New DoD Approaches on the Cyber Survivability of Weapon Systems

Transcription

1 New DoD Approaches on the Cyber Survivability of Weapon Systems Colonel Dean Data Clothier Chief, Cyberspace Division Joint Staff/J-6 CSE is the Critical Foundation for Ensuring Cyber Survivability is Considered as Part of the Operational Risk Trade-Space

2 Purpose/Objectives Purpose: Recommend JCB approval of Cyber Survivability Endorsement (CSE) Implementation Guide for the SS-KPP DepSecDef (DSD) directed Joint Staff develop Cybersecurity KPP o Initiated when DSD briefed on DOT&E Cybersecurity Report w/ OUSD(AT&L), OUSD(P), DOD-CIO and VCJCS Highlighted multiple weapon systems with vulnerabilities that could have been known and fixed prior to DT&E o Intended to eliminate or sufficiently mitigate known vulnerabilities prior to fielding o Implemented through deliberate design, test and associated DOTmLPF-P in applicable operational environments o Met DepSecDef intent by incorporating CSE into SS-KPP Endorsement Objectives o Drive development of Joint cyber survivability requirements to meet requirements for cyber attack prevention, mitigation and recovery o Ensure performance measures are consistent with the threat and consistently applied during requirements definition, development and testing o Ensure cyber survivability and cybersecurity requirements are considered and included as part of the operational risk trade-space End State: All DoD weapon systems are cyber survivable commensurate with a risk managed approach to countering a capable and determined adversary 2

3 Cyber Survivability Endorsement (CSE) Kinetic Threats Non-Kinetic Threats Electromagnetic Spectrum Cyber Sponsors must address the System Survivability KPP and provide specific Cyber Survivability Attributes (CSA) related to the SS KPP which must be met - 18 December 2014 JCIDS Manual, Enclosure D 3

4 Cyber Survivability Endorsement (CSE) Added Cyber Survivability to the JCIDS System Survivability (SS) Key Performance Parameter (KPP) o Cyber survivability is now part of operational risk trade-space (as of 18 Dec 2014 JCIDS Manual) CSE Implementation Guide: Joint Staff led effort with active participation from DoD CIO, AT&L, DOT&E, OUSD(I), DIA, and NSA. o Provides cyber survivability exemplar statements o Includes cyber survivability attributes to aid requirement definition o Describes tailoring approach for Capabilities Development Document (CDD) and Capabilities Production Document (CPD) requirements Build new weapon systems that are cyber survivable commensurate with a risk managed approach to countering a capable and determined adversary 4

5 Risk Managed Approach The CSE 5 step risk managed approach takes into account several variables the resulting CSRC provides consistency between levels of CS requirements, development and testing 5

6 Example STEP 1: System Mission Types MT 4 Strategic / National Systems whose degradation would result in the highest risks to achieving national objectives, require the very best cybersecurity practices MT 3 Operational / Tactical Mission systems, munitions, Command and Control capabilities that require unique DoD protections MT 2 Military Critical Selected high impact systems that ensure near-continuous operation with rapid recovery from failures MT 1 Mission Essential Military and Organizational Support systems; may be hosted within DoD or commercial facilities Determining the System Mission Type helps define the required cyber survivability protection for the capability 6

7 Example STEP 2: Cyber Dependence Criticality Analysis provides basis for cyber survivability emphasis for critical functions, components and information exchanges Determine the Mission Critical Functions of the System 1 Sustain Flight / Maneuverability 2 Maintain Internal/External Communication 3 Perform Offensive / Defensive Activities What is a System s Cyber Dependence to Perform its Mission Critical Functions? 7

8 Example STEP 3: How Select Threat Actors What level of cyber actor must the system be capable of withstanding if it is to fulfill its warfighting purposes? Cyber Threat Actor Capability Level Tier IV Tier III Tier II Tier I Advanced Moderate Limited Nascent *NOTIONAL SCORING IF Insurgent & Irregular Forces, THEN Determine the Level of Most Capable Cyber Threat Actor to the System 8

9 Example STEP 4: Mission Impact Critical Function I: What is the mission impact of compromised flight or maneuverability due to a cyber attack? Mission Critical Functions I Sustained Flight / Maneuverability II Internal / External Communication III Offensive / Defensive Capabilities Confidentiality H Severe Integrity H Disruptive Availability H Minutes M Serious M Degraded M Hours L Limited L Nuisance Confidentiality Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information Integrity Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity Availability Ensuring timely and reliable access to and use of information Determine the Mission Impact of Loss For All Mission Critical Functions Due to a Cyber Event L Days *NOTIONAL SCORING 9

10 Example STEP 5: System Survivability Risk The aggregation of the System Risk and the Threat Actor inform the level of System Security Engineering & Controls applied and the Residual Operational Risk assumed based on the purpose and intended operational environment of the system Fly Communicate Act Systemic Vulnerability Confidentiality Integrity Availability X X X X X X X X X Low High Medium Low Low High Medium High Medium Factor Cyber Threat Actor for the UAV System Tier IV Tier III Tier II Tier I System Survivability Risk Threat Actor Levels Ti er IV III II I X IL4, Severe Adverse Effect IL3, Serious Adverse Effect IL2, Limited Adverse Effect IL1, Risks Acceptable for Meeting Military and Organization Needs *NOTIONAL SCORING Vulnerability in the face of Threat Capability yields Survivability Risk 10

