Trusted Systems - National Defense Industrial Association
advertisement
Trusted Defense Systems Kristen Baldwin Director, Systems Analysis DDRE/Systems Engineering NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-1 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Trusted Defense Systems Strategy Drivers/Enablers • National Cybersecurity Strategies • Congressional Interest • DoD Policy and Directives • Globalization Challenges Prioritize by Mission Dependence Comprehensive Program Protection Planning Detect and Respond to Vulnerabilities Partner with Industry Report on Trusted Defense Systems • Increasing System Complexity Delivering Trusted Systems NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-2 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. USD(AT&L) ASD(NII)/DoD CIO Elements of the Strategy • • • • Focus on Mission Critical Systems Identify Critical Components for Trust Protect Critical Technology CPI Identification – – • Prioritize by Mission Dependence Comprehensive Program Protection Planning System Security Engineering – – • – Technology Investment Strategies – – – DARPA TRUST NSA Center for Assured SW, Air Force Application SW Assurance CoE IA/HW/SW Assurance NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-3 Detect and Respond to Vulnerabilities Partner with Industry • • • Anti-Tamper, SPI System Assurance Supply Chain Risk Mitigation – • Critical Components Critical Technology Trusted Foundry, DMEA Threat and vulnerability assessments DIB Cyber Security Standards for Secure Products and Networks Damage Assessments DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Increased Priority for Program Protection • Threats: Nation-state, terrorist, criminal, rogue developer who: – Gain control of systems through supply chain opportunities – Exploit vulnerabilities remotely • Vulnerabilities: All systems, networks, applications – Intentionally implanted logic (e.g., back doors, logic bombs, spyware) – Unintentional vulnerabilities maliciously exploited (e.g., poor quality or fragile code) • Consequences: Stolen critical data & technology; corruption, denial of critical warfighting functionality Today’s acquisition environment drives the increased emphasis: Then Standalone systems >>> Some software functions >>> Known supply base >>> NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-4 Now Networked systems Software-intensive Prime Integrator, hundreds of suppliers DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Challenges Being Addressed • Policy and guidance for security is not streamlined • There is a lack of useful methods, processes and tools for acquirers and developers • Criticality is usually identified too late to budget and implement protection • Horizontal protection process is insufficiently defined • Lack of consistent method for measuring cost and success of “protection” • Intelligence data is not available to programs for risk awareness • Security not typically identified as an operational requirement, and is therefore lower priority Data Source: GAO report, white papers, military service feedback NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-5 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Major Efforts being executed by DDRE/SE • Implementing 5200.39 and 5000.02 Program Protection Policy – Review/Coordination of PPPs for ACAT I programs – Program protection assessment methodology – Guidance and best practice countermeasures, education and training, industry outreach, to assist programs with CPI identification and protection • Supply Chain Risk Management – Procedures, capability to utilize threat information in acquisition – Commercial standards for secure components (ISO/IEC, The Open Group) • Horizontal Protection Procedures – Acquisition Security Database (ASDB) oversight and implementation • Advancing the practice: System Security Engineering – SERC Research Topic – “Security Engineering” – INCOSE Working Group on System Security Engineering – DoD/NSA Criticality Analysis Working Group • DoD Anti-Tamper Executive Agent – Anti-Tamper IPT, AT policy, guidance advocate – Legislative Proposal – Defense Exportability Fund Pilot Program • Countering Counterfeits Tiger Team – Lifecycle strategy to reduce counterfeits, esp microelectronics NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-6 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Program Protection Policy • DoD Policy: DODI 5200.39 “Critical Program Information Protection Within the DoD” – Provide uncompromised and secure military systems to the warfighter by − performing comprehensive protection of CPI − through the integrated and synchronized application of CI, Intelligence, Security, systems engineering, and other defensive countermeasures to mitigate risk… – “CPI. Elements or components of an RDA program that, if compromised, could cause significant degradation in mission effectiveness; − Includes information about applications, capabilities, processes, and end-items. − Includes elements or components critical to a military system or network mission effectiveness. − Includes technology that would reduce the US technological advantage if it came under foreign control…” NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-7 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-8 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. DoD 5000 Lifecycle Approach to Early, Designed-In Program Protection • Milestone Decision Authority approves PPP in addition to PM • Acquisition Strategy, RFP, SEP, and TEMP reflect PPP relevant information • Identify candidate CPI in TDS, and potential countermeasures MS A S&T Programs MS B Materiel Technology MDD Solution Development CDD Analysis • Obtain threat assessments from Intel/CI, assess supplier risks • Develop design strategy for CPI protection • Submit PPP to Acquisition Security Database (ASDB) NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-9 Streamlined Program Protection Plan • One-stop shopping for documentation of acquisition program security (ISP, IA, AT appendices) • Living document, data driven, easy to update, maintain MS C Engineering and Manufacturing Development CPD • Contractor adds detail to Program Protection Plan • Preliminary verification and validation that design meets assurance plans Full Rate Prod DR Production & Deployment O&S • Enhance countermeasure information in Program Protection Plan (PPP) • Evaluate that CPI Protection, RFP requirements have been met DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Multifaceted Approach to Program Protection SCRM Key Practices DoDI DoDM 5200.39 DoDM 5200.39 Requires use of Supply Chain Risk Management (SCRM) and System Security Engineering Best Practice Countermeasures to protect Critical Program Information (CPI) NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-10 Systems Security Engineering (risk mitigation) Specific tools and practices (e.g. Malicious code checks, software assurance techniques) Best Practices Other countermeasures (INFOSEC, IA, ITAR, FMS, etc.) Use to contract for security in Map to CPI being protected & location in Requests for Proposals (RFP) DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Program Protection Plan (PPP) Systems Security Engineering (SSE): Early Engineering Emphasis • Identify components that need protection – Perform criticality analysis based on mission context and system function − Evaluate CONOPS, threat information, notional system architecture to identify critical components (hardware, software and firmware) − Identify