
Cleared for Public Release 23 March 2017 Case # 17-S-1267


Cybersecurity T&E and the National Cyber Range

Prepared for 2nd ITEA Cyber Security Workshop "Challenges Facing Test and Evaluation", 24 March 2017

Prepared by National Cyber Range Team

Peter H. Christensen, Range Director, NCR

Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.

What, Why, How?

• What do we want to accomplish?
  – Look back to where we were
  – Provide insight into TRMC Cybersecurity Test and Evaluation Infrastructure and the National Cyber Range
  – Highlight Lessons learned and NCR successes
  – Make some predictions about the future!
• Why is this important?
  – Cyberspace T&E is extremely challenging
  – TRMC has “Operationalized” the NCR over six years of intense operations
  – NCR Team has delivered significant value added to DOD customers
  – The future looks promising!
• How will we do it?
  – Look back to 2009 IA Policy Crosswalk and 2010 IT Acquisition Reform
  – Highlight TRMC/NCR progress and new T&E capabilities
  – Look ahead to the future


Looking Back

2009: Information Assurance (IA) Policy Cross Walk

• Proposed by DISA T&E Exec

• Chartered by DOT&E and DASD DT&E

• Examine current IA related T&E policies, directives, instructions and guidance

• Provide findings and recommendations


Key Findings from 2009 Information Assurance Policy Cross Walk

• Key Findings
  – Focus on coordinating IA Test and Evaluation Activities
  – Form Integrated Test Teams Early and enable “test by one, use by many”
  – Promote Collaboration among Acquisition, Engineering and Test Teams
  – Operationally Realistic IA Test Environment is Crucial to Successful Testing
  – Threat Portrayal During Testing Must Reflect Current Threat Information
  – Provide Adequate Resources & Expertise Essential for Testing
  – Promote Acquisition-Related IA and Computer Network Defense (CND) T&E as Critical to Ensure Secure DOD Systems

IA and CND testing in acquisition is a critical activity and can only be accomplished with adequate resources and threat characterization!


2010 NDAA Section 804 IT Acquisition Reform

• Congress directed DoD to develop a new “IT Acquisition Process”
• DCMO “Section 804” Task Force established
• T&E and Certification Government Lead
• Principal Deputy DASD DT&E
• Test Evaluation and Certification (TE&C) Process collaboratively developed
• Supported an 18-month release goal, embraced both SE discipline and Agile Methods
• Delivered to DCMO 01 Oct 2010
• Industry and DOD have embraced Agile
• DOD 5000 incorporates Incrementally Fielded Software Intensive Programs
• Agile methods influenced “proposed” Cybersecurity T&E process

2010: “Strong Leadership is required to progress forward!”


Key Elements of 2010 Draft TE&C Policy/Process

• Agile TE&C execution
• Tailored to the IT acquisition
• Responsive to evolving requirements
• Risk based and mission focused
• TE&C infrastructure and tools
• Provides “testing as a service”
• Development, deployment, and sustainment
• Verified, Validated, and Accredited (VV&A) Infrastructure
• Replicates an operational/production environment
• Provides repeatable and defensible test results


March 2017 TRMC Organization

[Organization chart, updated 12 Dec 2016. Legend: * Supervisor, ** Team lead]

Positions shown: Under Secretary of Defense for Acquisition, Technology & Logistics; Dir, TRMC; Principal Deputy, TRMC; Chief Financial Officer; Chief Operating Officer **; Sr. Security Advisor; Admin. Officer; DD, T&E Range Oversight *; Agency RO **; Army RO **; AF RO **; Navy RO **; DD, Major Initiatives and Technical Analyses *; PM, CTEIP; Deputy PM, CTEIP; PM, T&E/S&T; Deputy PM, T&E/S&T; PM, JMETC; PM, REP; Director, TENA SDA; Deputy EA for Cyber Test Ranges; Range Director, NCR; Deputy Range Director, NCR

