Shore Triad Cyber Summit NAVFAC Cyber Strategy Update 4 March 2016 Brandon T. Jones NAVFAC CIO (Acting)


Shore Triad Cyber Summit

NAVFAC Cyber Strategy Update

4 March 2016

Brandon T. Jones

NAVFAC CIO (Acting)


Six-Step RMF Process

Cyber Secure Definitions

Protect, Detect, React (Mitigate), Recover

Interim Secure (Mission Assurance): Initial actions taken to address Control System vulnerabilities as quickly as possible.

Fully Secure: Following the six-step RMF process to completion and receiving an ATO for respective system.

For the FEC, it means:
• PE and N-UMCS have been deployed
• Accomplished Facility Control System Assessments
• Developed Accreditation Packages
• Developed & Installed Facility Equipment
• Connected Facilities to PE & N-UMCS
• Actively monitoring the Control Systems


Cyber Strategy Accomplishments

Notable cyber accomplishments and milestones include:

• Successful CYBERSAFE Audit: NAVFAC CIO worked with OPNAV to perform and pass a functional audit of policies and procedures to certify the CYBERSAFE Program Office.
• Interim secure tasks in Hawaii: Operational technology (OT) resources have completed interim secure tasks for Hawaii installations.
• PE Deployed: Performed initial deployment of Platform Enclave (PE) in support of operational technology cyber security architecture in Hawaii, Mid-Lant, Southwest, Southeast, Marianas, EURAFSWA. Far East will be complete in March 2016.
• Tri-Service TEM and Navy TEM: NAVFAC hosted and facilitated a Tri-Service (1st of its kind) and a Navy Technical Exchange Meeting (TEM) for Cyber security.
• Fleet R3B Brief: Communicated and partnered with Fleet Audience led by FFC Exec Director
• Fleet FCRC Brief: Communicating the risk of shore facilities to Fleet Commanders ADM Davidson and ADM Swift
• PDASN EIE Brief: Update to Mr. Iselin on the State of Control Systems


High Level Timeline for NAVFAC Cyber Initiatives

[Timeline chart; bar positions are not recoverable from the extracted text.]

Columns: Capabilities, FY16, FY17, FY18, FY19, FY20

Legend: Milestone; Plan & Implement Activities; Ongoing Activities

Row labels, in the order extracted:
• Cyber Security
• ICS-PE (Installed)
• AMI (Installed)
• N-UMCS (Installed)
• TCA (PRI1)
• SICA (PRI2)
• EIB (PRI3)
• ATFP
• CYBERSAFE
• Functional Audit
• Categorize Systems
• Assign Grade
• Cyber Hygiene Ongoing
• RMF AO/SCA
• NAVFAC Cybersecurity Resourcing (IT Staff only)

Resourcing labels: 100 FTE Authorized; 81 FTE Authorized; 70 FTE Authorized; 46 FTE Hired (31 DEC)

Bar annotation (appears four times): Assessed, interim secure, RMF started


Commanding Officer Accountability

Each CO will be responsible for completion of the following priority activities. This will require coordination between CNIC and NAVFAC.

Activity / Description

Cyber Hygiene
• System Inventory
• Update hardware and software
• Change default passwords
• Remove unused accounts
• Train administrators and operators

Inventory
• Leverage existing resources to begin inventory process (Maximo, DCIP if available; POC ISSM)
• Conduct manual inventory of buildings and assets with CIO4, PW6 and ISSM

Criticality Assessment
• Group mission capabilities by relative importance
• Decompose mission capabilities into critical functions
• Map missions and critical functions to critical components
• Identify and include components that do not directly implement critical functions but have unmediated access to or protect critical functions
• Assign Criticality Levels to the identified critical components

CYBERSAFE
• Assign CS Levels 1-4
• Assign Grades A/B/C
• Assign Conditions of Readiness X/Y/Z

RMF
• Categorize Information Systems
• Select Security Controls
• Implement Security Controls
• Assess Security Controls
• Receive ATO
• Monitor Security Controls


Cybersecurity Enterprise Dashboard


CYBERSAFE - SYSCOM Office Certification

Implementation Test-Drives will serve as a certifying event for CYBERSAFE processes at each SYSCOM.

