Shore Triad Cyber Summit NAVFAC Cyber Strategy Update

Transcription

1 Shore Triad Cyber Summit NAVFAC Cyber Strategy Update Brandon T. Jones NAVFAC CIO (Acting) 4 March 2016

2 Cyber Secure Definitions Protect Detect React (Mitigate) Recover Interim Secure (Mission Assurance): Initial actions taken to address Control System vulnerabilities as quickly as possible. Fully Secure: Following the six-step RMF process to completion and receiving an ATO for respective system. For the FEC, it means: PE and N-UMCS have been deployed Accomplished Facility Control System Assessments Developed Accreditation Packages Developed & Installed Facility Equipment Connected Facilities to PE & N-UMCS Actively monitoring the Control Systems Six-Step RMF Process 2

3 Cyber Strategy Accomplishments Notable cyber accomplishments and milestones include: Successful CYBERSAFE Audit: NAVFAC CIO worked with OPNAV to perform and pass a functional audit of policies and procedures to certify the CYBERSAFE Program Office. Interim secure tasks in Hawaii: Operational technology (OT) resources have completed interim secure tasks for Hawaii installations. PE Deployed: Performed initial deployment of Platform Enclave (PE) in support of operational technology cyber security architecture in Hawaii, Mid-Lant, Southwest, Southeast, Marianas, EURAFSWA. Far East will be complete in March Tri-Service TEM and Navy TEM: NAVFAC hosted and facilitated a Tri-Service (1 st of it s kind) and a Navy Technical Exchange Meeting (TEM) for Cyber security. Fleet R3B Brief: Communicated and partnered with Fleet Audience led by FFC Exec Director Fleet FCRC Brief: Communicating the risk of shore facilities to Fleet Commanders ADM Davidson and ADM Swift PDASN EIE Brief: Update to Mr. Iselin on the State of Control Systems 3

4 High Level Timeline for NAVFAC Cyber Initiatives Cyber Security Capabilities FY16 FY17 FY18 FY19 FY20 ICS-PE (Installed) AMI (Installed) N-UMCS (Installed) TCA (PRI1) Assessed, interim secure, RMF started SICA (PRI2) EIB (PRI3) ATFP Assessed, interim secure, RMF started Assessed, interim secure, RMF started Assessed, interim secure, RMF started Functional Audit CYBERSAFE Categorize Systems Assign Grade Cyber Hygiene RMF Ongoing AO/SCA NAVFAC Cybersecurity Resourcing (IT Staff only) 46 FTE Hired (31 DEC) 70 FTE Authorized 81 FTE Authorized 100 FTE Authorized Plan & Implement Activities Ongoing Activities Milestone 4

5 Commanding Officer Accountability Each CO will be responsible for completion of the following priority activities. This will require coordination between CNIC and NAVFAC. Activity Description Cyber Hygiene System Inventory Update hardware and software Change default passwords Inventory Leverage existing resources to begin inventory process (Maximo, DCIP if available; POC ISSM) Conduct manual inventory of buildings and assets with CIO4, PW6 and ISSM Criticality Assessment Group mission capabilities by relative importance Decompose mission capabilities into critical functions Map missions and critical functions to critical components Identify and include components that do not directly implement critical functions but have unmediated access to or protect critical functions Assign Criticality Levels to the identified critical components CYBERSAFE Assign CS Levels 1-4 Assign Grades A/B/C Assign Conditions of Readiness X/Y/Z RMF Categorize Information Systems Select Security Controls Implement Security Controls Remove unused accounts Train administrators and operators Assess Security Controls Receive ATO Monitor Security Controls 5

6 Cybersecurity Enterprise Dashboard 6

7 CYBERSAFE- SYSCOM Office Certification ADNS SPAWAR OPNAV 2-6 Nov 2015 Lessons Learned Lessons Learned SSDS ICS Platform Enclave NAVSEA NAVFAC Jan Jan 2016 Implementation Test- Drives will serve as a certifying event for CYBERSAFE processes at each SYSCOM Lessons Learned H60 & Unmanned Vehicle NAVAIR 8-10 Feb 2016 Lessons Learned GATOR MARCOR SYSCOM TBD HQMC Lead Lessons Learned Supply Chain Risk Mgmt NAVSUP SYSCOM Mar

8 Functional Audit Objectives Assess NAVFAC CS management processes are compliant with the Draft CS Instruction V.06 Conduct tabletop process review of NAVFAC CS Program to assess end-to-end program compliance This audit did NOT focus on technical assessment of Industrial Control System Platform Enclave 8

