Dept. of Homeland Security Science & Technology Directorate
DHS S&T Cyber Security Division (CSD) Overview
TCIPG Industry Workshop, UIUC, November 8, 2011
Greg Wigton, Program Manager, Cyber Security Division, Homeland Security Advanced Research Projects Agency (HSARPA)
Gregory.Wigton@dhs.gov, 202-254-6140
Comprehensive National Cybersecurity Initiative (CNCI)
Establish a front line of defense:
- Reduce the Number of Trusted Internet Connections
- Deploy Passive Sensors Across Federal Systems
- Pursue Deployment of Automated Defense Systems
- Coordinate and Redirect R&D Efforts
Resolve to secure cyberspace / set conditions for long-term success:
- Connect Current Centers to Enhance Situational Awareness
- Develop Gov't-wide Counterintelligence Plan for Cyber
- Increase Security of the Classified Networks
- Expand Education
Shape future environment / secure U.S. advantage / address new threats:
- Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs
- Define and Develop Enduring Deterrence Strategies & Programs
- Manage Global Supply Chain Risk
- Cyber Security in Critical Infrastructure Domains
http://cybersecurity.whitehouse.gov
Federal Cybersecurity Research and Development Program: Strategic Plan
Federal Cybersecurity R&D Strategic Plan
Research Themes:
- Tailored Trustworthy Spaces
- Moving Target Defense
- Cyber Economics and Incentives
- Designed-In Security (New for FY12)
Science of Cyber Security
Transition to Practice:
- Technology Discovery
- Test & Evaluation / Experimental Deployment
- Transition / Adoption / Commercialization
Support for National Priorities:
- Health IT, Smart Grid, NSTIC (Trusted Identity), NICE (Education), Financial Services
28 October 2011
Quadrennial Homeland Security Review
The Core Missions:
1. Preventing terrorism and enhancing security;
2. Securing and managing our borders;
3. Enforcing and administering our immigration laws;
4. Safeguarding and securing cyberspace; and
5. Ensuring resilience to disasters.
Mission 6: Maturing and Strengthening the Homeland Security Enterprise
Foster Innovative Solutions Through Science and Technology:
- Ensure scientifically informed analyses and decisions are coupled to effective technological solutions
- Conduct scientific assessments of threats and vulnerabilities
- Foster collaborative efforts involving government, academia, and the private sector to create innovative approaches to key homeland security challenges
DHS S&T Mission
Strengthen America's security and resiliency by providing knowledge products and innovative technology solutions for the Homeland Security Enterprise
Cyber Security Division (CSD) R&D Execution Model
Cyber Security Program Areas
- Research Infrastructure to Support Cybersecurity (RISC)
- Trustworthy Cyber Infrastructure (TCI)
- Cyber Technology Evaluation and Transition (CTET)
- Foundational Elements of Cyber Systems (FECS)
- Cybersecurity User Protection and Education (CUPE)
Research Infrastructure (RISC)
- Experimental Research Testbed (DETER): researcher- and vendor-neutral experimental infrastructure. DETER - http://www.isi.edu/deter/
- Research Data Repository (PREDICT): repository of network data for use by the U.S.-based cyber security research community. PREDICT - https://www.predict.org
- Software Quality Assurance (SWAMP): a software assurance testing and evaluation facility and the associated research infrastructure services
Trustworthy Cyber Infrastructure (TCI)
Secure Protocols:
- DNSSEC - Domain Name System Security
- SPRI - Secure Protocols for Routing Infrastructure
Process Control Systems:
- LOGIIC - Linking Oil & Gas Industry to Improve Cybersecurity
- TCIPG - Trustworthy Computing Infrastructure for the Power Grid
Internet Measurement and Attack Modeling:
- Geographic mapping of Internet resources
- Logically and/or physically connected maps of Internet resources
- Monitoring and archiving of BGP route information
Evaluation and Transition (CTET)
- Assessment and Evaluations: Red Teaming of DHS S&T-funded technologies