Test-drive timeline (from the slide graphic):
• ADNS, SPAWAR, OPNAV: 2-6 Nov 2015
• SSDS, NAVSEA: 12-14 Jan 2016
• ICS Platform Enclave, NAVFAC: 26-28 Jan 2016
• H60 & Unmanned Vehicle, NAVAIR: 8-10 Feb 2016
• Supply Chain Risk Mgmt, NAVSUPSYSCOM: 15-16 Mar 2016
• GATOR, MARCORSYSCOM: TBD

Other graphic labels: HQMC Lead; Lessons Learned (appears five times)


Functional Audit Objectives

• Assess NAVFAC CS management processes are compliant with the Draft CS Instruction V.06
• Conduct tabletop process review of NAVFAC CS Program to assess end-to-end program compliance
• This audit did NOT focus on technical assessment of Industrial Control System Platform Enclave


Functional Audit Outbrief

Evident that this is a Commander’s priority
– Mr. McLaurin 9-month detail to OPNAV CYBERSAFE Office & Navy Cybersecurity Division (formerly TFCA); Ms. Deb Jordan was TFCA Deputies participant

Two major findings
– Designation Letter for NAVFAC CYBERSAFE Program Director
  • COMPLETED
– Designation Letter for CYBERSAFE ICS-PE Program
  • COMPLETED

Improvements
– People – capacity for execution
– Processes – sufficient and maturing while we learn
– Authorities - documentation revisions

NAVFAC and ICS-PE Program commitment list
– Regular progress updates

SECNAV/OPNAV Instructions

Provided lessons learned for future audits
– NAVAIR: February 2016
– NAVSUP: March 2016

Final Report upon completion of all audits

Purpose: To assess if NAVFAC’s CYBERSAFE (CS) management processes are compliant with the Draft CS Instruction v0.6

UNCLASSIFIED/FOUO

Tri-Service TEM Metrics

Audience Metrics
• Over 90 attendees over the course of the 4-day conference
• Attendees included 18 SES, 1 Flag Officer, and 4 Senior Officers
• Attendee feedback was collected on a scale of 1-5 (unsatisfied to very satisfied) via survey for a series of questions; overall satisfaction analyzed for Days 1-3 fell in the satisfied to very satisfied range

Organizations Present
Audience: Air Force, Army, Marine Corps, Navy, DLA, National Labs, CYBERCOM, and OSD
Speakers: NAVFAC, Air Force, Army, Navy, Office of Naval Research, SPAWAR, NAVSEA, USACE, AFCEC, DOD, National Labs

[Bar chart: RESPONDENT OVERALL SATISFACTION. Y-axis: Rating, 1 to 5. X-axis: Day One, Day Two, Day Three, Day Four, Overall. Bar values as extracted: 4.79, 4.48, 4.42, 4.15, 4.74.]

UNCLASSIFIED/FOUO

Tri-Service TEM Agenda

TEM Day 1
Facility Commands Cyber Overviews:
• NAVFAC
• Air Force
• USACE
Enterprise Cyber Security:
• Holistic Approach to Cybersecurity
• The Unique Challenges to Secure Control Systems
• Navy’s Task Force Cyber Awakening
• Air Force’s Task Force Cyber Secure

TEM Day 2
Cyber Security Science:
• Delivery Secure Facilities
• Planning Secure Facilities
• Johns Hopkins University/Applied Physics Lab
Cyber Security Policy:
• Navy: OPNAV N2/N6
• Air Force: AFCYBER
• ARCYBER/2nd Army
• OSD: Overview of Efforts

TEM Day 3
Technical Discussion:
• Navy’s Platform Enclave
New Instruction:
• Cyber UFC and UFGS
DoD Guidance:
• Risk Management Framework: Fundamentals, Process, and Issues

TEM Day 4
Roundtable Discussions:
• Outcome of Army’s Systematic CS Inspection
• Update on Control System Inventory
• Configuration Management Control
• Workforce Development Plan
• Strategy to Cyber Secure Facilities
• Navy Control Systems Test Bed

UNCLASSIFIED/FOUO

Overarching Tri-Service TEM Themes

The following themes were reiterated throughout the TEM:

1. Train the Workforce
• Provide training for the workforce which allows them to be successful given new requirements
• Consider the following trainings: control systems, cybersecurity, facility engineering, etc.

