Cyberspace T&E Drivers and Initiatives

Transcription

1 Cyberspace T&E Drivers and Initiatives ITEA Cyber Security Workshop Dr. C. David Brown, PE, CTEP Deputy Assistant Secretary of Defense (DT&E) Director, Defense Test Resource Management Center Residence Inn by Marriot, Arlington, VA March 17, 2016

2 50 Years of Exponential Progress We ve hit the 50 th anniversary of Moore s Law Cramming more components onto integrated circuits By Gordon Moore Electronics Magazine, Volume 38, Number 8, April 19, 1965 What does exponential progress look like during the last 5 decades? Produced in 1971 Produced in ,000X Faster 5,000X Less Energy 50,000X < cost/transistor 2,300 transistors Built by hand Used in F-14 Tomcat 1.4 Billion transistors 5 Billion transistors built per second Annual production = 20 Million for every person on earth 2

3 Technology Infusion 3

4 What did Exponential Increases Provide? Since The ipod Nano released. First gen iphone is two years away The first video was uploaded to YouTube Facebook was a year old, and acquired URL facebook.com for $200K Android was a small startup that Google had just acquired The term Drone meant a military weapon system An early prototype autonomous car completed DARPA Grand Challenge for the first time 4

5 What did Exponential Increases Provide? iphone 6: 4 million preorders in first 24 hours; 700 million total iphones sold to date Billion users, 300 hours of video uploaded an hour 1.4 billion users from every country on earth Share 2.5 million pieces of content every minute Over a billion Android users Drones from $50 - $1,500 used by everyone from kids to Amazon Google s autonomous cars have logged > 1M miles Every auto manufacturer working on a version 5

6 SLOC Increase in Avionics Software ( ) Increasingly complex Weapons Systems Increasingly complex to de-bug and make cyber resilient! 6

7 Cyber Attack Surfaces (c. 1980) Example 3 rd Generation Aircraft NAVIGATION & LANDING Pulsed-Doppler Radar TACAN NAVIGATION PODS Threat Warning / Targeting TARGETING SYSTEM PODS ECM PODS Threat and Radar Warning Systems (RWR) VOICE UHF / VHF Radios Attack Surface: A system s exposure to reachable and exploitable cyber vulnerabilities Source: Adapted from SANS Attack Surface Problem: 7

8 Cyber Attack Surfaces (c. 2015) Example 5 th Generation Aircraft VOICE UHF / VHF SINCGARS HAVEQUICK Link-16 DATA Link-16 MADL VMF-K P5 Combat Tng NAVIGATION & LANDING INS GPS ILS TACAN JPALS ID / SURVEILLANCE Mark XII AUDIO CTOL Maint Intercom 3D Audio EW DAS AESA EOTS Attack Surface: A system s exposure to reachable and exploitable cyber vulnerabilities Source: Adapted from SANS Attack Surface Problem: 8

9 The Internet of Things By the year 2020: More than 25 billion embedded and intelligent IoT systems DoD systems increasingly dependent on IoT technology Governments are 2 nd largest sector implementing IoT 41% CAGR We inherit both the Good (lower development costs, interoperability) and Bad (i.e. vulnerabilities) CAGR = Compound Annual Growth Rate 9

10 The Good and the Bad of Interconnection MDD T&E Phases Understand Cybersecurity Requirements MS A Req Decision Pre- EMD Characterize Cyber Attack Surface MS B Cooperative Vulnerability Identification IATT MS C ATO Materiel Technology DRAFT Engineering & Solution AOA Maturation & CDD CDD Manufacturing Analysis Risk Reduction Development CPD DT&E ASR SRR SFR PDR CDR TRR Event SVR DT&E Assess - ment Adversarial Cybersecurity DT&E DT&E Assess - ment Full Rate Production Decision Review Production and Deployment OTRR IOT&E Cooperative Vulnerability and Penetration Assessment O&S Adversarial Assessment Attack Surfaces Adversary Opportunities Dependency Growing Exponentially Exponential Challenges for Development and T&E 10

