This presentation discusses the Navy's holistic systems engineering process for enhancing cybersecurity readiness, integrating the Risk Management Framework (RMF), and addressing continuously evolving cyber threats.
Navy Cybersecurity Engineering. 17 October 2017. Presented to: DAU West Acquisition Training Day. Presented by: RDML Ron Fritzemeier, Chief Engineer, Space and Naval Warfare Systems Command (SPAWAR). The overall classification of this brief is: UNCLASSIFIED//FOUO. DISTRIBUTION C: Distribution authorized to the U.S. Government agencies and their contractors (Administrative or Operational Use). 18 Aug 2016. Other requests for this document shall be referred to COMSPAWAR or SPAWAR 5.0.
SPAWAR Organization • Chief of Naval Operations • Assistant Secretary of the Navy, Research, Development and Acquisition • SPAWAR Commander: RADM C. D. Becker; Executive Director: Pat Sullivan • PEO C4I: RDML Carl Chebi; John Pope, ED • PEO Space Systems: RDML Carl Chebi • Fleet Readiness Directorate: CAPT Ed Anderson; Rob Wolborsky, ED • SPAWAR Washington Operations: Thresa Lang • PEO EIS: Ruth Youngs Lew; CAPT Don Harder, DPEO • 1.0 Comptroller: Steve Dunn • 2.0 Contracts: Nancy Gunderson • 3.0 Office of Counsel: Amy Weisman • 4.0 Logistics & Fleet Support: William Luebke • 6.0 Program Management: Craig Madsen • 7.0 Science & Technology: Stephen Russell • 8.0 Corporate Operations: Kimberly Kesler • 5.0 Chief Engineer: RDML Ron Fritzemeier; Mike Spencer, DCHENG • Echelon III Activities: SPAWAR Systems Center Atlantic (CAPT Scott Heller, CO; Chris Miller, ED); SPAWAR Space Field Activity (CAPT Eric Hendrickson, CO); SPAWAR Systems Center Pacific (CAPT Mel Yokoyama, CO; Bill Bonwit, ED)
SPAWAR: The Navy’s Information Warfare (IW) Systems Command (SYSCOM) As the Navy’s Information Warfare Systems Command, SPAWAR develops advanced communications and information warfare capabilities • Majority of systems developed at SPAWAR are software intensive systems
Overview • Navy is using a holistic systems engineering process to enhance cybersecurity readiness • RMF is a part of that holistic process • Using Navy’s technical authority construct • Cross-Navy SYSCOM team effort to define Navy’s implementation of security controls • Maximize operational effectiveness • Minimize Total Ownership Cost • Ultimately about minimizing risk to successfully complete mission • Articulate residual risk in fielded systems to support operations planning and development of TTPs to mitigate those risks RMF is being integrated into Navy’s holistic Systems Engineering process
Cyber Resilience to Address Continuously Evolving Cyber Threats The Cyber Threat • Increases in volume and sophistication at the speed of technology • Continuously Evolves • Will always remain a challenge, but… That doesn’t mean we don’t know what to do Designing for Cyber Resiliency • Move to a defendable architecture by executing IT/IA TAB guidance • Implement the Defense-in-Depth Functional Implementation Architecture (DFIA) • Implement the IA TA (Cybersecurity) Standards
Anatomy of a Cyber Attack. Stages shown on the diagram: 1. Objective / Resources 2. Data Gathering / Target Identification 3. Identify Vulnerabilities / Scanning / Enumeration 4. Gain Access / Create Foothold 5. Gain Escalated Privileges / Root Access 6. Multiple Footholds / Paths / Backdoors 7. Obfuscate Presence 8. Exploit / Exfiltration / Attack to Achieve Objective. Stage labels: Penetrate, Discover, Escalate, Expand, Persist, Execute, Motive, Probe. Also shown: Identify, Protect, Detect, Respond, Recover.
