New DoD Approaches on the Cyber Survivability of Weapon Systems
Colonel Dean “Data” Clothier
Chief, Cyberspace Division
Joint Staff/J-6
CSE is the Critical Foundation for Ensuring Cyber Survivability is Considered as Part of the Operational Risk Trade-Space
UNCLASSIFIED
Purpose/Objectives
• Purpose: Recommend JCB approval of Cyber Survivability Endorsement (CSE) Implementation Guide for the SS-KPP
• DepSecDef (DSD) directed Joint Staff develop Cybersecurity KPP
o Initiated when DSD briefed on DOT&E Cybersecurity Report w/ OUSD(AT&L), OUSD(P), DOD-CIO and VCJCS … Highlighted multiple weapon systems with vulnerabilities that could have been known and fixed prior to DT&E
o Intended to eliminate or sufficiently mitigate known vulnerabilities prior to fielding
o Implemented through deliberate design, test and associated DOTmLPF-P in applicable operational environments
o Met DepSecDef intent by incorporating CSE into SS-KPP Endorsement
• Objectives
o Drive development of Joint cyber survivability requirements … to meet requirements for cyber attack prevention, mitigation and recovery
o Ensure performance measures are consistent with the threat and consistently applied … during requirements definition, development and testing
o Ensure cyber survivability and cybersecurity requirements are considered … and included as part of the operational risk trade-space
End State: All DoD weapon systems are cyber survivable commensurate with a risk managed approach to countering a capable and determined adversary
[Figure: Kinetic Threats and Non-Kinetic Threats (Cyber, Electromagnetic Spectrum)]
Cyber Survivability Endorsement (CSE)
Sponsors must address the System Survivability KPP and provide specific Cyber Survivability Attributes (CSA) related to the SS KPP which must be met
- 18 December 2014 JCIDS Manual, Enclosure D
Cyber Survivability Endorsement (CSE)
• Added Cyber Survivability to the JCIDS System Survivability (SS) Key Performance Parameter (KPP)
o Cyber survivability is now part of operational risk trade-space (as of 18 Dec 2014 JCIDS Manual)
• CSE Implementation Guide: Joint Staff led effort with active participation from DoD CIO, AT&L, DOT&E, OUSD(I), DIA, and NSA.
o Provides cyber survivability exemplar statements
o Includes cyber survivability attributes to aid requirement definition
o Describes tailoring approach for Capabilities Development Document (CDD) and Capabilities Production Document (CPD) requirements
Build new weapon systems that are cyber survivable commensurate with a risk managed approach to countering a capable and determined adversary
Risk Managed Approach
The CSE 5 step risk managed approach takes into account several variables … the resulting CSRC provides consistency between levels of CS requirements, development and testing
STEP 1: System Mission Types
Determining the System Mission Type helps define the required cyber survivability protection for the capability
MT 4 – Strategic / National: Systems whose degradation would result in the highest risks to achieving national objectives, require the very best cybersecurity practices
MT 3 – Operational / Tactical: Mission systems, munitions, Command and Control capabilities that require unique DoD protections
MT 2 – Military Critical: Selected high impact systems that ensure near-continuous operation with rapid recovery from failures
MT 1 – Mission Essential: Military and Organizational Support systems; may be hosted within DoD or commercial facilities
Example
STEP 2: Cyber Dependence
What is a System’s Cyber Dependence to Perform its Mission Critical Functions?
Determine the Mission Critical Functions of the System
1 – Sustain Flight / Maneuverability
2 – Maintain Internal/External Communication
3 – Perform Offensive / Defensive Activities
Criticality Analysis provides basis for cyber survivability emphasis for critical functions, components and information exchanges
Example
STEP 3: How Select Threat Actors
Determine the Level of Most Capable Cyber Threat Actor to the System
What level of cyber actor must the system be capable of withstanding if it is to fulfill its warfighting purposes?
Cyber Threat Actor Capability Level
Tier IV Advanced
Tier III Moderate
Tier II Limited
Tier I Nascent
IF Insurgent & Irregular Forces, THEN
*NOTIONAL SCORING
Example
STEP 4: Mission Impact
Determine the Mission Impact of Loss For All Mission Critical Functions Due to a Cyber Event
[Figure: H/M/L impact scales for Availability (Minutes, Days, Hours), Integrity (Disruptive, Degraded, Nuisance) and Confidentiality (Limited, Serious, Severe)]
Mission Critical Functions
I Sustained Flight / Maneuverability
II Internal / External Communication
III Offensive / Defensive Capabilities
Critical Function I: What is the mission impact of compromised flight or maneuverability due to a cyber attack?
• Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
• Integrity – Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity
• Availability – Ensuring timely and reliable access to and use of information
*NOTIONAL SCORING
Example
STEP 5: System Survivability Risk
Vulnerability in the face of Threat Capability yields Survivability Risk
[Figure: Systemic Vulnerability Factor for the UAV System (Fly, Communicate, Act; Confidentiality, Integrity and Availability, each Low/Medium/High) and Cyber Threat Actor (Threat Actor Levels Tier I to Tier IV) yielding System Survivability Risk]
IL4, Severe Adverse Effect
IL3, Serious Adverse Effect
IL2, Limited Adverse Effect
IL1, Risks Acceptable for Meeting Military and Organization Needs
The aggregation of the System Risk and the Threat Actor inform the level of System Security Engineering & Controls applied and the Residual Operational Risk assumed based on the purpose and intended operational environment of the system
*NOTIONAL SCORING
Example
Cybersecurity Framework Integration
• Prevent – Design requirements that protect weapon system’s functions from most likely and greatest risk cyber threats.
• Mitigate – Design requirements that detect and respond to cyber-attacks; enabling weapon systems functions resiliency to complete the mission.
• Recover – Design requirements that ensure minimum cyber capability available to recover from cyber attack and enable weapon system to quickly restore full functionality.
Cyber Survivability Attributes to Tailor in the CDD/CPD
SS KPP Pillars (Mandatory)
Cyber Survivability Attributes (CSA) (All are considered, select those applicable)
Prevent
CSA 01 - Control Access
CSA 02 - Reduce Cyber Detectability
CSA 03 - Secure Transmissions and Communications
CSA 04 - Protect Information and Exploitation
CSA 05 - Partition and Ensure Critical Functions at Mission Completion Performance Levels
CSA 06 - Minimize and Harden Cyber Attack Surfaces
CSA 08 - Manage System Performance if Degraded by Cyber Events
Recover: CSA 09 - Recover System Capabilities
All 3 Pillars: CSA 10 – Actively Manage System’s Configuration to Counter Vulnerabilities
Fundamental to the CSE construct is enabling the sponsor to select and articulate CSA choices to achieve each SS KPP Pillar
CSE Scorecard is a management tool to help guide requirements development, and streamline review process to ensure CSAs are logically considered and articulated
CSE Scorecard Assessment Process
• Requirement Sponsors use the Cyber Survivability Scorecard to document that appropriate CSAs have been considered, and where they are articulated within requirements documents.
• CSE analysts use the Cyber Survivability Scorecard to review ICDs, and assess CDDs and CPDs entered into KM/DS with JROC Interest, JCB Interest, or that qualify as Joint Integration.
• CSE assessment occurs during the 21-day Document Review and commenting stage within the JCIDS deliberate staffing process.
Systemic Ability to Adapt to New Cyber Threats
• Systems must be capable of quickly adapting to new cyber threats
• Sustaining a system’s cyber survivability requires elements in the resourcing, design, Life Cycle Sustainment Plans, and Ops & Maintenance procedures
Cyber threats will continue to increase in capability for the foreseeable future
IPT Approach
• Terms of Reference: Identify exemplars of cyber survivability and cybersecurity capability requirements, which can be utilized in requirements documentation and associated CONOPS use cases and operational architecture information.
• Action Groups: Overall CSE Integrated Product Team led by JS-J6
o Requirements Action Group: Co-Led by JS-J6 and DoD CIO
o Intelligence Action Group: Led by OUSD(I)
o Acquisition Action Group: Led by AT&L
o Testing Action Group: Led by DASD(DT&E)
• Scope: Review capability requirements documentation to ensure traceability and consistency of Cyber requirements throughout the programs’ development, testing and sustainment activities.
• Deliverable: Implementation Guide to support articulating and assessing Cyber Survivability within Capability Requirements Documentation
Wrap Up
• Problem: System survivability requirements not sufficiently articulated for cyber-attack prevention, mitigation and recovery, within requirements documents
• CSE Implementation Guide: Joint Staff led effort, with active participation from DOD-CIO, OUSD(AT&L), OUSD(I), DOT&E, DIA, and NSA
o Includes high level cybersecurity threat exemplar statements … prior to availability of DIA or Service developed system specific threat assessments
o Defines Cyber Survivability Risk Category (CSRC) … to enable a consistent approach to cybersecurity requirements, development and testing
o Outlines Cyber Survivability Attributes (CSAs) … to be considered by the requirement sponsor, which can be consistently applied, implemented by system security engineers and tested by DT&E/OT&E
o Provides Exemplar Requirements and Scorecard … supports development, assessment and management of requirements
CSE Enables System Survivability KPP Endorsement
NDAA Section 1647: Evaluation of Cyber Vulnerabilities of Major Weapon Systems of the DoD
NDAA Section 1647
25 Nov 2015: Congress enacted FY16 NDAA S.1647 to evaluate the impact of cyber vulnerabilities on major weapon systems.
• Create a plan based on the criticality of major weapon systems, as determined by the Chairman of the Joint Chiefs of Staff.
