Cybersecurity vs. Cyber Survivability: A Paradigm Shift

Similar documents
Shift Left: Putting the Process Into Action

The Perfect Storm Cyber RDT&E

Net-Centric Systems Design and Requirements Development in today s environment of Cyber warfare

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

New DoD Approach on the Cyber Survivability of Weapon Systems

DOD Medical Device Cybersecurity Considerations

Risk Management Framework for DoD Medical Devices

Cybersecurity Test and Evaluation Achievable and Defensible Architectures

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

April 25, 2018 Version 2.0

T&E Workforce Development

ISA 201 Intermediate Information Systems Acquisition

UNCLASSIFIED FY 2016 OCO. FY 2016 Base

Test and Evaluation Methodology and Principles for Cybersecurity

Cybersecurity in Acquisition

Cybersecurity, Trade, and Economic Development

The NIST Cybersecurity Framework

Dr. Steven J. Hutchison Principal Deputy Developmental Test and Evaluation

Air Force Test Center

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

Business Continuity: How to Keep City Departments in Business after a Disaster

Cyber Security Summit 2014 USCENTCOM Cybersecurity Cooperation

DoDD DoDI

ALIGNING CYBERSECURITY AND MISSION PLANNING WITH ADVANCED ANALYTICS AND HUMAN INSIGHT

U.S. FLEET CYBER COMMAND U.S. TENTH FLEET Managing Cybersecurity Risk

I n t e g r i t y - S e r v i c e - E x c e l l e n c e

Improving SCADA System Security

French-American Foundation Conference on cyber issues. Opening remarks. 25 October 2017

Title: Cybersecurity as it Applies to the Survivability Key Performance Parameter

2 nd Cybersecurity Workshop Test and Evaluation to Meet the Advanced Persistent Threat

Scope Cyber Attack Task Force (CATF)

DOE and Test Automation for System of Systems T&E

American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment

Data Management & Test Scenarios Exercise

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Enterprise Risk Management (ERM) and Cybersecurity. Na9onal Science Founda9on March 14, 2018

Providing Cybersecurity Inventory, Compliance Tracking, and C2 in a Heterogeneous Tool Environment

Improving Cybersecurity through the use of the Cybersecurity Framework

FPM-IT-420B: FAC-P/PM-IT Planning & Acquiring Operations of IT Systems Course Details

Department of Defense Installation Energy Resilience

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Texas Reliability Entity, Inc. Strategic Plan for 2017 TEXAS RE STRATEGIC PLAN FOR 2017 PAGE 1 OF 13

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

A New Cyber Defense Management Regulation. Ophir Zilbiger, CRISC, CISSP SECOZ CEO

Understanding the Changing Cybersecurity Problem

Copyright 2016 EMC Corporation. All rights reserved.

Strategic Foresight Initiative (SFI)

UNCLASSIFIED. UNCLASSIFIED Office of Secretary Of Defense Page 1 of 8 R-1 Line #18

Advanced Technology Academic Research Council Federal CISO Summit. Ms. Thérèse Firmin

Vulnerability Assessments and Penetration Testing

AMRDEC CYBER Capabilities

Antiterrorism / Force Protection (AT/FP) Assessment Tool Training. Module 1: Policy Drivers for MARMS & AT/FP Assessments

STUDENT GUIDE Risk Management Framework Step 5: Authorizing Systems

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

NDIA SE Conference 2016 System Security Engineering Track Session Kickoff Holly Dunlap NDIA SSE Committee Chair Holly.

Department of Defense. Installation Energy Resilience

Safeguarding unclassified controlled technical information (UCTI)

DoD Energy Resilience

Critical Cyber Asset Identification Security Management Controls

Test and Evaluation. The Key to Successful Acquisition Outcomes. Steve Hutchison. 3 October Director Office of Test and Evaluation

EUROPEAN COMMISSION JOINT RESEARCH CENTRE. Information Note. JRC activities in the field of. Cybersecurity

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

The Confluence of Physical and Cyber Security Management

Section One of the Order: The Cybersecurity of Federal Networks.

Space Cyber: An Aerospace Perspective

UNCLASSIFIED R-1 ITEM NOMENCLATURE FY 2013 OCO

Cyber Attacks & Breaches It s not if, it s When

Cyber Security For Utilities Risks, Trends & Standards. IEEE Toronto March 22, Doug Westlund Senior VP, AESI Inc.

