Trusted Systems - National Defense Industrial Association

Report
Trusted Defense Systems
Kristen Baldwin
Director, Systems Analysis
DDRE/Systems Engineering
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-1
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Trusted Defense Systems Strategy
Drivers/Enablers
• National
Cybersecurity
Strategies
• Congressional
Interest
• DoD Policy and
Directives
• Globalization
Challenges
Prioritize by
Mission
Dependence
Comprehensive
Program
Protection
Planning
Detect and
Respond to
Vulnerabilities
Partner with
Industry
Report on Trusted
Defense Systems
• Increasing System
Complexity
Delivering Trusted Systems
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-2
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
USD(AT&L)
ASD(NII)/DoD CIO
Elements of the Strategy
•
•
•
•
Focus on Mission
Critical Systems
Identify Critical
Components for
Trust
Protect Critical
Technology
CPI Identification
–
–
•
Prioritize by
Mission
Dependence
Comprehensive
Program
Protection
Planning
System Security
Engineering
–
–
•
–
Technology
Investment
Strategies
–
–
–
DARPA TRUST
NSA Center for
Assured SW, Air
Force Application
SW Assurance
CoE
IA/HW/SW
Assurance
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-3
Detect and
Respond to
Vulnerabilities
Partner with
Industry
•
•
•
Anti-Tamper, SPI
System Assurance
Supply Chain Risk
Mitigation
–
•
Critical
Components
Critical Technology
Trusted Foundry,
DMEA
Threat and
vulnerability
assessments
DIB Cyber Security
Standards for
Secure Products
and Networks
Damage
Assessments
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Increased Priority for Program
Protection
• Threats: Nation-state, terrorist, criminal, rogue developer who:
– Gain control of systems through supply chain opportunities
– Exploit vulnerabilities remotely
• Vulnerabilities: All systems, networks, applications
– Intentionally implanted logic (e.g., back doors, logic bombs,
spyware)
– Unintentional vulnerabilities maliciously exploited (e.g., poor
quality or fragile code)
• Consequences: Stolen critical data & technology; corruption,
denial of critical warfighting functionality
Today’s acquisition environment drives the increased emphasis:
Then
Standalone systems
>>>
Some software functions >>>
Known supply base
>>>
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-4
Now
Networked systems
Software-intensive
Prime Integrator, hundreds of suppliers
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Challenges Being Addressed
• Policy and guidance for security is not streamlined
• There is a lack of useful methods, processes and tools for
acquirers and developers
• Criticality is usually identified too late to budget and implement
protection
• Horizontal protection process is insufficiently defined
• Lack of consistent method for measuring cost and success of
“protection”
• Intelligence data is not available to programs for risk
awareness
• Security not typically identified as an operational requirement,
and is therefore lower priority
Data Source: GAO report, white papers, military service feedback
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-5
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Major Efforts being executed by
DDRE/SE
•
Implementing 5200.39 and 5000.02 Program Protection Policy
– Review/Coordination of PPPs for ACAT I programs
– Program protection assessment methodology
– Guidance and best practice countermeasures, education and training, industry
outreach, to assist programs with CPI identification and protection
•
Supply Chain Risk Management
– Procedures, capability to utilize threat information in acquisition
– Commercial standards for secure components (ISO/IEC, The Open Group)
•
Horizontal Protection Procedures
– Acquisition Security Database (ASDB) oversight and implementation
•
Advancing the practice: System Security Engineering
– SERC Research Topic – “Security Engineering”
– INCOSE Working Group on System Security Engineering
– DoD/NSA Criticality Analysis Working Group
•
DoD Anti-Tamper Executive Agent
– Anti-Tamper IPT, AT policy, guidance advocate
– Legislative Proposal – Defense Exportability Fund Pilot Program
•
Countering Counterfeits Tiger Team
– Lifecycle strategy to reduce counterfeits, esp microelectronics
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-6
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Program Protection Policy
• DoD Policy: DODI 5200.39 “Critical Program Information
Protection Within the DoD”
– Provide uncompromised and secure military systems to the warfighter
by
− performing comprehensive protection of CPI
− through the integrated and synchronized application of CI, Intelligence,
Security, systems engineering, and other defensive countermeasures to
mitigate risk…
– “CPI. Elements or components of an RDA program that, if
compromised, could cause significant degradation in mission
effectiveness;
− Includes information about applications, capabilities, processes, and
end-items.