11 Shift Way Left Requirements Decision Developmental RFP Decision A B C IOT&E FRP MDD Materiel Solution Analysis Technology Maturation & Risk Reduction Engineering & Manufacturing Development Production and Deployment O&S PDR CDR LLP User Needs TEMP TEMP Draft TEMP DT&E TEMP DIACAP/RMF Systems Engineering Planning Concept of Operations System Requirements High-Level Design & Subsystem Requirements Risk Management Framework Cybersecurity DT/OT Earlier Interoperability Testing System Verification & Deployment Subsystem Verification DOT&E IA Memo System Validation Interoperability Mission Context Introduce Mission Context Earlier Operation & Maintenance Detailed Design Unit Testing Reliability Growth Software Coding Hardware Fabrication C 11

12 Shift Way Left S&T IRAD R&D 12

13 T&E Value Proposition The emerging Cyberspace domain has the potential to diminish or enhance the perceived value proposition of T&E Testing of Yesterday T&E at the end of a serial process separated from Systems Engineering Testing of Tomorrow T&E integrated with the Systems Engineering Process Data Information Knowledge 13

14 Workforce Development is the Lynchpin for Cyber Resiliency T&E of Yesterday T&E of Tomorrow The Workforce of Yesterday The Workforce of Tomorrow Attaining the Cyber T&E Workforce of Tomorrow will Require Updating Our: Approach to Attract & Recruit Ability to Hire Ability to Retain Culture that Aligns with the Next Generation We are Making Progress Cyberspace T&E integrated in DAU T&E Curriculum TRMC Internship Initiative NCR Interns TRMC T&E Connect Outreach (FLEX-ACE) DoD T&E must aggressively invest in the human domain 14

15 The Cyber Policy/Regulatory Eco-System 15

16 New/Ongoing Cybersecurity Policy and Guidance Activities The Large amount of Policy and Guidance is a Making it difficult to pin down what is the most critical to test DT&E and TRMC stand ready to help navigate the cyber T&E maze: Workforce and Infrastructure initiatives Practical and proven processes like the Cyber Table Top Integrated design and test philosophy; the Cyber T&E Value Proposition 16

17 NDAA16 Section 1647: Evaluation of Cyber Vulnerabilities of Major [DoD] Weapons Systems The Secretary of Defense shall complete an evaluation of the cyber vulnerabilities of each major [DoD] weapon system not later than December 31, 2019 Additional funding identified Short time frame will stress existing resources The Department is just beginning to understand the required resources! 17

18 Cyber T&E Infrastructure (CT&EI) Vision System Integration Laboratories (SILs) DISA SILs Army SILs Navy SILs AF SILs Hardware-in-the-Loop Laboratories (HWILs) DISA HWILs RSDPs SDPs Installed System Test Facilities (ISTFs) Navy ISTFs AF ISTFs Distributed Access to Persistent Cyber T&E Capabilities Army HWILs Navy HWILs Realistic Mission Environments Army Ranges Navy Ranges AF Ranges AF HWILs JMETC MILS Net Open-Air Ranges (OARs) NCR CSR C4AD Director TRMC: Goals as Newly Appointed Cyber T&E Range Executive Agent Integration of existing HWIL, SWIL & similar facilities without danger of damaging them Interoperability of cyber T&E ranges Environments reusable on any range Common tools Increase capacity to meet cyber vulnerability test requirements for BOTH legacy AND developing systems Enhanced automation for event design & execution, greater efficiency 18

19 T&E Infrastructure Security No Innocent By-Standers in the Cyber World The most advanced technologies in DoD go thru the T&E infrastructure (S&T, Development, System s Acquisition and System Sustainment) How cyber secure are the test capabilities in the DoD and its contractors facilities? Unmitigated Risks can and should be prioritized, budgeted for, fixed and verified! Looking for partners to develop & refine the process Poor Cyber Security in our T&E Infrastructure can Negate the Best DoD Weapon Technologies 19

20 The Challenge for Cyber T&E We build systems for, and fight our wars in, an increasingly complex and interconnected world Cyber attack surfaces are increasing, to include T&E infrastructure Shifting Left A paradigm shift for T&E, that includes cyberspace as a domain The challenge of cyber securing both systems under development as well as legacy systems Workforce recruitment, training and retention the key to building a strong cyber T&E force Questions for the Services Panel: How are you cyber testing systems under development and how is that going? How are you cyber testing legacy systems, and how is that going? How Cyber Secure is your T&E infrastructure? 20

21 Improve the Testing Improve the Process Improve the Product ARMY NAVY DEFENSE AGENCY AIR FORCE 21