Challenges to Improving Navy Cybersecurity. Today’s Navy Cyber Environment: The Collective Result of Individual Decisions • Infrastructure: • Too much • Too varied • Too old • Software & Applications: • Too many • Too varied to maintain it all. Holistic Enterprise Approach to Drive Interoperability & Cybersecurity • Infrastructure: • Rapid hardware refresh as a requirement • Decouple Hardware from Software & Applications • Software & Applications: • Quality Assurance • Configuration Management. Today’s Navy Infrastructure is Flat, Riddled with Seams and Flaws
Holistic Implementation Strategy: Designing for Cyber • Cyber Requirements: • Higher level DoD guidance • National Institute of Standards & Technology (NIST) • Information Technology (IT) / Information Assurance (IA) Technical Authority Board (TAB) provides guidance tailored for Navy-specific implementation • Navy Cybersecurity Architecture with Afloat, Ashore and Aviation instantiations • Navy PoRs/Projects: Cyber Specifications and Standards guide POR/Project efforts toward common implementation of Security Controls
Requirements Flow • Requirements References: • DoDI 8500.01: Cybersecurity • DoDI 8510.01: Risk Management Framework for DoD IT • CNSSI 1253: Committee on National Security Systems Instruction (CNSSI) 1253, “Security Categorization & Control Selection for National Security Systems” • NIST SP 800-53: National Institute of Standards & Technology (NIST) Special Publication (SP) 800-53, “Security & Privacy Controls for Federal Information Systems & Organizations” • NIST SP 800-82: National Institute of Standards & Technology (NIST) Special Publication (SP) 800-82, “Guide to Industrial Control Systems Security” • DFIA: Defense-in-Depth Functional Implementation Architecture • HLP: Host Level Protection • ISCM: Information Systems Continuous Monitoring. Flowchart: DoDI 8500.01 → DoDI 8510.01 → Applicable Guidance: CNSSI 1253, NIST SP 800-53, NIST SP 800-82 (Applicable to NCS) → DFIA → TAB Products / Standards (e.g. HLP, ISCM, Cyber SA, etc.) → Individual System Cybersecurity Requirements. * Flowchart is representative of the DFIA vision to satisfy the required Cybersecurity controls
Providing Technical Leadership to Guide the Navy’s Enterprise Approach to Cyber • SPAWAR chairs the Information Technology (IT) / Information Assurance (IA) Technical Authority Board (TAB) • Cross-Navy governance board for reviewing, adjudicating & endorsing IT & IA TA products for use throughout the Naval Enterprise • The authority, responsibility, and accountability to establish, monitor and approve technical standards, tools, and processes in conformance with DoD and DON policy, requirements, architectures, and standards • PRINCIPAL MEMBERS SPAWAR (TAB CHAIR) • NAVSEA • NAVAIR • NAVFAC • NAVSUP • MARCOR • DASN RDT&E • STAKEHOLDERS • PEOs / PMs • NAVSEA 08 • HQMC C4 • DDCIO (MC) • FCC / C10F • OPNAV N2N6 • DON CIO • DASN C4I / IO & Space • WORKING GROUPS • Information Assurance WG • Information Technology WG • Implementation WG • Cyber Risk to Mission WG Driving Cybersecurity Consistently Across the Navy Enterprise
DFIA Standard Overview. DFIA: Defense-in-Depth Functional Implementation Architecture • Off-Platform Communications: provides Quality of Service and Data in Transit Encryption • Platform Boundary: manages connections (communication) that go off the platform (e.g., connects to the WAN) • Enclave Boundary: manages connections (communication) between enclaves on the same platform • Enclave: • Same security domain • Continuous security perimeter
Standards Mapped to the Architecture *DFIA: Defense-in-Depth Functional Implementation Architecture
IA Standards Aligned to NIST Framework: Designed to Disrupt Cyber Kill Chain. Figure panels: NIST Framework; Anatomy of a Cyber Attack; Security & Resiliency
Risk Management Framework: Process Overview
Step 1 CATEGORIZE System • Categorize the system in accordance with the CNSSI 1253 • Initiate the Security Plan • Register system with DoD Component Cybersecurity Program • Assign qualified personnel to RMF roles
Step 2 SELECT Security Controls • Common Control Identification • Select security controls • Develop system-level continuous monitoring strategy • Review and approve Security Plan and continuous monitoring strategy • Apply overlays and tailor
Step 3 IMPLEMENT Security Controls • Implement control solutions consistent with DoD Component Cybersecurity architectures • Document security control implementation in Security Plan
Step 4 ASSESS Security Controls • Develop and approve Security Assessment Plan • Assess security controls • SCA prepares Security Assessment Report (SAR) • Conduct initial remediation actions
Step 5 AUTHORIZE System • Prepare the POA&M • Submit Security Authorization Package (Security Plan, SAR, and POA&M) to AO • AO conducts final risk determination • AO makes authorization decisions
Step 6 MONITOR Security Controls • Determine impact of changes to the system and environment • Assess selected controls annually • Conduct needed remediation • Update Security Plan, SAR, and POA&M • Report security status to AO • AO reviews reported status • Implement system decommissioning strategy
Diagram labels: Cybersecurity Engineering; Program Implementation; RMF Authorizing Official (AO) / Functional Security Controls Assessor (SCA); ACAS, VRAM, etc.
