Protecting Facility Operations Through Cyber Preparedness
Targeted tools and training to improve the cybersecurity of interconnected operational technologies
Today, everything from lightbulbs to thermostats can connect to the internet. That convenience also opens the door to cyberattacks when connected devices aren’t properly secured and regularly tested.
Pacific Northwest National Laboratory (PNNL), in partnership with the Department of Energy’s Federal Energy Management Program (FEMP), developed the Facility Cybersecurity Framework (FCF) Tool Suite to help organizations strengthen the cybersecurity of their building and industrial control systems. The FCF Tool Suite provides practical, easy-to-use resources that align with the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) and embed cybersecurity directly into facility planning and daily operations—helping federal and commercial facilities assess risks, improve security, and protect critical systems from emerging threats.
Most recently, PNNL released the Facility Cybersecurity Framework (FCF) Lite, a streamlined self-assessment tool designed to help facility cybersecurity managers quickly evaluate their cybersecurity posture. FCF Lite offers a simplified path to identifying potential vulnerabilities and strengthening cyber readiness across facilities.
Vulnerabilities grow alongside interconnected operational technologies
As U.S. infrastructure becomes more digital and interconnected, safeguarding it from cybersecurity threats has become increasingly important. Modern building and industrial control systems (ICS) rely on digital networks to manage heating, cooling, ventilation, lighting, and other essential safety and energy functions. These operational technology (OT) systems are foundational to daily operations across federal and commercial facilities.
However, cyber risks to ICS have grown sharply in recent years. Researchers reported a 29 percent increase in ICS vulnerabilities in 2020, and by 2021, nearly 70 percent of systems had external connections, doubling from the previous year and significantly expanding points of attack. The World Economic Forum has further documented a 58 percent increase in weekly cyberattacks over the last two years, alongside high-profile breaches affecting critical infrastructure entities, private organizations, and U.S. federal agencies.
As ICS and building systems increasingly integrate with cloud platforms and private networks, they create new pathways for cyber vulnerabilities, threatening not only data but also building operations, energy systems, and essential public services. While federal agencies are required by laws and directives to keep their networks secure, the actual operational equipment is often very old and purpose-built, designed to last for decades and not easily updated. Because these legacy systems were not built with modern connectivity or cybersecurity in mind, they can be more difficult to secure than traditional information technology systems. As a result, meeting modern cybersecurity requirements is a significant challenge, reinforcing the need for a comprehensive facility cybersecurity framework to mitigate these risks and ensure that critical systems remain safe, reliable, and continuously functional.
“With rapidly evolving threats, it is more important than ever to ensure that federal facilities understand their cybersecurity risk posture to make informed investment decisions that address key vulnerabilities in a timely manner,” said Chris Bonebrake, a senior electrical engineer and principal investigator at PNNL. “Developing facility-specific tools and resources helps users to focus on the specific security controls and cybersecurity policies that are most applicable to their situations.”
PNNL introduces the Facility Cybersecurity Framework (FCF) tool suite
Backed by two decades of PNNL expertise in protecting national strategic assets against cyberattacks, the tool suite was introduced in 2018 and was designed to help federal agencies evaluate and strengthen the cybersecurity of their facility-related control systems. Its latest update is the streamlined self-assessment tool FCF Lite.
Through the tool suite, users can identify their unique cybersecurity needs, ensuring risk management strategies align with mission goals and operational priorities. The suite helps organizations find gaps in existing systems and security controls, revealing where improvements are needed most. By using these assessments to understand and mitigate those gaps, users gain the awareness and skills needed to turn insights into action, implementing practical, risk-based solutions that boost reliability and cybersecurity.
The PNNL team also collaborated with FEMP to develop FCF training games that provide continuing education units, representing the first integration of such training within FEMP’s accredited training program. The FCF Tool Suite enables structured situational training and contributes to professional development in cybersecurity. Supporting these training initiatives addresses part of the estimated global shortage of millions of cybersecurity professionals.
“We’ve been excited to see the growth in the tool suite usage,” said Julia Rotondo, PNNL’s FEMP program manager. “While we don’t store any user data on PNNL servers—a design choice meant to ensure that all information about a facility stays on a user’s network—we’ve been able to track visits, tool completes, and trainings for the last several years. The numbers are showing that more and more people are discovering and using these freely available tools and training games.”
In 2025, the tool suite had 13,300 users, who spent a combined 2,800+ hours engaging with the tools and training games. That’s a 61 percent increase in tool use from the previous high-water mark in 2023, reflecting strong growth in user participation over time.
The strong growth in user engagement with the FCF Tool Suite highlights its valuable role in helping organizations address cybersecurity challenges in increasingly digital facility operations. As facilities rely more on connected systems, embedding cybersecurity into all phases of planning, design, and operation is critical for maintaining performance and protecting organizational assets and operations. The tool suite provides a structured road map to support these efforts, enabling organizations to enhance operational reliability, mitigate risks, and ensure continuity in the face of evolving cyber threats. Continued adoption and use of the suite helps facilities follow best practices and prepare for future operational and security challenges.
“PNNL has worked to leverage our long experience with energy system cybersecurity and building system operations to develop a suite of tools that will enable users to better meet the challenge of this operational technology cybersecurity,” said Bonebrake. “While cybersecurity is a continuous process, we are hopeful that the assessments and trainings within the tool suite make it easier for facility operators to identify and implement solutions.”
For more information and updates, visit the PNNL Cybersecurity for Buildings and Operational Technology site.
Published: March 9, 2026