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Cybersecurity & Privacy Enhancements

Integrated C4isr and Cyber Solutions

Cyber Resilience. Think18. Felicity March IBM Corporation

Information Warfare Industry Day

Cybersecurity is one of the most important challenges for our military today. Cyberspace. Cybersecurity. Defending the New Battlefield

An Integrative Framework for Secure and Resilient Mission Assurance

Naval Surface Warfare Center,

Supply Chain Integrity and Security Assurance for ICT. Mats Nilsson

Avionics Cyber T&E Examples Testing Cyber Security Resilience to support Operations in the 3rd Offset Environment

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

UNCLASSIFIED. R-1 Program Element (Number/Name) PE D8Z / Software Engineering Institute (SEI) Applied Research. Prior Years FY 2013 FY 2014

2018 WTA Spring Meeting Are You Ready for a Breach? Troy Hawes, Senior Manager

CYBER ASSISTANCE TEAM OVERVIEW BRIEFING

Looking Forward: USACE MILCON Cybersecurity Integration

NYDFS Cybersecurity Regulations

Disaster Unpreparedness June 3, 2013

Cybersecurity (CS) (as a Risk Based Approach) & Supply Chain Risk Management (SCRM) (Levels of Assurance for HwA, SwA & Assured Services?

Regional Resilience: Prerequisite for Defense Industry Base Resilience

Security and Privacy Governance Program Guidelines

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Protecting the Nation s Critical Assets in the 21st Century

Why you should adopt the NIST Cybersecurity Framework

Cybersecurity Planning Lunch and Learn

Balancing Compliance and Operational Security Demands. Nov 2015 Steve Winterfeld

Cybersecurity for Department of Defense Microgrids: An Army Perspective

DoD Strategy for Cyber Resilient Weapon Systems

MIMOSA. PMA-209 Industry Day and FACE Exhibition/TIM Event. October 17, Mr. Matthew Baxter

Boston Chapter AGA 2018 Regional Professional Development Conference Cyber Security MAY 2018

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Bonnie A. Goins Adjunct Industry Professor Illinois Institute of Technology

Transcription:

U.S. ARMY EVALUATION CENTER Cybersecurity vs. Cyber Survivability: A Paradigm Shift March 8, 2018

BLUF The T&E community should stop using the term cybersecurity when what we mean is cyber survivability blogtalkradio.com 2

Agenda What we really want to find out from T&E Definitions of key terms Limitations of the term Cybersecurity Cyber Survivability System Survivability KPP Cyber endorsement Proposed COIC Conclusion Questions 3

What We Really Want to Find Out from T&E Title X: Operational Effectiveness, Suitability, and Survivability DOT&E Policy: Protect, Detect, React, Restore Vulnerabilities and operational impacts System Survivability KPP Cyber Endorsement: Protect, Mitigate, and Restore Survivability COI: resilience and robustness against threats 4

Definitions of Key Terms Cyberspace: global domain within the information environment consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers. JP 3-13 Cybersecurity: Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. DODI 8500.01 Survivability: the capability of military forces to avoid or withstand hostile actions while retaining the ability to fulfill their primary mission(s). AR 73-1 5

Limitations of the term Cybersecurity Cybersecurity How the system is designed Assumed fielding conditions and protections Compliance Evaluation Gap Military Operations How operators actually configure and use the system Actual fielding conditions and threats 6

Cyber Survivability Cyber Survivability Cybersecurity Military Operations 7

System Survivability KPP Cyber Endorsement Cyber Survivability Endorsement IPT published implementation guide Attempts to help craft relevant and meaningful survivability requirements for the cyber domain Leverages RMF but not limited to RMF Creates categories based on mission and risk Three KPP pillars of prevent, mitigate, and recover 8

Proposed Critical Operational Issues and Criteria Critical Operational Issue: Does the system provide robustness and resiliency against hostile activity? Criteria Meets all Federal and DOD Cyber security regulations, guidelines, and practices. Introduces no new Medium/High to High risk exploitable cyber vulnerabilities to the networks and systems with which it interoperates. While access to the system may fail under hostile action, it provides the ability to detect a loss of system integrity and provides the ability to restore the system and data to a known good state. 9

Conclusion The T&E community should stop using the term cybersecurity when what we mean is cyber survivability. Current and emerging policies and regulations concern themselves with cyber survivability and not just cybersecurity. Cybersecurity is a vague and potentially misleading term for senior leadership with limited expertise in that area. We re already evaluating cyber survivability ; we just haven t been consistently using the right term. 10

Questions? www.pinterest.com 11

12 Backup

Cybersecurity Is Important, But It means different things to different people RMF Compliance to get ATO Protection against cyber threats Doesn t translate well beyond traditional IT systems Modern militaries fight with networked weapon systems Security controls are a best-guess effort and threats will find and exploit any false assumptions made in implementation Operational impact of combat systems vastly different than impacts of traditional IT systems It can be mistaken as a discrete attribute that a system either has or doesn t have Perception that efforts are futile Falsely believing a system can be secure 13

Cyber Survivability In line with shift to defining cyberspace as a domain of warfare Emphasizes operational impacts Addresses JROC System Survivability KPP Cyber endorsement Remains in line with DOT&E policy 14

Cybersecurity vs. Cyber Survivability Cybersecurity Adequacy of technical attributes and procedural controls Focused on risk identification and management Cyber Survivability Ability to survive in the cyber domain Focused on impacts to mission(s) systems support/enable 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback