Naval Sea Systems Command (NAVSEA) and the Navy as a whole are working on several documents to spread cybersecurity awareness to the acquisition community and the fleet.
NAVSEA chief engineer Rear Adm. Bryant Fuller said Thursday at an American Society for Naval Engineers event that a Navy Information Assurance/Information Technology Technical Advisory Board (IA/IT TAB) has already approved eight technical standards for cyber security in Navy systems, and is set to have about 24 by the end of the fiscal year.
“Part of the job of the TAB is to go figure out technically what is it we want to do, and one of the things that we’re working on is specs and standards,” Fuller said in his presentation of the TAB, which was stood up a couple years ago and includes the chief engineers of all the Navy and Marine Corps system commands, as well as representation from U.S. Cyber Command and the information dominance directorate (OPNAV N2/N6).
NAVSEA is now taking those standards and specifications and determining how to apply them to ships and ship-based systems. Fuller said his NAVSEA engineering directorate (SEA 05) spent most of Fiscal Year 2015 surveying the cyber developments at the Navy warfare centers, in academia and at national labs to understand what cyber tools are available. Now, SEA 05 and the Navy must decide, “what is it that we really need? We focused real hard on going and looking at what kind of tools and stuff do we have out there for situational awareness, intrusion protection systems, intrusion detection systems, anomalous behavior, tools to recognize anomalous behaviors, resiliency, concepts of operations, operating systems,” but no decisions have been made yet on what the ideal cybersecurity tool actually looks like.
Fuller does know some qualities he wants to see in the eventual cybersecurity tool. It should be common between the warfare systems and the machinery control systems, he said. The tool will have to not only monitor the boundaries of each Navy control system, but also monitor inside the system for anomalous behaviors. The tool should also be scalable to give each system the amount of protection it needs, and it should be software-based and upgradeable to keep pace with the threat environment.
Human behavior will also have to be adjusted to help the cybersecurity system. Hull, mechanical and electric (HM&E) systems do not have to be connected to the network at all times, and should only be connected when the crew needs to send data off the ship, Fuller said – though even a part-time connection to a network means the systems will need robust cyber monitoring.
Ideally, he said, “if we can get the 80-percent solution, get it scalable and upgradeable, then we can put it out there, work on the human behaviors, we’ll be way way better off – and then get disconnected where we don’t need to be – we’ll be better off than we are right now. And then as we learn more, better tools come out, threats evolve, then we’ll just upgrade.”
To help get to that ideal, SEA 05 is taking the TAB’s standards and specifications and turning them into a functional requirements document for ship-based systems specifically. Fuller said he expects that document to be complete by the end of the year, and an objective architecture will then be developed based on the FRD. Those documents will guide the cybersecurity architecture of future ships, including the Arleigh Burke-class guided missile destroyer Flight III upgrade, the LHA-8 amphibious assault ship, the LX(R) dock landing ship replacement and more. And a series of ship change documents (SCDs) will go out to describe how to backfit existing ships to include cybersecurity tools.
Several other lines of effort are taking place as well, Fuller said. Two years ago CYBERCOM put out a Cyber Best Practices Manual that Fuller thought focused on information systems, so SEA 05 in July released an appendix to the manual to include best practices for control systems.
Fuller’s team has visited a destroyer in the fleet to watch how sailors actually operate control systems, and plans to visit two more ships in the coming weeks. Those observations will inform future updates to the manual’s appendix.
Also affecting the operational fleet is a more robust pre-deployment cyber certification. Previously the Navy only certified that warfare systems were hardened against cyber threats, but machinery control systems will now be added to the certification as well, creating a “more holistic certification” before heading overseas, Fuller said.