• Availability requirements may necessitate requirements
redundant systems
• Outages must be planned and scheduled days
or weeks in advance
• High availability requires exhaustive pre-
deployment testing
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 9

Operational Technology Information Technology

RISK • Control physical world • Manage data

MANAGEMENT • Human safety is paramount, followed by • Data confidentiality and integrity is paramount
REQUIREMENTS protection of the process • Fault tolerance is less important; momentary
• Fault tolerance is essential, even momentary downtime is not a major risk
downtime may not be acceptable • Major risk impact is delay of business
• Major risk impacts are regulatory non- operations
compliance, environmental impacts, loss of life,
equipment, or production

SYSTEM • Differing and possibly proprietary operating • Systems are designed for use with typical
OPERATION systems, often without security capabilities operating systems
built in • Upgrades are straightforward with the
• Software changes must be carefully made, availability of automated deployment tools
usually by software vendors, because of the
specialized control algorithms and perhaps
modified hardware and software involved

RESOURCE • Systems are designed to support the intended • Systems are specified with enough resources
CONSTRAINTS industrial process and may not have enough to support the addition of third-party
memory and computing resources to support applications such as security solutions
the addition of security capabilities

COMMUNICATIONS • Many proprietary and standard communication • Standard communications protocols

protocols • Primarily wired networks with some localized
• Several types of communications media are wireless capabilities
used including dedicated wire and wireless • Typical IT networking practices
(radio and satellite)
• Networks are complex and sometimes require
the expertise of control engineers

CHANGE • Software changes must be thoroughly tested • Software changes are applied in a timely
MANAGEMENT and deployed incrementally throughout a fashion in the presence of good security policy
system to ensure integrity of the control and procedures. The procedures are often
system is maintained. ICS outages often must automated.
be planned and scheduled days/weeks in
advance. ICS may use OSs that are no longer
supported.

MANAGED • Service support is usually via a single vendor • Allow for diversified support styles
SUPPORT

COMPONENT • Lifetime on the order of 10 to 15 years • Lifetime on the order of 3 to 5 years

LIFETIME

COMPONENTS • Components can be isolated, remote, and • Components are usually local and easy to
LOCATION require extensive physical effort to gain access access
to them

Source: Adapted from Security for Building Occupants and Assets, Whole Building Design Guide, and NIST Special Publication 800-82
Revision 2, Guide to Industrial Control Systems (ICS) Security
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 10

The unique challenges of OT security

Because the risks are different, the approach to securing OT must be different also. OT security must not only protect physical
mission-critical buildings, facilities, and equipment, but also the industrial control systems (ICSs) and other technology that runs
them. This includes everything from energy meters, lighting controls, and building automation systems, to potable and waste water
management systems, and microgrid controls — the essentials that enable an agency’s vital everyday operational tasks.

In protecting these assets, there are a few unique security challenges for OT systems that agencies must keep in mind and address to
achieve an ATO authorization.

• OT systems are often comprised of completely different hardware and software than IT systems, so the tools, processes, and
policies that govern and manage IT security do not necessarily apply to industrial controls. As a result, OT systems require their
own unique security measures, and oftentimes, the primary IT security teams in federal agencies may not have the knowledge
and expertise required to implement the right OT security protocols and integrate them with the IT systems.
• Another consideration in protecting OT systems is the rapid evolution of technology and sophistication of OT systems. As an
example, improving energy resiliency and efficiency is now a pressing mandate for federal agencies. There are many innovative
technological advances in connectivity, the cloud, analytics, and specialized OT specific application that support and improve
mission readiness, energy efficiency, and resilience. However, these same advancements – as well as others for ICSs – present
new and highly vulnerable risks, especially because the security tools and processes to protect them may lag in development.
• And lastly, another cybersecurity risk arises from the fact that OT and ICS are typically comprised of a complex environment
of interdependent sub-systems from an array of third-party vendors. Some of the vendors may have ensured their systems
are highly secure, but there may be others that do not meet federal security standards, and therefore, their systems may have
cybersecurity vulnerabilities.

OT security on a typical government campus includes highly innovative, intelligent building and plant management systems enhanced
and driven by Internet of Things (IoT) technology and other advances. Critical electrical infrastructures, power distribution systems,
and telecommunication systems are now driven by advanced connectivity and analytical insights. The software running these systems
supports industry-standard and open IP to facilitate the secure communication and exchange of data and analytics connecting OT
and IT networks.

The security teams at federal agencies must go beyond typical efforts to ensure IT data centers, servers, and networks are safe from
cyber threats and put equally secure measures in place for any of the OT systems that are connected to them. For example, there are
even risks inherent in the sensors these systems use, and all the way through to the software application level.
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 11

A converged approach to cybersecurity

The primary driver behind any security program is the reduction of risk. Federal agencies need to develop a holistic defense-
in-depth approach that:

• Meets all federal guidelines, including RMF and CSF.