Risk Management Framework Intended to Provide Greater Insight into Cyber Risk. Not DIACAP by Another Name!
Navy Approach to Cyber Engineering: Top-Down Engineering Approach • Determine Controls Using Top-down Engineering Approach • Maximizes RMF using a holistic SoS approach • SYSCOM Engineering will assist systems with Steps 1 and 2 of RMF • Categorization, Control Selection • Alignment with CYBERSAFE • Improved Inheritance • Efficiency across programs • Minimize Rework • Desired end state is to monitor systems on a continuous basis (RMF Step 6). Leverage SYSCOM Engineering to Assist Programs with Cyber Requirements and RMF Transition
CYBERSAFE Grades & Controls • CYBERSAFE Grade A and B systems are CYBERSAFE Critical Items • CYBERSAFE Grade C systems are not CYBERSAFE Critical Items. Applicable Security Controls: • CYBERSAFE Grade A (RMF + B + A): Applies Grade B Controls and up to an additional 75 Enhanced Assurance Controls • CYBERSAFE Grade B (RMF + B): Applies up to 48 Assurance Controls (equivalent to high baseline for C/I/A) and 31 Enhanced Assurance Controls • CYBERSAFE Grade C (RMF): No additional CYBERSAFE controls. Identifies RMF baseline set of controls from NIST 800-53 applicable to all DoD IT, weapons systems, and controls systems. Only CYBERSAFE Grade A and B Systems Require CYBERSAFE Security Controls
Systems Engineering: Integrated with RMF and CYBERSAFE. Driving to a Single Integrated Synchronized Process with Multiple Authorities
Leadership Commitment to Improving Cyber Resilience: A Key Consideration in All Navy Acquisition Activities • Clear direction from Navy Leadership • “We must implement these standards with a sense of urgency throughout the enterprise to counter the rapidly proliferating adversary cyber threats.” • Quarterly progress measurement and reporting reviews via the Cybersecurity EXCOM (VCNO and ASN RDA) • Elevated priority of cybersecurity requirements → “a high priority when competed against other program requirements” • “…where there are significant technical and financial obstacles from incorporating cybersecurity that impact the implementation of other valid mission capabilities, identify and execute feasible trade-offs within cost, schedule and performance to ensure the implementation of cybersecurity.” Cybersecurity Compliance of Information Assurance Technical Authority Standards, signed 8 Nov 2016 (VCNO, ASN RDA)
Addressing VCNO/ASN RDA Direction • SPAWAR’s approach for addressing Navy direction is DFIANT • SPAWAR is using DFIANT to • Align technical artifacts to drive design with POR schedules • C4I DFIANT (Tactical Afloat)→ CANES OB2 • Shore Enterprise DFIANT → NGEN-R • Support the development of CONOPs and TTPs Cybersecurity Compliance of Information Assurance Technical Authority Standards Signed 8 Nov 2016 VCNO ASN RDA
IA TA Cybersecurity Standards: Provide High-Level Cybersecurity Requirements for Acquisition • Working across SYSCOMs to ensure consistency of technical guidance and implementation • Coordinating with PEOs to provide the requirements for the PORs/Projects • COMSPAWAR (RADM Dave Lewis): “Our intent in publishing these standards is for them to be included in design requirements, development and production contracts, or any other technical or engineering artifacts that touch on or influence cybersecurity designs for our various computer-based systems” Standards Lend Consistency to Cyber Acquisition Approach & Support Transition to RMF
Foundational Cybersecurity Artifacts Roadmap: Completion Status. Revisions to Previously Completed Foundational Standards Required to Address Control Correlation Identifier (CCI) Mapping
Certification Building Blocks: Cyber Risk to Mission (CRTM) • End-to-End Cyber Certification approach that provides operational commanders with a bounded statement of cyber risk (CAPS/LIMS)
Summary The Cyber Threat • Increases in volume and sophistication at the speed of technology • Continuously Evolves • Will always remain a challenge, but… Designing for Cyber Resiliency • Move to a defendable architecture by executing IT/IA TAB guidance • Implement the Defense-in-Depth Functional Implementation Architecture (DFIA) • Implement the IA TA (Cybersecurity) Standards Implementation of IA TA architectures, specifications and standards narrows the cyber threat to more sophisticated adversaries
