
Chris Lovejoy

Chris Lovejoy. GS-15/Computer Scientist. Cyber Technologies Division. 27 Feb 2019. CONTROL SYSTEMS APPROVED PRODUCTS LIST. Distribution Statement A: Approved for public release; distribution is unlimited. U.S. critical infrastructure is at risk


Presentation Transcript


  1. CONTROL SYSTEMS APPROVED PRODUCTS LIST
     Chris Lovejoy, GS-15/Computer Scientist, Cyber Technologies Division
     27 Feb 2019
     Distribution Statement A: Approved for public release; distribution is unlimited

  2. Problem
     • U.S. critical infrastructure is at risk: Extensive dependency on highly vulnerable information technology and industrial control systems equals unacceptable and growing risk
     • The threat is pervasive: Virtually any actor with substantial resources can now develop or buy the capability to attack elements of U.S. critical infrastructure/DoD warfighting facilities with cyber weapons
     • DoD is not postured to stop most dangerous attacks: The offensive cyber capabilities of our most capable potential adversaries are likely to far exceed our ability to defend
     (Defense Science Board 2017)
     • Due to numerous other DoD priorities, a low-cost or no-cost solution is needed

  3. Threat Description
     • Criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.
     • KEY POINT: They find and exploit unknown vulnerabilities.
     (Defense Science Board – Cyber Threat Tier IV Adversary)
     IT = Information Technology; OT = Operational Technology (i.e. control systems)

  4. Vignette of a Preventable CS Failure, Example 1
     • Beginning on 23 December 2015, Ukraine lost power to 225,000 people, and the U.S. Department of Energy, FBI, and others concluded that the outage was caused by remote cyber attackers
     • The attackers were successful since they were able to:
       • Damage human-machine interface and other systems with malware, rendering them inoperable
       • Modify firmware on serial-to-ethernet devices at substations, causing them to not function properly
       • Disable control center backup power by remotely reconfiguring “uninterruptible power supplies” to fail
     • DoD uses similar equipment, and these types of vulnerabilities in commercial systems would be identified and resolved by the CS APL

  5. Vignette of a Preventable CS Failure, Example 2
     • DoD is spending billions of dollars on microgrids due to concerns for the future reliability of the main power grid
     • Per microgrid vulnerabilities seen in Combat Capability Development Command (CCDC) Aviation & Missile Center labs, DoD’s microgrids might not be any more reliable than the main power grid
     • We have also seen these microgrids employed at DoD installations with back-door connections that bypass border security, making the vulnerabilities easily accessible by remote attackers
     • Vulnerabilities in these commercial microgrid controllers and DERs would be identified and resolved via the CS APL
     DER = Distributed Energy Resource (solar cells, battery banks, etc.)

  6. The Solution: Control Systems Approved Products List
     [Diagram: Current State vs. Proposed State]
     • Current State: Redundant Evaluations (x 500) at posts, camps, and stations; Higher Cyber Risk
     • Proposed State: 1 Expert Centralized Evaluation Process (Cybersecurity, Interoperability, Secured Functionality); Approved Products List for all posts, camps, & stations (x 1)
     • Control system categories shown: Weapons; Emergency; Medical; Power Grid & Microgrid; Industrial; Fire Systems; Building CS; Fuel/Logistics
     • Evaluate ONCE instead of at EVERY post, camp, and station

  7. Anticipated Benefit #1: Large-scale Cost Avoidance
     • Avg Cost of Each OT Assessment: $149K
     • Number of Installations: 5,000
     • % of Installations Using the same specific OT: 50
     • Cost per year for 1% of the Installations to Assess the same specific OT Product ($149K * 50): $7.45M
     • Currently Under Development:
       • Fully functional test environment (facility with test tools, traffic generators, etc.) staffed by qualified personnel
       • Test plans and processes
       • Portal where manufacturers can check status and Gov’t buyers can see APL and access sensitive reports
     • The process will be self-sustaining via FAR Part 9.2
     * Not Adjusted for Time Value of Money
     ** Accounts for Initial investment of $3.5M

  8. Anticipated Benefit #2: Massive Improvement to Cybersecurity for our Nation’s Sensitive Underbelly
     • Qualified test and assessment team
     • Garrisons and others have not been equipped to deal with the recent trend of connecting devices that have historically not been connected (e.g. “industrial internet of things”), so cybersecurity has either not properly been addressed, or not addressed at all
     • An expert team that knows how to test, assess, and secure control systems fills this gaping void
     • Easy to use, and desired by numerous DoD and other Federal organizations and CS manufacturers, so benefits will be achieved

