Facility Cybersecurity Framework Tool Suite

The Facility Cybersecurity Framework (FCF) Tool Suite is designed to help organizations, specifically federal agencies, evaluate and strengthen the cybersecurity of their industrial control systems. The tool seeks to address the growing challenge of operational technology (OT) cybersecurity by focusing on facility-related control systems.

Developed by Pacific Northwest National Laboratory (PNNL) in partnership with the Federal Energy Management Program (FEMP), this suite of tools provides a structured and practical approach for facility teams to identify vulnerabilities or gaps in a building’s OT environment, prioritize improvements, and build stronger cybersecurity practices. The tool suite also includes on-demand, interactive training based on real-world examples aimed at helping users better understand how to apply security controls and policies across a variety of scenarios.

Laws and policies require federal agencies to enhance their cybersecurity posture. This collaboration with FEMP ensures that federal agencies make informed decisions that strengthen mission readiness, reduce operational costs, and enhance the overall performance of federal infrastructure.

Since the introduction of these tools, dozens of federal agencies, organizations, and educational institutions, including the U.S. Department of War, U.S. Department of Veterans Affairs, and U.S. Department of Homeland Security, have leveraged them, establishing their value as a proven resource for enhancing cyber readiness across federal operations.

The suite helps users do the following:

  • Conduct self-assessments of facility-related control systems to find cybersecurity gaps
  • Develop actionable improvement plans for their facilities
  • Train personnel to recognize and mitigate cybersecurity risks in day-to-day operations
  • Support compliance with federal cybersecurity requirements

Explore the FCF Tool Suite to find resources for improving facility-related control system cybersecurity.

Identify Needs

Users start by identifying requirements necessary to protect and manage the facility’s OT effectively.

Management Priorities

The Management Priorities tool helps users identify key OT cybersecurity priorities from facility and site management. This tool guides users in assessing, mitigating, and tracking their facility’s cybersecurity posture over time. This streamlined tool helps users understand where cybersecurity actions and investments can best align with management priorities.

After completing a Management Priorities assessment and FCF Core Assessment, users can leverage an in-built feature to see the difference in maturity indicator level between the two and make management decisions on the basis of the discrepancies as appropriate via the Comparison of Management Priorities and Facility Cybersecurity Framework (FCF) Results tool.

Find Gaps

Users next work to identify cybersecurity gaps and risks within facility operations by assessing existing policies and applying established frameworks to strengthen protection. The tool suite offers several different assessments applicable to specific cybersecurity frameworks or technology types of concern.

Understand and Mitigate Gaps

Once gaps have been identified, they are analyzed to determine potential exploitation risks.

  • The Best Practices tool leverages back-end mapping so that after a Core Assessment or RMF Pre-Assessment, users are provided with assessment-specific information about the vulnerabilities, best practices, and threat vectors they should be vigilant about.
  • The Qualitative Risk Assessment (QRA) tool is a risk-informed inventory management tool that can be used by the facility owners and operators to qualitatively annotate and track the vulnerability, impact, and risk pertaining to their OT systems.
  • Architecture Generation (ArcGen) is a visualization tool for users to better understand their OT network and identify secure deployment of new systems in their network. Users can map assets from the QRA into ArcGen to help ensure that assets aren’t stranded or overlooked in network maps.
  • The Mitigation of Externally Exposed Energy Delivery Systems (MEEDS) tool, currently in beta, is a downloadable tool that helps users discover vulnerabilities from OT assets that are inadvertently exposed to the public internet. The tool has over 700 scripted queries that can be used to discover cybersecurity vulnerabilities.

Cybersecurity Training

Cybersecurity is a constantly evolving field. The FCF Tool Suite provides users with the opportunity to enhance their cybersecurity skills and knowledge through interactive, accredited training games that apply real-world scenarios to reinforce policies, best practices, and OT system concepts.

  • The scenario Training Game is based on real-world scenarios, allowing users to explore the process of balancing a variety of investment decisions regarding the implementation of new cybersecurity policies and controls to contain a breach.
  • The Network Defense Training Game responds to user actions to help mimic how an adversary evolves to match user decisions and responses. Users seek to defend the OT network from adaptive cyberattacks by directly configuring the physical network environment and implementing security policies in a turn-based simulated cyberattack.
  • The Network Defense Training Game 3D (Network Defense 3D) is an immersive training game where users are tasked with defending their network against consecutive cyberattacks. Users must survey their network to determine which devices are vulnerable and determine the best countermeasures.

Contact 

Julie Rotondo 
Project Manager 
julia.rotondo@pnnl.gov 
509-372-6577

Chris Bonebrake
Principal Investigator 
christopher.bonebrake@pnnl.gov