Network Traffic Analysis for Cybersecurity for Navy Industrial Control Systems
Navy SBIR 2018.1 - Topic N181-035
NAVSEA - Mr. Dean Putnam - dean.r.putnam@navy.mil
Opens: January 8, 2018 - Closes: February 7, 2018 (8:00 PM ET)

N181-035

TITLE: Network Traffic Analysis for Cybersecurity for Navy Industrial Control Systems


TECHNOLOGY AREA(S): Information Systems

ACQUISITION PROGRAM: PEO Ships AM, Acquisition Management

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with section 5.4.c.(8) of the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.

OBJECTIVE: Develop a capability to monitor industrial controls system (ICS) communication networks and identify abnormal traffic that may indicate the presence of a cybersecurity threat or unusual system behavior that may indicate that maintenance is required.

DESCRIPTION: The U.S. Navy is expending significant effort to secure its computer-based systems, both its business and management information systems (IS) and its ICS, which operate platforms such as ships, aircraft, and shore-based facilities such as shipyards, manufacturing facilities, and power plants. Although there are many similarities between information technology (IT) systems and ICS, the differences in hardware, software, and operating environment and requirements make securing ICS more difficult. The Government and private industry have made significant investment in and implementation of cybersecurity tools and applications for IS. Although initial research and proposed solutions associated with cybersecurity of ICS have occurred, little has been accomplished concerning prototyping and productionizing, and much less in operating such tools on deployed ICS.

A fundamental way to portray the difference is by looking at the priority of three basic characteristics of computer-based systems: integrity, confidentiality, and availability. IT systems stress confidentiality, integrity, and then availability in that order, or CIA.  The order for ICS is the opposite, stressing availability, integrity, and then confidentiality, or AIC. For example, if an IT system encounters a problem, a typical solution is to restart it.  The operator can perform another task while waiting several minutes for the system to become operational again.  If a problem occurs in the steering system of a ship, one cannot interrupt operation for even a few seconds.  The operator must troubleshoot the problem and rectify it while the system is running.  Significant investment has been made to develop cybersecurity applications for IS; however, because of the differences between IS and ICS, the tools developed for IS need to be modified to work on ICS.

Comparison of IS and ICS:

Performance Requirements:
• Information System = Non-real time, High throughput is demanded, High delay and jitter may be acceptable. Industrial Control System = Real-time, Response is time-critical, Modest throughput is acceptable, High delay and/or jitter is not acceptable.

Availability Requirements:
• Information System = Responses such as rebooting are acceptable, Availability deficiencies can often be tolerated, depending on the system’s operational requirements;
• Industrial Control System = Responses such as rebooting may not be acceptable because of process availability requirements, Availability requirements may necessitate redundant systems, Outages must be planned and scheduled days/weeks in advance, High availability requires exhaustive pre-deployment testing.

Risk Management Requirements:
• Information System = Data confidentiality and integrity is paramount, Fault tolerance is less important – momentary downtime is not a major risk, Major risk impact is delay of business operations;
• Industrial Control System = Human safety is paramount, followed by protection of the process, Fault tolerance is essential, even momentary downtime may not be acceptable, Major risk impacts are regulatory non-compliance, environmental impacts, loss of life, equipment, or production.

Communications:
• Information System = Standard communications protocols, Primarily wired networks with some localized wireless capabilities, Typical IT networking practices;
• Industrial Control System = Many proprietary and standard communication protocols, Several types of communications media used including dedicated wire and wireless (radio and satellite), ICS networks are complex and sometimes require the expertise of control engineers who have specialized knowledge compared to IT engineers.

Change Management:
• Information System = Software changes are applied in a timely fashion in the presence of good security policy and procedures. The procedures are often automated;
• Industrial Control System = Software changes must be thoroughly tested and deployed incrementally throughout a system to ensure that the integrity of the control system is maintained. ICS outages often must be planned and scheduled days/weeks in advance. ICS may use operating systems (OSs) that are no longer supported.

Managed Support:
• Information System = Allow for diversified support styles;
• Industrial Control System = Service support is usually via a single vendor.

Component Lifetime:
• Information System = Lifetime on the order of 3-5 years;
• Industrial Control System = Lifetime on the order of 15-20 years.

Access to Components:
• Information System = Components are usually local and easy to access;
• Industrial Control System = Components can be isolated, remote, and require extensive physical effort to gain access to them.

The application to be developed under this effort will ideally work in real-time; however, during development it can analyze prerecorded data. Measures of effectiveness of the application include the time and amount of data required to identify normal operation of a system, time from start of an anomaly to notification of the anomaly, accurate identification of the anomaly, and the ratio of correct versus false indications, to name a few. Examples of anomalies that could be associated with cybersecurity threats are traffic from a newly introduced piece of equipment, inappropriate commands coming from a component not normally expected to direct other components, and a component flooding the network with traffic meant to overwhelm and slow the system. When provided with system data, the application would be able to make predictions on system failures. An example of an anomaly that may indicate maintenance is required is the unusually frequent cycling of a cooling pump, indicating a problem with the system or a loss in efficiency of the pump.
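The following is an added illustration, not part of the topic text and not any offeror's product, of the baseline-then-detect approach the paragraph above describes. It learns "normal" from a clean capture (which devices exist, which source/destination/function combinations occur, and peak per-window message and pump-start rates) and then flags the four anomaly classes named above: a newly introduced device, a command from a component that does not normally direct others, a flood, and unusually frequent cycling of a cooling pump. It also scores the detector on two of the listed measures of effectiveness: time from anomaly start to notification, and the count of false indications. The device names (hmi, plc, temp_sensor, cooling_pump, laptop), the function names, and all traffic records are constructed for the example; a real deployment would populate Msg from a protocol decoder instead.

```python
"""Added example: baseline learning and anomaly detection over constructed ICS
traffic records. Device names, function codes and all traffic are assumptions."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    t: float   # seconds since capture start
    src: str   # sending device
    dst: str   # receiving device
    fn: str    # "read", "write" (setpoint command), "start"/"stop" (pump control)


def learn_baseline(msgs, window=10.0):
    """Model normal operation from a capture believed to be clean."""
    devices, pairs = set(), set()
    rate = defaultdict(Counter)    # src -> window index -> message count
    starts = defaultdict(Counter)  # dst -> window index -> start commands
    for m in msgs:
        devices.update((m.src, m.dst))
        pairs.add((m.src, m.dst, m.fn))
        rate[m.src][int(m.t // window)] += 1
        if m.fn == "start":
            starts[m.dst][int(m.t // window)] += 1
    return {
        "window": window,
        "devices": devices,
        "pairs": pairs,
        "peak_rate": {s: max(c.values()) for s, c in rate.items()},
        "peak_starts": {d: max(c.values()) for d, c in starts.items()},
    }


def detect(msgs, base, flood_factor=5, cycling_factor=2):
    """Return (time, kind, detail) alerts, one per distinct (kind, detail)."""
    alerts, seen = [], set()
    counts, starts = defaultdict(Counter), defaultdict(Counter)
    w = base["window"]

    def alert(t, kind, detail):
        if (kind, detail) not in seen:
            seen.add((kind, detail))
            alerts.append((t, kind, detail))

    for m in msgs:  # msgs are assumed to be in time order
        idx = int(m.t // w)
        unknown = [d for d in (m.src, m.dst) if d not in base["devices"]]
        if unknown:
            alert(m.t, "new_device", unknown[0])
        elif m.fn in ("write", "start", "stop") and (m.src, m.dst, m.fn) not in base["pairs"]:
            # A component issuing a command it was never seen to issue in baseline.
            alert(m.t, "unexpected_command", f"{m.src}->{m.dst}:{m.fn}")
        counts[m.src][idx] += 1
        if counts[m.src][idx] > flood_factor * base["peak_rate"].get(m.src, 1):
            alert(m.t, "flood", m.src)
        if m.fn == "start":
            starts[m.dst][idx] += 1
            if starts[m.dst][idx] > cycling_factor * base["peak_starts"].get(m.dst, 0):
                alert(m.t, "maintenance_cycling", m.dst)
    return alerts


def score(alerts, truth):
    """truth maps anomaly kind -> time it began. Returns (latency per kind, false alerts)."""
    latency, false_alerts = {}, 0
    for t, kind, _ in alerts:
        if kind in truth:
            latency.setdefault(kind, round(t - truth[kind], 2))
        else:
            false_alerts += 1
    return latency, false_alerts


def normal_traffic(seconds=60):
    """Constructed steady state: HMI polls PLC each second, PLC polls a sensor,
    HMI writes a setpoint every 10 s, pump started every 30 s and stopped 15 s later."""
    msgs = []
    for s in range(seconds):
        msgs.append(Msg(s, "hmi", "plc", "read"))
        msgs.append(Msg(s + 0.1, "plc", "temp_sensor", "read"))
        if s % 10 == 0:
            msgs.append(Msg(s + 0.2, "hmi", "plc", "write"))
        if s % 30 == 0:
            msgs.append(Msg(s + 0.3, "plc", "cooling_pump", "start"))
        if s % 30 == 15:
            msgs.append(Msg(s + 0.3, "plc", "cooling_pump", "stop"))
    return msgs


# Constructed ground truth for the injected anomalies (kind -> start time).
TRUTH = {"unexpected_command": 5.5, "new_device": 12.0,
         "flood": 20.0, "maintenance_cycling": 41.0}


def anomalous_traffic():
    """Normal traffic plus one instance of each anomaly class, all constructed."""
    msgs = normal_traffic(60)
    msgs.append(Msg(5.5, "temp_sensor", "plc", "write"))            # sensor issuing a command
    msgs.append(Msg(12.0, "laptop", "plc", "read"))                 # never-seen device
    msgs += [Msg(20 + i * 0.05, "hmi", "plc", "read") for i in range(100)]   # flood
    msgs += [Msg(41 + i, "plc", "cooling_pump", "start") for i in range(5)]  # rapid cycling
    return sorted(msgs, key=lambda m: m.t)


if __name__ == "__main__":
    base = learn_baseline(normal_traffic())
    found = detect(anomalous_traffic(), base)
    for t, kind, detail in found:
        print(f"t={t:6.2f}  {kind:20s} {detail}")
    print(score(found, TRUTH))
```

Replaying the clean capture through detect() is the false-indication check: a detector tuned on its own baseline should stay silent there. The flood alert fires only once the window count passes five times the learned peak, so its notification latency is a couple of seconds rather than zero; that delay, traded against the false-alert count, is exactly the kind of measure the paragraph asks offerors to report.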

Current cybersecurity of commercial ICS is inadequate despite incidents that are regularly reported in the press, such as the shutdown of an electric distribution grid described in Reference [4].

Work produced in Phase II may become classified. Note: The prospective contractor(s) must be U.S. Owned and Operated with no Foreign Influence as defined by DOD 5220.22-M, National Industrial Security Program Operating Manual, unless acceptable mitigating procedures can and have been implemented and approved by the Defense Security Service (DSS). The selected contractor and/or subcontractor must be able to acquire and maintain a secret level facility and Personnel Security Clearances, in order to perform on advanced phases of this contract as set forth by DSS and NAVSEA in order to gain access to classified information pertaining to the national defense of the United States and its allies; this will be an inherent requirement. The selected company will be required to safeguard classified material IAW DoD 5220.22-M during the advance phases of this contract.

PHASE I: Develop initial design specifications and a capabilities document with particular attention paid to the hardware and software requirements for the technology to run on Navy ICS. Develop a Plan of Action and Milestones (POA&M) to design, develop, test, and integrate the proposed technology concept into Navy ICS environments. The Phase I Option, if awarded, will include the initial design specifications and capabilities description to build a prototype solution in Phase II. Develop a Phase II plan.

PHASE II: Based on the results of Phase I and the Phase II Statement of Work (SOW), refine the design specification and develop a prototype. The prototype will, at a minimum, analyze pre-recorded network traffic data but will ideally run with real-time data collection. Demonstrate the prototype on the company’s own real or virtual ICS. Provide requirements, test plans, and procedures to demonstrate that the product meets the attributes in the Description section of this document without interfering with the normal operation of the ICS. Prepare a Phase III development plan to transition the technology for Navy and potential commercial use.

It is probable that the work under this effort will be classified under Phase II (see Description section for details).

PHASE III DUAL USE APPLICATIONS: Support the Navy in transitioning the technology to Navy use. Transition the prototype to operate on a land-based or virtual Navy test facility. The prototype will operate using real-time collection of network data and not interfere with the normal operation of the ICS. The company will develop a transition plan to describe how the technology will be installed on a Navy asset to be determined during Phase III, most likely a Navy surface ship.

Navy and commercial ICS hardware and software have much in common. Since cybersecurity of ICS is a nationwide defense issue, it is in the Government’s best interest to make cybersecurity technologies developed by this topic available in generic unclassified form to U.S. companies. The current cybersecurity of commercial ICS is inadequate despite incidents that are regularly reported in the press, such as the shutdown of an electric distribution grid described in Reference [4]. Therefore, there is a large potential to transition this technology to private sector manufacturing, processing, transportation, and other concerns that use ICS.

REFERENCES:

1. “Guide to Industrial Control Systems (ICS) Security.” National Institute of Standards and Technology (NIST) Special Publication 800-82 Rev. 2, May 2013. http://dx.doi.org/10.6028/NIST.SP.800-82r1

2. Miller, Charlie and Valasek, Chris. “Remote Exploitation of an Unaltered Passenger Vehicle.” 2015. http://illmatics.com/Remote%20Car%20Hacking.pdf

3. Luallen, Matthew E. “Critical Control System Vulnerabilities Demonstrated - And What to Do About Them.” 2011 SANS Institute InfoSec Reading Room. https://www.technologyreview.com/s/517731/hacking-industrial-systems-turns-out-to-be-easy/

4. Walters, Riley. “Russian Hackers Shut Down Ukraine’s Power Grid.” Newsweek, January 14, 2016. http://www.newsweek.com/russian-hackers-shut-ukraine-power-grid-415751

KEYWORDS: Industrial control systems; cybersecurity; computer network traffic analysis; anomalous network traffic detection; network traffic maintenance indications; network intrusion detection

** TOPIC NOTICE **

These Navy Topics are part of the overall DoD 2018.1 SBIR BAA. The DoD issued its 2018.1 BAA SBIR pre-release on November 29, 2017, which opens to receive proposals on January 8, 2018, and closes February 7, 2018 at 8:00 PM ET.

Between November 29, 2017 and January 7, 2018 you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2018, when DoD begins accepting proposals for this BAA. However, until January 24, 2018, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.

Topics Search Engine: Visit the DoD Topic Search Tool at sbir.defensebusiness.org/topics/ to find topics by keyword across all DoD Components participating in this BAA.

Proposal Submission: All SBIR/STTR Proposals must be submitted electronically through the DoD SBIR/STTR Electronic Submission Website, as described in the Proposal Preparation and Submission of Proposal sections of the program Announcement.

Help: If you have general questions about DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or via email at sbirhelp@bytecubed.com