- Experiments and Pilots: Experimental Deployment of DHS S&T-funded technologies into operational environments
- Transition to Practice (CNCI): New FY12 Initiative
Foundational Elements (FECS)
- Enterprise Level Security Metrics and Usability
- Homeland Open Security Technology (HOST)
- Software Quality Assurance
- Cyber Economic Incentives (CNCI): New FY12 Initiative
- Leap Ahead Technologies (CNCI)
- Moving Target Defense (CNCI): New FY12 Initiative
- Tailored Trustworthy Spaces (CNCI): New FY12 Initiative
Cybersecurity Users (CUPE)
- Cyber Security Competitions: National Initiative for Cybersecurity Education (NICE); NCCDC (Collegiate); U.S. Cyber Challenge (High School)
- Cyber Security Forensics (more later)
- Identity Management: National Strategy for Trusted Identities in Cyberspace (NSTIC)
- Data Privacy Technologies: New Start in FY13
DHS S&T Cybersecurity Program
Cross-cutting programs: Cyber Economic Incentives; Moving Target Defense; Tailored Trustworthy Spaces; Leap Ahead Technologies; Transition To Practice; Software Quality Assurance; Homeland Open Security Technology; Experiments & Pilots; Assessments & Evaluations
Layers: PEOPLE / SYSTEMS / INFRASTRUCTURE
- Identity Management; Enterprise Level Security Metrics & Usability; Data Privacy; Cyber Forensics; Competitions
- Secure Protocols; Process Control Systems; Internet Measurement & Attack Modeling
RESEARCH INFRASTRUCTURE: Experimental Research Testbed (DETER); Research Data Repository (PREDICT); Software Quality Assurance (SWAMP)
Critical Infrastructure / Key Resources
DECIDE (Distributed Environment for Critical Infrastructure Decisionmaking Exercises):
- Provide a dedicated exercise capability to foster an effective, practiced business continuity effort to deal with increasingly sophisticated cyber threats
- Enterprises initiate their own exercises, define their own scenarios, protect their proprietary data, and learn vital lessons to enhance business continuity
- The Financial Services Sector Coordinating Council R&D Committee has organized a user-group of subject matter experts paid by their respective financial institutions to support the project over the next two years.
LOGIIC (Linking the Oil & Gas Industry to Improve Cybersecurity):
- A collaboration of oil and natural gas companies and DHS S&T to facilitate cooperative research, development, testing, and evaluation procedures to improve cyber security in Industrial Automation and Control Systems
- Consortium under the Automation Federation
TCIPG (Trustworthy Computing Infrastructure for the Power Grid):
- Partnership with DOE funded at UIUC with several partner universities and industry participation
- Drive the design of an adaptive, resilient, and trustworthy cyber infrastructure for transmission & distribution of electric power, including new resilient smart power grid
DECIDE (Distributed Environment for Critical Infrastructure Decision-making Exercises)
- Enable enterprise decision-makers to think through responses to operational disruptions of market-based transactions across networks: Sector(s), Market(s), Institution(s)
- Provide a dedicated exercise capability for several critical infrastructures in the U.S., beginning with Banking and Finance
- Foster an effective, practiced business continuity effort to deal with increasingly sophisticated cyber threats
- Enterprises will be able to initiate their own large-scale exercises, define their own scenarios, protect their proprietary data, and learn vital lessons to enhance business continuity, all from their desktops
- Think through sector impacts of the National Planning Scenarios
- Enhance coordination during a large-scale disruption to key infrastructures
The concept has been reviewed by and developed with input from experts at ChicagoFIRST, the Options Clearing Corporation, ABN-AMRO, Eurex, Archipelago, Bank of New York, and CitiBank. The Financial Services Sector Coordinating Council R&D Committee is organizing a user-group of subject matter experts paid by their respective financial institutions to support the project over the next two years.