Cybersecurity Standard: Host Level Protection • A “host” is defined by CNSSI 4009 as “any hardware device that has the capability of permitting access to a network via a user interface, specialized software, network address, protocol stack, or any other means.” • Host Level Protection establishes the capabilities necessary to defend against threats on client-facing systems in order to maintain a secure configuration • Requirements this Standard addresses: • Host Intrusion Detection/Prevention • Host-Based Firewall • Software Control • Host Level Configuration • Host Malicious Code Protection • Device Management • Tailored protective measures for Navy Information Systems and Navy Control Systems (NCS). Example: Host Level Protection Standard: • Requirement (IATAHLP-001.7): Hosts shall detect, log, and report unauthorized data entering and exiting the host via all external interfaces (e.g., serial, USB, and network). • Compensating Measures: In the event a host is unable to detect unauthorized data entering and exiting the host via all external interfaces, the system employs an intrusion detection mechanism external to the host. Logically Layered Set of Requirements: Off-Platform Communications; Platform Boundary; Enclave Boundary; Enclave
Cybersecurity Standard: Boundary Protection • Boundary protections are applied to interfaces between enclaves and systems to prevent and detect malicious and other unauthorized communications • Requirements this Standard addresses: • Denial of Service (DoS) Protection • Malicious Code Protection • Communications-Traffic Management • Access-Control and Management • System Monitoring • System Component Isolation • Failure Control • Cryptographic Protection • Information Flow. This Standard is complementary to the Network Firewall, Network Intrusion Detection System (IDS) and Intrusion Prevention Systems (IPS), Information Sharing – Cross-Domain Solution (CDS), and Remote Access Security Standards that satisfy Cybersecurity protections identified under DFIA. Logically Layered Set of Requirements: Off-Platform Communications; Platform Boundary; Enclave Boundary; Enclave
IT/IA TAB Way Forward: Moving to Implementation and Compliance • Information Assurance WG (Requirements): NIST & DoD cybersecurity requirements tailored for standardized, Navy-specific implementation of security controls • Information Technology WG (Requirements): Navy-specific implementation of IT solutions • Cyber Risk to Mission WG (Validation): Provide operational commanders with an articulation of cyber risk to mission • Implementation WG (Implementation): Operationally effective & cost efficient implementations of the standards. System of Systems Engineering to Address Cyber End-to-End. Moving Beyond Cyber Requirements
RMF & CYBERSAFE Assessments • Established an integrated assessment process for RMF & CYBERSAFE transition • Addresses RMF Steps 1 & 2 and CYBERSAFE Phases 1 & 2 • Ensures a consistent approach to cybersecurity engineering • Establishes a system’s full set of cybersecurity requirements • SPAWAR selected its Phase I systems to assess by identifying: • Critical Inheritance Providers – CANES, NMCI, IA/CND, NEDCs • Warfighting Enablers – GCCS-M, GPNTS, ADNS • High-Visibility Systems – N-ERP, AWS, NTCSS • CYBERSAFE Assessment status • Completed Phase I systems • Assessed an additional 86 systems beyond Phase I for a total of 142 SPAWAR systems. Top 66 Progress (Completed / Scheduled / Remaining): 56 / 0 / 7* (*7 systems will decommission prior to RMF transition). Performed at Least 1 Assessment with all PEO C4I System-Owning PMWs
IA TA Standards Integrate the RMF and the Systems Engineering Processes
IA Standards Mapped to NIST 800-53 • IA Standards to NIST security controls matrix • CNSSI 1253 Baselines • CYBERSAFE Controls
Accounting for Control Systems Challenges: Cybersecurity Standards – Compensating Measures
CYBERSAFE Roadmap (two tracks: System Assurance and Mission Assurance)
• 6 Months. System Assurance: Complete CYBERSAFE Grade determination and security control selection for high priority systems. Mission Assurance: Complete cross-SYSCOM CYBERSAFE Mission Thread exercise (Trident Warrior 18) to demonstrate CYBERSAFE operational value.
