New DoD Approaches on the Cyber

Survivability of Weapon Systems

Colonel Dean “Data” Clothier

Chief, Cyberspace Division

Joint Staff/J-6

CSE is the Critical Foundation for Ensuring Cyber Survivability is Considered as Part of the Operational Risk Trade-Space

UNCLASSIFIED

Purpose/Objectives

• Purpose: Recommend JCB approval of Cyber Survivability Endorsement (CSE) Implementation Guide for the SS-KPP

• DepSecDef (DSD) directed Joint Staff develop Cybersecurity KPPo Initiated when DSD briefed on DOT&E Cybersecurity Report w/ OUSD(AT&L),

OUSD(P), DOD-CIO and VCJCS … Highlighted multiple weapon systems with vulnerabilities that could have been known and fixed prior to DT&E

o Intended to eliminate or sufficiently mitigate known vulnerabilities prior to fieldingo Implemented through deliberate design, test and associated DOTmLPF-P in

applicable operational environmentso Met DepSecDef intent by incorporating CSE into SS-KPP Endorsement

• Objectiveso Drive development of Joint cyber survivability requirements … to meet

requirements for cyber attack prevention, mitigation and recoveryo Ensure performance measures are consistent with the threat and consistently

applied … during requirements definition, development and testingo Ensure cyber survivability and cybersecurity requirements are considered … and

included as part of the operational risk trade-space

End State: All DoD weapon systems are cyber survivable commensurate with a risk managed approach to countering a capable and determined adversary

UNCLASSIFIED

UNCLASSIFIED 2

Kinetic Threats Non-Kinetic Threats

Cyber

Electromagnetic

Spectrum

Cyber Survivability Endorsement (CSE)

Sponsors must address the System Survivability KPP and provide specific Cyber Survivability Attributes (CSA) related to the SS KPP which must be met

- 18 December 2014 JCIDS Manual, Enclosure D

UNCLASSIFIED

UNCLASSIFIED 3

Cyber Survivability Endorsement (CSE)

• Added Cyber Survivability to the JCIDS System Survivability (SS) Key Performance Parameter (KPP)o Cyber survivability is now part of operational risk trade-space

(as of 18 Dec 2014 JCIDS Manual)

• CSE Implementation Guide: Joint Staff led effort with active participation from DoD CIO, AT&L, DOT&E, OUSD(I), DIA, and NSA.o Provides cyber survivability exemplar statements o Includes cyber survivability attributes to aid requirement definitiono Describes tailoring approach for Capabilities Development Document

(CDD) and Capabilities Production Document (CPD) requirements

Build new weapon systems that are cyber survivable commensurate with a risk managed approach to countering a capable and determined adversary

UNCLASSIFIED

UNCLASSIFIED 4

Risk Managed ApproachUNCLASSIFIED

UNCLASSIFIED

The CSE 5 step risk managed approach takes into account several variables … the resulting CSRC provides consistency between levels of CS requirements,

development and testing5

STEP 1: System Mission Types

MT 4 – Strategic / NationalSystems whose degradation would result in the highest risks to achieving national objectives, require the very best cybersecurity practices

Determining the System Mission Type helps define the required cyber survivability protection for the capability

UNCLASSIFIED

UNCLASSIFIED

MT 3 – Operational / TacticalMission systems, munitions, Command and Control capabilities that require unique DoD protections

MT 2 – Military CriticalSelected high impact systems that ensure near-continuous operation with rapid recovery from failures

MT 1 – Mission EssentialMilitary and Organizational Support systems; may be hosted within DoD or commercial facilities

Ex

am

ple

6

STEP 2: Cyber Dependence

1 – Sustain Flight / Maneuverability

2 – Maintain Internal/External Communication

3 – Perform Offensive / Defensive Activities

What is a System’s Cyber Dependence to Perform its Mission Critical Functions?

Criticality Analysis provides basis for cyber survivability emphasis

for critical functions, components and information exchanges

Determine the Mission Critical Functions of the System

UNCLASSIFIED

UNCLASSIFIED

Ex

am

ple

7

STEP 3: How Select Threat Actors

Determine the Level of Most Capable Cyber Threat Actor to the System

Tier IV Advanced

Tier III Moderate

Tier II Limited

Tier I Nascent

Cyber Threat Actor Capability Level

What level of cyber actor must the system be capable of

withstanding if it is to fulfill its warfighting purposes?