9 Functional Audit Outbrief Evident that this is a Commander s priority Mr. McLaurin 9-month detail to OPNAV CYBERSAFE Office & Navy Cybersecurity Division (formally TFCA); Ms. Deb Jordan was TFCA Deputies participant Two major findings Designation Letter for NAVFAC CYBERSAFE Program Director COMPLETED Designation Letter for CYBERSAFE ICS-PE Program COMPLETED Improvements People capacity for execution Processes sufficient and maturing while we learn Authorities - documentation revisions NAVFAC and ICS-PE Program commitment list Regular progress updates SECNAV/OPNAV Instructions Provided lessons learned for future audits NAVAIR: February 2016 NAVSUP: March 2016 Final Report upon completion of all audits Purpose: To assess if NAVFAC s CYBERSAFE (CS) management processes are compliant with the Draft CS Instruction v0.6 9

10 Rating Tri-Service TEM Metrics Audience Metrics Over 90 attendees over the course of the 4-day conference Attendees included 18 SES, 1 Flag Officer, and 4 Senior Officers Attendee feedback was collected on a scale of 1-5 (unsatisfied to very satisfied) via survey for a series of questions; overall satisfaction analyzed for Days 1-3 fell in the satisfied to very satisfied range RESPONDENT OVERALL SATISFACTION Organizations Present Audience: Air Force, Army, Marine Corps, Navy, DLA, National Labs, CYBERCOM, and OSD Day One Day Two Day Three Day Four Overall Speakers: NAVFAC, Air Force, Army, Navy, Office of Naval Research, SPAWAR, NAVSEA, USACE, AFCEC, DOD, National Labs UNCLASSIFIED/FOUO 10

11 Tri-Service TEM Agenda Facility Commands Cyber Overviews: NAVFAC Air Force USACE Enterprise Cyber Security: Holistic Approach to Cybersecurity The Unique Challenges to Secure Control Systems Navy s Task Force Cyber Awakening Air Force s Task Force Cyber Secure Cyber Security Science: Delivery Secure Facilities Planning Secure Facilities Johns Hopkins University/Applied Physics Lab Cyber Security Policy: Navy: OPNAV N2/N6 Air Force: AFCYBER ARCYBER/2nd Army OSD: Overview of Efforts Technical Discussion: Navy s Platform Enclave DoD Guidance: Risk Management Framework: Fundamentals, Process, and Issues New Instruction: Cyber UFC and UFGS Roundtable Discussions: Outcome of Army s Systematic CS Inspection Update on Control System Inventory Configuration Management Control Workforce Development Plan Strategy to Cyber Secure Facilities Navy Control Systems Test Bed TEM Day 1 TEM Day 2 TEM Day 3 TEM Day 4 UNCLASSIFIED/FOUO 11

12 Overarching Tri-Service TEM Themes The following themes were reiterated throughout the TEM: 1. Train the Workforce Provide training for the workforce which allows them to be successful given new requirements Consider the following trainings: control systems, cybersecurity, facility engineering, etc. 2. Address Policy Gaps Create DOD-level policy to provide standard direction across services Develop cradle to grave guidance which can be used to cyber secure facilities (RFP through build and maintenance) 3. Differentiate Compliance vs. Residual Risk Risk Management Framework is used as a compliance tool but should be leveraged to determine overall risk to the mission and to the shore domain Compliance does not equate to security 4. Reach Reciprocity through Inheritance Leverage service specific accreditations across DOD to reduce duplication of effort for similar systems Risk Management Framework process maximizes inheritance within the systems 5. Consolidate Assessments Consolidate existing assessments to one that meets varying needs Reduce level of effort to collect required information UNCLASSIFIED/FOUO 12

13 Rating Navy Ashore TEM Metrics Audience Metrics Over 80 attendees over the course of the 4-day conference Attendees included 13 SES, 2 Flag Officers, and 4 Senior Officers Attendee feedback was collected on a scale of 1-5 (unsatisfied to very satisfied) via survey for a series of questions; overall satisfaction analyzed for Days 1-3 fell in the satisfied to very satisfied range RESPONDENT OVERALL SATISFACTION Day One Day Two Day Three Day Four Overall Organizations Present Audience: SPAWAR, NAVSUP, NAVSEA, NAVFAC, Navy Information Forces, DOE, NAVMETOCCOM, ONI, OPNAV N46, CNIC, NAVMED, PNNL Speakers: CNIC, DISA, NAVAIR, NAVFAC, NAVMED, NAVMETOCCOM, NAVSUP, OPNAV, SPAWAR, USCYBERCOM, PNNL UNCLASSIFIED/FOUO 13