2. Address Policy Gaps
• Create DOD-level policy to provide standard direction across services
• Develop cradle to grave guidance which can be used to cyber secure facilities (RFP through build and maintenance)

3. Differentiate Compliance vs. Residual Risk
• Risk Management Framework is used as a compliance tool but should be leveraged to determine overall risk to the mission and to the shore domain
• Compliance does not equate to security

4. Reach Reciprocity through Inheritance
• Leverage service specific accreditations across DOD to reduce duplication of effort for similar systems
• Risk Management Framework process maximizes inheritance within the systems

5. Consolidate Assessments
• Consolidate existing assessments to one that meets varying needs
• Reduce level of effort to collect required information

UNCLASSIFIED/FOUO

Navy Ashore TEM Metrics

Audience Metrics
• Over 80 attendees over the course of the 4-day conference
• Attendees included 13 SES, 2 Flag Officers, and 4 Senior Officers
• Attendee feedback was collected on a scale of 1-5 (unsatisfied to very satisfied) via survey for a series of questions; overall satisfaction analyzed for Days 1-3 fell in the satisfied to very satisfied range

Organizations Present
Audience: SPAWAR, NAVSUP, NAVSEA, NAVFAC, Navy Information Forces, DOE, NAVMETOCCOM, ONI, OPNAV N46, CNIC, NAVMED, PNNL
Speakers: CNIC, DISA, NAVAIR, NAVFAC, NAVMED, NAVMETOCCOM, NAVSUP, OPNAV, SPAWAR, USCYBERCOM, PNNL

[Bar chart: RESPONDENT OVERALL SATISFACTION. Y-axis: Rating, 0 to 5. X-axis: Day One, Day Two, Day Three, Day Four, Overall. Bar values as extracted: 4.65, 4.65, 4.59, 4.43, 4.56.]

UNCLASSIFIED/FOUO

Navy Ashore TEM Agenda

TEM Day 1
• Navy Cyber Overview
• NAVFAC’s Cyber Role Ashore
• NAVSUP Cyber Overview

TEM Day 2
• Navy’s Cybersecurity Landscape
• Navy Exchange Service Command Information Technology Overview
• Supply Chain Cyber Landscape
• Securing Power to the Navy

TEM Day 3
• Cybersecurity Architecture
• Shore Control Systems Test Bed
• Zoning and Anomaly Detection in a Low Entropy Environment
• IA / TA Update

TEM Day 4
• Command Cybersecurity Overview
• NAVSEA
• SPAWAR
• NAVAIR
• NAVFAC’s Role as Shore AO / SCA

Further agenda items (day assignment not recoverable from the extracted text):
• Components of Cybersecurity
• IoT Vulnerability Research, Cyber Talent Gaps, and the Global CSIRT Community
• NAVFAC’s Security Architecture
• Cyber Engineering Best Practices
• Cyber Hygiene
• Cyber UFC and UFGS
• Cybersecurity Technology in Action
• Cyber in Medical Technology
• Cybersecurity for the Naval Meteorology and Oceanography Command
• Breaking Down Barriers and Modernizing Cyber in the Navy Ashore Environment
• Securing Building and Utility Systems
• Tri-Service TEM Summary and Highlights
• Cybersecurity Strategic Approach
• Securing the Security Systems
• PSNet for Secure Transport
• Enabling the Fleet
• Cybersecurity Workforce Development


UNCLASSIFIED/FOUO

Overarching Navy Ashore TEM Themes

The following themes were reiterated throughout the TEM:

1. Fleet: One Team, One Fight
• Users must understand that cybersecurity is no longer an option, it’s the ‘way of life’
• Cross-SYSCOM team working with Fleet, OPNAV, FCC and other stakeholders

