Minutes later, the ship’s tactical action officer (TAO) receives a report of multiple incoming ASCMs on multiple vectors. He immediately gives the order to launch a salvo of standard missiles. Several of the ASCMs are destroyed, but a few continue inbound, heading rapidly toward the destroyer. With the remaining ASCMs inside the minimum range of the standard missile, the TAO orders electronic countermeasures and engagement with the ship’s close-in weapon system (CIWS). In the seconds that follow, every ASCM is destroyed with the exception of a single leaker, which impacts the ship close to the waterline.
Once the impact subsides, damage-control teams immediately go into action. The compartment where the missile impacted was already segmented from the rest of the ship when material condition ZEBRA was set. Now damage-control team members locate and isolate the sources of flooding and fire. Then they begin the process of repairing systems to restore the ship’s maximum operational capability as quickly as possible. Then the 1MC sounds again: “Secure from General Quarters. Re-stow all damage control equipment. Drill monitors report to the crew’s mess for debrief.”
Similar events have played out thousands of times on Navy ships. While they provide invaluable training, they also demonstrate that a tactical unit can reasonably defend itself—and rapidly recover from overwhelmed defenses and restore as much warfighting capability as possible. In essence, drills demonstrate a tactical unit’s resiliency as a warfighting platform. However, while there have been significant efforts for decades to develop resiliency in air, surface, and subsurface warfare domains, the Navy only recently began efforts to develop cyber resiliency.
In the wake of penetrations into the Navy Marine Corps Intranet (NMCI), the Navy took prompt action under Operation Rolling Tide to counter cyber activity directed at its networks and command-and-control capabilities.1 Since then the scope has expanded beyond business systems to hull, mechanical, and electrical (HM&E), navigation, and weapon systems on board the Navy’s tactical platforms. As a result, in the fall of 2014 the Navy established Task Force Cyber Awakening (TFCA) to develop an executable strategy that implemented lessons learned from the operation to improve the cyber posture of the Navy’s tactical units.2 After intensive study, TFCA determined that a strategy strictly addressing cyber readiness failed to pace the threat posed by high-end adversaries. To ensure mission assurance for warfighting capabilities on board the Navy’s tactical platforms, TFCA developed a strategy that moves beyond cyber readiness to emphasize cyber resiliency.
Defining Readiness and Resiliency
U.S. Cyber Command’s current Command Cyber Readiness Inspection process examines a unit’s compliance with workforce training requirements, technological certifications, and maintenance documentation.3 The Navy’s Cybersecurity Inspection Program similarly focuses on a unit’s information-assurance policies, physical security defenses, and cybersecurity workforce personnel records.4 These views of cyber readiness, while embracing defense in depth, focus on vulnerability remediation and prevention. As a result, cyber readiness throughout the Department of Defense, including within the Navy, is currently viewed largely through the lens of information-assurance compliance. This approach to cyber readiness has resulted in the Navy’s present strategy, in which operator training and system architectures severely limit the operation of the network to mitigate exploits in near real-time. As a consequence, the network is treated as essentially binary: either secure or compromised. Once compromised, the current strategy largely leaves the adversary free to maneuver at will.
While cyber readiness provides the Navy with a sound defensive foundation, cyber resiliency accepts that at some point adversaries will defeat the defensive cyber measures in place, and thus seeks to limit an adversary’s freedom of action to degrade capability. Resilience within the cyber domain is explicitly defined in the Defense Science Board report on “Resilient Military Systems and the Advanced Cyber Threat” as “the ability to provide acceptable operations despite disruption: natural or man-made, inadvertent or deliberate.”5
The Defense Science Board report confirms what the Navy learned in the wake of the penetrations into NMCI: Given the networked nature of warfighting platforms, degradation in cyber posture adversely affects overall war-fighting capability. In light of this reality, TFCA focused on developing a cyber-resiliency strategy, along with the mechanisms and organizational constructs necessary to realize it. In basic terms, this strategy achieves cyber resiliency through enhanced cyber readiness augmented by agile cyber-system design and dynamic cyber operations.
Enhanced Cyber Readiness
In the introductory air-defense scenario, the destroyer engaged the fictional ASCM threat with a barrage of Standard Missiles. Over time, newer versions of the Standard Missile have been developed with increasingly more advanced capabilities to counter more sophisticated threats, culminating in the current SM-6.6 Similarly, the cyber defenses protecting the Navy’s tactical platforms must evolve as potential adversaries develop more sophisticated cyber techniques and capabilities.
As a first step in advancing the cyber-defense posture on board the Navy’s tactical platforms, TFCA’s strategy continues the Navy’s Operation Rolling Tide investments in cyber defense-in-depth. These investments primarily address boundary defenses such as firewalls and host-based security suites as well as the development of the next generation of technology that will ensure advanced threat mitigation. Additionally, while these capabilities have typically been deployed to defend command, control, communications, computers, and intelligence (C4I) systems, the strategy also addresses defense of HM&E, navigation, and weapon systems. These cyber-defense efforts would be similar to increasing the number of standard missiles on board while simultaneously enhancing the missiles’ capability and adding additional electronic countermeasures and CIWS.
While introducing new technologies and capabilities is an important element of TFCA’s cyber-resiliency strategy, cyber readiness remains vital in reducing the vulnerable attack surface presented to the enemy. In the context of cyber resiliency, cyber readiness remains primarily focused on information assurance compliance; however, it is also frequently referred to as cyber hygiene. In either case, the objective is the use of focused tactics, techniques, and procedures (TTPs) and workforce training, joined with a balanced maintenance-and-modernization cycle to prevent the degradation or circumvention of higher-level security measures. The commander of Naval Information Dominance Forces (COMNAVIDFOR) has been instrumental in advancing a culture of cyber hygiene across the Navy, directing commanding officers to make cyber security part of their day-to-day routine and carefully tracking the status of fleet units. COMNAVIDFOR has also driven manning and training improvements for more focused cyber-hygiene efforts. In the context of the air-defense example, maintaining cyber hygiene is analogous to conducting regular preventive maintenance on the air-defense systems, which requires the right parts, tools, and trained personnel.
Agile Cyber-System Design
Before engaging an incoming ASCM, a TAO must be aware of and tracking the inbound missile. Similarly, within cyberspace, vulnerabilities cannot be mitigated or adversary exploits countered without operator awareness. As a result, one of the key elements of the TFCA resiliency strategy is near-real-time cyber situational awareness. In the air-defense scenario, the TAO first engages with Standard Missiles and then employs the ship’s CIWS. The TAO’s ability to respond to the ASCM threat quickly, repeatedly, and with the appropriate defensive option depends on his or her understanding of the operational environment. Once cyber situational awareness is established, a ship will be able to operate its network in a similar fashion, tailoring the response to the threat. Situational awareness is achieved by deploying and monitoring sensors throughout a ship’s network. While the destroyer example is concerned with an ASCM threat, the vessel also has sensors for detecting surface and subsurface threats. Similarly, ships’ networks must be equipped not only with sensors protecting C4I networks, but also with sensors deployed within the HM&E, navigation, and weapon systems. Once positioned, these sensors collect network-operations data that are aggregated and analyzed to provide near-real-time understanding of the network environment, as well as automated alerts of suspicious activity.
Unlike other warfare areas, an individual cyber attack may last from days to months. As a result, both near-real-time understanding and the capability to reconstruct network events using archived data are key elements of cyber situational awareness. Network event reconstruction is also required to develop a complete understanding of adversary TTPs. This understanding is fundamental to enabling implementation of policies and mechanisms to protect a ship’s networks, in addition to requirements for the development of new signatures and algorithms for identifying future adversary actions.
While a ship currently possesses several options for responding to unsophisticated cyber attacks such as malware or denial of service, the ability to respond to advanced persistent threats is extremely limited, especially when those threats target non-C4I systems. As a result, the TFCA strategy proposes an architectural change to tactical platform networks, inserting control points at key locations within the network topology. The control-point concept envisions combinations of hardware and software that provide a choke point through which network traffic flows. This allows enhanced boundary defense for non-C4I systems and monitoring of the network for cyber situational awareness. Control points also serve as a location for the rapid technological insertion of updated security controls and as a means for segmenting the network. They are a key element of the cyber-resilient architecture proposed in the TFCA strategy and, when technologically mature, will themselves become systems that provide mission-critical capability.
The most critical element of TFCA’s cyber-resiliency strategy is the concept of CYBERSAFE, which seeks to improve overall mission assurance by improving cyber resiliency at key points within the network.7 Specifically, CYBERSAFE will accomplish this through a set of design, certification, and operational requirements that will be centrally managed through the CYBERSAFE Office and applied to cyber systems that affect mission assurance. This concept acknowledges that not all systems are as critical to assuring the safety of ship and warfighting capability as others. Control points, for example, will be one of the first sets of systems that will be part of CYBERSAFE, due to the capability they will provide to respond and recover from a cyber attack. In setting design and certification requirements, CYBERSAFE will also define common standards and protocols to guide acquisition programs during the procurement, implementation, and configuration of future systems. These common standards and protocols will be essential to designing agility and ensuring cyber resiliency of future systems.
Dynamic Cyber Operations
In the air-defense scenario, when General Quarters is set, the ship sets material condition ZEBRA in preparation for a potential adversary attack. Implementing CYBERSAFE provides a similar capability, allowing the ship to segment its network using control points, either proactively or reactively. In addition to addressing cyber-system design, CYBERSAFE also establishes requirements regarding operation of ship networks. The most significant of these is the establishment of CYBERSAFE conditions X-RAY, YOKE, and ZEBRA, which are analogous to the identically named ship-material conditions.
For a ship in CYBERSAFE condition X-RAY, all normal internal and external network connections are operational; in condition YOKE, only mission-essential and mission-critical connections are operational; and in ZEBRA, all external network connections are secured. While CYBERSAFE has developed specific guidance on the determination of mission-essential and mission-critical systems, these categories roughly align with ship-combat capability and ship safety respectively. Implementing the CYBERSAFE concept will ensure that those components throughout the ship that provide mission-critical capabilities can be protected, monitored, and restored with greater assurance.
For example, if a ship has a known vulnerability or indications and warnings that an adversary will target a specific system on the network, the ship will proactively set a CYBERSAFE condition and terminate all or a portion of network traffic flowing in or out of that segment. Similarly, if cyber situational-awareness capabilities indicate that a particular system is under attack, a CYBERSAFE condition can be set or that specific portion of the network can be segmented to disrupt the adversary’s actions. If it is assumed that an advanced persistent adversary will at some point be capable of penetrating a unit’s cyber defenses, in effect creating a cyber leaker, the ability to segment the network in near real-time is crucial to achieving cyber resiliency. Similar to shutting watertight doors when flooding occurs, segmenting the network limits the extent of damage and makes focused isolation efforts possible. In essence, segmentation preserves the warfighting capability throughout the remainder of the ship and is the capability that truly separates TFCA’s cyber-resiliency strategy from traditional cyber-readiness approaches.
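The condition model described above (X-RAY, YOKE, ZEBRA) and the reactive segmentation of a single network portion can be made concrete as a policy a control point evaluates. The following is an added example, not code from the article, the Navy, or TFCA. The segment names, the connection table, and the criticality labels are constructed; the rule that ZEBRA also keeps YOKE's internal restriction while cutting every external connection is an assumption made here, since the article only states that ZEBRA secures all external connections.

```python
"""A control point evaluating connections under CYBERSAFE conditions.

Added illustration, not Navy or TFCA code. The segment names, connection
table and criticality labels are constructed. The three conditions follow
the article: X-RAY permits all normal connections, YOKE only
mission-essential and mission-critical ones, and ZEBRA secures every
external connection. Treating ZEBRA as also keeping YOKE's internal
restriction is an assumption made here.
"""
from dataclasses import dataclass
from enum import Enum


class Condition(Enum):
    XRAY = "X-RAY"
    YOKE = "YOKE"
    ZEBRA = "ZEBRA"


class Criticality(Enum):
    NORMAL = 1
    MISSION_ESSENTIAL = 2   # roughly ship-combat capability
    MISSION_CRITICAL = 3    # roughly ship safety


EXTERNAL = "EXTERNAL"  # constructed label for any off-ship endpoint


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    criticality: Criticality

    @property
    def is_external(self) -> bool:
        return EXTERNAL in (self.src, self.dst)


# Constructed table of the connections this control point knows about.
CONNECTIONS = {
    "nav->c4i": Connection("navigation", "c4i", Criticality.MISSION_CRITICAL),
    "weapons->c4i": Connection("weapons", "c4i", Criticality.MISSION_ESSENTIAL),
    "hme->c4i": Connection("hme", "c4i", Criticality.NORMAL),
    "nav->weather": Connection("navigation", EXTERNAL, Criticality.NORMAL),
    "c4i->satcom": Connection("c4i", EXTERNAL, Criticality.MISSION_ESSENTIAL),
}


def permitted(conn, condition, isolated=frozenset()):
    """Decide whether one connection may flow.

    `isolated` holds segments operators have reactively segmented; that
    overrides the condition entirely, like dogging down a single hatch.
    """
    if conn.src in isolated or conn.dst in isolated:
        return False
    if condition is Condition.XRAY:
        return True
    essential = conn.criticality is not Criticality.NORMAL
    if condition is Condition.YOKE:
        return essential
    # ZEBRA: no external connections at all; internal ones as in YOKE (assumption).
    return essential and not conn.is_external


def allowed(condition, isolated=frozenset()):
    """Names of connections the control point keeps open under a condition."""
    return {name for name, c in CONNECTIONS.items() if permitted(c, condition, isolated)}


def transition_cuts(old, new, isolated=frozenset()):
    """Connections the control point must terminate when the condition changes."""
    return allowed(old, isolated) - allowed(new, isolated)


if __name__ == "__main__":
    for cond in Condition:
        print(cond.value, sorted(allowed(cond)))
    print("X-RAY -> YOKE cuts:", sorted(transition_cuts(Condition.XRAY, Condition.YOKE)))
    print("YOKE, navigation isolated:", sorted(allowed(Condition.YOKE, frozenset({"navigation"}))))
```

Separating the condition (a ship-wide posture) from the `isolated` set (a targeted response to one segment) mirrors the two cases in the paragraph: setting a condition proactively on indications and warnings, versus segmenting one portion of the network when a specific system is under attack. Either action is reversible at the control point, which is what lets the rest of the ship keep its connections.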
Immediately following the ASCM impact discussed in the scenario, damage-control teams work to locate and then isolate the sources of fire and flooding. They then begin the process of repairing systems to restore the ship’s maximum operational capability as quickly as possible. Within the TFCA strategy, recovery efforts are designed to locate, isolate, and repair exploited systems or components. In parallel, once the exploited system or component is isolated, restoration of the remainder of the network segment can begin, leading to the re-enablement of the control-point connection to the ship’s full network. This is similar to isolating flooding, patching, and then restoring the system to operation.
All recovery efforts are dependent on the availability and quality of cyber situational-awareness information. Locating a specific exploit within a network segment requires an understanding of both current and known good baseline conditions. The quality of cyber situational-awareness capability is crucial to quickly determining, down to the smallest network component possible, the location of an adversary’s exploit. When restoring systems following isolation of an exploit, cyber situational awareness is also necessary to ensure that all exploits have been contained, similar to ensuring isolations are holding when restoring a seawater system post-flooding.
The Future of Cyber Resiliency
The TFCA cyber-resiliency strategy is the starting point for a great deal of work that must be done to enact the cultural, organizational, and architectural changes required. Additionally, the Navy’s current cyber-security inspections are focused on cyber readiness and work must be done to evolve these metrics to the point where they capture a unit’s cyber resiliency. Only then will the following hypothetical scenario possibly occur on board U.S. Navy warships:
The 1MC comes alive with an intelligence report that Country Orange is conducting widespread attacks on DOD networks throughout the theater. Simultaneously, high-speed patrol boats from the enemy nation, armed with ASCMs, are closing the unit. Indications are that heightened tension may lead Country Orange to attack U.S. naval vessels in the region. General Quarters is sounded immediately after the 1MC and the ship sets material condition ZEBRA and CYBERSAFE condition YOKE.
Minutes later, the ship’s network operators receive an alert indicating that a system within the navigation portion of the ship’s network is attempting to establish a connection with an unidentified endpoint external to the ship. When advised, the TAO immediately orders execution of the appropriate network-casualty procedure. Based on this order, network operators segment the navigation portion of the ship’s network. Using the network monitoring and forensics tools at their disposal, the operators follow their supplemental procedures to replay the event that triggered the alert.
Determining that the suspicious connection attempt is coming from a specific display terminal, the operators isolate the display terminal by removing it from the network. Once the component is isolated, the ship’s network operators request permission from the TAO to restore the navigation portion of the ship’s network. Simultaneously, a technician goes to the exploited navigation display terminal and begins work to restore the device to a known secure configuration. Upon TAO concurrence, network operators reconnect the navigation segment of the network to the ship’s larger network while monitoring for the original suspicious connection activity. Then the 1MC sounds again, “Secure from General Quarters. Drill monitors report to the crew’s mess for debrief.”
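The detection, event replay, and containment check in this scenario, and the sensor-driven situational awareness and event reconstruction described earlier under Agile Cyber-System Design, can be illustrated with a small analysis over control-point sensor records. The following is an added example, not code from the article, the Navy, or TFCA. The log format, the addresses, the segment name, and the baseline of approved off-ship endpoints are all constructed for the example; a real control-point sensor would have its own record format.

```python
"""Detecting and reconstructing an unexpected outbound connection from a
ship network segment.

Added illustration, not code from the article, the Navy, or TFCA. The log
format, addresses, segment names and the baseline of approved endpoints are
constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sensor records from a control point on the navigation segment.
FLOW_LOG = """\
2015-04-15T10:02:11Z cp=nav-cp src=10.20.1.17 dst=10.30.0.5 dport=8080 action=allow
2015-04-15T10:02:40Z cp=nav-cp src=10.20.1.17 dst=198.51.100.10 dport=443 action=allow
2015-04-15T10:03:05Z cp=nav-cp src=10.20.1.17 dst=203.0.113.45 dport=443 action=block
2015-04-15T10:03:06Z cp=nav-cp src=10.20.1.17 dst=203.0.113.45 dport=8443 action=block
2015-04-15T10:03:20Z cp=nav-cp src=10.20.1.9 dst=10.30.0.5 dport=8080 action=allow
2015-04-15T10:04:01Z cp=nav-cp src=10.20.1.17 dst=203.0.113.45 dport=443 action=block
"""

SHIP_NETWORK = ipaddress.ip_network("10.0.0.0/8")  # constructed on-ship range
# Known-good baseline: off-ship endpoints the navigation segment is approved
# to reach (constructed; think of a weather feed).
NAV_BASELINE = {ipaddress.ip_address("198.51.100.10")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) cp=(?P<cp>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse(log_text):
    """Turn raw sensor lines into records; malformed lines are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        d["src"] = ipaddress.ip_address(d["src"])
        d["dst"] = ipaddress.ip_address(d["dst"])
        d["dport"] = int(d["dport"])
        events.append(d)
    return events


def detect_unexpected_external(events, baseline):
    """Alert on any flow leaving the ship for an endpoint not in the baseline."""
    alerts = []
    for e in events:
        if e["dst"] in SHIP_NETWORK or e["dst"] in baseline:
            continue
        alerts.append((e["ts"], str(e["src"]), str(e["dst"]), e["dport"]))
    return alerts


def locate_source(alerts):
    """Count alerts per source host so operators can isolate the right terminal."""
    counts = defaultdict(int)
    for _, src, _, _ in alerts:
        counts[src] += 1
    return dict(counts)


def reconstruct(events, host):
    """Replay everything the sensor saw from one host, in time order."""
    host_ip = ipaddress.ip_address(host)
    return sorted(
        (e["ts"], str(e["dst"]), e["dport"], e["action"])
        for e in events if e["src"] == host_ip
    )


def confirm_contained(events, host, isolated_at):
    """After isolation, verify the host generated no further flows.

    Timestamps share one ISO format, so string comparison orders them.
    """
    host_ip = ipaddress.ip_address(host)
    return not any(e["src"] == host_ip and e["ts"] > isolated_at for e in events)


if __name__ == "__main__":
    evs = parse(FLOW_LOG)
    found = detect_unexpected_external(evs, NAV_BASELINE)
    print("alerts:", found)
    print("by host:", locate_source(found))
    print("timeline:", reconstruct(evs, "10.20.1.17"))
    print("contained:", confirm_contained(evs, "10.20.1.17", "2015-04-15T10:05:00Z"))
```

The baseline is the "known good" condition the article calls essential for locating an exploit: without it, an approved external feed and an unidentified endpoint look alike. `confirm_contained` is the cyber analogue of checking that isolations are holding before restoring a seawater system; here it fails if the host is still generating flows after the recorded isolation time.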
While the Navy is many years from realizing this capability, the cyber-resiliency strategy developed by Task Force Cyber Awakening advances the Navy toward this reality—where instead of advanced cyber threats crippling a ship’s mission capability, the captain can fight through the cyber barrage, saying, “Don’t give up the ship.”
1. U.S. Department of the Navy, U.S. Fleet Cyber Command/U.S. 10th Fleet Navy Unit Commendation, November 2014.
2. U.S. Department of the Navy, NAVADMIN 094/15, “CYBERSAFE Program Initial Operational Capability Message,” 15 April 2015, www.public.navy.mil/bupers-npc/reference/messages/Documents/NAVADMINS/NAV2015/NAV15094.txt.
3. U.S. Department of the Navy, “Commander’s Cyber Security and Information Assurance Handbook,” 26 February 2013, https://www.cool.navy.mil/usn/ia_documents/5239_NCF_Cybersecurity_IA_HANDBOOK.pdf, Chapter 3, 1–4.
4. Ibid.
5. Department of Defense, Defense Science Board, “Task Force Report: Resilient Military Systems and the Advanced Cyber Threat,” January 2013, www.acq.osd.mil/dsb/reports/ResilientMilitarySystems.CyberThreat.pdf, 20.
6. “US Navy deploys Standard Missile-6 for first time,” PRNewswire, 2 December 2013, www.prnewswire.com/news-releases/us-navy-deploys-standard-missile-6-for-first-time-234057231.html.
7. U.S. Department of the Navy, NAVADMIN 094/15, “CYBERSAFE Program Initial Operational Capability Message.”