14 Navy Ashore TEM Agenda Navy Cyber Overview NAVFAC s Cyber Role Ashore NAVSUP Cyber Overview Tri-Service TEM Summary and Highlights Cybersecurity Technology in Action Cyber in Medical Technology Cybersecurity for the Naval Meteorology and Oceanography Comment Breaking Down Barriers and Modernizing Cyber in the Navy Ashore Environment Securing Building and Utility Systems Components of Cybersecurity IoT Vulnerability Research, Cyber Talent Gaps, and the Global CSIRT Community NAVFAC s Security Architecture Cyber Engineering Best Practices Cyber Hygiene Cyber UFC and UFGS Navy s Cybersecurity Landscape Navy Exchange Service Command Information Technology Overview Supply Chain Cyber Landscape Securing Power to the Navy Cybersecurity Architecture Shore Control Systems Test Bed Zoning and Anomaly Detection in a Low Entropy Environment IA / TA Update Command Cybersecurity Overview NAVSEA SPAWAR NAVAIR NAVFAC s Role as Shore AO / SCA Cybersecurity Strategic Approach Securing the Security Systems PSNET PSNet for Secure Transport Enabling the Fleet Cybersecurity Workforce Development TEM Day 1 TEM Day 2 TEM Day 3 TEM Day 4 UNCLASSIFIED/FOUO 14

15 Overarching Navy Ashore TEM Themes The following themes were reiterated throughout the TEM: 1. Fleet: One Team, One Fight Users must understand that cybersecurity is no longer an option, it s the way of life Cross-SYSCOM team working with Fleet, OPNAV, FCC and other stakeholders 2. Train the Workforce Provide training for the workforce which allows them to be successful given new requirements Understand the differences between HQ and Echelon personnel Workforce retention and insourcing inherently government roles is critical 3. Educate on Risk Management Framework Risk Management Framework offers a systems-engineering based approach to managing security controls Compliance does not equate to security; what risk is being assumed Selection of security controls presents an opportunity for inheritance 4. System Inter-relationships Ashore Recognize complexity of shore systems with other SYSCOMs back to NAVFAC Collaboration is paramount to accurately assess and secure control systems against adversaries UNCLASSIFIED/FOUO 15

16 Workforce Development Gaps realized with the need to cyber secure control systems: Business Systems security process is well defined and appropriately staffed; not applicable to control systems under old requirements Control Systems were installed without regard to cybersecurity; supported by facility engineers and last for decades with little change Traditional cyber staff lack control system experience and process knowledge Facility Operational personnel prioritize availability, not cybersecurity Accreditation: business focused; ashore control systems not required Solution to begin workforce development: Insert cyber into each step of Facility Life Cycle Train & Team with SME process owners Develop cyber criteria, specs, and guidance Take on SYSCOM TA role and AO/SCA mission Leverage SYSCOM partners courses Increase awareness with every opportunity Training dedicated cybersecurity staff onboard and along existing staff to become cyber-smart Control System Cyber Boot Camps DEC 15 and MAR/JUN 16 Standards, Guidance & Processes being created and updated 16

17 Workforce Training The following actions are being taken to develop workforce: Explore control system cyber security certification programs Increase Validator, Information Assurance training Obtain forensic, monitoring, and ethical hacking expertise Build expertise for IT and SCADA product programs Gain training on cyber security tools and supporting suite Partner with DoD Cyber Range and leverage National Labs Provide internal training (i.e. NAVFAC ICS Boot Camp Dec 15): Security Architecture, Threat, Control Systems, Substation, ICS OPS Center, Strategy Participation with NAVFAC Functional, OSD, Air Force, SECNAV, CNIC, USMC Utilize global cybersecurity support staff 9 Regions, Dev Lab and Test Bed NAVFAC Cybersecurity Staff FY14 FY15 FY16 FY17 FY18 Hired Authorized 17

18 Current Challenges NAVFAC also recognizes there are current challenges that may prevent organizations from reaching their ideal cybersecurity end state. 1 Risk Management Framework Knowledge gap of experience exists- makes the transition from DIACAP to RMF seem very daunting The application of RMF is not clearly defined; must identify shore critical assets in addition to TCAs There is disagreement surrounding how to measure risk vs. compliance 2 Workforce Education and Training Agility is something to insource Differences in training approaches in the cyber workforce, about cyber hygiene, and between the fleet vs. echelon staff 3 Coordination within and between Organizations Looking for more buy-in and support from external organizations Furthering partnerships within Navy, DoD, National Labs Continuing momentum with process after the TEM has concluded 4 Unified Presence and Stance Implementation of CYBERSAFE across the supply chain and all of Command IT ashore Standardized definitions and requirements Set expectations from Command to Users- one team, one fight Contradicting perspectives of secure systems between non-dod government leaders, who follow industry convention, and the DoD intelligence community UNCLASSIFIED/FOUO 18