Names shown: Mr. Derrick Hinton (Acting); Mr. Paul Mann (Acting); Mr. “Jimmy” MacStravic (Acting); Dr. Robert N. Tamburello


TRMC Team Includes Government, FFRDC, SETA And Contractor

• Infrastructure and Services Include:
  – Test Bed Design Support
  – Integration of Custom Assets
    − Software
    − Hardware
    − Wired and Wireless
    − Remote Red/Blue Team Support
  – Cyber and Testing Expertise
  – Threat Vector Development
  – Custom Traffic Generation
  – Custom Sensor and Visualization Support
  – Custom Data Analysis
  – End-to-End Test Support

Customers Identify Cyber T&E Requirements

TRMC Provides Infrastructure And Services To Satisfy Them!


TRMC Cybersecurity T&E Infrastructure Components: JMETC MILS and Regional Service Delivery Points (RSDPs)

• JMETC MILS provides secure connectivity for Cybersecurity T&E
• MILS VPN hosted on Defense Research and Engineering Network
• Peers with Joint Information Operations range
• Regional Service Delivery Points (RSDP)
• Computing and Storage Assets that host virtual Cyberspace Environments
• TRMC provides tools and services and instrumentation for traffic generation, visualization, integrated event management, collaboration
• Geographically dispersed to minimize latency and maximize usability

• Modular/Flexible architecture evolves with requirements

• TRMC provides Support Staff

• Available to help plan, design and execute events

TRMC will provision the right Cyber T&E Infrastructure based upon your needs!


What Is The National Cyber Range?


NCR Provides Cybersecurity Testing And Training As A Service!


NCR Executed 140 Events in Six Years

NCR 2016 Aviation Week Program Excellence Winner!

Helping developing programs understand, mitigate cyber-attack and prepare people to defend U.S. systems

Note: FY-16: NCR unavailable for 9 Weeks during A&A


Cybersecurity Testing Lessons Learned

1. Start Small and grow
2. Testing is an important Engineering and Design Tool that can be used to refine requirements
3. Cyber Table Top is an effective tool to understand Mission Risks and prioritize testing
4. Focus Cybersecurity Testing on the Mission!
5. Cybersecurity Testing must be executed with key IT Staff, Incident Responders and Protection Teams
6. Customers need Cybersecurity T&E “As a Service”
7. Collaborative Approach to Coordinate Test Planning Critical
8. Effective Test Teams understand Cyber Offense and Defense
9. Automated Tool Suite creates efficiencies in event design, development and deployment

10. Connectivity makes range location irrelevant

Lessons Learned from 140 + NCR Events


Cyber Testing

Engineering and Design Tool

• Cybersecurity Testing is a Systems Engineering Tool
• Reduces technical debt, identifies exposed vulnerabilities and provides engineering alternatives
• Identifies “New” Cyber Requirements, exposes “Residual” Vulnerabilities!


No System will ever be 100% Secure! What is the Mission Risk?


Cybersecurity T&E Helps Manage “Mission” Risk

• Phases are iterative and incremental!
• Initial Phases reduce Type 1 Debt!
• Complements System Security Engineering and Risk Management Framework SE and RMF Activities
• Later Phases reduce Type 2 Debt!
• Promotes Understanding of Mission Risk!


RMF Manages Acquisition Program Risk….Cybersecurity T&E Manages Mission Risk


Cyber Table Top (CTT) Effective Tool To Prioritize Cybersecurity T&E

• What is a Cyber Table Top?
  – Low technology, low cost, intellectually intensive wargame
  – Introduces and explores Mission Effects of Offensive Cyber Ops
  – Helps estimate “Mission Risk” to System, SoS or FoS
• Why is it used?
  – Identifies Threat Vectors, Potential Vulnerabilities and Mission Risk
  – Identifies new Functional and Non Functional Requirements
  – Scopes the size and scale of Cybersecurity Testing
  – Provides actionable recommendations
• What does it produce?
  – Prioritization of vulnerabilities based upon likelihood of exploitation and consequences to the mission
    − High Risk Vulnerabilities must be evaluated first
    − Medium Risk Vulnerabilities can be evaluated subsequently
    − Low Risk Vulnerabilities may be deferred for later
  – Cybersecurity Risk Matrices and Recommendations for Cybersecurity Testing and Vulnerability Mitigation


CTTs Informed Several Events At The NCR!


