AF Life Cycle Management Center
Avionics Weapon Systems Cybersecurity
Risk Management Framework Assessment & Authorization Update
Harrell Van Norman
AFLCMC/EZAS Cybersecurity Technical Expert
aflcmc.en-ez.weapon.systems.ia.team@us.af.mil

Cybersecurity... so I connected the unclassified black & classified red wires for ONE com & data channel...

What is Cybersecurity?
Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. Source: DoDI 8500.01
- Cybersecurity replaced Information Assurance (IA)
- Requires independent assessment & authorization
- Cybersecurity required by law, DoD & USAF instruction
- AFLCMC mandatory process

Terminology
- Confidentiality: Assurance that information is not disclosed to unauthorized persons
- Integrity: Data, processes, and material are what is expected
- Availability: Timely, reliable access to data and information services for authorized users

PIT Examples
- weapons systems
  - Aircraft
  - Armament
  - Command and Control
- training simulators
- diagnostic test and maintenance equipment
- calibration equipment
- R&D equipment
- medical devices
- buildings and associated control systems
- utility distribution systems (such as electric and water)
- telecommunications systems for industrial control systems including control devices and advanced metering
- data transport mechanisms (e.g., data links, dedicated networks)
Source: DoDI 8500.01

Roots of DoD Policy
Cybersecurity Policy
RMF Workflow

Boundary Example
[Figure: system boundary diagram. Labeled elements: Contractor Laptop; Removable Media; IFF; UHF/VHF comm; HF comm; Data Links; SATCOM; Simple Key Loader; Mission Planning; Depot SW Development; Flightline Laptop; LRUs; Various LRUs; 1553 Bus; Caps; Bus Data Recorder; NIPR/SIPR; Data Recorder; Equipment; Backshop; Memory Loader; Test Station. Legend: Classified, Unclassified.]

Risk Management Framework (RMF)
- Categorize: How important is the Mission/system/information?
- Select: What Cyber requirements apply? Requirements analysis
- Implement: Design in Cyber requirements via Systems Engineering and Test & Evaluation
- Assess: How effective are the cyber requirements? What are the risks?
- Authorize: Acceptable risks and/or plans to reduce risks to acceptable levels. Issue authorization?
- Monitor: Monitoring risk, managing change, reporting progress
Life cycle phases shown around the RMF cycle: Initiate, Design, Implement, O&M, Dispose

[Figure: acquisition life cycle with RMF overlay]
- Phases: Materiel Solution Analysis (MSA), with AOA; Technology Maturation & Risk Reduction (TMRR); Engineering & Manufacturing Development (EMD); Production & Deployment (P&D); Operations & Support (O&S)
- Milestones/Formal Decision Points: MDD, MS A, RFP Release Decision, MS B, MS C, FRP/FDD
- Program Documents (repeated at each milestone): PPP/Cybersecurity Strategy, TEMP, SEP, LCSP
- Intel Request: Program tasks IN for support; IN submits PR to NASIC; NASIC responds; update PR with detailed system design; NASIC submits collection requirements; feedback & reassess
- System Engineering Technical Reviews: ASR, SRR, SFR, PDR, CDR, TRR, SVR, OTRR
- Risk Management Framework: Categorize, Select, Implement, Assess, Authorize, Monitor (repeated across phases); labels SP, SAP, SAR, POA&M, IATT, ATO, DT&E, IOT&E
DISTRIBUTION A. Approved for public release: distribution unlimited

Threats
- Insider Threat (Often under-estimated)
  - Disgruntled personnel
  - Unintentional actions of user
  - Trusted insider
- Hacker/Cracker
- Malicious Code/Viruses/Worms
  - Via link or HW/SW upgrades
- State Sponsored Cyber Attack
- DOS (Denial of Service) Attacks
  - Self imposed
  - Deliberate actions of others

CNSS 1253 Cybersecurity Requirements

IDENTIFIER  FAMILY                                  CLASS
AC          Access Control                          Technical
AT          Awareness and Training                  Operational
AU          Audit and Accountability                Technical
CA          Security Assessment and Authorization   Management
CM          Configuration Management                Operational
CP          Contingency Planning                    Operational
IA          Identification and Authentication       Technical
IR          Incident Response                       Operational
MA          Maintenance                             Operational
MP          Media Protection                        Operational
PE          Physical and Environmental Protection   Operational
PL          Planning                                Management
PS          Personnel Security                      Operational
RA          Risk Assessment                         Management
SA          System and Services Acquisition         Management
SC          System and Communications Protection    Technical
SI          System and Information Integrity        Operational
PM          Program Management                      Management

Risk Based Approach
RMF replacing DIACAP

Components of Risk
Risk Analysis
- Cause: Threat; Effect: Likelihood (Means & Opportunity of the threat)
- Cause: Vulnerability; Effect: Impact (Severity of vulnerability & Criticality of the system/subsystem)

Risk Assessment

Risk Likelihood (rows: Likelihood Opportunity; columns: Likelihood Means)

       M-1  M-2  M-3  M-4  M-5
O-5    L-2  L-3  L-4  L-5  L-5
O-4    L-2  L-3  L-4  L-5  L-5
O-3    L-1  L-2  L-3  L-4  L-5
O-2    L-1  L-2  L-3  L-4  L-4
O-1    L-1  L-1  L-2  L-3  L-3

Risk Likelihood scale
L-5    5 - Near Certainty
L-4    4 - Probable
L-3    3 - Occasional
L-2    2 - Remote
L-1    1 - Improbable

Risk Impact (rows: Vulnerability Severity; columns: System Criticality)

       C-1  C-2  C-3  C-4  C-5
S-5    I-2  I-3  I-4  I-5  I-5
S-4    I-2  I-3  I-3  I-4  I-5
S-3    I-1  I-2  I-3  I-4  I-5
S-2    I-1  I-1  I-2  I-3  I-4
S-1    I-1  I-1  I-1  I-2  I-3

Risk Impact scale
I-5    5 - Catastrophic
I-4    4 - Major
I-3    3 - Moderate
I-2    2 - Minor
I-1    1 - Negligible

Overall Risk Factor Matrix (rows: Likelihood L-5 to L-1; columns: Impact I-1 to I-5); an example X is marked in the L-3 row.

Technology Challenges
- Automated aircraft system architecture vulnerability identification tools
- Aircraft cyber threat modeling tool
- V&V software supply chain integrity
- Criticality assessment tool
- Test & measure aircraft cyber resiliency

Summary
- Cybersecurity Requirements adapted for Weapon System Requirements
- Cybersecurity part of the system engineering process
- Risk assessment accomplished on all requirements
- Independent Certification and Accreditation (risk taking authority)