TRANSCRIPT
Title: Cybersecurity and the Logistics Professional
Date: 31 January 2018
Presenters: Roy Wilson and Vincent Lamolinara, Professors of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region
Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region
Purpose
Webinar for DoD Logistics Professionals & Product Support Managers (PSM), focused on enhancing success in fielding and sustaining cyber-secure ACAT I MDAP/MAIS and/or Major Weapon Systems
Cyber Threat to DoD systems
“The DoD should expect cyber attacks to be part of all conflicts in the future, and should not expect competitors to play by our version of the rules” (p. 5)
The Rules Don’t Apply To Cyber
Think like a hacker
Threat Vector
The Targets
• Information Systems
• Defense Business Systems
• C3I
• System Development (government/contractor)
• T&E
• Logistics
• Weapon Systems
• Other Information Technology
• Critical Infrastructure
• Industrial Control Systems
• SCADA
• Medical
Weapon System Targets
The cyber kill chain
Penetration Phase
[Figure: “Wheel of Access”, a.k.a. “Wheel of Doom”. Labels recoverable from the slide: MISSION, PLAN/OPS, DIRECT CONNECT]
Think like a hacker
Where does the logistician have a role/responsibility?
Supply Chain Attack
Approved for public release, February 6, 2017
• The task force concluded that USD(AT&L) must strengthen lifecycle protection policies, enterprise support, and R&D programs so that weapons systems are designed, fielded, and sustained to reduce the risk of cyber supply chain attacks.
• But how?
• Example platform: 16K+ components
• 50 safety critical
• 3K+ mission critical
• SW vs HW in the supply chain
“Of particular concern are the weapons the nation depends upon today; almost all were developed, acquired, and fielded without formal protection plans.”
Supply Chain Attack
Counterfeit Parts Put Troops at Risk!
“PENTAGON RESPONSE – Capitol Hill: Faced with a torrent of counterfeit parts that pose a serious risk to the lives of American servicemen and to the performance of sophisticated weapons…”
Cyber and the 12 IPS Elements
Now… consider the IPS elements for any system: what are the potential cyber risks and consequences?
• Improper Labeling / Transport
• Maintenance Data Integrity
• Inadequate Tech Data Rights for Cybersecurity Assessment
• False Supply Trends
• Incorrect Interface Documentation
• Faulty Tech Pubs
• Access to Classified Weapon Systems & Critical Infrastructure
• Improper Maintenance Procedures
• Access to Personnel Data
• Inadequate Response to Cyber Incident
Cyber and the Logistician
All have responsibility…
“Every member of the acquisition workforce… through the entire lifecycle… includes systems that reside on networks and stand alone systems that are not persistently connected to the networks during tactical and strategic operation… (includes) fielding, sustainment, and disposal… data… support data (e.g., training, maintenance data) for the system… logistics, training, maintenance…”
DODI 5000.02 – ENCLOSURE 14
Should logisticians play a role in cybersecurity?
DoD’s Answer!
Breaking the Cyber Kill Chain
JROCM 009-17 System Survivability KPP
• Ensure (Joint) Mission Assurance
• KPP = Kinetic, EW and Cyber environments
• Key Efforts: Prevent, Mitigate, Recover
NDAA Section 1647
• Evaluation of Cyber Vulnerabilities of Major Weapon Systems
[Figure: Balanced Survivability triad – Prevent, Mitigate, Recover]
System Security Working Group
SSWG membership:
• LOG
• POPL
• Cyber Team (ISSM, ISSO, ISSE)
• Security
• Intel
• T&E
• SEAT
• User
• Contractor
• Ad Hoc (includes as needed: PM, BFM, CON, T&E, et al.)
System Security Working Group
SSWG Inputs:
• CDD
• Acq Strat
• DODAF
• DoDI 5000.02
• DoDI 8500.01 (RMF)
• DoDI 5200.44 (TSN)
• NIST SP 800-53
• DoD Cybersecurity T&E Guide
SSWG Outputs:
• Program Protection Plan
• Cybersecurity Strategy
• Criticality Analysis
• TEMP Appendix E
• AT Plan
Security Engineering Inputs (to):
• SEP
• Design
• RFP
• SCG
• LCSP
• DMSMS Plan
• Budget
Life Cycle Sustainment Plan
• LCSP section 12 and/or 13 needs to address how the product support package supports meeting the statutory and regulatory requirements for cybersecurity
• 12.0 Product Support Package Implementation
• 13.0 Other: Describe any special topics that cut across functional lines and not already addressed, at a minimum:
• RMF, including describing any open risks and plans.
• Apply critical thinking to IPS elements
Logistics Documents with Cyber Implications
• Diminishing Manufacturing Sources/Materiel Shortages (DMSMS) Plan
• Counterfeit Parts Prevention Plan
• Reliability, Availability, Maintainability-Cost (RAM-C) Rationale Report
• Manpower Estimate Report (MER)
• Warranty Plan
• Condition Based Maintenance Plus (CBM+) Plan
• Technical Order/ Manual Validation, Verification, and Quality Assurance Plans
• Training System Requirements Analysis (TSRA)
• System Training Plan (STP)
Open Discussion
Cybersecurity in the Defense Acquisition System (DAS)
Overarching Tenets
• Cybersecurity will be fully considered and implemented in all aspects of acquisition programs across the life cycle
• Responsibility for cybersecurity extends to all members of the acquisition workforce
• Cybersecurity is a requirement for all DoD Programs
• Program Managers are responsible for the cybersecurity of their programs, systems and information
• Cybersecurity applies to systems that reside on networks and stand alone systems that are not persistently connected to networks during tactical and strategic operations
New Cybersecurity Enclosure 14 to DoDI 5000.02 Operation of the DAS
Effective 02 February 2017
Integrating Cybersecurity into Systems Engineering
[Figure: cybersecurity activities mapped onto the systems engineering life cycle. Elements recoverable from the slide:]
• Cybersecurity Stakeholders
• Cyber Risk Assessment
• Security Architecture and Design
• Secure Code Practices
• TSN/SCRM
• Cyber in the RFP
• Cyber Table Top
• Blue Team / Vulnerability Assessments
• Red Team / Threat Representative Testing
• System Survivability KPP
• System Authorization Decision
• Continuous Monitoring
Ref: ISO/IEC/IEEE 15288, Systems and Software Engineering – System Life Cycle Processes, 15 May 2015
Questions?
Contact Info
• Roy Wilson
240.895.7328
• Vinny Lamolinara
240.895.7382