2. Train the Workforce
• Provide training for the workforce which allows them to be successful given new requirements
• Understand the differences between HQ and Echelon personnel
• Workforce retention and insourcing inherently government roles is critical

3. Educate on Risk Management Framework
• Risk Management Framework offers a systems-engineering based approach to managing security controls
• Compliance does not equate to security; what risk is being assumed
• Selection of security controls presents an opportunity for inheritance

4. System Inter-relationships Ashore
• Recognize complexity of shore systems with other SYSCOMs back to NAVFAC
• Collaboration is paramount to accurately assess and secure control systems against adversaries


Workforce Development

Gaps realized with the need to cyber secure control systems:
– Business Systems security process is well defined and appropriately staffed; not applicable to control systems under old requirements
– Control Systems were installed without regard to cybersecurity; supported by facility engineers and last for decades with little change
– Traditional cyber staff lack control system experience and process knowledge
– Facility Operational personnel prioritize availability, not cybersecurity
– Accreditation: business focused; ashore control systems not required

Solution to begin workforce development:
– Insert cyber into each step of Facility Life Cycle
– Train & Team with SME process owners
– Develop cyber criteria, specs, and guidance
– Take on SYSCOM TA role and AO/SCA mission
– Leverage SYSCOM partners’ courses
– Increase awareness with every opportunity

Training dedicated cybersecurity staff onboard and along existing staff to become cyber-smart || Control System Cyber Boot Camps DEC 15 and MAR/JUN 16 || Standards, Guidance & Processes being created and updated


Workforce Training

The following actions are being taken to develop workforce:
• Explore control system cyber security certification programs
• Increase Validator, Information Assurance training
• Obtain forensic, monitoring, and ethical hacking expertise
• Build expertise for IT and SCADA product programs
• Gain training on cyber security tools and supporting suite
• Partner with DoD Cyber Range and leverage National Labs

Provide internal training (i.e. NAVFAC ICS Boot Camp Dec ’15):
– Security Architecture, Threat, Control Systems, Substation, ICS OPS Center, Strategy
– Participation with NAVFAC Functional, OSD, Air Force, SECNAV, CNIC, USMC

Utilize global cybersecurity support staff
– 9 Regions, Dev Lab and Test Bed

[Bar chart: NAVFAC Cybersecurity Staff. Series: Hired, Authorized. X-axis: FY14, FY15, FY16, FY17, FY18. Y-axis: 0 to 100. Data labels as extracted (some fused together): 1133, 4611, 43, 70, 81100.]

UNCLASSIFIED/FOUO

Current Challenges

NAVFAC also recognizes there are current challenges that may prevent organizations from reaching their ideal cybersecurity end state.

1. Risk Management Framework
• Knowledge gap of experience exists - makes the transition from DIACAP to RMF seem very daunting
• The application of RMF is not clearly defined; must identify shore critical assets in addition to TCAs
• There is disagreement surrounding how to measure risk vs. compliance

2. Workforce Education and Training
• Agility is something to insource
• Differences in training approaches in the cyber workforce, about cyber hygiene, and between the fleet vs. echelon staff

3. Coordination within and between Organizations
• Looking for more buy-in and support from external organizations
• Furthering partnerships within Navy, DoD, National Labs
• Continuing momentum with process after the TEM has concluded

4. Unified Presence and Stance
• Implementation of CYBERSAFE across the supply chain and all of Command IT ashore
• Standardized definitions and requirements
• Set expectations from Command to Users - one team, one fight
• Contradicting perspectives of “secure” systems between non-DOD government leaders, who follow industry convention, and the DoD intelligence community


RMF for IS and PIT Systems

Step 1 Categorize Systems
• Categorize the systems in accordance with the CNSSI 1253
• Initiate the Security Plan
• Register the system with DoD Component Cybersecurity Program
• Assign qualified personnel to RMF roles

Step 2 Select Controls
• Common control identification
• Select security controls
• Develop system-level continuous monitoring strategy
• Review and approve the security plan and continuous monitoring strategy
• Apply overlays and tailor