− Includes elements or components critical to a military system or network
mission effectiveness.
− Includes technology that would reduce the US technological advantage if
it came under foreign control…”
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-7
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-8
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
DoD 5000 Lifecycle Approach to
Early, Designed-In Program Protection
• Milestone Decision Authority
approves PPP in addition to PM
• Acquisition Strategy, RFP, SEP, and
TEMP reflect PPP relevant information
• Identify candidate CPI in TDS,
and potential countermeasures
MS A
S&T Programs
MS B
Materiel
Technology
MDD Solution Development CDD
Analysis
• Obtain threat assessments from
Intel/CI, assess supplier risks
• Develop design strategy for CPI
protection
• Submit PPP to Acquisition
Security Database (ASDB)
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-9
Streamlined Program Protection Plan
• One-stop shopping for documentation
of acquisition program security (ISP, IA,
AT appendices)
• Living document, data driven, easy to
update, maintain
MS C
Engineering and
Manufacturing
Development
CPD
• Contractor adds detail to
Program Protection Plan
• Preliminary verification and
validation that design meets
assurance plans
Full Rate
Prod DR
Production &
Deployment
O&S
• Enhance countermeasure
information in Program
Protection Plan (PPP)
• Evaluate that CPI Protection,
RFP requirements have been
met
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Multifaceted Approach to Program
Protection
SCRM
Key
Practices
DoDI
DoDM
5200.39
DoDM 5200.39
Requires use of
 Supply Chain Risk
Management
(SCRM) and
 System Security
Engineering
Best Practice
Countermeasures
to protect
Critical Program
Information (CPI)
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-10
Systems Security
Engineering
(risk mitigation)
Specific tools
and practices
(e.g.
Malicious
code checks,
software
assurance
techniques)
Best
Practices
Other
countermeasures
(INFOSEC, IA,
ITAR, FMS, etc.)
Use to contract
for security in
Map to CPI being
protected & location in
Requests for
Proposals
(RFP)
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Program
Protection
Plan (PPP)
Systems Security Engineering (SSE):
Early Engineering Emphasis
• Identify components that need protection
– Perform criticality analysis based on mission context and system function
− Evaluate CONOPS, threat information, notional system architecture to identify critical
components (hardware, software and firmware)
− Identify rationale for inclusion or exclusion from candidate CPI list
– Perform trade-offs of design concepts and potential countermeasures to
minimize vulnerabilities, weaknesses, and implementation costs
• Establish System Security Engineering Criteria
– Ensure preferred concept has preliminary level security requirements
derived from candidate CPI countermeasures
– Ensure system security is addressed as part of Systems Engineering
Technical Reviews
• We have begun to apply these practices with major acquisition
programs
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-11
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Systems Security Engineering
• Systems Security Engineering Definition:
– An element of system engineering that applies scientific and
engineering principles to identify security vulnerabilities and minimize or
contain risks associated with these vulnerabilities
(MIL-HDBK-1785: Systems Security Engineering Program Management Requirements)
• Codify guidance and best practice
– To identify software, hardware vulnerabilities
– To support program protection planning
– To support secure systems design
• Work is needed to fully expand this discipline
– Foundational science and engineering, competencies (as compared to
other SE Specialties: reliability, safety, etc)
– Methods and tools: V&V, architecting for security
– Community and design team recognition of SSE as a key design
consideration
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-12
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Systems Security Engineering
Research Roadmap
• Joint DDRE/SE and NSA funded SE Research Center task
– Goal: Develop a research roadmap to grow Systems Security Engineering as a
key discipline of SE
• Workshop in March 2010 to collect input
– 50 attendees from industry, government, and academia
• Proposed research modules in key areas:
– Definitions: What is the scope of Systems Security Engineering?
– Metrics: How much security is enough? How do we compare?
– Frameworks: What is the trade space for making security engineering
decisions? Are there architectural commonalities to leverage?