11 Cybersecurity Framework Integration 11

12 Cyber Survivability Attributes to Tailor in the CDD/CPD SS KPP Pillars (Mandatory) Prevent Mitigate Recover All 3 Pillars CSA 01 - Control Access CSA 02 - Reduce Cyber Detectability Cyber Survivability Attributes (CSA) (All are considered, select those applicable) CSA 03 - Secure Transmissions and Communications CSA 04 - Protect Information and Exploitation CSA 05 - Partition and Ensure Critical Functions at Mission Completion Performance Levels CSA 06 - Minimize and Harden Cyber Attack Surfaces CSA 07 Baseline & Monitor Systems, and Detect Anomalies CSA 08 - Manage System Performance if Degraded by Cyber Events CSA 09 - Recover System Capabilities CSA 10 Actively Manage System s Configuration to Counter Vulnerabilities Prevent Design requirements that protect weapon system s functions from most likely and greatest risk cyber threats. Mitigate Design requirements that detect and respond to cyber-attacks; enabling weapon systems functions resiliency to complete the mission. Recover Design requirements that ensure minimum cyber capability available to recover from cyber attack and enable weapon system quickly restore full functionality Fundamental to the CSE construct is enabling sponsor to select and articulate CSA choices to achieve each SS KKP Pillar 12

13 CSE Scorecard Assessment Process Requirement Sponsors use the Cyber Survivability Scorecard to document that appropriate CSAs have been considered, and where they are articulated within requirement s documents. CSE analysts use the Cyber Survivability Scorecard to review ICDs, and assess CDDs and CPDs entered into KM/DS with JROC Interest, JCB Interest, or qualify as Joint Integration. CSE assessment occurs during the 21 day Document Review and commenting stage within the JCIDS deliberate staffing process. CSE Scorecard is a management tool to help guide requirements development, and streamline review process to ensure CSAs are logically considered and articulated 13

14 Systemic Ability to Adapt to New Cyber Threats Systems must be capable of quickly adapting to new cyber threats Sustaining a system s cyber survivability requires elements in the resourcing, design, Life Cycle Sustainment Plans, and Ops & Maintenance procedures Cyber threats will continue to increase in capability for the foreseeable future 14

15 IPT Approach Terms of Reference: Identify exemplars of cyber survivability and cybersecurity capability requirements, which can be utilized in requirements documentation and associated CONOPS use cases and operational architecture information. Action Groups: Overall CSE Integrated Product Team led by JS-J6 o Requirements Action Group: Co-Led by JS-J6 and DoD CIO o Intelligence Action Group: Led by OUSD(I) o Acquisition Action Group: Led by AT&L o Testing Action Group: Led by DASD(DT&E) Scope: Review capability requirements documentation to ensure traceability and consistency of Cyber requirements throughout the programs development, testing and sustainment activities. Deliverable: Implementation Guide to support articulating and assessing Cyber Survivability within Capability Requirements Documentation 15

16 Wrap Up Problem: System survivability requirements not sufficiently articulated for cyber-attack prevention, mitigation and recovery, within requirements documents CSE Implementation Guide: Joint Staff led effort, with active participation from DOD-CIO, OUSD(AT&L), OUSD(I), DOT&E, DIA, and NSA o Includes high level cybersecurity threat exemplar statements prior to availability of DIA or Service developed system specific threat assessments o Defines Cyber Survivability Risk Category (CSRC) to enable a consistent approach to cybersecurity requirements, development and testing o Outlines Cyber Survivability Attributes (CSAs) to be considered by the requirement sponsor, which can be consistently applied, implemented by system security engineers and tested by DT&E/OT&E o Provides Exemplar Requirements and Scorecard supports development, assessment and management of requirements CSE Enables System Survivability KPP Endorsement 16

17 NDAA Section 1647: Evaluation of Cyber Vulnerabilities of Major Weapon Systems of the DoD 17

18 NDAA Section Nov 2015: Congress enacted FY16 NDAA S.1647 to evaluate the impact of cyber vulnerabilities on major weapon systems. Create a plan based on the criticality of major weapon systems, as determined by the Chairman of the Joint Chiefs of Staff. FY16-17 funding available for evaluations (cyber vulnerability assessments and non-recurring engineering design for remediation) 17 May 2016: JROCM endorsed CJCS prioritization required to release funds 29 Jun 2016: Briefed 4 Star- Cyber Investment Management Board Funding profile and execution strategy 22 Aug 2016: Develop the plan for conducting evaluations in FY16-19 Submit quarterly findings to HASC and SASC 31 Dec 2019: The Secretary of Defense shall, complete an evaluation of the cyber vulnerabilities of each major weapon system of the Department of Defense 18