IF Insurgent & Irregular Forces, THEN

UNCLASSIFIED

UNCLASSIFIED

*NOTIONAL SCORING

Ex

am

ple

8

STEP 4: Mission Impact

Determine the Mission Impact of Loss For All Mission Critical Functions Due to a Cyber Event

H

M

L

Availability

Minutes

Days

Hours

H

M

L

Integrity

Disruptive

Degraded

Nuisance

H

M

L

Confidentiality

Limited

Serious

Severe

Mission Critical Functions

I Sustained Flight / Maneuverability

II Internal / External Communication

III Offensive / Defensive Capabilities

Critical Function I: What is the mission impact of compromised flight or

maneuverability due to a cyber attack?

• Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information

• Integrity – Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity • Availability – Ensuring timely and reliable access to and use of information

*NOTIONAL SCORING

UNCLASSIFIED

UNCLASSIFIED

Ex

am

ple

9

Ti

er

IV

III

II XI

Tier IV

Tier III

Tier II

Tier I

Threat Actor Levels

IL4, Severe Adverse Effect

IL3, Serious Adverse Effect

IL2, Limited Adverse Effect

Fly X

Communicate X

Act X

X

X

X

Confidentiality

X

X

Integrity Availability

Lo

w

Me

diu

m

Hig

h

Lo

w

Me

diu

m

Hig

h

Lo

w

Me

diu

m

Hig

h

X

Vulnerability in the face of Threat Capability yields Survivability Risk

Systemic VulnerabilityFactor Cyber Threat Actor

for the UAV System System Survivability Risk

The aggregation of the System Risk and the Threat Actor inform the level

of System Security Engineering & Controls applied and the Residual

Operational Risk assumed based on the purpose and intended

operational environment of the system

IL1, Risks Acceptable

for Meeting Military and

Organization Needs

STEP 5: System Survivability Risk

*NOTIONAL SCORING

UNCLASSIFIED

UNCLASSIFIED

Ex

am

ple

10

Cybersecurity Framework IntegrationUNCLASSIFIED

UNCLASSIFIED 11

• Prevent – Design requirements that protect weapon system’s functions from most likely and

greatest risk cyber threats.

• Mitigate – Design requirements that detect and respond to cyber-attacks; enabling weapon

systems functions resiliency to complete the mission.

• Recover – Design requirements that ensure minimum cyber capability available to recover

from cyber attack and enable weapon system quickly restore full functionality

Cyber Survivability Attributes to Tailor in the CDD/CPD

SS KPP Pillars(Mandatory)

Cyber Survivability Attributes (CSA)(All are considered, select those applicable)

Prevent

CSA 01 - Control Access

CSA 02 - Reduce Cyber Detectability

CSA 03 - Secure Transmissions and Communications

CSA 04 - Protect Information and Exploitation

CSA 05 - Partition and Ensure Critical Functions at Mission Completion Performance Levels

CSA 06 - Minimize and Harden Cyber Attack Surfaces

Mitigate CSA 07 – Baseline & Monitor Systems, and Detect Anomalies

CSA 08 - Manage System Performance if Degraded by Cyber Events

Recover CSA 09 - Recover System Capabilities

All 3 Pillars CSA 10 – Actively Manage System’s Configuration to Counter Vulnerabilities

Fundamental to the CSE construct is enabling sponsor to select and articulate CSA choices to achieve each SS KKP Pillar

UNCLASSIFIED

UNCLASSIFIED 12

CSE Scorecard is a management tool to help guide requirements development, andstreamline review process to ensure CSAs are logically considered and articulated

CSE Scorecard Assessment Process

• Requirement Sponsors use the Cyber Survivability Scorecard to document that appropriate CSAs have been considered, and where they are articulated within requirement’s documents.

• CSE analysts use the Cyber Survivability Scorecard to review ICDs, and assess CDDs and CPDs entered into KM/DS with JROC Interest, JCB Interest, or qualify as Joint Integration.

• CSE assessment occurs during the 21 day Document Review and commenting stage within the JCIDS deliberate staffing process.

