Navy Information Dominance Industry Day June 11, 2015
Navy Task Organizes to Meet Challenge

1996  Joint Chiefs of Staff release Joint Vision 2010 (Net-Centric Warfare)
2006  Operation CYBER CONDITION ZEBRA: perimeter security for legacy Navy networks
2008  Russia conducts cyber attacks against Georgia
2008  Operation BUCKSHOT YANKEE: USB intrusion on DoD computers (host-based)
2009  Establishment of OPNAV N2/N6 (IDC)
2010  Cyber War published
2010  Establishment of USCYBERCOM and FCC/C10F
2010  Establishment of NCF
2013  Mandiant releases espionage report alleging PLA exfiltration of U.S. proprietary data
2013  Operation ROLLING TIDE: adversary intrusion on Navy networks
2014  Blackbeard project demonstration
2014  Establishment of NAVIDFOR
2014  Establishment of Task Force Cyber Awakening (TFCA)
2015  Establishment of Enduring Cyber Security Organization, including CYBERSAFE
Disconnected response through stove-piped assessments and initiatives across the enterprise:
- Operation ROLLING TIDE
- N81 Cyber Defense Studies
- Cyber Platform Risk Assessment
- Unsupported Systems Eradication

Unified response through Task Force Cyber Awakening:
- NOT N2/N6-centric: the cyber platform spans the entire Navy
- Use existing mechanisms where possible, but rigor will prevail
- Cyber security must be a resourcing and organizing principle
- Accountability and rigor are key
- Cyber Resiliency Plan & POM-17 Cyber Resiliency BAM inclusive of full DOTMLPF
- Cyber is as important as the next missile or platform
- It's now COMMANDER'S BUSINESS
[Diagram: Navy enterprise network architecture. Transport: commercial Internet, DISN core, SCI and coalition networks, ADNS, TELEPORT, NMCI & ONE-NET, JRSS, MOC, GNOC, NCDOC, NCTAMS/NOC, USMC, ISNS / CANES / SUBLAN / TSCE, Tactical Switch (TSw). Applications and C4I systems: installations, air combat, HM&E, navigation. Control systems: public works, physical security, PSNET, public safety, air ops, port ops. Other connections: commercial, coalition, RF.]

Cyber remediation efforts need to extend across the Enterprise
Navy Cyber Defense Operations Command (NCDOC) 2014 Annual Incident / Event Summary Report

Defense in Depth strategies, Information Assurance awareness, signature refinement, and the placement and/or re-alignment of both IDS and IPS sensor locations have afforded the Navy the capability to promptly avert and/or mitigate incidents/events and malware infections directed against its networks this reporting period.*

Confirmed Incidents/Events

Category | Description | FY11 | FY12 | FY13 | FY14
CAT 1 Root Level Intrusion | Unauthorized root/admin level access to a DoD system. Consequence: ability to launch wide-scale attacks. Example: bring down complete systems/networks/ships | 9 | 1 | 33 | 1
CAT 2 User Level Intrusion | Unauthorized user level access to a DoD system. Consequence: limited ability to launch attacks. Example: unauthorized data exfiltration | 9 | 9 | 10 | 1
CAT 4 Denial of Service | Activity that impairs, impedes, or halts normal functionality. Consequence: limits availability of a system and/or service. Example: block access to a web site or complete network | 1 | 3 | 3 | 0
CAT 5 Non-Compliance Activity | Activity that discovers non-compliant DoD systems. Consequence: ability to exploit vulnerabilities. Example: web exploits (SQL injection, cross-site scripting) | 432 | 447 | 729 | 680
CAT 6 Scan / Probe | Probes to identify systems or open services for later exploits. Consequence: adversary maps out the network. Example: port and protocol scanning | 30 | 34 | 51 | 24
CAT 7 Malicious Logic | Installation of malicious software. Consequence: loss of integrity of data/system/network. Example: Trojans, backdoors, viruses, or worms | 1,029 | 1,051 | 1,094 | 1,435

[FY14 trend column: graphical, not reproduced]

Investments and actions to date are improving our Enterprise Cyber Resiliency

* IDS: Intrusion Detection System; IPS: Intrusion Prevention System
[Image: "insanity ... expecting different results" quotation. Source: http://www.ascelade.com/quotes/photo/insanity-thing-expecting-different-results//]
Organization

TFCA Mission:
- Deliver fundamental change to the Navy's organization, resourcing, acquisition, and readiness
- Align and strengthen authority, accountability, and rigor in Navy Cyber Security

Leadership:
- DCNO OPNAV N2N6: VADM Branch
- Chief of Staff, OPNAV N2N6F1: CAPT David Serber
- Task Force Lead: Mr. Matt Swartz (SES)
- Deputies: Mr. Claude Barron (SES), NAVSEA; Mr. Stu Young (SES), NAVAIR; Mr. Brian Marsh (SES), SPAWAR; Col David McMorries, USMC
- Technical Director: Mr. Bob Stephenson (SES), CPF/SPAWAR

EXCOM (co-chaired by VCNO & ASN RDA; Secretary: Dr. John Zangardi, DASN C4I): FCC Commander, OPNAV N-Codes, USMC C4/CIO, ASN (RDA) PMD / DASNs, SYSCOM CDRs / NR DCOM, USFF / PACFLT DCOMs & TYCOMs
Advisory Board: trusted advisors of the EXCOM
Enterprise stakeholders

Task Groups:
- TG 1 Capabilities (RADM Herman Shelanski), November 2014: delivered Cyber Resiliency Plan to inform FY15, POM-16
- TG 2 CYBERSAFE (CAPT Mark Elliott, USN), March 2015: establish CYBERSAFE Program w/limited AOR; CYBERSAFE Office IOC 21 Apr 15
- TG 3 Navy Cyber Security (Mr. Troy Johnson (DISL)), August 2015: define and develop implementation of an updated approach for overall Navy Cyber Security
- Task Group Technical (Mr. Greg Shaffer (SES), IT/IA TAB), August 2015: establish Technical Authority development group

TFCA well represented from across the Navy Enterprise
Cyber Resiliency Approach

NSA's Top 10 IA Mitigation Strategies (mitigation goal areas: Device Integrity, Damage Containment, Defense of Accounts, Secure & Available Transport):
- Application Whitelisting
- Control Administrative Privileges
- Limit Workstation-to-Workstation Communication
- Use Anti-Virus File Reputation Services
- Enable Anti-Exploitation Features
- Implement Host Intrusion Prevention System (HIPS) rules
- Set a Secure Baseline Configuration
- Use Web Domain Name System (DNS) Reputation
- Take Advantage of Software Improvements
- Segregate Networks and Functions

Industry Recommendations (controls against cyber espionage):
- Patch ALL THE THINGS!
- Use and update antivirus (AV)
- Train users
- Segment your network
- Keep good logs
- Break the delivery / exploitation / installation chain
- Spot C2 and data exfiltration
- Stop lateral movement inside the network

Mitigation Strategies:
- Control Points: Control Points will allow us to effectively isolate portions of our networks and prevent adversaries who gain a foothold from moving laterally. They also improve boundary defenses for individual portions of the network and serve as insertion points for emerging technology solutions.
- Cyber Situational Awareness (SA): Allows us to visualize activity in the cyber field, promote timely assessment of normal vs. abnormal activity, and mitigate possible threats. Cyber SA provides the tools to detect and respond to higher-level threat actors.
- Designing (vice retroactively patching-in) Resiliency within Systems & Networks: Generating common sets of standards and protocols to improve our cyber posture by driving down variance, and designing-in resiliency in future system designs.
- Cyber Hygiene: Use of focused Tactics, Techniques & Procedures (TTPs) and workforce training.
- Cyber Ready Workforce: Improving manning levels, personnel training and Fleet readiness via readiness reviews, Fleet cyber security efforts, Cybersecurity Workforce continuing education, unit patch/scan compliance and adherence to computer tasking orders (CTO).

Leveraged Stakeholder, Community and Industry recommendations to develop Enterprise Approach
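As an added example (not from the slide deck or any Navy program), the script below shows what two of the goals above look like when checked against flow logs: workstation-to-workstation connections on admin ports (what "Limit Workstation-to-Workstation Communication" and "Stop lateral movement" are meant to catch) and near-constant-interval outbound connections to one external host (the simplest "Spot C2" signature, and a concrete instance of the normal-vs-abnormal assessment the Cyber SA bullet calls for). The subnet, jump-host address, port set, flow records and the 10% jitter threshold are all constructed assumptions for the example.

```python
"""
Added example, not part of the original slide deck: flags (1) peer-to-peer
admin-port traffic inside a workstation enclave and (2) beaconing to an
external host, over constructed flow records.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed: the workstation enclave, the one host allowed to reach admin
# ports on workstations (a jump host), and the ports that should never be
# used workstation-to-workstation.
WORKSTATION_NET = ip_network("10.20.0.0/16")
ADMIN_HOSTS = {ip_address("10.20.250.10")}
LATERAL_PORTS = {445, 135, 139, 3389, 5985, 5986}   # SMB, RPC, NetBIOS, RDP, WinRM

# Constructed flow records: (epoch seconds, src, dst, dst_port)
FLOWS = [
    (1000, "10.20.1.5",    "10.20.1.9",  445),   # peer SMB: lateral movement
    (1005, "10.20.250.10", "10.20.1.9",  3389),  # jump host RDP: allowed
    (1010, "10.20.1.5",    "10.20.1.12", 3389),  # peer RDP: lateral movement
    (1020, "10.20.1.7",    "10.20.1.8",  80),    # peer HTTP: not an admin port
    # beacon: 10.20.1.5 -> 203.0.113.7:443 every 60 s
    *[(1000 + 60 * i, "10.20.1.5", "203.0.113.7", 443) for i in range(8)],
    # ordinary browsing: few connections, irregular gaps
    (1003, "10.20.1.7", "198.51.100.4", 443),
    (1041, "10.20.1.7", "198.51.100.4", 443),
    (1300, "10.20.1.7", "198.51.100.4", 443),
]


def find_lateral_movement(flows):
    """Return (src, dst, port) for workstation-to-workstation flows on admin
    ports whose source is not an approved admin host."""
    hits = []
    for _, src, dst, port in flows:
        s, d = ip_address(src), ip_address(dst)
        if (s in WORKSTATION_NET and d in WORKSTATION_NET
                and s not in ADMIN_HOSTS and port in LATERAL_PORTS):
            hits.append((src, dst, port))
    return hits


def find_beacons(flows, min_connections=6, max_jitter=0.1):
    """Return (src, dst, period_seconds) for outbound src->dst pairs whose
    inter-connection gaps are near-constant.  max_jitter is the coefficient
    of variation (stddev / mean) of the gaps below which the pair is called
    a beacon; 0.1 is an assumed threshold, not a published value."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        if ip_address(dst) not in WORKSTATION_NET:   # outbound only
            by_pair[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg)))
    return beacons


if __name__ == "__main__":
    for src, dst, port in find_lateral_movement(FLOWS):
        print(f"lateral movement: {src} -> {dst}:{port}")
    for src, dst, period in find_beacons(FLOWS):
        print(f"possible beacon: {src} -> {dst} every ~{period}s")
```

On real data the same two checks run over NetFlow or firewall logs; the lateral-movement check is only as good as the allow-list of admin hosts, and the beacon check needs a longer window and a jitter tolerance tuned to the environment, since software updaters and mail clients also poll on fixed intervals.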
Task Group Capabilities

[Figure: issue-prioritization matrix of maturity (low to high) against level of response (near-term focus vs. future investments), binned by Defensive Cyber Operations phase: Prepare, Protect, Detect, React/Restore.]

Issue prioritization metrics = guiding principles:
1. Protect the Tactical Platforms
2. Address the full spectrum of DOTMLPF
3. Improve Defensive Cyber Posture & Maturity

Cyber Resiliency Strategy recommendation to Resource Sponsors = investment strategy:
1. Stay on the course set during POM-16: maintain momentum on initiatives underway (ORT, Control Point Solutions, etc.) and implement solutions designed using R&D investments already made
2. Focus on compartmentalization: a system-by-system approach is unaffordable and inflexible; prioritize reduction of consequence over locking down all vulnerabilities
3. Balance maintenance vs. modernization: accelerating POR / System modernization timelines is unaffordable; invest in short-term ("stop-gap") solutions pre-modernization
4. New vs. existing funding: invest new money in new capabilities such as Enterprise-wide Cyber Situational Awareness; re-prioritize existing POR / System funding for POR / System related cyber security enhancements
5. Develop and sustain a Cyber Ready Workforce

Deliver a realistic and executable requirement to the Resource Sponsors that improves our Enterprise-wide Cyber Resiliency both effectively and efficiently
Defense in Depth

[Figure: shipboard defense-in-depth layers (Protection Levels, Control Points, Critical Functions) supporting Enclave Boundary Protection, Incident Isolation, Recovery Operations and Agile Technology Insertion; potential to leverage common engineering across multiple ship classes: CG, DDG, LCS, Amphibs, SSDS, DDG 1000.]

Control Points will allow us to effectively segment portions of our shipboard network, add greater ability to maneuver through intrusions, and ensure mission assurance
CYBERSAFE Definition: Delivering Mission Assurance (CYBERSAFE Office IOC 21 Apr 15)

A specific set of requirements for design, procurement, material controls, maintenance and operating procedures, along with the change in organizational culture and crew proficiency required to institute these requirements, applied to a selected subset of platform system elements or components for which a failure caused by a cyber attack would result in loss of critical mission capability, mission-critical equipment, and/or personal injury. (Approved at the Dec 2014 TFCA EXCOM)

Modeled after SUBSAFE tenets:
- Independent Technical Authority sets common standards
- Program Managers ensure acquisition aligns with the standards
- Independent Security Authority assesses against the standards
- CYBERSAFE Certification Authority makes final decisions and assumes risk and accountability for platform Mission Assurance

CYBERSAFE is focused on Mission Assurance of critical warfighting capabilities
CYBERSAFE Approach

CYBERSAFE Instruction:
- Establishes policy and assigns responsibilities for the management and implementation of Navy Cybersecurity Safety (CYBERSAFE) Program requirements
- Describes the three facets of CYBERSAFE: Cyber System Levels (design), CYBERSAFE Grades (procure & build), Cyber Conditions of Readiness (operate)
- Identifies management controls for CYBERSAFE items
- Describes CYBERSAFE Technical, Certification, and Threat/Risk Assessment Authorities
- Depicts the Defense-in-Depth architecture as defined by DFIA*

DFIA Reference Architecture: DFIA details the control point strategy, but will also define DiD implementation standards across the cyber environment

* DFIA: Defense-in-Depth Functional Implementation Architecture
Mission Assurance

[Figure: mission-assurance lifecycle, from Concepts (Requirements Steering Committee: capability, capability gaps, requirement validation) through Architecture (IA Technical Authority, IT / IA TAB), Resource/Policy (OPNAV Resource Sponsors; personnel, equipment, supplies, training, facilities; TYCOMs, industry), Assess/Procure and Pre-Intro Maintenance (System Commands), Basic/Integrated Employ/Deploy and Sustain (Fleets), to Mission Execution, with Studies, IG/INSURV, Threat Assessment, Post-Deploy review and FISMA compliance feeding a Mission Assurance Assessment. Target: Mission Assurance.]

Navy Cyber Security Organization (including CYBERSAFE)
(existing, recently formed and to-be organizations)
Oversight: Navy Cyber Security Council (VCNO & ASN RDA co-chaired)
- Deliver Mission Assurance and assess the Navy's Cyber Resiliency posture
- Synchronization on all aspects of the Cyber Readiness Kill Chain
- Advisor to the Risk Management Framework implementation

[Figure: framework with columns Requirements, Means, Ways, Ends, Assess; elements: Baseline Assessment Memo (BAM); Specs & Standards; Man, Train & Equip; Readiness Certification; Validate & Resource Requirements; Design, Develop & Maintain; Platform Certification; Operational Certification; Operations; External Assessment; Fleet(s).]
Leveraging the cross-SYSCOM IT / IA Technical Authority Board (TAB) to:
- Issue common and rigorous technical standards
- Design the methodology and framework for both areas within which acquisition and operational elements must work when developing and sustaining technical standards
- Include evaluation of the current technical authority approach for Navy Cybersecurity and determine the modifications necessary to account for both Navy Networks and Tactical Control Systems

27 Jan 15: TAB approved standards for Defense-in-Depth Functional Implementation (DFIA), Afloat Network Firewall, and Intrusion Detection & Prevention
12 May 15: TAB approved standards for Host Level Protection and Continuous Monitoring

IT / IA TAB will determine the method for leveraging the Facets and Platform Architecture to consistently identify CYBERSAFE critical items
1. Optimizing Investments
- How do you prioritize requirements in this environment?
- What metrics and measures do we use? Are we looking at the right things?
- How did you measure cyber security risk and establish a threshold of acceptance vs. mitigation?
- Have you invested in and used defensive cyber maneuvers (e.g. randomization) to frustrate would-be attackers?

2. Delivering Mission Assurance
- How did you decide what data or systems to protect first, and what were you willing to spend?
- Did you work to minimize your threat surface, or focus on protecting what you currently have?

3. Developing Resilient Architectures and Standards (IA Standards Roadmap)
- Does this threat require a holistic architectural response? (Sum of the parts greater than the whole?)
- What are the differences between securing Industrial Control Systems vs. IT Systems?
- Where does this put us on the innovation curve?

4. Improving Culture, Accountability, and Oversight
- How do you design and execute organizational and cultural change?
- What is the most effective way to improve leadership and user compliance and behavior?
- How do you approach the development and retention of a Cyber Smart workforce (other than compensation)?
- To what extent have employee privacy concerns impeded your efforts?

Achieving Cyber Resiliency requires a balance between Government and Industry