19 Weapon System Prioritization Approach Step 1: Services identified major weapon systems to include: A subset of OUSD (AT&L) s Major Defense Acquisition Programs (MDAP) and Major Automated Information Systems (MAIS) Including major weapon systems and associated C2 systems essential to accomplishing the QDR missions Weapon systems must have reached Milestone B on or before 31 Dec 2015 to be included Step 2: Services prioritized Mission Areas (MAs) Service methodology for prioritizing major weapon systems Service MAs Self-identified, Mission Capabilities, Core Service Functionality Step 3: Services binned major WS within their MAs Step 4: Services characterized WS Intrinsic Cyber Vulnerabilities (ICV) Specific design, technical, programmatic and operational characteristics of a weapon system which may increase its vulnerability to cyber attack from a threat actor Define cyber vulnerability assessment levels Step 5: Joint Staff prioritized WS by binning it to its highest QDR priority and highest ICV score Mission priorities identified in the 2014 Quadrennial Defense Review (QDR) 19

20 Services Prioritized Mission Areas Army Strategic Mission Command Strategic Weapon System Tactical Mission Command Tactical Weapon System Enablers Service Mission Areas USMC Military Engagement, Security Cooperation and Deterrence Crisis Response and Limited Contingency Operations Major Operations and Campaigns Navy Decision Superiority Power Projection Maritime Security Sea Control Force Generation Air Force Nuclear Deterrence Operations ISR Command and Control Air Superiority Space Superiority Cyber Superiority Global Precision Attack Special Operations Personnel Recovery Rapid Global Mobility JCA Force Support Battlespace Awareness Force Application Logistics Command and Control Communications and Computers Protection Building Partnerships Corporate Mgt. and Support 2014 QDR Priorities 1. Maintain a secure and effective nuclear deterrent 2. Provide for military defense of the homeland 3. Defeat an adversary 4. Provide a global, stabilizing presence 5. Combat terrorism 6. Counter weapons of mass destruction 7. Deny an adversary s objectives 8. Respond to crisis and conduct limited contingency operations 9. Conduct military engagement and security cooperation 10.Conduct stability and counterinsurgency operations 11.Provide support to civil authorities 12.Conduct humanitarian assistance and disaster response 20

21 Notional Example Step 4: Intrinsic Cyber Vulnerability (ICV) Scoring System Name / Service/ MA Hermes / Navy / Combat Terrorism ICV Cumulative Score 63 Range Score Comments Range Score Comments 1. Technical Exposure: a. Origin of technology b. Export of technology 1 to 8 1 to Remaining System Life Expectancy 1 to 3 3 Overall Technical Exposure 9 Overall Remaining Life Expectancy 3 2. Degree of Connectivity or Isolation: a. Type of networks required for WS b. Level of connectivity required for WS data flows c. Type of COMSEC: strength of encryption 1 to 17 1 to 15 1 to Vulnerability Assessments: a. Level of Assessment b. Currency of Assessment 0 to 4 0 to 3 Overall Degree of Connectivity 16 Overall Vulnerability Assessment Intrinsic Cyber Dependency a. Type of remote access required b. Critical components/functions exposed to cyber threats c. Cyber capabilities required throughout the operations cycle 1 to 5 1 to 17 1 to System Owner Insights: a. Cyber Mitigation to Vulnerabilities b. Cyber Resilience 1 to 9 1 to Overall Intrinsic Cyber Dependence 26 Overall Owner Insight 7 ICV Cumulative Score 63 Intrinsic Cyber Vulnerability: Specific design, technical, programmatic and operational characteristics of a weapon system, which are indicators of vulnerability to cyber attack 21

22 Evaluation Process Step 1: Target List - Provides a list of systems to Evaluated by FY, by Event Step 2: Threat Folders/Cyber Table Top - Outlines Key Cyber Terrain; informs planners, operators, and system owners Step 3: Test Design - Describes the purpose, scope and objectives of the event to include: Design of Experiments w/ MOP s, and MOE s and Mission Thread Analysis Step 4: Detailed/Operational Test Plan Developed with event /range planners details MEL, scenarios, and rules of the road Step 5: Test Execution - Operational/ Laboratory event designed to stress the system and or the operators in a cyber contested environment Step 6: Green Book Mitigation - cost, performance, and schedule implications of the vulnerabilities discovered. Includes a Senior Level Review and approval of Risk (Operational and Acquisition) Step 7: Validation Confirmation of implementation of Corrective Actions Step 8: Quarterly Report to Congress Co Authored summary of findings and path forward Step 9: Waiver Candidates Determine if any systems qualify for assessment exclusion This 9-step process follows the DoDI and the DOT&E TEMP Guidebook

23 FY17 Goals & Objectives Conduct cyber vulnerability assessments Develop a knowledge sharing capability Service Chiefs present risk assessments and mitigation plans to SECDEF Initiating effort to better understand what cyber SA for mission systems Investment buys down risk for military operations in FY19 and beyond 23