Disciplined Engineering to Support Navy Cybersecurity: SPAWAR’s Integrated Information Technology & Cybersecurity Technical Authority

American Society of Naval Engineers
4 March 2015

Presented by: Mr. Mike Spencer, Deputy Chief Engineer, SPAWAR 5.0

Distribution Statement A. Approved for Public Release. Distribution is unlimited (2 March 2015).



Current Cyber Environment

Since RDML Ailes took command as SPAWAR’s new Chief Engineer (Aug 2014), there have been numerous reported incidents that highlight the severity of the cyber threat:

▼ Sony Hack
  − Stole data (employees’ personal information, e-mails, ~100TB of data/content)
  − Implanted malware to erase data from servers

▼ Anthem Data Breach
  − Infiltrated database to gain access to customers’ names, birthdays, Social Security numbers, addresses and employment data (could affect as many as 80M customers)

▼ German Steel Mill
  − Massive physical damage by manipulating and disrupting control systems
  − Access through business network via spear-phishing to inject malware; worked their way into production networks


Holistic Enterprise Approach to Cybersecurity

Cybersecurity Today

▼ Inefficient, duplicative efforts are not cost effective

▼ Compilation of systems segregated by enclave
  − C4I, HM&E, Combat, Aviation

▼ Each program implements security controls

▼ ATO covered by ODAA

▼ Introduces seams & vulnerabilities…and larger attack vector

▼ Overly complex design
  − Difficult for sailors to operate and maintain multitude of devices that provide similar functions
  − Perpetuates interoperability issues

Vision: A Single Navy Plan for Cyber

▼ Fewer seams and smaller attack vector

▼ Easier for sailors to operate and manage

▼ Greater interoperability

▼ Holistic enterprise cybersecurity architecture
  − Provides a layered, Defense-in-Depth approach that enables inheritance
  − Provides Sailors with cyber situational awareness across the network

▼ Mandatory implementation of standardized security controls

▼ Certified systems meet security requirements

▼ Streamlined investment

Attackers see a single network with seams

Upfront Systems Engineering Informs Investments in Cybersecurity Solutions Across the Navy Enterprise


View Systems From Adversary Perspective and Recognize Cyber as a System of Systems Problem

Viewing Systems From Adversary’s Perspective

▼ Security controls for C4I and the IT components of Navy Control Systems (NCS)/Industrial Control Systems (ICS) provide same/similar functions (boundary protection, intrusion defense, etc.)

▼ Cyber risks for C4I and IT components of NCS/ICS are similar
  − Portable storage device attacks
  − Man-in-the-Middle
  − Poorly configured Firewalls
  − Trusted Systems without Data Inspection

▼ Real time systems have latency and determinism requirements, but often interface with vulnerable non-real time systems

Need to View IT & IT Components of NCS/ICS the Same Way Our Adversaries Do

Cyber is a SoS Problem

▼ Need to assess and prioritize risks from an enterprise/SoS perspective vice addressing vulnerabilities and only portions of the systems on our platforms
  − CSIs focus on vulnerabilities in C4I systems and look at systems individually
  − SETRs and other technical reviews look at individual systems vice SoS/Enterprise


Anatomy of Attack

1. Motive: Objective / Resources
2. Discover: Data Gathering / Target Identification
3. Probe: Identify Vulnerabilities / Scanning / Enumeration
4. Penetrate: Gain Access / Create Foothold
5. Escalate: Gain Escalated Privileges / Root Access
6. Expand: Multiple Footholds / Paths / Backdoors
7. Persist: Obfuscate Presence
8. Execute: Exploit / Exfiltration / Attack to Achieve Objective

Defensive functions shown against the stages: Protect, Detect, Respond


Technical Authority for Navy Information Technology (IT) & Information Assurance (IA)

[Figure labels: Navy Enterprise Network (LAN/WAN/GIG); NGEN/CANES/ADNS/???; Enclave Network (four instances); Information Technology; Business Systems; C4ISR; Weapon Systems; Industrial Control Systems; National Security Systems; IT TA Boundary; IA TA Boundary; SYSCOM TA Boundaries]

▼ SPAWAR is responsible for the IA Security Architecture, Specs, Standards & Protocols for all GENSER & Below IT Systems

▼ SPAWAR is responsible for the Logical & Physical Interfaces Between Enclaves & the Naval Enterprise Network

▼ SYSCOMs are responsible for the Logical & Physical Interfaces Internal to their Enclaves with SPAWAR Design Guidance

SYSCOM CDRs IT TA Agreement Signed 06 JUN 2013

Enterprise Approach to Ensure Our Systems Are Secure & Interoperable


IT/IA TA Technical Authority Board (TAB)

▼ Cross-SYSCOM governance board for reviewing, adjudicating & endorsing IT & IA TA products for use throughout the Naval Network Enterprise

▼ Charter signed by SYSCOM CHENGs

▼ Stakeholders provide key policy & operational perspectives

▼ Working Groups collaborate & refine SPAWAR-initiated IT & IA TA products

▼ Supports Task Force Cyber Awakening Objectives

TAB is the Cross-SYSCOM Governing Body for Enforcing IT/IA TA Discipline

STAKEHOLDERS

• PEOs/PMs
• NAVSEA 08
• HQMC C4
• DDON (MC) CIO
• FCC/C10F
• OPNAV N2/N6
• DON CIO

WORKING GROUPS

• IA Working Group
• IT Working Group

PRINCIPAL MEMBERS

• NAVSEA
• NAVAIR
• NAVFAC
• NAVSUP
• MARCOR
• DASN RDT&E
• SPAWAR (TAB CHAIR)


Collaboration Across SYSCOMs is Working

Some Initial Progress

▼ TAB Endorsed Products to Date:
  Four (4) IA Standards:
    − Host Level Protection, Firewall, Intrusion Detection & Prevention, Defense-in-Depth Functional Implementation Architecture (DFIA) Afloat Overview
  Seven (7) Interface Control Documents (ICDs):
    − Navy Cash to CANES; CDLS to DCGS-N; CDLS to CV-TSC (Remote Interface); CDLS to CV-TSC (MH-60R); BFTT to TVS; BFFT to CANES; BFFT to NAVSSI

▼ Still much to be done!
  Nine (9) TAB-Prioritized IA Standards in FY15; 22 planned for FY16/17
    − FY15: Security Information & Event Management (SIEM); Vulnerability Scanning; Boundary Protection; Risk Assessment Process; DFIA Airborne; Asset Management; Cyber Situational Awareness; Supply Chain Risk Management (SCRM); DFIA Ashore
  43 remaining ICDs (many of which are in various stages of development/coordination)

▼ Quickly move focus to the end state—determine our cybersecurity readiness across the Navy and define our plan to protect, detect and respond to cyber threats


Summary

▼ Threats continually evolve and so must our policies, tools, products and processes
  − No domain is immune to these threats

▼ Technology growth and its impact challenge both government and commercial cybersecurity enterprises

▼ Successful IT and IA TA increases our interoperability and security posture

▼ Cybersecurity is a team sport
