Transcript Slide 1
Disciplined Engineering to Support Navy Cybersecurity: SPAWAR’s Integrated Information Technology & Cybersecurity Technical Authority
American Society of Naval Engineers
4 March 2015
Presented by: Mr. Mike Spencer, Deputy Chief Engineer, SPAWAR 5.0
Distribution Statement A. Approved for Public Release. Distribution is unlimited (2 March 2015).

Slide 2
Current Cyber Environment
Since RDML Ailes took command as SPAWAR’s new Chief Engineer (Aug 2014), there have been numerous reported incidents that highlight the severity of the cyber threat:
▼ Sony Hack
    Stole data (employees’ personal information, e-mails, ~100TB of data/content)
    Implanted malware to erase data from servers
▼ Anthem Data Breach
    Infiltrated database to gain access to customers’ names, birthdays, Social Security numbers, addresses and employment data (could affect as many as 80M customers)
▼ German Steel Mill
    Massive physical damage by manipulating and disrupting control systems
    Access through business network via spear-phishing to inject malware; worked their way into production networks

Slide 3
Holistic Enterprise Approach to Cybersecurity
Vision: A Single Navy Plan for Cyber

Cybersecurity Today
▼ Attackers see a single network with seams
▼ Inefficient, duplicative efforts are not cost effective
▼ Introduces seams & vulnerabilities…and larger attack vector
▼ Overly complex design
▼ C4I, HM&E, Combat, Aviation
▼ Each program implements security controls
▼ ATO covered by ODAA
▼ Difficult for sailors to operate and maintain multitude of devices that provide similar functions
▼ Perpetuates interoperability issues

Holistic enterprise cybersecurity architecture
▼ Compilation of systems segregated by enclave
▼ Provides a layered, Defense-in-Depth approach that enables inheritance
▼ Provides Sailors with cyber situational awareness across the network
▼ Mandatory implementation of standardized security controls
▼ Certified systems meet security requirements
▼ Streamlined investment
▼ Fewer seams and smaller attack vector
▼ Easier for sailors to operate and manage
▼ Greater interoperability

Upfront Systems Engineering Informs Investments in Cybersecurity Solutions Across the Navy Enterprise

Slide 4
View Systems From Adversary Perspective and Recognize Cyber as a System of Systems Problem

Viewing Systems From Adversary’s Perspective
▼ Security controls for C4I and the IT components of Navy Control Systems (NCS)/Industrial Control Systems (ICS) provide same/similar functions (boundary protection, intrusion defense, etc.)
▼ Cyber risks for C4I and IT components of NCS/ICS are similar
    Portable storage device attacks
    Man-in-the-Middle
    Poorly configured Firewalls
    Trusted Systems without Data Inspection

Cyber is a SoS Problem
▼ Need to assess and prioritize risks from an enterprise/SoS perspective vice addressing vulnerabilities and only portions of the systems on our platforms
    CSIs focus on vulnerabilities in C4I systems and look at systems individually
    SETRs and other technical reviews look at individual systems vice SoS/Enterprise
▼ Real time systems have latency and determinism requirements, but often interface with vulnerable non-real time systems

Need to View IT & IT Components of NCS/ICS the Same Way Our Adversaries Do

Slide 5
Anatomy of Attack
1. Motive: Objective / Resources
2. Discover: Data Gathering / Target Identification
3. Probe: Identify Vulnerabilities / Scanning / Enumeration
4. Penetrate: Gain Access / Create Foothold
5. Escalate: Gain Escalated Privileges / Root Access
6. Expand: Multiple Footholds / Paths / Backdoors
7. Persist: Obfuscate Presence
8. Execute: Exploit / Exfiltration / Attack to Achieve Objective

Protect / Detect / Respond

Slide 6
Technical Authority for Navy Information Technology (IT) & Information Assurance (IA)
SYSCOM CDRs IT TA Agreement Signed 06 JUN 2013

[Diagram labels: Navy Enterprise Network; Weapon Systems; Industrial Control Systems; National Security Systems; C4ISR; NGEN/CANES/ADNS/???; Business Systems; Enclave Network (four boxes); INFORMATION TECHNOLOGY (LAN/WAN/GIG)]

IT TA Boundary: SPAWAR is responsible for the Logical & Physical Interfaces Between Enclaves & the Naval Enterprise Network
SYSCOM TA Boundaries: SYSCOMs are responsible for the Logical & Physical Interfaces Internal to their Enclaves with SPAWAR Design Guidance
IA TA Boundary: SPAWAR is responsible for the IA Security Architecture, Specs, Standards & Protocols for all GENSER & Below IT Systems

Enterprise Approach to Ensure Our Systems Are Secure & Interoperable

Slide 7
IT/IA TA Technical Authority Board (TAB)
▼ Cross-SYSCOM governance board for reviewing, adjudicating & endorsing IT & IA TA products for use throughout the Naval Network Enterprise
▼ Charter signed by SYSCOM CHENGs
▼ Stakeholders provide key policy & operational perspectives
▼ Working Groups collaborate & refine SPAWAR-initiated IT & IA TA products
▼ Supports Task Force Cyber Awakening Objectives

PRINCIPAL MEMBERS
• SPAWAR (TAB CHAIR)
• NAVSEA
• NAVSUP
• NAVAIR
• MARCOR
• NAVFAC
• DASN RDT&E

STAKEHOLDERS
• PEOs/PMs
• NAVSEA 08
• HQMC C4
• DDON (MC) CIO
• FCC/C10F
• OPNAV N2/N6
• DON CIO

WORKING GROUPS
• IA Working Group
• IT Working Group

TAB is the Cross-SYSCOM Governing Body for Enforcing IT/IA TA Discipline

Slide 8
Collaboration Across SYSCOMs is Working
Some Initial Progress
▼ TAB Endorsed Products to Date:
    Four (4) IA Standards:
        − Host Level Protection, Firewall, Intrusion Detection & Prevention, Defense-in-Depth Functional Implementation Architecture (DFIA) Afloat Overview
    Seven (7) Interface Control Documents (ICDs):
        − Navy Cash to CANES; CDLS to DCGS-N; CDLS to CV-TSC (Remote Interface); CDLS to CV-TSC (MH-60R); BFTT to TVS; BFFT to CANES; BFFT to NAVSSI
▼ Still much to be done!
    Nine (9) TAB-Prioritized IA Standards in FY15; 22 planned for FY16/17
        − FY15: Security Information & Event Management (SIEM); Vulnerability Scanning; Boundary Protection; Risk Assessment Process; DFIA Airborne; Asset Management; Cyber Situational Awareness; Supply Chain Risk Management (SCRM); DFIA Ashore
    43 remaining ICDs (many of which are in various stages of development/coordination)
▼ Quickly move focus to the end state—determine our cybersecurity readiness across the Navy and define our plan to protect, detect and respond to cyber threats

Slide 9
Summary
▼ Threats continually evolve and so must our policies, tools, products and processes
    No domain is immune to these threats
▼ Technology growth and its impact challenge both government and commercial cybersecurity enterprises
▼ Successful IT and IA TA increases our interoperability and security posture
▼ Cybersecurity is a team sport