• 1 Year. System Assurance: Complete CYBERSAFE Grade determination and control selection for all Navy systems. Focus on implementing CYBERSAFE controls. Mission Assurance: Determine and formalize CYBERSAFE operational requirements in parallel with Enclave and Platform determinations.
• 3 Years. System Assurance: Certify CYBERSAFE systems and perform continuous monitoring. Provide CYBERSAFE requirements feedback into acquisition. Mission Assurance: Certify Enclaves, Platforms, and Missions. Perform continuous monitoring. Provide feedback into future architecture planning.
• Focus. System Assurance: Focused on providing maximum assurance of CYBERSAFE systems and components across the life of the system. Mission Assurance: Focused on providing maximum assurance of system-of-systems operations in support of warfighting missions.
System Assurance and Mission Assurance Efforts Must Happen in Parallel
C4I DFIA Network Transformation (DFIANT) WG: Implementing DFIA and the IA TA Standards. Objective: Determine a SPAWAR network redesign to ensure Cyber resiliency and to support the enclave/boundary control point architecture outlined in the DFIA Standard. Scope / Context: Surface Afloat, Ashore (NCTS/NCTAMS and Fleet NOCs), Airborne and Sub-Surface Afloat; VCNO and ASN RDA Executive Committee (EXCOM)
C4I Functional Domain: Enclaves at OB2 / SW X. Diagram labels: Prod Enclaves; Production Enclaves. • Some enclave consolidation done to keep SECREL lean and agile • Bolded enclaves require physical separation for highest resiliency • Non-bolded enclaves will have logical separation / software defined firewalls for increased agility
C4I DFIANT Target Architecture Logical View: Function Mapping
Diagram components: Off-Platform Communications; Platform Boundary; Boundary Protection; FW/IPS; Defensive Cyber Operations Enclave (Forensic Analysis, Cyber SA); Combat Enclave; Navigation Enclave; H&ME Enclave; Aviation Enclave; CANES Protected Infrastructure; C4I Enclave Boundary; Remote Access; Cross-Domain Services; MWR FW & IPS; Management FW & IPS; NGO FW & IPS; Production Firewalls and IPS (Virtualized): vFW1, vFW2, vFW3, vFW4, … vFWN; Production Enclaves: Enclave 1, Enclave 2, Enclave 3, Enclave 4, … Enclave N; MWR Enclave; Management Enclave; NGO Enclave; C4I Enclaves.
Function callouts (numbered 1 to 11 on the diagram): • Provides ACLs to limit traffic and thwart DoS • Stores network data and provides analytics • Limits connections going on/off platform • Provides awareness of IP traffic going on/off platform and within enclaves • Protects traffic between Platform/Enclave Boundaries • Forwards traffic between various Boundaries • Provides remote access to services within enclaves • Provides data guard between classification levels • Limits connections going between enclaves • Provides ACLs to prevent traffic from circumventing boundary
Technical Authority to Support a Disciplined Systems Engineering Approach “Technical Authority is the authority, responsibility, and accountability to establish, monitor, and approve technical standards, tools, and processes in conformance with applicable DoD and DON policy, requirements, architectures and standards” SECNAVINST 5400.15C • Inherently governmental function assigned to the Naval SYSCOM Commanders • Executed by all Navy SYSCOMs • TA independently advises Programmatic Authority on: • Technically acceptable options • Comprehensive assessments of the technical risks prior to technical events • Implementation of technical specifications, standards, architectures, and processes • Authoritative and unbiased in providing an appropriate understanding of technical risk • SPAWAR exercises TA through warranted individuals
Enterprise Architecture AGB Target Architecture Efforts Model Based Systems Engineering Thin Line Architecture • Enterprise Architecture is about mission capability, not system capability • Mission capability requirements apply to system of systems, not single systems • Document-based design and assessment of complex systems of systems is not efficient or effective → Model Based Systems Engineering can be Defense-in-Depth Functional Implementation Architecture (DFIA) Network Transformation (DFIANT)