rationale for inclusion or exclusion from candidate CPI list – Perform trade-offs of design concepts and potential countermeasures to minimize vulnerabilities, weaknesses, and implementation costs • Establish System Security Engineering Criteria – Ensure preferred concept has preliminary level security requirements derived from candidate CPI countermeasures – Ensure system security is addressed as part of Systems Engineering Technical Reviews • We have begun to apply these practices with major acquisition programs NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-11 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Systems Security Engineering • Systems Security Engineering Definition: – An element of system engineering that applies scientific and engineering principles to identify security vulnerabilities and minimize or contain risks associated with these vulnerabilities (MIL-HDBK-1785: Systems Security Engineering Program Management Requirements) • Codify guidance and best practice – To identify software, hardware vulnerabilities – To support program protection planning – To support secure systems design • Work is needed to fully expand this discipline – Foundational science and engineering, competencies (as compared to other SE Specialties: reliability, safety, etc) – Methods and tools: V&V, architecting for security – Community and design team recognition of SSE as a key design consideration NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-12 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Systems Security Engineering Research Roadmap • Joint DDRE/SE and NSA funded SE Research Center task – Goal: Develop a research roadmap to grow Systems Security Engineering as a key discipline of SE • Workshop in March 2010 to collect input – 50 attendees from industry, government, and academia • Proposed research modules in key areas: – Definitions: What is the scope of Systems Security Engineering? – Metrics: How much security is enough? How do we compare? – Frameworks: What is the trade space for making security engineering decisions? Are there architectural commonalities to leverage? – Workforce: How do we train researchers, developers, and acquisition professionals to do this? What do they need to know? – Methods, Processes, and Tools: How might practitioners actually do this? What can we learn from related disciplines (e.g. Safety, Reliability, Surety)? • Final report in September 2010 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-13 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Standardization Efforts • Buying with Confidence – – – – – – Open Group engagement to develop secure commercial product standards Technology supply chain security standard through ISO Supply Chain Risk Mitigation Countering Counterfeits Tiger Team DFAR for safeguarding unclassified DoD information on DIB networks Object Management Group software assurance frameworks • Building with Integrity – NDIA System Assurance Guidebook, adopted by NATO Standardization Agency – ISO 15026: Standard for Systems and Software Assurance – Criticality Analysis Working Group – Systems Security Engineering research roadmap – DHS Software Assurance • Horizontal Protection – DoD-wide Critical Program Information identification process – Acquisition Security Database adoption and implementation NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-14 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. In Summary • Holistic approach to assurance is critical – To focus attention on the threat – To avoid risk exposure from gaps and seams • Program Protection Policy provides overarching framework for trusted systems – Common implementation processes are beneficial • Stakeholder integration is key to success – Acquisition, Intelligence, Engineering, Industry, Research Communities are all stakeholders • Systems engineering brings these stakeholders, risk trades, policy, and design decisions together – Informing leadership early; providing programs with risk-based options NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-15 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Backup Slides NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-16 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Key Enablers of the Strategy Vision of Success Prioritization Supplier Assurance • The requirement for assurance is allocated among the right systems and their critical components • DoD understands its supply chain risks EngineeringIn-Depth • DoD systems are designed and sustained at a known level of assurance Industry Outreach • Commercial sector shares ownership and builds assured products Technology Investment Assured Systems NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-17 • Technology investment transforms the ability to detect and mitigate system vulnerabilities *Reference: DoD System Assurance CONOPS, 2004 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Desired Outcome Program Benefit • • • • Coherent direction and integrated policy framework to respond to security requirements Risk-based approach to implementing security Provision of expert engineering and intelligence support to our programs Streamline process to remove redundancy; focus on protection countermeasures NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-18 DoD Benefit • • • • Reduced risk exposure to gaps/seams in policy and protection activity Improved oversight and focus on system assurance throughout the lifecycle Ability to capitalize on common methods, instruction and technology transition opportunities Cost effective approach to “building security in” where most appropriate DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. SE PPP and Assessment Criteria • Program Criticality Analysis uses a collection of techniques to identify the critical functions / capabilities that need protection – – – – – Mission thread analysis Vulnerability analysis WBS analysis (What are the major cost elements) Domain specific knowledge COTS design vulnerabilities and supply chain • Design and assurance techniques – – – – Defense in Depth Draft PDR Exit Criteria Draft CDR Exit Criteria Configuration management access control • SW Development assurance techniques – Static code analyzers – Design and code walkthroughs / inspections for assurance NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-19 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. Systems Security Engineering: Integration of Security Resources 20 NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-20 DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies. CPI Formats and Example Protections • Information Systems – Information Assurance (controls for applications, networks, IT processes and platform IT interconnections) – Communications Security (Encryption, decryption) • Hard Copy Documents – Information Security (Document markings, handling instructions) – Foreign Disclosure (restrict/regulate foreign access) – Physical Security (gates, guards, guns) NDIA SE Div Mtg: Trusted System Overview 8/18/10 Page-21 • End Items – Anti-Tamper (deter, prevent, detect, respond) – Information Assurance – Supply Chain Risk Management (assessing supplier risk) – Software Assurance (tools, processes to ensure SW function) – System Security Engineering – Trusted Foundry (integrated circuit providers) • Ideas/Knowledge – Personnel Security (trustworthy, reliable people) – Access Controls DISTRIBUTION STATEMENT A -- Cleared for public release by OSR on 11 August 2010; SR Case # 10-S-2984 applies.