  9. Stakeholders currently involved in development of the process:

  10. Program Inception and Development
     • OASD, Energy and the Combat Capability Development Command (CCDC) Aviation & Missile Center conceived the program, and CCDC Aviation & Missile Center has been provided DoD Reform start-up funds to develop the program
     • The aggressive program development is on schedule
     • Key CS APL dates:
       • Initial Operating Capability: 15 Dec 18
       • Full Operational Capability: 8 Apr 19
     • Numerous Federal departments eagerly await the CS APL, and manufacturers are eager to participate

  11. Grassroots Development
     • In addition to the CCDC Aviation & Missile Center’s efforts, a 98-person group of participants from across the DoD and the Federal Government meets every two months to discuss status
     • Tiger Teams meet twice a week to work through key challenges to ensure a program is developed that meets the needs of all DoD and Federal Government organizations
     • Tiger team participants include volunteers from:
       • Army
       • Navy
       • Air Force
       • Marine Corps
       • DoD Chief Information Office
       • Defense Information Systems Agency
       • Coast Guard
       • Washington Headquarters Services
       • General Services Administration
       • National Security Agency
     • Numerous Federal departments eagerly await the CS APL, and manufacturers have said they are eager to participate

  12. Why does a CS APL matter to Services?
     • Provides vetted list of approved CS products, easing acquisition burden
     • Testing documentation may be reused
     • Reduces assessor burden with standard, repeated process
     • Doesn’t cost them anything—initial test and assessment funded once by Manufacturers (FAR 9.2) then reused
     • CS APL delivers benefits that are security multipliers: value and efficiency

  13. Why an Approved Products List for CS?
     • TECHNOLOGY: Risk Reduction; Secure DoD Control Systems; CS Acquisition Confidence; Cost Savings/Cost Avoidance; Support of Federal, DoD Initiatives; Validated CS Security; Reliable, Interoperable Systems; Streamlined Approval Processes
     • PROCESSES: Cost Savings/Avoidance; Ease of Specification/Acquisition Burden; Centralized Support of Cybersecurity Initiatives; Mission Assurance Support
     • PEOPLE: Dedicated, Trained CS Testing Workforce; Increased Industry Collaboration; Eased Burden of CS Owners
     • A CS APL Brings People, Processes, and Technology Together for Enhanced and Cost-Effective Control System Cybersecurity and Resiliency

  14. Evaluation Scope - IT vs. OT (CS)
     • External IP Network: External Firewalls, DMZs
     • DISA UC APL
     • Level 5, CS Perimeter, DMZ, Management: CS Firewalls, Scan, Patch, Audit Servers
     • Level 4, CS Front End, IP Network: CS Network Enclave, Servers, Workstations
     • Level 3, Field Point of Connection: CS Switches, Routers, Firewalls
     • Level 2, Field IP-Based Control Systems: Controllers, Field Switches, Computers
     • OSD/CCDC Aviation & Missile Center CS APL
     • Level 1, Non-IP Field Control System: Serial/Non-IP Controllers, Network
     • Level 0: Sensors & Actuators

  15. To fully exploit RMF “reuse,” need to build reusable components/subsystems in eMASS. There are two ways to do this:
     • Assess Only. This is the replacement for previous “Certification of Networthiness.” System Owner would be able to request inheritance from the Assess Only entity.
     • Type Authorization. This would require identical implementation of systems in order to achieve reuse.
     These options are still being considered by the Office of the Secretary of Defense with no definitive guidance at this time.
     RMF = Risk Management Framework; eMASS = Enterprise Mission Assurance Support Service

  16. What Else do Manufacturers Need to Know?
     • Test and assessments to be funded by manufacturers via FAR Part 9.2—start budgeting now (costs to be announced later)
     • Comply with applicable NIST requirements (e.g. SP 800-53) as a baseline
     • Planned start for test and assessment: 8 April 2019
     • More information coming. Possible distribution channels include:
       • www.fbo.gov
       • www.cs-apl.com
       • www.serdp-estcp.org

  17. Conclusion
     • The CS APL will reduce RMF costs while also increasing security
     • DoD and other Federal organizations are helping to develop it and are eager for it
     • Manufacturers are eager to participate (and fund it)
     • CS APL will be self-sustaining, though funding a PMO will save even more cost and will fill the second gaping cybersecurity hole of not knowing where control system equipment is located
     • Massive Cost Avoidance AND Massive Cybersecurity Improvements

  18. Questions? There will be a CS APL table in the lobby for the rest of the day. Please stop by if you have remaining questions.

  19. Web Site www.amrdec.army.mil Facebook www.facebook.com/rdecom.amrdec Instagram www.instagram.com/USARMYAMRDEC Twitter @usarmyamrdec Public Affairs usarmy.redstone.rdecom-amrdec.mbx.pao@mail.mil