Cyber Testing and Training Demand is for Customer Centric Services (predominantly)

Customers come to the TRMC/NCR for Higher Tier “Live Cyber Environments,” Cyber T&E expertise, and event support

Customers Need Cybersecurity T&E “As A Service”


Automated Tools Simplify Event Design, Development, Deployment/Redeployment!

• Reusable Content Includes:
  – ADNS Emulation
  – Round-robin NTP
  – Full DNS infrastructure
  – Whois
  – Various Exchange Server versions and architectures
  – DNS registrar
  – Webmail
  – eCommerce sites
  – Content Management Systems (CMS)


Model Reuse Is Creating Efficiencies!


Connectivity Makes Range Location Irrelevant!

• NCR demonstrated ability to support Major Training Exercises!
• Remotely supported 1000’s of Users
• Connected numerous Logical Ranges
• 100’s of Enclaves & Subnets
• Thousands of Nodes
• NCR demonstrated ability to support remote Testing
• NCR has both JMN and JIOR Connectivity!
• Used remotely for multiple customers

[Figure labels: Realistic Mission Environments; JMN; RSDPs; PSDPs]


Connectivity Enables Customers To Create A “Virtual Enterprise” For Testing And Training!


Pathfinder Event: Avionics Bus Architectures

• NCR Objective
  – Emulate Non IP Based Networks, Bus Architectures: MIL Std 1553, ARINC 429 for Cyberspace T&E
• Relevance
  – Cyber Threats demonstrated ability to exploit vulnerabilities in systems, subsystems and components
  – Some testing cannot/should not be conducted w/ actual aircraft, particularly in-flight
• Outcomes
  – TRMC/NCR collaborated with NAVAIR to conduct a Cyber Table Top to understand Cyber Risks
  – NCR built-out Avionics Management System to execute “Risk Reduction Event”
  – Collaborated with Aircraft Cyber Threat Working Group


Pathfinder Event: Control Systems Cyber Security (CS2) Challenge

• NCR Objective
  – Demonstrate ability to emulate representative Industrial Control Systems Architecture
• Relevance
  – Internet of Things makes Control Systems connected and exploitable
  – Developers fail to consider Cybersecurity
  – Control Systems need to be tested in real-world environments
• Outcome
  – OSD Energy, Installations and Environment (E&EI) requested NCR implement a representative DOD Building Environmental Control System
  – NCR successfully developed environment
  – Follow on demonstrations will evaluate commercial products


The “Internet of Everything” Exposes Control Systems to Attacks Not Previously Considered!

Image Source: Mario Morales (IDC)


What Does the Future Look Like for Infrastructure?

• Demand for Cybersecurity T&E Infrastructure will continue to increase
• NCR/RSDP/JMN Complex being provisioned to satisfy increasing demand
• Way Ahead: Leverage TRMC Investment
• Ensure future investments in automation tools are Interoperable/Compatible/Un-encumbered
• Move Legacy SILs HW&SW, ICS/SCADA Labs, etc. to JMN


What Does the Future Look Like for Workforce?

• Demand for Cybersecurity T&E Workforce will continue to increase
• People are the most valuable and limited resource
• Workforce must have Acquisition and Cyberspace Skills
• Capabilities Development, Program Management, Contracting, Systems Security Engineering, Risk Management Framework and Cybersecurity T&E, Cyber Defense and Offense
• Way Ahead: Invest in “Wet Ware”
• Enhance Government Cybersecurity T&E Workforce
• Enable them with robust FFRDC, SETA and Industry Personnel


Procuring Cybersecurity T&E Infrastructure Is Easy

Greater Challenge: Developing The Cybersecurity T&E Workforce!