DECIDE
Goal: Create a Finance-sector requested, software-based simulation environment for sector-risk exercises
- Began as a gleam in the eye of a BNY Risk Manager in 2004
- Seen as a logical follow-on to the 2003 Livewire Cyber Exercise Simulation
- Designed to stress the massive interdependencies of critical infrastructures and help them prepare for low probability / high consequence disruptions
- Prototyped in 2005 / 2006 with some Homeland Security funding
- Gained FSSCC Support in 2006; meets a priority FSSCC R&D Need
- Transitioned to a $15 million full-scale R&D effort funded by the Department of Homeland Security in 2008
- R&D team led by Norwich University Applied Research Institutes
Partnership Project
LOGIIC is a model for government-industry technology integration and demonstration efforts to address critical R&D needs
Industry contributes:
- Requirements and operational expertise
- Project management
- Product vendor channels
DHS S&T contributes:
- National Security Perspective on threats
- Access to long term security research
- Independent researchers with technical expertise
- Testing facilities
Overview
Opportunity: Reduce vulnerabilities of oil & gas process control environments by correlating and analyzing abnormal events to identify and prevent cyber security threats
Approach:
- Identify new types of security sensors for process control networks
- Adapt a best-of-breed correlation engine to this environment
- Integrate in testbed and demonstrate
- Transfer technology to industry
(Diagram labels: External Events; Business Network; Attack Indications and Warnings; LOGIIC Correlation Engine; Process Control Network)
Consortium
(Diagram labels: DHS S&T; ISA; Automation Federation (AF); DHS PCII; Oil & Gas Sector Participating Companies; Project #1 through Project #N; Labs; Vendors; Researchers)
SIS Project: Security of Safety Instrumented Systems
- SIS Objective: bring a process plant to a safe state when an excursion outside pre-established operating parameters occurs
- SIS increasingly integrated with PCS: is the integrity of production facilities jeopardized?
LOGIIC SIS will result in:
- Security improvements
- Characterization of residual risk
- Architectural recommendations
- Confidence in the architectural integrity of SIS
Final summary report provides architectural recommendations for PCS/SIS integration
Outreach to standards bodies and the sector is underway
Current TCIPG Effort
- $18.5 M over 5 years
- Trustworthy Cyber Infrastructure for the Power Grid
- Jointly funded with Department Of Energy
- 5 universities, 20 senior investigators: University of Illinois at Urbana-Champaign; Washington State University; Cornell University; Dartmouth University; University of California at Davis
- Over 40 Graduate and Undergraduate Students
- External Advisory Board (8 members)
- Industry interaction board (75 members)
Industrial Control Systems Joint Working Group (ICSJWG)
- Administered by the Dept. of Homeland Security's Control Systems Security Program.
- Provides a vehicle for collaboration between government and private sector control systems stakeholders: Government Coordinating Council; Sector Coordinating Council; Subject Matter Experts
- Meets twice a year in conference as a plenary session; sub groups meet as needed.
- Includes 5 subgroups plus 1 pending: ICS Roadmap Development; International; Research and Development; Standards and Metrics (pending); Vendor / Public Coordination; Workforce Development
ICSJWG Research & Development Subgroup
The Research and Development Subgroup will identify existing and planned research and development needs and priorities as they relate to industrial control systems
Objectives:
- Identify existing and planned R&D needs and priorities as they relate to ICS
- Identify desired areas of ICS research not currently under way
- Evaluate if a more secure process or mechanism is needed for sharing sensitive R&D information
DHS S&T co-chairs the R&D subgroup
For more information, visit: http://www.us-cert.gov/control_systems/icsjwg
HSARPA Cyber Security R&D Broad Agency Announcement (BAA) 11-02
Delivers both near-term and medium-term solutions:
- To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation's critical information infrastructure, based on customer requirements;
- To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging cybersecurity systems;
- To facilitate the transfer of these technologies into operational environments.
Proposals Received According to 3 Levels of Technology Maturity:
- Type I (New Technologies): Applied Research Phase, Development Phase, Demo in Op Environ. Funding $3M & 36 mos.
- Type II (Prototype Technologies): More Mature Prototypes, Development Phase, Demo in Op Environ. Funding $2M & 24 mos.
- Type III (Mature Technologies): Mature Technology, Demo Only in Op Environ. Funding $750K & 12 mos.
