unclassified - afcea international · unclassified unclassified 4 cyber resilience strategy cyber...

Information Warfare Industry Day 20180510 RDML Barrett, OPNAV N2N6G Unclassified


Post on 07-Jun-2020


Page 1

Information Warfare Industry Day

20180510 RDML Barrett, OPNAV N2N6G

Unclassified

Page 2

Unclassified

[Figure: enterprise network diagram. Section labels: TRANSPORT; C4I SYSTEMS; APPLICATIONS; CONTROL SYSTEMS; Other Connections (Commercial, Coalition, RF). Element labels: ADNS; MOC; GNOC; NCDOC; NMCI & ONE-NET; JRSS; DISN; DISN Core; NCTAMS/NOC; Teleport; Tactical Switch (TSw); Commercial Internet; Internet; ISNS / CANES / SUBLAN / TSCE; SCI; Coalition Networks; USMC; Air; Combat; HM&E; Navigation; Installations; Public Works; Physical Security; Public Safety; Air Ops; Port Ops; PSNET.]

Cyber resilience extends across the enterprise

Unclassified

Page 4

Unclassified

Cyber Resilience Strategy

Cyber resilience is the Navy’s long-term strategy

CYBER RESILIENCY APPROACH

Cyber situational awareness

Build-in-resiliency

Control points

Cyber hygiene

Cyber workforce

[Figure labels: TFCA (2014/5); 2016; REACT; RESTORE; + FOUNDATIONAL; Cyber Resilience]

Page 5

Unclassified

Unclassified

IA Standards Aligned to NIST Framework

Designing for Security & Resiliency

Disrupting the Adversary’s Cyber Kill Chain

Column groups:

NIST Framework: Identify, Detect, Protect, Respond, Recover

Anatomy of a Cyber Attack: Discover, Penetrate, Probe, Escalate, Persist, Execute, Expand

Implementation Standards

Stds: 11/33 26/33 19/33 7/33 5/33 15/33 27/33 28/33 22/33 23/33 16/33 23/33

1 HLP • • • • • • • • •
2 Network Firewall • • • • • • •
3 IDPS • • • • • • • • •
4 ISCM • • • • • • • •
5 SIEM • • • • • • •
6 Vulnerability Scan • • • • • •
7 Boundary Protect • • • • • • •
8 OS • • • • • • • •
9 Cyber Risk • • • • • • • • • • • •
10 TSN • • • • • • • • • •
11 Cyber SA • • • • • • • • • •
12 IT Asset Mgmt • • •
13 Account Mgmt • • • • • •
14 Cyber CM • • • • • • • •
15 Web Security • • • • • • •
16 Cross Domain Solution • • • • • •
17 Email Security • • • • • • • •
18 Software Assurance • • • • • • •
19 RAS • • • •
20 Patch Mgmt • • • • • • • • •
21 BIOS • • • • • •
22 IdAM • • • •
23 Event Mgmt • • • • • • • • • •
24 Info Mgmt • • •
25 PKE • • • •
26 Wireless Comms • • • • •
27 WEAC • • • • • •
28 Data in Transit • • • • •
29 Data at Rest • • • •
30 Key Mgmt Exchange • • • •
31 DNS • • • • •
32 Cloud Security • • • • • • • • • •
33 Unified Capability • • • • •

Standards Completion Status: FY15, FY16, FY17

Page 6

End-to-end architecture with micro web services - transforming our enterprise information environment

“Compile to Combat - 24 hours” End-to-End Micro Services Architecture

[Figure: architecture diagram. Labels: Data; Application; Presentation; USS UNDERWAY; NOC; Teleport Site; Commercial Cloud w/XML Compression; Compressed XML; Sensors, UV/AVs, Link data, etc.]

Most transactions happen on the ship, only data exchanged ship/shore

4 PILLARS

• Use of Commercial Cloud

• Automated testing of Web Services to include RMF

• Shared Infrastructure

• Data Standardization

Objectives:

• From development through automated fielding

• They will be our “FEDEX” and will package up delivery of content for afloat (compressed XML), only those data “ordered up” by the ship

• Big data analytics

• From “Compile to delivery on ship” – 24 hours all automated

• Functional testing against Open standards compliant web Services development guidance and XML data standardization

• Automated RMF testing, to include intel assessment of risk, inherit shared infrastructure accreditation

• Use CANES

• Already accredited

• Uses standard / approved Ports and Protocols

• Drop “code not boxes”

• Reduce attack surface

• XML Open Standard Data

• eXML compression

Why it matters:

• Leverage commercial technology

• Improved security

• Data compression

• Data analytics

• Commercial Cloud afloat $ savings

• Reduce cost/time to field capability

• Eliminate cybersecurity risks of legacy apps

• Drop code not infrastructure

• Improve speed for fielding capability and cybersecurity solutions

• Operate with 80% of needed info in denied space environment

• Exploring afloat commercial infrastructure as a service

• Standardized data = data reuse by many, improved QOS, efficient use of bandwidth, can apply AI; all lead to improved decision making, improved cross domain use, etc.

Page 7

Unclassified

Unclassified

Automation, automation, automation…

– Dependent on People – Processes – Technology

– Crucial to balance automated response against man-in-the-loop monitoring, especially for complex systems-of-systems

– Real-time, machine driven solutions. Automated through machine learning:

Mapping, continuous monitoring, sensing and warning, reporting, alerting etc.

Configuration baselines

RMF in the C2C24 model

DEVOPS, system development & vulnerability assessment

Control system code assurance

Artificial Intelligence and Big Data Analytics


Page 8

Unclassified

IA Standards Roadmap

Develop control systems with security controls (from NIST 800-82 Rev 2) “baked in” – adherence to open standards

Help us answer:

– What are the leading approaches to securing and sensing control systems?

– How should we decide what data or systems to protect first and what we’re willing to spend?

– How do you measure cybersecurity risk and establish a threshold of acceptance vs. mitigation for resiliency?

– What are the best ways to minimize your attack surface and to detect anomalous activity?

– What are the best ways to create and maneuver an agile network of systems to frustrate would-be attackers?

– How do you approach the development and retention of a cyber smart workforce? (other than compensation)

– How to C2 of our information in the commercial cloud – shared responsibility

Cyber resilience relies on a partnership between government & industry

Page 9

Unclassified

IA Standards Roadmap

Covered defense information (CDI) = unclassified information that:

– Requires safeguarding

– Is provided to a DoD contractor or used by a DoD contractor in support of a contract

DFARS Clause 252.204-7012 requires DoD contractors to:

– Safeguard CDI

– Report cyber incidents to DoD

– Submit malicious software from a cyber incident to DoD

– Preserve images and data from a cyber incident for 90 days

Minimum cybersecurity standards for safeguarding CDI described in NIST 800-171

– 14 areas (access control, incident response, identification, authentication, etc.)

– Full compliance required no later than 31 Dec 2017

http://business.defense.gov/Small-Business/Cybersecurity/

DoD contractors are responsible for safeguarding Navy information