Information Warfare Industry Day
20180510 RDML Barrett, OPNAV N2N6G
Unclassified
[Figure: enterprise network diagram. Section labels: Transport; C4I Systems; Applications; Control Systems. Other labels: ADNS, MOC, GNOC, NCDOC, NMCI & ONE-NET, JRSS, DISN Core, Teleport, Commercial Internet, Internet, Tactical Switch (TSw), ISNS / CANES / SUBLAN / TSCE, SCI, Coalition Networks, USMC, NCTAMS/NOC, Air, Combat, HM&E, Navigation, Other Connections (Commercial, Coalition, RF), Installations, Public Works, Physical Security, Public Safety, Air Ops, Port Ops, PSNET.]
Cyber resilience extends across the enterprise
Cyber resilience is continued operations in a contested cyber environment
Cyber Resilience Strategy
Cyber resilience is the Navy’s long-term strategy
CYBER RESILIENCY APPROACH
Cyber situational awareness
Build-in-resiliency
Control points
Cyber hygiene
Cyber workforce
[Figure labels: TFCA (2014/5); 2016; React; Restore; + Foundational; Cyber Resilience]
IA Standards Aligned to NIST Framework
Designing for Security & Resiliency
NIST Framework: Identify, Detect, Protect, Respond, Recover
Anatomy of a Cyber Attack / Disrupting the Adversary’s Cyber Kill Chain: Discover, Penetrate, Probe, Escalate, Persist, Execute, Expand
Implementation Standards
Stds: 11/33 26/33 19/33 7/33 5/33 15/33 27/33 28/33 22/33 23/33 16/33 23/33
1 HLP • • • • • • • • •
2 Network Firewall • • • • • • •
3 IDPS • • • • • • • • •
4 ISCM • • • • • • • •
5 SIEM • • • • • • •
6 Vulnerability Scan • • • • • •
7 Boundary Protect • • • • • • •
8 OS • • • • • • • •
9 Cyber Risk • • • • • • • • • • • •
10 TSN • • • • • • • • • •
11 Cyber SA • • • • • • • • • •
12 IT Asset Mgmt • • •
13 Account Mgmt • • • • • •
14 Cyber CM • • • • • • • •
15 Web Security • • • • • • •
16 Cross Domain Solution • • • • • •
17 Email Security • • • • • • • •
18 Software Assurance • • • • • • •
19 RAS • • • •
20 Patch Mgmt • • • • • • • • •
21 BIOS • • • • • •
22 IdAM • • • •
23 Event Mgmt • • • • • • • • • •
24 Info Mgmt • • •
25 PKE • • • •
26 Wireless Comms • • • • •
27 WEAC • • • • • •
28 Data in Transit • • • • •
29 Data at Rest • • • •
30 Key Mgmt Exchange • • • •
31 DNS • • • • •
32 Cloud Security • • • • • • • • • •
33 Unified Capability • • • • •
[Chart: Standards Completion Status, FY15, FY16, FY17]
End-to-end architecture with micro web services - transforming our enterprise information environment
[Figure: “Compile to Combat - 24 hours” End-to-End Micro Services Architecture. Labels: Data, Application, Presentation; USS UNDERWAY; NOC; Teleport Site; Commercial Cloud w/XML Compression; Compressed XML; Sensors, UV/AVs, Link data, etc.]
Most transactions happen on the ship, only data exchanged ship/shore
4 PILLARS
• Use of Commercial Cloud
• Automated testing of Web Services to include RMF
• Shared Infrastructure
• Data Standardization
Objectives:
• From development through automated fielding
• They will be our “FEDEX” and will package up delivery of content for afloat (compressed XML), only those data “ordered up” by the ship
• Big data analytics
• From “Compile to delivery on ship” – 24 hours all automated
• Functional testing against Open standards compliant web Services development guidance and XML data standardization
• Automated RMF testing, to include intel assessment of risk, inherit shared infrastructure accreditation
• Use CANES
• Already accredited
• Uses standard / approved Ports and Protocols
• Drop “code not boxes”
• Reduce attack surface
• XML Open Standard Data
• eXML compression
Why it matters:
• Leverage commercial technology
• Improved security
• Data compression
• Data analytics
• Commercial Cloud afloat $ savings
• Reduce cost/time to field capability
• Eliminate cybersecurity risks of legacy apps
• Drop code not infrastructure
• Improve speed for fielding capability and cybersecurity solutions
• Operate with 80% of needed info in denied space environment
• Exploring afloat commercial infrastructure as a service
• Standardized data = data reuse by many, improved QOS, efficient use of bandwidth, can apply AI; all lead to improved decision making, improved cross domain use, etc.
Automation, automation, automation…
– Dependent on People – Processes – Technology
– Crucial to balance automated response against man-in-the-loop monitoring, especially for complex systems-of-systems
– Real-time, machine driven solutions. Automated through machine learning:
Mapping, continuous monitoring, sensing and warning, reporting, alerting etc.
Configuration baselines
RMF in the C2C24 model
DEVOPS, system development & vulnerability assessment
Control system code assurance
Artificial Intelligence and Big Data Analytics
IA Standards Roadmap
Develop control systems with security controls (from NIST 800-82 Rev 2) “baked in” – adherence to open standards
Help us answer:
– What are the leading approaches to securing and sensing control systems?
– How should we decide what data or systems to protect first and what we’re willing to spend?
– How do you measure cybersecurity risk and establish a threshold of acceptance vs. mitigation for resiliency?
– What are the best ways to minimize your attack surface and to detect anomalous activity?
– What are the best ways to create and maneuver an agile network of systems to frustrate would-be attackers?
– How do you approach the development and retention of a cyber smart workforce? (other than compensation)
– How do we C2 our information in the commercial cloud – shared responsibility
Cyber resilience relies on a partnership between government & industry
IA Standards Roadmap
Covered defense information (CDI) = unclassified information that:
– Requires safeguarding
– Is provided to a DoD contractor or used by a DoD contractor in support of a contract
DFARS Clause 252.204-7012 requires DoD contractors to:
– Safeguard CDI
– Report cyber incidents to DoD
– Submit malicious software from a cyber incident to DoD
– Preserve images and data from a cyber incident for 90 days
Minimum cybersecurity standards for safeguarding CDI described in NIST 800-171
– 14 areas (access control, incident response, identification, authentication, etc.)
– Full compliance required no later than 31 Dec 2017
http://business.defense.gov/Small-Business/Cybersecurity/
DoD contractors are responsible for safeguarding Navy information