UNCLASSIFIED

UNCLASSIFIED 13

Systemic Ability to Adapt to New Cyber Threats

• Systems must be capable of quickly adapting to new cyber threats

• Sustaining a system’s cyber survivability requires elements in the resourcing, design, Life Cycle Sustainment Plans, and Ops & Maintenance procedures

UNCLASSIFIED

UNCLASSIFIED

Cyber threats will continue to increase in capability for the foreseeable future14

IPT Approach

• Terms of Reference: Identify exemplars of cyber survivability and cybersecurity capability requirements, which can be utilized in requirements documentation and associated CONOPS use cases and operational architecture information.

• Action Groups: Overall CSE Integrated Product Team led by JS-J6o Requirements Action Group: Co-Led by JS-J6 and DoD CIOo Intelligence Action Group: Led by OUSD(I)o Acquisition Action Group: Led by AT&Lo Testing Action Group: Led by DASD(DT&E)

• Scope: Review capability requirements documentation to ensure traceability and consistency of Cyber requirements throughout the programs’ development, testing and sustainment activities.

• Deliverable: Implementation Guide to support articulating and assessing Cyber Survivability within Capability Requirements Documentation

UNCLASSIFIED

UNCLASSIFIED 15

Wrap Up

• Problem: System survivability requirements not sufficiently articulated for cyber-attack prevention, mitigation and recovery, within requirements documents

• CSE Implementation Guide: Joint Staff led effort, with active participation from DOD-CIO, OUSD(AT&L), OUSD(I), DOT&E, DIA, and NSA

o Includes high level cybersecurity threat exemplar statements … prior to availability of DIA or Service developed system specific threat assessments

o Defines Cyber Survivability Risk Category (CSRC) … to enable a consistent approach to cybersecurity requirements, development and testing

o Outlines Cyber Survivability Attributes (CSAs) … to be considered by the requirement sponsor, which can be consistently applied, implemented by system security engineers and tested by DT&E/OT&E

o Provides Exemplar Requirements and Scorecard … supports development, assessment and management of requirements

CSE Enables System Survivability KPP Endorsement

UNCLASSIFIED

UNCLASSIFIED 16

NDAA Section 1647: Evaluation of

Cyber Vulnerabilities of Major

Weapon Systems of the DoD

UNCLASSIFIED

UNCLASSIFIED

17

NDAA Section 1647

25 Nov 2015: Congress enacted FY16 NDAA S.1647 to evaluate the impact of cyber vulnerabilities on major weapon systems.

• Create a plan based on the criticality of major weapon systems, as determined by the Chairman of the Joint Chiefs of Staff.

• FY16-17 funding available for evaluations (cyber vulnerability assessments and non-recurring engineering design for remediation)

17 May 2016: JROCM endorsed CJCS prioritization required to release funds

29 Jun 2016: Briefed 4 Star- Cyber Investment Management Board

• Funding profile and execution strategy

22 Aug 2016: Develop the plan for conducting evaluations in FY16-19

• Submit quarterly findings to HASC and SASC

31 Dec 2019: “The Secretary of Defense shall, …complete an evaluation of the cyber vulnerabilities of each major weapon system of the Department of Defense…”

UNCLASSIFIED

UNCLASSIFIED 18

Weapon System Prioritization Approach

• Step 1: Services identified major weapon systems to include:

– A subset of OUSD (AT&L)’s Major Defense Acquisition Programs (MDAP) and Major Automated Information Systems (MAIS)

– Including major weapon systems and associated C2 systems essential to accomplishing the QDR missions

– Weapon systems must have reached Milestone B on or before 31 Dec 2015 to be included

• Step 2: Services prioritized Mission Areas (MAs)

– Service methodology for prioritizing major weapon systems

– Service MAs – Self-identified, Mission Capabilities, Core Service Functionality

• Step 3: Services binned major WS within their MAs

• Step 4: Services characterized WS’ Intrinsic Cyber Vulnerabilities (ICV)

– Specific design, technical, programmatic and operational characteristics of a weapon system which “may” increase its vulnerability to cyber attack from a threat actor

– Define cyber vulnerability assessment levels

• Step 5: Joint Staff prioritized WS by binning it to its highest QDR priority and highest ICV score

– Mission priorities identified in the 2014 Quadrennial Defense Review (QDR)