– Workforce: How do we train researchers, developers, and acquisition
professionals to do this? What do they need to know?
– Methods, Processes, and Tools: How might practitioners actually do this?
What can we learn from related disciplines (e.g. Safety, Reliability, Surety)?
• Final report in September 2010
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-13
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Standardization Efforts
• Buying with Confidence
–
–
–
–
–
–
Open Group engagement to develop secure commercial product standards
Technology supply chain security standard through ISO
Supply Chain Risk Mitigation
Countering Counterfeits Tiger Team
DFAR for safeguarding unclassified DoD information on DIB networks
Object Management Group software assurance frameworks
• Building with Integrity
– NDIA System Assurance Guidebook, adopted by NATO Standardization
Agency
– ISO 15026: Standard for Systems and Software Assurance
– Criticality Analysis Working Group
– Systems Security Engineering research roadmap
– DHS Software Assurance
• Horizontal Protection
– DoD-wide Critical Program Information identification process
– Acquisition Security Database adoption and implementation
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-14
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
In Summary
• Holistic approach to assurance is critical
– To focus attention on the threat
– To avoid risk exposure from gaps and seams
• Program Protection Policy provides overarching framework
for trusted systems
– Common implementation processes are beneficial
• Stakeholder integration is key to success
– Acquisition, Intelligence, Engineering, Industry, Research Communities are
all stakeholders
• Systems engineering brings these stakeholders, risk
trades, policy, and design decisions together
– Informing leadership early; providing programs with risk-based options
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-15
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Backup Slides
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-16
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Key Enablers of the Strategy
Vision of Success
Prioritization
Supplier
Assurance
• The requirement for assurance is allocated
among the right systems and their critical
components
• DoD understands its supply chain risks
EngineeringIn-Depth
• DoD systems are designed and sustained
at a known level of assurance
Industry
Outreach
• Commercial sector shares ownership and
builds assured products
Technology
Investment
Assured Systems
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-17
• Technology investment transforms the
ability to detect and mitigate system
vulnerabilities
*Reference: DoD System Assurance CONOPS, 2004
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Desired Outcome
Program Benefit
•
•
•
•
Coherent direction and
integrated policy framework to
respond to security
requirements
Risk-based approach to
implementing security
Provision of expert
engineering and intelligence
support to our programs
Streamline process to remove
redundancy; focus on
protection countermeasures
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-18
DoD Benefit
•
•
•
•
Reduced risk exposure to
gaps/seams in policy and
protection activity
Improved oversight and focus
on system assurance
throughout the lifecycle
Ability to capitalize on
common methods, instruction
and technology transition
opportunities
Cost effective approach to
“building security in” where
most appropriate
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
SE PPP and Assessment Criteria
• Program Criticality Analysis uses a collection of techniques
to identify the critical functions / capabilities that need
protection
–
–
–
–
–
Mission thread analysis
Vulnerability analysis
WBS analysis (What are the major cost elements)
Domain specific knowledge
COTS design vulnerabilities and supply chain
• Design and assurance techniques
–
–
–
–
Defense in Depth
Draft PDR Exit Criteria
Draft CDR Exit Criteria
Configuration management access control
• SW Development assurance techniques
– Static code analyzers
– Design and code walkthroughs / inspections for assurance
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-19
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
Systems Security Engineering:
Integration of Security Resources
20
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-20
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
CPI Formats and
Example Protections
• Information Systems
– Information Assurance (controls
for applications, networks, IT
processes and platform IT
interconnections)
– Communications Security
(Encryption, decryption)
• Hard Copy Documents
– Information Security (Document
markings, handling instructions)
– Foreign Disclosure
(restrict/regulate foreign access)
– Physical Security (gates,
guards, guns)
NDIA SE Div Mtg: Trusted System Overview
8/18/10 Page-21
• End Items
– Anti-Tamper (deter, prevent,
detect, respond)
– Information Assurance
– Supply Chain Risk Management
(assessing supplier risk)
– Software Assurance (tools,
processes to ensure SW function)
– System Security Engineering
– Trusted Foundry (integrated circuit
providers)
• Ideas/Knowledge
– Personnel Security (trustworthy,
reliable people)
– Access Controls
DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.

similar documents