Title: Cybersecurity and the Logistics Professional Date: 31 January 2018 Presenters: Roy Wilson and Vincent Lamolinara, Professors of Acquisition Cybersecurity, Defense Acquisition University, Mid-Atlantic Region Moderator: Jim Davis, Logistics Department Chair, Defense Acquisition University, Mid-Atlantic Region


Page 1: Title slide (title, date, presenters and moderator as listed above)

Page 2:

Purpose

Webinar for DoD Logistics Professionals & Product Support Managers (PSM), focused on enhancing success in fielding and sustaining cyber secure ACAT I MDAP/MAIS, and/or Major Weapon Systems

Page 3:

Cyber Threat to DoD systems

“The DoD should expect cyber attacks to be part of all conflicts in the future, and should not expect competitors to play by our version of the rules” (p. 5)

Page 4:

The Rules Don’t Apply To Cyber

Think like a hacker

Page 5:

Threat Vector

Page 6:

The Targets

• Information Systems
• Defense Business Systems
• C3I
• System Development (government/contractor)
• T&E
• Logistics
• Weapon Systems
• Other Information Technology
• Critical Infrastructure
• Industrial Control Systems
• SCADA
• Medical

Page 7:

Weapon System Targets

Page 8:

The cyber kill chain

Page 9:

Penetration Phase

[Figure: “Wheel of Access”, a.k.a. “Wheel of Doom”; labels include Mission Plan/Ops and Direct Connect]

Think like a hacker

Where does the Logistician have a role/responsibility?

Page 10:

Supply Chain Attack

Approved for public release, February 6, 2017

• The task force concluded that USD(AT&L) must strengthen lifecycle protection policies, enterprise support, and R&D programs so that weapons systems are designed, fielded, and sustained to reduce risk of cyber supply chain attacks.
• But How?
• Example Platform: 16K+ Components
• 50 Safety Critical
• 3K+ Mission Critical
• SW vs HW in Supply Chain

“Of particular concern are the weapons the nation depends upon today; almost all were developed, acquired, and fielded without formal protection plans.”

Page 11:

Supply Chain Attack

PENTAGON RESPONSE: Capitol Hill: Faced with a torrent of counterfeit parts that pose a serious risk to the lives of American servicemen and to the performance of sophisticated weapons

Counterfeit Parts Put Troops at Risk!

Page 12:

Cyber and the 12 IPS Elements

Now… Consider the IPS Elements for any system: What are potential Cyber risks & Consequences?

• Improper Labeling / Transport
• Maintenance Data Integrity
• Inadequate Tech Data Rights for Cybersecurity Assessment
• False Supply Trends
• Incorrect Interface Documentation
• Faulty Tech Pubs
• Access to Classified Weapon Systems & Critical Infrastructure
• Improper Maintenance Procedures
• Access to Personnel Data
• Inadequate Response to Cyber Incident

Page 13:

Cyber and the Logistician

All have responsibility…

“Every member of the acquisition workforce…through the entire lifecycle…includes systems that reside on networks and stand alone systems that are not persistently connected to the networks during tactical and strategic operation…(includes) fielding, sustainment, and disposal…data…support data (e.g., training, maintenance data) for the system…logistics, training, maintenance…”

DODI 5000.02 – ENCLOSURE 14

Should the logisticians play a role in cyber security? DoD’s Answer!

Page 14:

Breaking the Cyber Kill Chain

JROCM 009-17 System Survivability KPP
• Ensure (Joint) Mission Assurance
• KPP = Kinetic, EW and Cyber environments
• Key Efforts: Prevent, Mitigate, Recover

NDAA Section 1647
• Evaluation of Cyber Vulnerabilities of Major Weapon Systems

[Figure: Balanced Survivability, with the three legs Prevent, Mitigate, Recover]

Page 15:

System Security Working Group

[Figure: SSWG membership] SSWG members: LOG, POPL, Cyber Team, ISSM, ISSO, ISSE, Security, Intel, T&E, SEAT, User, Contractor, Ad Hoc

Ad Hoc includes as needed: PM, BFM, CON, T&E, et al.

Page 16:

System Security Working Group

SSWG Inputs:
• CDD
• Acq Strat
• DODAF
• DoDI 5000.02
• DoDI 8500.01 (RMF)
• DoDI 5200.44 (TSN)
• NIST SP 800-53
• DoD Cybersecurity T&E Guide

SSWG Outputs:
• Program Protection Plan
• Cybersecurity Strategy
• Criticality Analysis
• TEMP Appendix E
• AT Plan
• Security Engineering Inputs
• SEP
• Design
• RFP
• SCG
• LCSP
• DMSMS Plan
• Budget

Page 17:

Life Cycle Sustainment Plan

• LCSP section 12 and/or 13 needs to address how the product support package supports meeting the statutory and regulatory requirements for cybersecurity
• 12.0 Product Support Package Implementation
• 13.0 Other: Describe any special topics that cut across functional lines and not already addressed, at a minimum:
• RMF, including describing any open risks and plans.
• Apply critical thinking to IPS elements

Page 18:

Logistics Documents with Cyber Implications

• Diminishing Manufacturing Sources/Materiel Shortages (DMSMS) Plan
• Counterfeit Parts Prevention Plan
• Reliability, Availability, Maintainability-Cost (RAM-C) Rationale Report
• Manpower Estimate Report (MER)
• Warranty Plan
• Condition Based Maintenance Plus (CBM+) Plan
• Technical Order/Manual Validation, Verification, and Quality Assurance Plans
• Training System Requirements Analysis (TSRA)
• System Training Plan (STP)

Page 19:

Open Discussion

Page 20:

Cybersecurity in the Defense Acquisition System (DAS)

Overarching Tenets
• Cybersecurity will be fully considered and implemented in all aspects of acquisition programs across the life cycle
• Responsibility for cybersecurity extends to all members of the acquisition workforce
• Cybersecurity is a requirement for all DoD Programs
• Program Managers are responsible for the cybersecurity of their programs, systems and information
• Cybersecurity applies to systems that reside on networks and stand alone systems that are not persistently connected to networks during tactical and strategic operations

New Cybersecurity Enclosure 14 to DoDI 5000.02, Operation of the DAS

Effective 02 February 2017

Page 21:

Integrating Cybersecurity into Systems Engineering

[Figure: activities surrounding the systems engineering process]
• System Authorization Decision
• Cyber Risk Assessment
• Secure Code Practices
• Continuous Monitoring
• Cybersecurity Stakeholders
• Security Architecture and Design
• Blue Team / Vulnerability Assessments
• System Survivability KPP
• Red Team / Threat Representative Testing
• TSN/SCRM
• Cyber in the RFP
• Cyber Table Top

Ref: ISO/IEC/IEEE 15288, Systems and Software Engineering – System Lifecycle Processes, 15 May 15

Page 22:

Questions?

Page 23:

Contact Info

• Roy Wilson, 240.895.7328, [email protected]
• Vinny Lamolinara, 240.895.7382, [email protected]