Note: Technology Demonstrations = Test, Evaluation, and Pilot deployment in DHS customer environments
Technical Topic Areas (TTAs)
- TTA-1 Software Assurance (DHS, FSSCC)
- TTA-2 Enterprise-level Security Metrics (DHS, FSSCC)
- TTA-3 Usable Security (DHS, FSSCC)
- TTA-4 Insider Threat (DHS, FSSCC)
- TTA-5 Resilient Systems and Networks (DHS, FSSCC)
- TTA-6 Modeling of Internet Attacks (DHS)
- TTA-7 Network Mapping and Measurement (DHS)
- TTA-8 Incident Response Communities (DHS)
- TTA-9 Cyber Economics (CNCI)
- TTA-10 Digital Provenance (CNCI)
- TTA-11 Hardware-enabled Trust (CNCI)
- TTA-12 Moving Target Defense (CNCI)
- TTA-13 Nature-inspired Cyber Health (CNCI)
- TTA-14 Software Assurance MarketPlace (S&T, SWAMP)
Small Business Innovative Research (SBIR)
Important program for creating new innovation and accelerating transition into the marketplace
Since 2004, DHS S&T Cyber Security has had:
- 60 Phase I efforts
- 27 Phase II efforts
- 4 Phase II efforts currently in progress
- 9 commercial/open source products available
- Three acquisitions: Komoku, Inc. (MD) acquired by Microsoft in March 2008; Endeavor Systems (VA) acquired by McAfee in January 2009; Solidcore (CA) acquired by McAfee in June 2009
Cyber Forensics
- Initial requirements working group held November 2008
- Attendees from USSS, CBP, ICE, FLETC, FBI, NIJ, TSWG, NIST, Miami-Dade PD, Albany NY PD
- Initial list of project requirements:
  - Mobile device and GPS forensic tools
  - LE First responder field analysis kit
  - High-speed data capture and deep packet inspection
  - Live stream capture for gaming systems
  - Memory analysis and malware tools
  - Info Clearing House
SBIR Solicitation 2011.2: Mobile Device Forensics
- NAND/NOR Chip Forensics (Lab Tool): reading the data stored on the chip; reverse engineering of the wear-leveling algorithm; mounting the file system
- Bypassing PIN/PUK Codes: tool to extract PIN / PUK codes from locked SIM cards
- Disposable Cell Phone Analysis: demonstration and development of methods and tools that will allow an investigator to acquire all call logs, contacts, pictures, videos, and text messages stored within all disposable cell phones.
Timeline of Past Research Reports (1997 to 2007)
- President's Commission on CIP (PCCIP)
- NRC CSTB: Trust in Cyberspace
- I3P R&D Agenda
- National Strategy to Secure Cyberspace
- Computing Research Association: 4 Challenges
- NIAC: Hardening the Internet
- PITAC - Cyber Security: A Crisis of Prioritization
- IRC Hard Problems List
- NSTC Federal Plan for CSIA R&D
- NRC CSTB: Toward a Safer and More Secure Cyberspace
All documents available at http://www.cyber.st.dhs.gov
A Roadmap for Cybersecurity Research (http://www.cyber.st.dhs.gov)
- Scalable Trustworthy Systems
- Enterprise Level Metrics
- System Evaluation Lifecycle
- Combatting Insider Threats
- Combatting Malware and Botnets
- Global-Scale Identity Management
- Survivability of Time-Critical Systems
- Situational Understanding and Attack Attribution
- Information Provenance
- Privacy-Aware Security
- Usable Security
Summary
- Cybersecurity research is a key area of innovation needed to support our future
- DHS S&T continues with an aggressive cyber security research agenda
- Working to solve the cyber security problems of our current (and future) infrastructure and systems
- Working with academe and industry to improve research tools and datasets
- Looking at future R&D agendas with the most impact for the nation, including education
- Need to continue strong emphasis on technology transfer and experimental deployments
Greg Wigton, Program Manager, Cyber Security Division, Homeland Security Advanced Research Projects Agency (HSARPA)
Gregory.Wigton@dhs.gov, 202-254-6140
For more information, visit http://www.cyber.st.dhs.gov