UNCLASSIFIED

UNCLASSIFIED 19

Services Prioritized Mission Areas

2014 QDR Priorities1. Maintain a secure and effective

nuclear deterrent

2. Provide for military defense of the homeland

3. Defeat an adversary

4. Provide a global, stabilizing presence

5. Combat terrorism

6. Counter weapons of mass destruction

7. Deny an adversary’s objectives

8. Respond to crisis and conduct limited contingency operations

9. Conduct military engagement and security cooperation

10.Conduct stability and counterinsurgency operations

11.Provide support to civil authorities

12.Conduct humanitarian assistance and disaster response

JCA• Force Support

• Battlespace Awareness

• Force Application

• Logistics

• Command and Control

• Communications and Computers

• Protection

• Building Partnerships

• Corporate Mgt. and Support

Army• Strategic Mission

Command

• Strategic Weapon System

• Tactical Mission Command

• Tactical Weapon System

• Enablers

USMC• Military Engagement,

Security Cooperation and Deterrence

• Crisis Response and Limited Contingency Operations

• Major Operations and Campaigns

Navy • Decision Superiority

• Power Projection

• Maritime Security

• Sea Control

• Force Generation

Air Force• Nuclear Deterrence

Operations

• ISR

• Command and Control

• Air Superiority

• Space Superiority

• Cyber Superiority

• Global Precision Attack

• Special Operations

• Personnel Recovery

• Rapid Global Mobility

Service Mission Areas

UNCLASSIFIED

UNCLASSIFIED 20

Step 4: Intrinsic Cyber Vulnerability (ICV) Scoring

UNCLASSIFIED

System Name / Service/ MA Hermes / Navy / Combat Terrorism

ICVCumulative

Score63

Range Score Comments Range Score Comments

1. Technical Exposure:a. Origin of technologyb. Export of technology

1 to 81 to 8

54

4. Remaining System Life Expectancy 1 to 3 3

Overall Technical Exposure 9 Overall Remaining Life Expectancy 3

2. Degree of Connectivity or Isolation:

a. Type of networks required for WSb. Level of connectivity required for

WS data flowsc. Type of COMSEC: strength of

encryption

1 to 171 to 15

1 to 4

49

3

5. Vulnerability Assessments:a. Level of Assessmentb. Currency of Assessment

0 to 40 to 3

11

Overall Degree of Connectivity 16 Overall Vulnerability Assessment 2

3. Intrinsic Cyber Dependencya. Type of remote access requiredb. Critical components/functions

exposed to cyber threatsc. Cyber capabilities required

throughout the operations cycle

1 to 51 to 17

1 to 7

514

7

6. System Owner Insights:a. Cyber Mitigation to

Vulnerabilitiesb. Cyber Resilience

1 to 91 to 9

52

Overall Intrinsic Cyber Dependence 26 Overall Owner Insight 7

ICV Cumulative Score 63

“Intrinsic” Cyber Vulnerability: Specific design, technical, programmatic and operational characteristics of a weapon system, which are

indicators of vulnerability to cyber attack21

No

tio

na

l E

xa

mp

le

Evaluation Process

Step 1: Target List - Provides a list of systems to Evaluated by FY, by Event

Step 2: Threat Folders/Cyber Table Top - Outlines Key Cyber Terrain; informs planners, operators, and system owners

Step 3: Test Design - Describes the purpose, scope and objectives of the event to include: Design of Experiments w/ MOP’s, and MOE’s and Mission Thread Analysis

Step 4: Detailed/Operational Test Plan – Developed with event /range planners details MEL, scenarios, and rules of the road

Step 5: Test Execution - Operational/ Laboratory event designed to stress the system and or the operators in a cyber contested environment

Step 6: Green Book Mitigation - cost, performance, and schedule implications of the vulnerabilities discovered. Includes a Senior Level Review and approval of Risk (Operational and Acquisition)

Step 7: Validation – Confirmation of implementation of Corrective Actions

Step 8: Quarterly Report to Congress – Co Authored summary of findings and path forward

Step 9: Waiver Candidates – Determine if any systems qualify for assessment exclusion

22

This 9-step process follows the DoDI 5000.02 and the DOT&E TEMP Guidebook.

UNCLASSIFIED

UNCLASSIFIED 22

FY17 Goals & Objectives

• Conduct cyber vulnerability assessments

• Develop a knowledge sharing capability

• Service Chiefs present risk assessments and mitigation plans to

SECDEF

• Initiating effort to better understand what cyber SA for mission

systems

• Investment buys down risk for military operations in FY19 and

beyond

UNCLASSIFIED

UNCLASSIFIED

23