19 RMF for IS and PIT Systems Step 6 Monitor Security Controls Determine impact of changes to the system and environment Assess selected controls annually Conduct needed remediation Update security plan, SAR and POA&M Report security station to AO AO reviews reported status Implement system decommissioning strategy Step 5 Authorize System Prepare the POA&M Submit Security Authorization Package to AO AO conducts final risk determination AO makes authorization decision Step 1 Categorize Systems Categorize the systems in accordance with the CNSSI 1253 Initiate the Security Plan Register the system with DoD Component Cybersecurity Program Assign qualified personnel to RMF roles Step 4 Assess Security Controls Develop and approve security assessment plan Assess security controls SCA prepares security assessment report (SAR) Conduct initial remediation actions Step 2 Select Controls Common control identification Select security controls Develop system-level continuous monitoring strategy Review and approve the security plan and continuous monitoring strategy Apply overlays and tailor Step 3 Implement Security Controls Implement Controls Solutions consistent with DoD component cybersecurity architectures Document security control implementation in the security plan Risk Management Framework (RMF) for DoD IT replaces previous DIACAP framework in providing DoD Information Assurance. The RMF POA&M for Operational Technology is currently being developed by NAVFAC with an expected implementation start date in FEC cybersecurity team members will use the RMF POA&M to implement controls based on the assessments and grading done during CYBERSAFE. 19

20 ICS-PE / N-UMCS Relationship Base A Base B Base C 20

21 Appendix 21

22 CYBERSAFE Assessment Components CYBERSAFE is the assessment of assets to determine criticality categorization and grade in preparation for controls assignment. The assessment consists of the following three components: Cyber System Levels CYBERSAFE Grades Cyber Conditions of Readiness Cyber System Level CSL 1: Platform Safety CSL 2: Platform Combat CSL 3: Networked Combat CSL4: Sustained Combat Design Functionality Hierarchy of system to end-to-end mission CYBERSAFE Grade Grade A: Mission Critical Grade B: Mission Essential Material Grade C: Non-Mission Essential Procure, Design & Build Level of cyber protection incorporated into system design X Y Z Cyber Condition FULL NET SEMI NET NO NET Operate T E C H N I C A L C A P A B I L I T I E S Operating mode of platform based on likelihood of cyber attack 22

23 NAVFAC CYBERSAFE Prioritization Approach NAVFAC will leverage existing Mission Assurance (MA) efforts and lessons learned from these efforts to execute CYBERSAFE across the command. NAVFAC will prioritize all assets to determine the order they will be assessed for CYBERSAFE compliance utilizing the following approach: Priority 1: Task Critical Assets. Priority 2: Supporting Infrastructure Critical Assets. Priority 3: Other priority assets as identified by CNIC s Commander and Combatant Commands. Priority 4: All remaining assets. FEC cybersecurity teams will contribute to CYBERSAFE categorization, grading, and documentation. 23

24 FEC CYBERSAFE Process NAVFAC System Categorized process begins with FEC level system categorization. FEC cybersecurity teams will: Categorize the system using Navy s CYBERSAFE and RMF standards and guides. Assign CYBERSAFE grade using CYBERSAFE grade criteria and AO standards. Conduct criticality analysis. Assign CYBERSAFE controls based on grade. Tailor controls based on RMF Process. Document and justify security controls for RMF and CYBERSAFE. Documents generated at the ECH IV level will be reviewed and approved by ECH III and NAVFAC CYBERSAFE PMO. NAVFAC approved documents will be distributed to OPNAV, FFC/CPF/FCC, TYCOMS, and IDFOR. 24

25 CYBERSAFE Audit Team Members OPNAV N2/N6 (Theresa Everette, CDR Low, Paula Jackson) NAVFAC (Mike Kilcoyne, Marrio McLaurin, James Kim, Craig St. John) CNIC (Wendy McFadden, Kim Ellis) NAVSEA (Pat Hoff) SPAWAR (Charlie Nolan) IDFOR (CDR Fernandez, LCDR Fisher) MARCORSYSCOM (Erin Valliere) NAVAIR (Kafayat Kelani) NAVSUP (Steve Kozick) FCC (Alan Rickman) 25