Disciplined Engineering to Support Navy Cybersecurity: SPAWAR’s Integrated Information Technology & Cybersecurity Technical Authority American Society of Naval Engineers 4 March 2015 Presented by: Mr. Mike Spencer Deputy Chief Engineer SPAWAR 5.0 Distribution Statement A. Approved for Public Release. Distribution is unlimited (2 March 2015).
10
Embed
Disciplined Engineering to Support Navy Cybersecurity: SPAWAR’s Integrated Information Technology & Cybersecurity Technical Authority American Society.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Disciplined Engineering to Support Navy Cybersecurity:
SPAWAR’s Integrated Information Technology & Cybersecurity Technical
Authority
American Society of Naval Engineers4 March 2015
Presented by:
Mr. Mike SpencerDeputy Chief Engineer
SPAWAR 5.0Distribution Statement A. Approved for Public Release.Distribution is unlimited (2 March 2015).
2
Current Cyber EnvironmentSince RDML Ailes took command as SPAWAR’s new Chief Engineer (Aug 2014), there have been numerous reported incidents that highlight the severity of the cyber threat:
▼ Sony Hack Stole data (employees’ personal information, e-mails, ~100TB of data/content) Implanted malware to erase data from servers
▼ Anthem Data Breach Infiltrated database to gain access to customers’ names, birthdays, Social Security numbers,
addresses and employment data (could affect as many as 80M customers)
▼ German Steel Mill Massive physical damage by manipulating and disrupting control systems Access through business network via spear-phishing to inject malware; worked their way
into production networks
3
Holistic Enterprise Approach to Cybersecurity
Cybersecurity Today Vision: A Single Navy Plan for Cyber
▼ Inefficient, duplicative efforts are not cost effective
▼ Compilation of systems segregated by enclave C4I, HM&E, Combat, Aviation
▼ Each program implements security controls▼ ATO covered by ODAA
▼ Overly complex design Difficult for sailors to operate and maintain
multitude of devices that provide similar functions Perpetuates interoperability issues
▼ Fewer seams and smaller attack vector
▼ Easier for sailors to operate and manage
▼ Greater interoperability
▼ Holistic enterprise cybersecurity architecture Provides a layered, Defense-in-Depth approach that
enables inheritance Provides Sailors with cyber situational awareness
across the network▼ Mandatory implementation of standardized security
controls▼ Certified systems meet security requirements
▼ Streamlined investment
Attackers see a single network with seams
Upfront Systems Engineering Informs Investments in Cybersecurity Solutions Across the Navy Enterprise
4
View Systems From Adversary Perspective and Recognize Cyber as a System of Systems Problem
Viewing Systems From Adversary’s Perspective
▼ Security controls for C4I and the IT components of Navy Control Systems (NCS)/Industrial Control Systems (ICS) provide same/similar functions (boundary protection, intrusion defense, etc.)
▼ Cyber risks for C4I and IT components of NCS/ICS are similar Portable storage device attacks Man-in-the-Middle Poorly configured Firewalls Trusted Systems without Data Inspection
▼ Real time systems have latency and determinism requirements, but often interface with vulnerable non-real time systems
Need to View IT & IT Components of NCS/ICS the Same Way Our Adversaries Do
Cyber is a SoS Problem
▼ Need to assess and prioritize risks from an enterprise/SoS perspective vice addressing vulnerabilities and only portions of the systems on our platforms CSIs focus on vulnerabilities in C4I
systems and look at systems individually SETRs and other technical reviews look
43 remaining ICDs (many of which are in various stages of development/coordination)
▼ Quickly move focus to the end state—determine our cybersecurity readiness across the Navy and define our plan to protect, detect and respond to cyber threats
9
Summary
▼ Threats continually evolve and so must our policies, tools, products and processes No domain is immune to these threats
▼ Technology growth and its impact challenge both government and commercial cybersecurity enterprises
▼ Successful IT and IA TA increases our interoperability and security posture