• Uses a cyber risk management lifecycle approach with highly effective standardized tools and processes that are
customized to individual agency needs and requirements.
• Integrates IT and OT security in a converged, cohesive approach.
• Allows agencies and their personnel to be fully functional in achieving the goals of their mission without compromise.

Figure 1: A converged secure OT/IT environment; the red dotted line includes what must be included in an OT security plan to achieve ATO.

Source: Adapted from: Unified Facilities Criteria: Cybersecurity of Facility-Related Control Systems
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 12

A seven-step approach to achieving ATO

A typical approach to an OT security plan includes the following steps, which is modeled after and includes many of the parameters
of RMF and CSF, as diagramed in Figure 2.

1. Categorize your IT and OT assets 5. Monitor all solutions holistically

Using the basic tenets of any security program – During this phase of operations, every cybersecurity
confidentiality, integrity, and availability – this step requires solution is monitored continuously to detect, respond, and
the determination of the impact of cyber risk on an remediate threats.
agency’s OT and IT systems. For instance, physical and
software assets are identified and categorized on a low- 6. Maintain on an ongoing basis
to-high metric system based on the potential impact that Here, system upgrades, patches, awareness, and incident
the loss of confidentiality, integrity, or availability has on response are key to a system’s security and an agency’s
agency’s operations, assets, or people. overall cybersecurity protection. It’s important to know
that all systems – and cybersecurity skills – are up-to-date
2. Assess environments for risk and tested regularly to minimize security incidents and
The next step determines the risks that might be inherent maximize peace of mind.
in an agency’s current systems. It includes an evaluation
of both IT and OT systems to detect any inherent gaps 7. Train the team
that could lead to cyber security vulnerabilities, such as Training existing staff on security best practices is critical
ineffective or outdated controls, processes, or practices. to building a security culture that leads to quick threat
response and business continuity.
3. Design a comprehensive security approach
Based on the findings from the categorization and
assessment, the next step is to design, develop, and Figure 2: Seven steps that can help agencies achieve an ATO
maintain a “defense-in-depth” security platform that
includes:
in Cate
• A central authentication, authorization, and auditing
ainta go
system M riz
• Protection against malware through advance Permit

e
functions like data loss prevention, device control, and
n

whitelisting
Trai

Assess
ple

• Scheduled backups and encryptions of files and

Pr
Respond

Protect
Peo

ocess

folders
• Network and system performance monitoring

In addition, a set of cybersecurity policies are developed

Te
as a governance program that includes the ability to limit ch n o logy
Mo

or contain the impact of potential cybersecurity events and

ni

outlines safeguards for delivery of critical services. De t e ct

to

ig

s
De
r

4. Implement security controls Imp

le ment
In this step, all appropriate security tools and best
practices are put into action, integrated with any necessary
IT systems, and readied for an ATO authorization. Upon
approval, the system is put into operation.
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 13

When these seven steps are in place, then an agency’s security posture allows for the capabilities listed in Figure 3 (and as seen on
the inner ring of Figure 2).

• Permit: Network and physical controls to competently and securely manage access to OT systems and information.
• Protect: Specific controls to bolster an overall security plan for ongoing protection.
• Detect: Active processes that monitor the operating environments of OT systems to detect and communicate threats.
• Respond: Capabilities and systems to support rapid response to cyber incidents to contain and mitigate attacks.

Figure 3: The types of tools and processes to put in place to enable converged cybersecurity

Permit Protect Detect Respond

• Authentication, • Endpoint Protection • Security Information • Backup / Disaster

Authorization, Anti-virus, Anti-malware & Event Management Recovery
Accounting • DLP, HIPS, Whitelisting (SIEM) • Forensics
• Multi-Factor • Central Device Control • Network Performance • Incident Response
Authentication • CPU/PID Protection Monitoring
• Network Segmentation • Patch Management • Anomaly Detection
• Secure Remote Access • Intrusion Detection (IPDS)
• Physical Security • SOC / NOC
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 14

Funding cybersecurity
OT cybersecurity initiatives may require multiple sources of public or private financing, depending on asset ownership, contract
vehicles used, and available appropriated resources. A trusted vendor can help federal agencies identify the best financing options as
well as available federal, state, and local incentives.