• FY16-17 funding available for evaluations (cyber vulnerability assessments and non-recurring engineering design for remediation)
17 May 2016: JROCM endorsed CJCS prioritization required to release funds
29 Jun 2016: Briefed 4 Star- Cyber Investment Management Board
• Funding profile and execution strategy
22 Aug 2016: Develop the plan for conducting evaluations in FY16-19
• Submit quarterly findings to HASC and SASC
31 Dec 2019: “The Secretary of Defense shall, …complete an evaluation of the cyber vulnerabilities of each major weapon system of the Department of Defense…”
Weapon System Prioritization Approach
• Step 1: Services identified major weapon systems to include:
– A subset of OUSD (AT&L)’s Major Defense Acquisition Programs (MDAP) and Major Automated Information Systems (MAIS)
– Including major weapon systems and associated C2 systems essential to accomplishing the QDR missions
– Weapon systems must have reached Milestone B on or before 31 Dec 2015 to be included
• Step 2: Services prioritized Mission Areas (MAs)
– Service methodology for prioritizing major weapon systems
– Service MAs – Self-identified, Mission Capabilities, Core Service Functionality
• Step 3: Services binned major WS within their MAs
– Specific design, technical, programmatic and operational characteristics of a weapon system which “may” increase its vulnerability to cyber attack from a threat actor
– Define cyber vulnerability assessment levels
• Step 5: Joint Staff prioritized WS by binning it to its highest QDR priority and highest ICV score
– Mission priorities identified in the 2014 Quadrennial Defense Review (QDR)
Services Prioritized Mission Areas
2014 QDR Priorities
1. Maintain a secure and effective nuclear deterrent
2. Provide for military defense of the homeland
3. Defeat an adversary
4. Provide a global, stabilizing presence
5. Combat terrorism
6. Counter weapons of mass destruction
7. Deny an adversary’s objectives
8. Respond to crisis and conduct limited contingency operations
9. Conduct military engagement and security cooperation
10. Conduct stability and counterinsurgency operations
11. Provide support to civil authorities
12. Conduct humanitarian assistance and disaster response
JCA
• Force Support
• Battlespace Awareness
• Force Application
• Logistics
• Command and Control
• Communications and Computers
• Protection
• Building Partnerships
• Corporate Mgt. and Support
Army
• Strategic Mission Command
• Strategic Weapon System
• Tactical Mission Command
• Tactical Weapon System
• Enablers
USMC
• Military Engagement, Security Cooperation and Deterrence
• Crisis Response and Limited Contingency Operations
“Intrinsic” Cyber Vulnerability: Specific design, technical, programmatic and operational characteristics of a weapon system, which are indicators of vulnerability to cyber attack
Notional Example
Evaluation Process
Step 1: Target List - Provides a list of systems to be Evaluated by FY, by Event
Step 2: Threat Folders/Cyber Table Top - Outlines Key Cyber Terrain; informs planners, operators, and system owners
Step 3: Test Design - Describes the purpose, scope and objectives of the event to include: Design of Experiments w/ MOPs and MOEs, and Mission Thread Analysis
Step 4: Detailed/Operational Test Plan – Developed with event/range planners; details MEL, scenarios, and rules of the road
Step 5: Test Execution - Operational/Laboratory event designed to stress the system and/or the operators in a cyber contested environment
Step 6: Green Book Mitigation - cost, performance, and schedule implications of the vulnerabilities discovered. Includes a Senior Level Review and approval of Risk (Operational and Acquisition)
Step 7: Validation – Confirmation of implementation of Corrective Actions
Step 8: Quarterly Report to Congress – Co-authored summary of findings and path forward
Step 9: Waiver Candidates – Determine if any systems qualify for assessment exclusion
This 9-step process follows the DoDI 5000.02 and the DOT&E TEMP Guidebook.
FY17 Goals & Objectives
• Conduct cyber vulnerability assessments
• Develop a knowledge sharing capability
• Service Chiefs present risk assessments and mitigation plans to SECDEF
• Initiating effort to better understand what cyber SA for mission systems
• Investment buys down risk for military operations in FY19 and