What Does the Future Look Like In Practice?

• Investments in T&E Infrastructure reduce “Technical Debt”: PMs realizing schedule/performance improvements
• Way Ahead:
• Provision infrastructure to support full spectrum testing
• Not just one Program of Record
• Use incremental/iterative T&E to evaluate System Functional and Non Functional Requirements
• Autonomous Systems could adopt a similar approach
• Adversarial Assessments should be Mission Based Events
• Fully exercise Systems of Systems
• Include Cybersecurity Defense Providers


TRMC Is making Essential Investments!


What Does the Future Look Like For The Adversary?

• Adversaries are sophisticated, persistent and getting better
• Conduct extended and sophisticated Cyber Campaigns
• Speed and agility enables them to get inside the Acquisition Lifecycle
• DOD Acquisition systems and approaches lack agility to keep up with the threat
• Industry has adopted Agile Methods/DEVOPS!
• Robust DEV/Test Infrastructure essential to support continuous innovation
• Increases efficiency and “Delivery Velocity” enhances Cybersecurity Posture and reduces ownership costs
• Enables Industry to evolve at the same pace as the adversary


Infrastructure Investments Enable Agile Methods/DEVOPS!


What Does the Future Look Like For The Adversary? (cont.)

• Way Ahead:
• Investment in Cybersecurity T&E Infrastructure is having positive impact
• TRMC S&T and CTEIP Programs enablers to help disrupt the Adversary Lifecycle
• Enable Agile Methods and DEVOPS with “High Fidelity” reusable emulations/models of Systems and Enterprise
• Exploit virtualization, Software Containers
• Consider provisioning “Digital Twins”
• Evolve with system as it matures
• Promote closer community engagement
• Development Community, Cybersecurity Defense Providers and Cyber Mission Forces


Effort Needed To Bring Together Development, Testing And Training Communities!


Summary

• Since 2009: DOD T&E Community has significantly advanced the practice of Cybersecurity T&E

• Past approaches to address Cybersecurity have created Technical Debt!

• Shift Left is Helping Programs improve Cybersecurity Posture

• Other Federal Agencies are adopting similar approaches!

• TRMC and the NCR are helping Testing and Training Customers!

• Deliver unique cybersecurity test, evaluation, and training capabilities

• Enable DOD to conduct focused cybersecurity test and evaluation

• Events are tailored to meet program requirements throughout the systems acquisition lifecycle

• TRMC is investing in the future!

• Workforce and Infrastructure investments are key enablers

• Without them advances in practice process cannot be achieved!


TRMC/NCR Team Are Making It Harder For The Adversary!


Superb effort organizing this workshop!

PROGRAM CHAIR - Ms. Chris Susman

SURVICE Engineering Company

PROGRAM TECHNICAL CHAIRS

Mr. Robert Laughman, US Army Evaluation Center

Duane Wilson, Ph.D., Wilson Innovative Solutions LLC

EXHIBITS & SPONSORSHIPS

Ms. Cathy Pritts and Mr. Jim Myers

Special Thanks!


The 2017 CG Classic

In Honor of Seaman Aaron N. Redd, USCG

• Please join the Chief Petty Officers Association Alexandria Chapter and the family & friends of Aaron N. Redd, on Friday, June 16th, as we host a fun filled day of golf at the Potomac Shores Golf Club.
• All proceeds will be donated to the Coast Guard Enlisted Memorial Foundation.
• http://www.cgclassic.com


Peter H. Christensen

Range Director, National Cyber Range

TRMC Office Phone: 571-372-2699

TRMC Email: [email protected]

Dr. Robert N. Tamburello

Deputy Range Director, National Cyber Range

TRMC Email: [email protected]

Address:

4800 Mark Center Drive

Suite 07J22

Alexandria, Va. 22350

Questions?