DHS S&T Cyber Security Division (CSD) Overview (slide deck)

SLIDE 1

DHS S&T Cyber Security Division (CSD) Overview

TCIPG Industry Workshop, UIUC, November 8, 2011

Dept. of Homeland Security Science & Technology Directorate

Greg Wigton, Program Manager, Cyber Security Division, Homeland Security Advanced Research Projects Agency (HSARPA)
Gregory.Wigton@dhs.gov, 202-254-6140

SLIDE 2

Comprehensive National Cybersecurity Initiative (CNCI)

Establish a front line of defense
  • Reduce the Number of Trusted Internet Connections
  • Deploy Passive Sensors Across Federal Systems
  • Pursue Deployment of Automated Defense Systems
  • Coordinate and Redirect R&D Efforts

Resolve to secure cyberspace / set conditions for long-term success
  • Connect Current Centers to Enhance Situational Awareness
  • Develop Gov’t-wide Counterintelligence Plan for Cyber
  • Increase Security of the Classified Networks
  • Expand Education

Shape future environment / secure U.S. advantage / address new threats
  • Define and Develop Enduring Leap Ahead Technologies, Strategies & Programs
  • Define and Develop Enduring Deterrence Strategies & Programs
  • Manage Global Supply Chain Risk
  • Cyber Security in Critical Infrastructure Domains

http://cybersecurity.whitehouse.gov

SLIDE 3

Federal Cybersecurity Research and Development Program: Strategic Plan

SLIDE 4

Federal Cybersecurity R&D Strategic Plan

Research Themes
  • Tailored Trustworthy Spaces
  • Moving Target Defense
  • Cyber Economics and Incentives
  • Designed-In Security (New for FY12)

Science of Cyber Security

Transition to Practice
  • Technology Discovery
  • Test & Evaluation / Experimental Deployment
  • Transition / Adoption / Commercialization

Support for National Priorities
  • Health IT, Smart Grid, NSTIC (Trusted Identity), NICE (Education), Financial Services

28 October 2011

SLIDE 5

Quadrennial Homeland Security Review

The Core Missions
  1. Preventing terrorism and enhancing security;
  2. Securing and managing our borders;
  3. Enforcing and administering our immigration laws;
  4. Safeguarding and securing cyberspace; and
  5. Ensuring resilience to disasters.

Mission 6: Maturing and Strengthening the Homeland Security Enterprise

Foster Innovative Solutions Through Science and Technology
  • Ensure scientifically informed analyses and decisions are coupled to effective technological solutions
  • Conduct scientific assessments of threats and vulnerabilities
  • Foster collaborative efforts involving government, academia, and the private sector to create innovative approaches to key homeland security challenges

SLIDE 6

DHS S&T Mission

Strengthen America’s security and resiliency by providing knowledge products and innovative technology solutions for the Homeland Security Enterprise

SLIDE 7

SLIDE 8

Cyber Security Division (CSD) R&D Execution Model

SLIDE 9

Cyber Security Program Areas
  • Research Infrastructure to Support Cybersecurity (RISC)
  • Trustworthy Cyber Infrastructure (TCI)
  • Cyber Technology Evaluation and Transition (CTET)
  • Foundational Elements of Cyber Systems (FECS)
  • Cybersecurity User Protection and Education (CUPE)

SLIDE 10

Research Infrastructure to Support Cybersecurity (RISC)

Experimental Research Testbed (DETER)
  • Researcher- and vendor-neutral experimental infrastructure
  • DETER - http://www.isi.edu/deter/

Research Data Repository (PREDICT)
  • Repository of network data for use by the U.S.-based cyber security research community
  • PREDICT - https://www.predict.org

Software Quality Assurance (SWAMP)
  • A software assurance testing and evaluation facility and the associated research infrastructure services

SLIDE 11

Trustworthy Cyber Infrastructure (TCI)

Secure Protocols
  • DNSSEC - Domain Name System Security Extensions
  • SPRI - Secure Protocols for Routing Infrastructure

Process Control Systems
  • LOGIIC - Linking Oil & Gas Industry to Improve Cybersecurity
  • TCIPG - Trustworthy Computing Infrastructure for the Power Grid

Internet Measurement and Attack Modeling
  • Geographic mapping of Internet resources
  • Logically and/or physically connected maps of Internet resources
  • Monitoring and archiving of BGP route information

SLIDE 12

Cyber Technology Evaluation and Transition (CTET)

Assessment and Evaluations
  • Red Teaming of DHS S&T-funded technologies

Experiments and Pilots
  • Experimental Deployment of DHS S&T-funded technologies into operational environments

Transition to Practice (CNCI)
  • New FY12 Initiative

SLIDE 13

Foundational Elements of Cyber Systems (FECS)
  • Enterprise Level Security Metrics and Usability
  • Homeland Open Security Technology (HOST)
  • Software Quality Assurance
  • Cyber Economic Incentives (CNCI)
    - New FY12 Initiative
  • Leap Ahead Technologies (CNCI)
  • Moving Target Defense (CNCI)
    - New FY12 Initiative
  • Tailored Trustworthy Spaces (CNCI)
    - New FY12 Initiative

SLIDE 14

Cybersecurity User Protection and Education (CUPE)

Cyber Security Competitions
  • National Initiative for Cybersecurity Education (NICE)
  • NCCDC (Collegiate); U.S. Cyber Challenge (High School)

Cyber Security Forensics
  • More later

Identity Management
  • National Strategy for Trusted Identities in Cyberspace (NSTIC)

Data Privacy Technologies
  • New Start in FY13

SLIDE 15

DHS S&T Cybersecurity Program

Chart grouping the program's efforts under four headings: PEOPLE, SYSTEMS, INFRASTRUCTURE and RESEARCH INFRASTRUCTURE. Efforts shown on the chart: Secure Protocols; Identity Management; Enterprise Level Security Metrics & Usability; Data Privacy; Cyber Forensics; Competitions; Process Control Systems; Internet Measurement & Attack Modeling; Experimental Research Testbed (DETER); Research Data Repository (PREDICT); Software Quality Assurance (SWAMP); Software Quality Assurance; Homeland Open Security Technology; Experiments & Pilots; Assessments & Evaluations; Cyber Economic Incentives; Moving Target Defense; Tailored Trustworthy Spaces; Leap Ahead Technologies; Transition To Practice.

SLIDE 16

Critical Infrastructure / Key Resources

DECIDE (Distributed Environment for Critical Infrastructure Decision-making Exercises)
  • Provide a dedicated exercise capability to foster an effective, practiced business continuity effort to deal with increasingly sophisticated cyber threats
  • Enterprises initiate their own exercises, define their own scenarios, protect their proprietary data, and learn vital lessons to enhance business continuity
  • The Financial Services Sector Coordinating Council R&D Committee has organized a user-group of subject matter experts paid by their respective financial institutions to support the project over the next two years.

LOGIIC - Linking the Oil & Gas Industry to Improve Cybersecurity
  • A collaboration of oil and natural gas companies and DHS S&T to facilitate cooperative research, development, testing, and evaluation procedures to improve cyber security in Industrial Automation and Control Systems
  • Consortium under the Automation Federation

TCIPG - Trustworthy Computing Infrastructure for the Power Grid
  • Partnership with DOE funded at UIUC with several partner universities and industry participation
  • Drive the design of an adaptive, resilient, and trustworthy cyber infrastructure for transmission & distribution of electric power, including the new resilient “smart” power grid

SLIDE 17

DECIDE (Distributed Environment for Critical Infrastructure Decision-making Exercises)

Enable enterprise decision-makers to think through responses to operational disruptions of market-based transactions across networks
  • Sector(s), Market(s), Institution(s)

Provide a dedicated exercise capability for several critical infrastructures in the U.S.
  • Beginning with Banking and Finance

Foster an effective, practiced business continuity effort to deal with increasingly sophisticated cyber threats

Enterprises will be able to initiate their own large-scale exercises, define their own scenarios, protect their proprietary data, and learn vital lessons to enhance business continuity, all from their desktops

Think through sector impacts of the National Planning Scenarios

Enhance coordination during a large-scale disruption to key infrastructures

The concept has been reviewed by and developed with input from experts at ChicagoFIRST, the Options Clearing Corporation, ABN-AMRO, Eurex, Archipelago, Bank of New York, and CitiBank.

The Financial Services Sector Coordinating Council R&D Committee is organizing a user-group of subject matter experts paid by their respective financial institutions to support the project over the next two years.

SLIDE 18

DECIDE

Began as a gleam in the eye of a BNY Risk Manager in 2004
  • Seen as a logical follow-on to the 2003 Livewire Cyber Exercise Simulation
  • Designed to stress the massive interdependencies of critical infrastructures and help them prepare for low probability / high consequence disruptions

Prototyped in 2005 / 2006 with some Homeland Security funding

Gained FSSCC Support in 2006
  • Meets a priority FSSCC R&D Need

Transitioned to a $15 million full-scale R&D effort funded by the Department of Homeland Security in 2008

R&D team led by Norwich University Applied Research Institutes

Goal: Create a Finance-sector requested, software-based simulation environment for sector-risk exercises

SLIDE 19

Partnership
  • Project LOGIIC is a model for government-industry technology integration and demonstration efforts to address critical R&D needs
  • Industry contributes
    - Requirements and operational expertise
    - Project management
    - Product vendor channels
  • DHS S&T contributes
    - National Security Perspective on threats
    - Access to long term security research
    - Independent researchers with technical expertise
    - Testing facilities

SLIDE 20

Overview (LOGIIC)
  • Opportunity: Reduce vulnerabilities of oil & gas process control environments by correlating and analyzing abnormal events to identify and prevent cyber security threats
  • Approach:
    - Identify new types of security sensors for process control networks
    - Adapt a best-of-breed correlation engine to this environment
    - Integrate in testbed and demonstrate
    - Transfer technology to industry

Diagram: the Business Network, the Process Control Network and External Events feed the LOGIIC Correlation Engine, which produces Attack Indications and Warnings.
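
As an added illustration of the correlation approach on this slide (this is not LOGIIC code or a DHS deliverable), the Python below merges events from a business network, a process control network and an external advisory feed and scores them into indications and warnings. The log format, the three rules, the thresholds and the sample events are constructed for the example; the slide describes adapting a production correlation engine to new PCN sensors, which is the part a toy cannot show.

```python
"""Multi-source event correlation in the spirit of the LOGIIC diagram:
events from the business network, the process control network (PCN) and
external feeds are merged in time order and turned into attack
indications and warnings.

Added example, not LOGIIC code. The log format, the rules, the
thresholds and the sample events are all constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # "business", "pcn" or "external"
    kind: str     # sensor-specific event type
    actor: str    # host, asset or product the event is about


# Constructed sensor output, one event per line: timestamp|source|kind|actor
SAMPLE_LOG = """\
2011-11-08T09:00:00|external|vendor-advisory|plc-vendor-x
2011-11-08T09:12:10|business|ids-portscan|10.1.5.23
2011-11-08T09:14:02|business|auth-failure|10.1.5.23
2011-11-08T09:14:30|business|auth-failure|10.1.5.23
2011-11-08T09:15:45|pcn|unexpected-write|plc-07
2011-11-08T10:40:00|pcn|unexpected-write|plc-07
2011-11-08T11:00:00|business|ids-portscan|10.1.9.4
"""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed line format and return events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, kind, actor = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), source, kind, actor))
    return sorted(events, key=lambda e: e.ts)


def correlate(events: List[Event],
              window: timedelta = timedelta(minutes=30),
              advisory_age: timedelta = timedelta(days=7),
              auth_fail_threshold: int = 2) -> List[dict]:
    """Single pass over time-ordered events.

    Rules (constructed for the example):
      * repeated auth failures from one business-network host inside the
        window -> low-severity indication (noise on its own);
      * an unexpected write on the PCN -> medium-severity warning;
      * the same write preceded, inside the window, by business-network
        activity -> elevated, and high if a vendor advisory is still
        current, because no single sensor would have scored it that way.
    """
    warnings: List[dict] = []
    recent_business: List[Event] = []
    advisories: List[Event] = []
    auth_failures: Dict[str, List[datetime]] = defaultdict(list)

    for ev in events:
        # Drop business-network events that have aged out of the window.
        recent_business = [b for b in recent_business if ev.ts - b.ts <= window]

        if ev.source == "external" and ev.kind == "vendor-advisory":
            advisories.append(ev)

        elif ev.source == "business":
            recent_business.append(ev)
            if ev.kind == "auth-failure":
                times = auth_failures[ev.actor]
                times.append(ev.ts)
                times[:] = [t for t in times if ev.ts - t <= window]
                if len(times) == auth_fail_threshold:   # fire once per burst
                    warnings.append({"ts": ev.ts, "severity": "low",
                                     "asset": ev.actor, "evidence": len(times),
                                     "reason": "repeated auth failures"})

        elif ev.source == "pcn" and ev.kind == "unexpected-write":
            precursors = len(recent_business)
            advisory_live = any(ev.ts - a.ts <= advisory_age for a in advisories)
            if precursors == 0:
                severity, reason = "medium", "unexpected PCN write, no precursor"
            elif advisory_live:
                severity, reason = "high", "business-network activity then PCN write, vendor advisory current"
            else:
                severity, reason = "elevated", "business-network activity then PCN write"
            warnings.append({"ts": ev.ts, "severity": severity, "asset": ev.actor,
                             "evidence": precursors, "reason": reason})
    return warnings


if __name__ == "__main__":
    for w in correlate(parse_log(SAMPLE_LOG)):
        print(f"{w['ts'].isoformat()} {w['severity']:8} {w['asset']:10} {w['reason']}")
```

On the constructed log this yields three outputs: a low indication for the two auth failures from 10.1.5.23, a high warning for the plc-07 write at 09:15:45 (three business-network precursors plus a current advisory), and a medium warning for the isolated plc-07 write at 10:40. The lone port scan at 11:00 produces nothing, which is the point of correlating across segments rather than alerting on each sensor in isolation.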
SLIDE 21

Consortium

Diagram boxes: Oil & Gas Sector; Participating Companies; Project #1, Project #2, Project #3, Project #4 ... Project #N; Researchers; Vendors; Labs; DHS S&T; ISA Automation Federation (AF); DHS PCII.

SLIDE 22

SIS Project
  • Security of Safety Instrumented Systems
  • SIS Objective: bring a process plant to a safe state when an excursion outside pre-established operating parameters occurs
  • SIS increasingly integrated with PCS: is the integrity of production facilities jeopardized?
  • LOGIIC SIS will result in
    - Security improvements
    - Characterization of residual risk
    - Architectural recommendations
    - Confidence in the architectural integrity of SIS

Final summary report provides architectural recommendations for PCS/SIS integration

Outreach to standards bodies and the sector is underway

SLIDE 23

Trustworthy Cyber Infrastructure for the Power Grid

Current TCIPG Effort
  • $18.5 M over 5 years
    - Jointly funded with Department Of Energy
  • 5 universities, 20 senior investigators
    - University of Illinois at Urbana-Champaign
    - Washington State University
    - Cornell University
    - Dartmouth College
    - University of California at Davis
  • Over 40 Graduate and Undergraduate Students
  • External Advisory Board (8 members)
  • Industry interaction board (75 members)

SLIDE 24

Industrial Control Systems Joint Working Group (ICSJWG)
  • Administered by the Dept. of Homeland Security’s Control Systems Security Program.
  • Provides a vehicle for collaboration between government and private sector control systems stakeholders
    - Government Coordinating Council
    - Sector Coordinating Council
    - Subject Matter Experts
  • Meets twice a year in conference as a plenary session; sub groups meet as needed.
  • Includes 5 subgroups plus 1 pending
    - ICS Roadmap Development
    - International
    - Research and Development
    - Standards and Metrics (pending)
    - Vendor / Public Coordination
    - Workforce Development

SLIDE 25

ICSJWG Research & Development Subgroup
  • The Research and Development Subgroup will identify existing and planned research and development needs and priorities as they relate to industrial control systems
  • Objectives
    - Identify existing and planned R&D needs and priorities as they relate to ICS
    - Identify desired areas of ICS research not currently under way
    - Evaluate if a more secure process or mechanism is needed for sharing sensitive R&D information
  • DHS S&T co-chairs the R&D subgroup
  • For more information, visit: http://www.us-cert.gov/control_systems/icsjwg

SLIDE 26

HSARPA Cyber Security R&D Broad Agency Announcement (BAA) 11-02

Delivers both near-term and medium-term solutions
  • To develop new and enhanced technologies for the detection of, prevention of, and response to cyber attacks on the nation’s critical information infrastructure, based on customer requirements
  • To perform research and development (R&D) aimed at improving the security of existing deployed technologies and to ensure the security of new emerging cybersecurity systems;
  • To facilitate the transfer of these technologies into operational environments.

Proposals Received According to 3 Levels of Technology Maturity
  • Type I (New Technologies): Applied Research Phase; Development Phase; Demo in Op Environ.; Funding ≤ $3M & 36 mos.
  • Type II (Prototype Technologies): More Mature Prototypes; Development Phase; Demo in Op Environ.; Funding ≤ $2M & 24 mos.
  • Type III (Mature Technologies): Mature Technology; Demo Only in Op Environ.; Funding ≤ $750K & 12 mos.

Note: Technology Demonstrations = Test, Evaluation, and Pilot deployment in DHS “customer” environments

SLIDE 27

Technical Topic Areas (TTAs)
  • TTA-1 Software Assurance (DHS, FSSCC)
  • TTA-2 Enterprise-level Security Metrics (DHS, FSSCC)
  • TTA-3 Usable Security (DHS, FSSCC)
  • TTA-4 Insider Threat (DHS, FSSCC)
  • TTA-5 Resilient Systems and Networks (DHS, FSSCC)
  • TTA-6 Modeling of Internet Attacks (DHS)
  • TTA-7 Network Mapping and Measurement (DHS)
  • TTA-8 Incident Response Communities (DHS)
  • TTA-9 Cyber Economics (CNCI)
  • TTA-10 Digital Provenance (CNCI)
  • TTA-11 Hardware-enabled Trust (CNCI)
  • TTA-12 Moving Target Defense (CNCI)
  • TTA-13 Nature-inspired Cyber Health (CNCI)
  • TTA-14 Software Assurance MarketPlace (SWAMP) (S&T)

SLIDE 28

Small Business Innovation Research (SBIR)
  • Important program for creating new innovation and accelerating transition into the marketplace
  • Since 2004, DHS S&T Cyber Security has had:
    - 60 Phase I efforts
    - 27 Phase II efforts
    - 4 Phase II efforts currently in progress
    - 9 commercial/open source products available
    - Three acquisitions
      - Komoku, Inc. (MD) acquired by Microsoft in March 2008
      - Endeavor Systems (VA) acquired by McAfee in January 2009
      - Solidcore (CA) acquired by McAfee in June 2009

SLIDE 29

Cyber Forensics
  • Initial requirements working group held November 2008
    - Attendees from USSS, CBP, ICE, FLETC, FBI, NIJ, TSWG, NIST, Miami-Dade PD, Albany NY PD
  • Initial list of project requirements:
    - Mobile device and GPS forensic tools
    - LE First responder “field analysis kit”
    - High-speed data capture and deep packet inspection
    - Live stream capture for gaming systems
    - Memory analysis and malware tools
    - Info Clearing House

SLIDE 30

SBIR Solicitation 2011.2

Mobile Device Forensics: NAND/NOR Chip Forensics (Lab Tool)
  • Reading the data stored on the chip
  • Reverse engineering of the wear-leveling algorithm
  • Mounting the file system

Bypassing PIN/PUK Codes
  • Tool to extract PIN / PUK codes from locked SIM cards

Disposable Cell Phone Analysis
  • Demonstration and development of methods and tools that will allow an investigator to acquire all call logs, contacts, pictures, videos, and text messages stored within all disposable cell phones.
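
To make the three NAND/NOR steps concrete, the Python below is an added example (not an SBIR deliverable or any vendor's tool). It takes a constructed chip-off dump in which wear-leveling has scattered logical pages across physical pages and left superseded copies behind, and rebuilds the logical image that a file-system parser would then mount. The page geometry and the spare-area layout (logical page number, write sequence, flag byte) are hypothetical; on a real chip, working out that layout from the raw read is the "reverse engineering of the wear-leveling algorithm" step on the slide, and the superseded pages the function sets aside are where earlier or deleted content is often recovered.

```python
"""Physical-to-logical reassembly of a NAND chip-off dump.

Added example, not a DHS/SBIR deliverable. The chip geometry and the
spare-area (OOB) layout below are hypothetical: real controllers use
vendor-specific layouts, and recovering that layout is the
reverse-engineering step on the slide.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

PAGE_DATA = 16            # bytes of user data per page (hypothetical geometry)
SPARE = 4                 # bytes of spare/OOB metadata per page (hypothetical)
PAGE = PAGE_DATA + SPARE
ERASED = b"\xff" * PAGE   # a never-programmed NAND page reads as all ones


def encode_page(data: bytes, lpn: int, seq: int) -> bytes:
    """Hypothetical controller layout: data, then OOB = logical page number
    (2 bytes big-endian), write sequence (1 byte), flags (0x00 = programmed)."""
    assert len(data) == PAGE_DATA
    return data + lpn.to_bytes(2, "big") + bytes([seq, 0x00])


def build_sample_dump() -> bytes:
    """Constructed 8-page dump: three logical pages scattered by wear-leveling,
    two superseded copies left behind, three physical pages still erased."""
    current = [b"FILE:notes.txt  ", b"Meet at 10:30 at", b" the north gate."]
    stale0 = b"FILE:draft.txt  "   # older version of logical page 0
    stale1 = b"Meet at 09:00 at"   # older version of logical page 1
    physical = [
        encode_page(current[2], lpn=2, seq=1),
        ERASED,
        encode_page(stale0, lpn=0, seq=0),
        encode_page(current[1], lpn=1, seq=1),
        ERASED,
        encode_page(current[0], lpn=0, seq=1),
        encode_page(stale1, lpn=1, seq=0),
        ERASED,
    ]
    return b"".join(physical)


def reassemble(dump: bytes) -> Tuple[bytes, Dict[int, List[bytes]]]:
    """Walk the dump page by page, keep the newest copy of each logical page
    for the image, and return superseded copies separately; they often hold
    deleted files or earlier versions and are evidence in their own right."""
    if len(dump) % PAGE:
        raise ValueError("dump length is not a whole number of pages")
    newest: Dict[int, Tuple[int, bytes]] = {}
    stale: Dict[int, List[bytes]] = defaultdict(list)
    for off in range(0, len(dump), PAGE):
        page = dump[off:off + PAGE]
        if page == ERASED:
            continue                      # free page, nothing mapped here
        data, oob = page[:PAGE_DATA], page[PAGE_DATA:]
        lpn = int.from_bytes(oob[0:2], "big")
        seq = oob[2]
        if lpn in newest:
            old_seq, old_data = newest[lpn]
            if seq > old_seq:
                stale[lpn].append(old_data)
                newest[lpn] = (seq, data)
            else:
                stale[lpn].append(data)
        else:
            newest[lpn] = (seq, data)
    if not newest:
        return b"", {}
    # Logical pages that were never written stay erased (0xFF) in the image.
    image = bytearray(b"\xff" * PAGE_DATA * (max(newest) + 1))
    for lpn, (_, data) in newest.items():
        image[lpn * PAGE_DATA:(lpn + 1) * PAGE_DATA] = data
    return bytes(image), dict(stale)


if __name__ == "__main__":
    img, old = reassemble(build_sample_dump())
    print("logical image:", img)
    for lpn, copies in sorted(old.items()):
        print(f"superseded copies of page {lpn}:", copies)
```

The image the function returns is what gets handed to a file-system parser (the "mounting" step); the superseded copies are kept because a physical read preserves them even though the controller no longer maps them.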


SLIDE 31

Timeline of Past Research Reports (1997 to 2007)
  • 1997: President’s Commission on CIP (PCCIP)
  • 1999: NRC CSTB, Trust in Cyberspace
  • 2003: I3P R&D Agenda
  • 2003: National Strategy to Secure Cyberspace
  • 2003: Computing Research Association, 4 Challenges
  • 2004: NIAC, Hardening the Internet
  • 2005: PITAC, Cyber Security: A Crisis of Prioritization
  • 2005: IRC Hard Problems List
  • 2006: NSTC Federal Plan for CSIA R&D
  • 2007: NRC CSTB, Toward a Safer and More Secure Cyberspace

All documents available at http://www.cyber.st.dhs.gov

SLIDE 32

A Roadmap for Cybersecurity Research
  • http://www.cyber.st.dhs.gov
  • Scalable Trustworthy Systems
  • Enterprise Level Metrics
  • System Evaluation Lifecycle
  • Combatting Insider Threats
  • Combatting Malware and Botnets
  • Global-Scale Identity Management
  • Survivability of Time-Critical Systems
  • Situational Understanding and Attack Attribution
  • Information Provenance
  • Privacy-Aware Security
  • Usable Security

SLIDE 33

Summary
  • Cybersecurity research is a key area of innovation needed to support our future
  • DHS S&T continues with an aggressive cyber security research agenda
    - Working to solve the cyber security problems of our current (and future) infrastructure and systems
    - Working with academe and industry to improve research tools and datasets
    - Looking at future R&D agendas with the most impact for the nation, including education
  • Need to continue strong emphasis on technology transfer and experimental deployments

SLIDE 34

For more information, visit http://www.cyber.st.dhs.gov

Greg Wigton, Program Manager, Cyber Security Division, Homeland Security Advanced Research Projects Agency (HSARPA)
Gregory.Wigton@dhs.gov, 202-254-6140