Step 3 Implement Security Controls
• Implement Controls Solutions consistent with DoD component cybersecurity architectures
• Document security control implementation in the security plan

Step 4 Assess Security Controls
• Develop and approve security assessment plan
• Assess security controls
• SCA prepares security assessment report (SAR)
• Conduct initial remediation actions

Step 5 Authorize System
• Prepare the POA&M
• Submit Security Authorization Package to AO
• AO conducts final risk determination
• AO makes authorization decision

Step 6 Monitor Security Controls
• Determine impact of changes to the system and environment
• Assess selected controls annually
• Conduct needed remediation
• Update security plan, SAR and POA&M
• Report security status to AO
• AO reviews reported status
• Implement system decommissioning strategy

Risk Management Framework (RMF) for DoD IT replaces previous DIACAP framework in providing DoD Information Assurance.

The RMF POA&M for Operational Technology is currently being developed by NAVFAC with an expected implementation start date in 2017.

FEC cybersecurity team members will use the RMF POA&M to implement controls based on the assessments and grading done during CYBERSAFE.


ICS-PE / N-UMCS Relationship

Base A

Base B

Base C


Appendix


CYBERSAFE Assessment Components

CYBERSAFE is the assessment of assets to determine criticality categorization and grade in preparation for controls assignment.

The assessment consists of the following three components:
− Cyber System Levels
− CYBERSAFE Grades
− Cyber Conditions of Readiness

Cyber System Level
• CSL 1: Platform Safety
• CSL 2: Platform Combat
• CSL 3: Networked Combat
• CSL 4: Sustained Combat

CYBERSAFE Grade
• Grade A: Mission Critical
• Grade B: Mission Essential
• Grade C: Non-Mission Essential

Cyber Condition
• Conditions X, Y, Z; network states FULL NET (shown with X), SEMI NET, NO NET

Descriptions from the graphic:
• Operate: Operating mode of platform based on likelihood of cyber attack
• Design: Functionality Hierarchy of system to end-to-end mission
• Procure, Design & Build: Level of cyber protection incorporated into system design

Other graphic labels: TECHNICAL CAPABILITIES; Material


NAVFAC CYBERSAFE Prioritization Approach

NAVFAC will leverage existing Mission Assurance (MA) efforts and lessons learned from these efforts to execute CYBERSAFE across the command.

NAVFAC will prioritize all assets to determine the order they will be assessed for CYBERSAFE compliance utilizing the following approach:
• Priority 1: Task Critical Assets.
• Priority 2: Supporting Infrastructure Critical Assets.
• Priority 3: Other priority assets as identified by CNIC’s Commander and Combatant Commands.
• Priority 4: All remaining assets.

FEC cybersecurity teams will contribute to CYBERSAFE categorization, grading, and documentation.


FEC CYBERSAFE Process

NAVFAC System Categorized process begins with FEC level system categorization.

FEC cybersecurity teams will:
• Categorize the system using Navy’s CYBERSAFE and RMF standards and guides.
• Assign CYBERSAFE grade using CYBERSAFE grade criteria and AO standards.
• Conduct criticality analysis.
• Assign CYBERSAFE controls based on grade.
• Tailor controls based on RMF Process.
• Document and justify security controls for RMF and CYBERSAFE.

Documents generated at the ECH IV level will be reviewed and approved by ECH III and NAVFAC CYBERSAFE PMO.

NAVFAC approved documents will be distributed to OPNAV, FFC/CPF/FCC, TYCOMS, and IDFOR.


CYBERSAFE Audit Team Members

OPNAV N2/N6 (Theresa Everette, CDR Low, Paula Jackson)

NAVFAC (Mike Kilcoyne, Marrio McLaurin, James Kim, Craig St. John)

CNIC (Wendy McFadden, Kim Ellis)

NAVSEA (Pat Hoff)

SPAWAR (Charlie Nolan)

IDFOR (CDR Fernandez, LCDR Fisher)

MARCORSYSCOM (Erin Valliere)

NAVAIR (Kafayat Kelani)

NAVSUP (Steve Kozick)

FCC (Alan Rickman)