Title: Integrated Program Protection Integ… · Case Study of Warfighter Information Network –...
Title: Integrated Program Protection
Date: 12 Dec 2018
Presenters: Steve Kern, CENG, NAVAIR Cyber Warfare Detachment and Vincent Lamolinara, Prof. of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region
Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region
Objectives
• Show that Cybersecurity is a principal integrating factor in System Security Engineering and Program Protection Planning (PPP)
• Show that Integrated Cybersecurity / PPP properly characterizes and prioritizes residual weapon system risk
• Discuss how to improve DoD acquisition outcomes and achieve higher mission success and survivability in a cyber-contested environment through integrated PPP across the system lifecycle by:
• Transformational approaches
• Reducing / eliminating redundancy
• Building on existing Systems Engineering processes
Integrated System Security Engineering: Cybersecurity is the Common Link Across Functional Areas
Diagram: System Security Engineering as the hub linking the functional areas
• Critical Program Information: Anti-tamper
• Information: Cybersecurity (C, I, A), Resilience, Survivability
• Mission Critical Components & Functions: TSN / SCRM
• HW/SW/FW Assurance
• Phys/Op/Info/Pers/ComSEC
Cybersecurity & the Acquisition Lifecycle Integration Tool (CALIT), CALIT Ver 3.0, Aug 2018
Integrated Program Protection Vision, 11/2018
Presented by: Steve Kern, Cyber Warfare Chief Engineer, Senior Scientific Technical Manager (SSTM)
Acquisition Community
Vision
An integrated Program Protection Process to protect:
– advanced technology,
– safety of flight,
– mission critical functions, and
– components
throughout the acquisition lifecycle, apply countermeasures and protections from malicious adversarial intent, illuminate and balance cyber risk and maximize resilience in a cyber contested environment.
Program Protection Instructions
Slide from DASD(SE) Melinda Reed briefing to NDIA on 25 Oct 2017
Observations
1. Process and organizational structure has been developed to address the individual program protection instructions. There are redundancies and overlaps in tasks among the processes.
2. There is an imbalance of Program Office effort across the processes.
• RMF and CPI/AT receive significant emphasis
• TSN/CA and the “cyber part” of SCRM receive less emphasis
3. An integrated Program Protection Process will identify opportunities to include technical and procedural security measures at the beginning of Systems Engineering and throughout the lifecycle during updates and engineering changes, as opposed to selecting controls after susceptibilities have been designed into the system.
4. One of the first steps in many processes is to decompose the mission of the platform/system into critical systems that are required to execute that mission.
• RMF from the data protection perspective (if NIST Control RA-3 is selected)
• CRA Step 1 is to “Decompose Mission Essential Functions”
• CPI Steps 1 & 2 are “Identify Mission Capability” and “Decompose System into components”
• TSN/CA Step 1 process is “ID principle mission threads and mission system functions”
• CYBERSAFE is to implement TSN/CA and is based on “Mission Essential Functions”
Observations (cont.)
5. The second (or third/fourth) step in many of the processes is to conduct some sort of criticality analysis/judgement of the identified subcomponents.
• RMF Step 2 is to “Select Controls” – judge criticality of the data
• CRA Step 3 is to “Develop Attack Surface/ Attack Trees”
• CPI Step 3 process is to “Evaluate Criticality of each component (at least 3 levels)”
• TSN/CA Step 4 process is to “Assign criticality failure levels (I, II, III, IV) to components”
6. An adversarial-based assessment is required by all of the processes
• RMF does NOT require a Threat Assessment but NIST control RA-3 could be implemented and is part of a Common Control Package (CCP)
• CRAs require an intelligence-driven Threat Assessment
• CPI requires an intelligence (and Counter-Intelligence) driven Threat Assessment
• TSN/CA requires a (vendor) supply chain assessment (and CI assessment) for sources for components that are deemed critical level I/II components (not an adversarial based Threat Assessment)
7. We can do better
Integrated Program Protection Vision: Process Steps and Outputs mapped to the Systems Engineering Process

Step 2 – System Requirements (Functional Analysis and Allocation)
Process steps:
• CRA Viewpoint 1
• RMF Step 1
• Intel Threat Assessment
• AT Step 1 CPI Assessment
• T&E Cybersecurity Requirements Analysis
Outputs:
• Cyber Attack Trees
• Cyber Risk Cube
• Categorization Letter
• PM Signature
• CPI Memo
• Intel Production Requests
• Threat Model
• Cyber VOLT
• Cyber T&E Strategy

Step 3 – High-Level Design (Design Synthesis)
Process steps:
• CRA Viewpoint 2
• RMF Step 2
• CTT
• CPI Assessment
• AT Step 2
• Intel Threat Assessment
• T&E Attack Surface Characterization
Outputs:
• Cyber Attack Trees
• Cyber Risk Cube
• Initial RMF Control Selection & Security Assessment Plan
• AT Mission Essential Function
• AT Level of Protection Requirement
• AT Letter of Concurrence
• CYBERSAFE Mission Criticality
• Critical Intelligence Parameters
• Intel Production Requests
• Threat Model

Step 5 – H/W S/W Development (Design Synthesis)
Process steps:
• CRA Viewpoint 3
• RMF Step 2/3
• AT Steps 3 & 4
• TSN/Criticality Analysis
• SCRM Illumination
• Intel Threat Assessment
• CYBERSAFE Planning
• T&E Cooperative Vulnerability Identification
Outputs:
• Cyber Attack Trees
• Cyber Risk Cube
• RMF Control Selection & Control Design Plan
• Initial/Final AT Plan
• AT Attack Trees
• Critical ICT Components
• SCRM-TAC Request
• DT Test Plan
• CYBERSAFE EDRAP
• Intel Production Requests
• Threat Model
• Critical Component CVI Reports

Step 9 – System Validation (Verification)
Process steps:
• CRA Viewpoint 4
• RMF Step 4/5
• SCRM Assessment
• Developmental Testing
• CYBERSAFE OQE & Risk Review Board
• OT CVPA
• OT Adversarial Assessment
Outputs:
• Cyber Attack Trees
• Cyber Risk Cube
• RMF Risk Assessment Report, Security Assessment Report, FSCA Endorsement & Authorization to Operate
• SCRM Supply Chain
• AT Implemented
• DT Test Report
• OT Test Report
• FINTEL
• CYBERSAFE Certification

Step 10 – Changes/Upgrades (Deployment)
Process steps:
• RMF Continuous Monitoring
• CYBERSAFE Continuous Monitoring
System Security Engineering (SSE)
SSE specialty areas:
• Anti-Tamper (AT)
• Defense Exportability Features (DEF)
• Software Assurance (SwA)
• Hardware Assurance (HwA)
• Cybersecurity
• Supply Chain Risk Management (SCRM)
• Other Security (OPSEC, INFOSEC, PERSEC, COMSEC)
• Survivability / Resilience
System Security Engineering Design Considerations (DCs)
Security is one of the 24 System Engineering Design Considerations, alongside Performance Requirements, Structure, Maintainability, Propulsion, Safety, Power, Reliability and the other System Engineering considerations.
Source: Defense Acquisition Guidebook (DAG)
SSE Produces Common Sets of Artifacts
Lifecycle phases: Requirements, Design, Implementation, Assessment
Common set of artifacts tailored into separate approval packages for CYBERSAFE, Cyber Survivability Endorsement, ATO and AT Approval:
• Authority to Operate
• CYBERSAFE Certification
• Anti-tamper Approval (ATEA)
• Cyber Survivability Endorsement
Assessment evidence: DT / OT Blue & Red Team Test
System Security Working Group (SSWG)
SSWG membership:
• LOG / PO / PL
• Cyber Team: ISSM, ISSO, ISSE
• Security
• Intel
• T&E, SE, AT
• User
• Training
• Developer, S/W Engr
• Ad Hoc, includes as needed: PM, BFM, CON, et al.
The IPT Model Integrates Cybersecurity across Competencies
System Security Working Group (SSWG) Charter
SSWG Inputs:
• CDD
• Acq Strat
• DODAF
• DoDI 5000.02 (enclosure 14)
• DoDI 5000.75
• DoDI 8500.01
• DoDI 5200.44
• NIST SP 800-53
• DoD Cybersecurity T&E Guide
• CNSS 505
• CNSSI 1253
• Security Technical Implementation Guides (STIGs)
SSWG Outputs:
• Program Protection Plan (PPP)
• Cybersecurity Strategy
• Criticality Analysis
• Test & Evaluation Master Plan (TEMP) Appendix E
• Anti-Tamper (AT) Plan
• Security Engineering Inputs to: System Engineering Plan (SEP), System Design, Software Development Plan (SDP), Request for Proposal (RFP), Program Security Classification Guide (SCG), Supply Chain Risk Management (SCRM) Plan, Life Cycle Support Plan (LCSP), Software Assurance Plan, Program Budget
How do we make these Outputs “living” documents?
Test as a Cyber Integrator
• T&E links the Risk Management Framework (RMF) & Program Protection Plan (PPP) Analysis
• Mission-Based Cyber Risk Assessment (MBCRA)
– CTT, CRA, SCA-V, CJA, etc.
– Institute for Defense Analyses comparative study provides a decision diagram: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops
Cyber Risk Assessment (CRA)
CRA flow: Mission Critical Functions Mapped to Subsystems → Attack Tree Nodal Analysis → Combining All Risk Aspects → Mission-Based Risk
• Shows mission risk, recommends test, justifies fixes, tradeoffs
• Re-assess selected Cybersecurity Controls
CRA comprehensively Assesses People, Processes & Technology (PPT)
Joint Staff Survivability KPP provides a Framework for Integrated Cybersecurity Requirements
Why do we need CYBERSAFE, Trusted Systems and Networks, etc.?
Exposing Engineers to Failures More Frequently Incentivizes Them to Build Resilient Services.
Continuous Red & Blue “Testing” is the New Normal
*Chaos Monkey is a service which identifies groups of systems and randomly terminates one of the systems in a group.
Case Study of Warfighter Information Network – Tactical (WIN-T) Inc 2
• Passed Adversarial Cyber FOT&E!
• Cybersecurity Integrates into systems engineering vice separate solution
• % Fix Effectiveness was key metric!
• Assumption of breach
• Continuous Testing & Fixes with JHU APL & Developer
• Threat models, with > 10 million threat sims
Summary
• Integrated PPP / Cybersecurity requires transformational SSE / RMF
• Threat and Complexity require continuous monitoring & update
• MBCRA / Test / PPP update never ends in cyber-contested environment
• Cyber Survivability offers Rosetta stone approach to unifying / translating RMF Security Controls and Systems (Security) Engineering methods
• SSWG is paramount – helps end Stovepipes
• PPP brings it all together - can highlight redundant and conflicting issues
Questions?
Resources
• Cybersecurity in the Defense Acquisition System. Enclosure 14 of Department of Defense Instruction (DoDI) 5000.02, Operation of the Defense Acquisition System, pp. 171-187, February 2, 2017, Incorporating Change 3, August 10, 2017
• DoD Instruction 5200.39, Critical Program Information (CPI) Identification and Protection Within Research, Development, Test, and Evaluation (RDT&E), May 28, 2015, Incorporating Change 1, November 17, 2017
• DoD Directive 5200.47E, Anti-Tamper (AT), September 4, 2015, Incorporating Change 1, August 28, 2017
• DoD Instruction 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), November 5, 2012, Incorporating Change 2, July 27, 2017
• USD(AT&L) Memorandum, Document Streamlining – Program Protection Plan (PPP), July 18, 2011
• Cyber Survivability Endorsement Implementation Guide Vol II & Vol III (Classified)
• Cyber Table Top Facilitator Site: https://intelshare.intelink.gov/sites/atlcoi/cyberTableTops
Additional Resources
• Additional Resources & Tools such as CALIT and ACQuipedia articles and videos can be found at the DAU Cybersecurity Community of Practice Page: https://www.dau.mil/cop/cybersecurity/Pages/Topics/Knowledge%20Sharing%20and%20Job%20Support%20Tools.aspx
• Tools:
– Cybersecurity & Acquisition Lifecycle Integration Tool - CALIT
– Quick Reference Card - Cybersecurity Black Card
• Videos:
– Ongoing Efforts to Protect the DoD’s Unclassified Information, 13 Jan 17 (duration: 12 min)
– Cybersecurity Implementation, Kevin Dulany (DoD CIO Office) - Duration: 90 Min
– Cybersecurity Risk Management Framework Overview Mar 2017
• Articles:
– ACQuipedia - Cybersecurity & the DoD Acquisition Lifecycle
– ACQuipedia - RMF for DoD IT
– ACQuipedia - System Survivability KPP
– ACQuipedia - Supply Chain Risk Management
– Defense AT&L Magazine - Including Cybersecurity in the Contract Mix, Mar-Apr 2018
– Defense AT&L Magazine - Supply Chain Risk Management: An Introduction to the Credible Threat, Jul-Aug 16
– Defense AT&L Magazine - Cybersecurity; The Road Ahead for Defense Acquisition, May-Jun 16
– Defense AT&L Magazine - Cyber Integrator Concept, Mar-Apr 15
– Defense AT&L Magazine - Cybersecurity Challenges for Program Managers, Sep-Oct 14
– Crowd Source Article - Fact Sheet Hack the Pentagon
BACKUP
Rosetta Stone: SS KPP CSAs to RMF to Systems Security Engineering (SSE) Translation
SS KPP/CSE Implementation Guide Vol II ‒ Risk-Managed Performance Measures, Joint Staff J6/J8, DCIO, NSA IAC, 2018
CSA to RMF to System Security Engineering (SSE) Mapping
• SS KPP to CSA to RMF (NIST Security Controls) to SSE Mapping, covering the Cyber Survivability Attributes (CSAs):
– Least Privilege
– Resistance to Attack
– Continuous Monitoring
– Prioritized Operations
– Data Segregation
– Recover from a Trusted Source
– Periodically Save State
– Threat Evolution
– Failover
• “Mesh” Interrelation
• Focus on Weapon System germane controls
• Adapt controls for SSE which is more relevant to Weapon Systems
• Exemplar SSE Requirements Language for:
– ICD / CDD / CPD
– RFP
– SOW
RMF - CSA
RMF - SSE
CSA to SSE
Cyber Table Top (CTT) – Risk Assessment
• Input to Controls Selection / Risk Assessment / Pre-Test
• User Reps / Focused Mission Areas
*Facilitator Training Available via DAU & Ms. Standard, Sarah M CIV OSD OUSD ATL (US),
CTT phases and activities:
Exercise Preparation (~30-60 days):
• Develop Mission Plan
• Analyze Architecture, CONOPS, Intelligence
• Define Mission
• Define Access Paths
Exercise Execution (~3-5 days):
• Execute Attacks
• Define Attack Paths & Vulnerabilities
• Analyze adversary attacks
• Describe Effects
Post Exercise Analysis (~30-60 days):
• Determine Cyber Risk: Likelihood vs Consequence
• Develop Mitigations
Reporting:
• Mitigations
• Reports
Color Code (teams): Operational Team, OPFOR Team, Control / Analysis Teams, Reporting Team
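A worked illustration of the CRA flow shown earlier (mission critical functions mapped to subsystems, attack tree nodal analysis, mission-based risk) and of the CTT "Determine Cyber Risk: Likelihood vs Consequence" step, added here as example code that is not part of the original briefing. The subsystems, attack-tree nodes, criticality levels, the OR = max / AND = min roll-up rule and the risk cube thresholds are all constructed assumptions.

```python
"""Mission-based cyber risk roll-up: mission functions mapped to subsystems,
attack-tree nodal analysis, likelihood vs consequence cube. Constructed data."""
from dataclasses import dataclass, field

# Assumed mapping of TSN/CA criticality failure level to a consequence rating 1..5.
CONSEQUENCE = {"I": 5, "II": 4, "III": 2, "IV": 1}

@dataclass
class Node:
    """Attack-tree node: leaves carry a likelihood rating 1..5; gates combine."""
    name: str
    likelihood: int = 0
    gate: str = "LEAF"  # LEAF, OR or AND
    children: list = field(default_factory=list)

def node_likelihood(n: Node) -> int:
    """Nodal analysis: OR = easiest child path, AND = hardest required step."""
    if n.gate == "LEAF":
        return n.likelihood
    ratings = [node_likelihood(c) for c in n.children]
    return max(ratings) if n.gate == "OR" else min(ratings)

def risk_cube(likelihood: int, consequence: int) -> str:
    """Bin one cell of a 5x5 likelihood vs consequence cube (assumed L*C thresholds)."""
    score = likelihood * consequence
    return "HIGH" if score >= 15 else "MODERATE" if score >= 6 else "LOW"

def mission_risk(functions: dict, trees: dict) -> dict:
    """Roll subsystem attack-tree likelihood up to each mission function it supports."""
    report = {}
    for func, (level, subs) in functions.items():
        lik = max(node_likelihood(trees[s]) for s in subs)  # any supporting subsystem
        cons = CONSEQUENCE[level]
        report[func] = (lik, cons, risk_cube(lik, cons))
    return report

def fix_priority(report: dict) -> list:  # highest L*C first: what to test and fix first
    return sorted(report, key=lambda f: report[f][0] * report[f][1], reverse=True)

# Constructed sample: subsystem attack trees and the mission functions they support.
TREES = {
    "Mission Computer": Node("Compromise mission computer", gate="OR", children=[
        Node("Malicious load via maintenance port", 2),
        Node("Counterfeit ICT component", gate="AND", children=[
            Node("Tainted part from untrusted vendor", 3),
            Node("Part passes incoming inspection", 3)])]),
    "Datalink Radio": Node("Deny datalink", gate="OR", children=[Node("RF jamming", 3), Node("Key replay", 1)])}
FUNCTIONS = {  # function: (criticality failure level, supporting subsystems)
    "Navigate to target": ("I", ["Mission Computer"]),
    "Share track data": ("II", ["Datalink Radio", "Mission Computer"]),
    "Record maintenance log": ("IV", ["Mission Computer"])}
```

The same subsystem likelihood lands in different cube cells depending on the criticality of the mission function it supports, which is why the decomposition step in the Observations above precedes any control selection.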