When appropriate funds are combined with alternative programs, they can significantly reduce the financial burden for agencies.
These programs not only provide the necessary funding for cybersecurity, but have the added benefit of inherently building the
cornerstones of an energy resilience program. For instance, several energy management initiatives could result in building a
microgrid, which could save a single military base anywhere from $8 to $20 million over the microgrid’s 20-year life span. 1

Here are some of the alternative funding sources related to energy resilience that could help fund cybersecurity efforts:

Energy Savings Performance Contracts Power Purchase and Energy Sales Agreements
Energy Savings Performance Contracts (ESPC) provide Power Purchase Agreements (PPAs) help the government
financing for energy and operational efficiency upgrades as fund on-site renewable and distributed energy projects
well as operation and maintenance (O&M) projects, where without any up-front capital costs. As part of the Federal
the programs are paid for by the cost savings generated. An Energy Management Program (FEMP), PPA developers can
energy services company (ESCO), who would fund an ESPC own, install, and operate renewable and distributed energy
project and guarantee a certain amount of savings over the systems on federal property to sell generated power to federal
project life, can help an agency develop energy resilience and agencies. Energy Sales Agreements (ESAs) are measures used
cybersecurity strategies. With an ESPC, the ESCO provides in ESPCs to provide similar PPA-like power generation and
financing, implements measures, assumes performance risk, purchase arrangements. In addition, third-party owners of ESA
and continues O&M in an ongoing partnership to ensure assets within ESPCs are also able to sell available renewable
savings. energy certificates (RECs) to offset installation costs.

Utility Energy Service Contracts Energy-as-a-Service

Utility Energy Service Contracts (UESCs) can be used for Finally, military departments like the United States Air Force
energy efficiency and renewable energy projects. With these are exploring an innovative emerging concept for alternative
contracts, utility companies provide energy management funding called Energy-as- a-Service (EaaS). According to
services such as project assessment, design, financing, Navigant Research, EaaS is a vendor-based energy business
installation, and performance assurance. Oftentimes these model that can provide turnkey energy. In this model, third-
contracts can be implemented without any capital investment or party vendors or utility services companies can deploy
use of appropriated funds. technical, financing, or procurement solutions. Through EaaS,
federal agencies could contract with an EaaS provider for
Enhanced Use Leases energy or utility procurement, on-site generation, efficiency
The government encourages the use of underused property improvements, utility infrastructure ownership, and energy and
through Enhanced Use Leasing (EUL) programs. According to utility O&M services. An EaaS can result in a comprehensive
the U.S. Government Accountability Office (GAO), EULs may approach to the resilient and secure delivery of energy to a site.
include long-term leases of 25-50 years to private developers
for the installation of renewable energy systems in exchange for
cash or in-kind services.

To learn more about funding, including the use of federal, state, and local incentives, download, Beyond Appropriated Funding: An
Innovative Financial Equation for Building Energy Resilience. For more information on EaaS, download Energy as a Service: A Cost-
Effective Path to Energy Resilience for the Federal Government.

Footnote: 1. U.S. Military Could Save Over $1 Billion and Boost Energy Security, New Research Finds,” The Pew Charitable Trusts, January 2017
Cybersecurity in Federal Facilities: A Converged Approach to Securing Operational Technology August 2019 | 15

What to look for in an OT provider

The primary driver behind any security program is the reduction of risk. Federal agencies need to develop a holistic defense-in-depth.
Oftentimes, agencies cannot achieve the comprehensive security goals for OT without the assistance of a knowledgeable partner.
For agencies that want to team up with an industry expert, they should look for the following capabilities:

A global team of experts focused on cybersecurity that includes response teams to help recover from threats and incidents.

The ability to assess operational needs and risk profiles to design, build, and implement secure OT systems and technology.

The ability to integrate OT security with IT security and obtain ATO authorization.

Familiarity and in-depth knowledge of all federate mandates for cybersecurity.

Knowledge of best practices to meet those federal mandates.

Funding expertise that can help agencies receive and supplement funding for cybersecurity initiatives.

A partner who understands the need for transparency between government agencies and their contractors.

Conclusion
Federal agencies can ensure a more comprehensive cybersecurity posture by securing the OT that runs facilities, installations, equipment,
systems, infrastructure, and other physical assets. When these efforts are integrated with IT security, agencies can more easily meet federal
mandates while combating the inherent challenges of protection from physical and cyber threats. Working with outside cybersecurity
experts helps ensure the overall reliability of cybersecurity plans while leveraging funding options, resources, and expertise.
Contact us
The expertise to bring it all together.
You need a comprehensive, proactive infrastructure management approach and a partner with proven experience
and extensive capabilities. Schneider Electric has more than 25 years of experience helping our clients tackle
operational challenges and optimize infrastructure performance.

Ranked #1 Leader in building One of the top 100 One of the top 100
Energy Service Company energy management world’s most ethical world’s most sustainable
Navigant, 2017 systems companies corporations
Navigant, 2016 Ethisphere, 2011 – 2018 Corporate Knights, 2017

www.schneider-electric.us/fedgov

©2019 Schneider Electric. All Rights Reserved.

All trademarks are owned by Schneider Electric Industries SAS or its affiliated companies.