Unified Cybersecurity System Modeling of Naval Control Systems
Navy SBIR 2018.1 - Topic N181-051
NAVSEA - Mr. Dean Putnam - dean.r.putnam@navy.mil
Opens: January 8, 2018 - Closes: February 7, 2018 (8:00 PM ET)

TITLE: Unified Cybersecurity System Modeling of Naval Control Systems

 

TECHNOLOGY AREA(S): Information Systems

ACQUISITION PROGRAM: PEO IWS 1.0, AEGIS and Ship Self Defense System (SSDS)

The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with section 5.4.c.(8) of the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.

OBJECTIVE: Develop a tool that creates a unified model for complex system of systems to enable cybersecurity analysis of Naval Control Systems (NCS).

DESCRIPTION: Naval Control Systems (NCSs) are composed of systems of systems divided into enclaves (Hull Mechanical and Electrical, Combat System, etc.). Existing tools allow systems engineers to document and model individual or multiple attributes of an NCS (architecture, physical connections, enclaves, mission threads, cybersecurity threats, etc.), but because these models and other artifacts are not connected, system engineers must work across them. Conducting systems of systems analysis across non-connected models and artifacts makes it very difficult to conduct cybersecurity analysis of a system. Currently, the focus is more on modeling the systems and less on their cybersecurity aspects, and no tools exist that can provide this type of analysis. System engineers need a tool to develop a unified cybersecurity system model that provides the capability to conduct cybersecurity analysis of an NCS.

A tool to create a unified cybersecurity system model will incorporate the key system attributes required for cybersecurity analysis of any NCS. This will require portability to any NCS. Attributes include the physical architecture (including both computing hardware and networks), data flows and their performance requirements, and deployed software components and operating environments (including product IDs, versions, etc.). It will also include mission threads executed by the system, mission thread to system component dependencies, system component partitioning (enclaves), system states and modes, system cybersecurity protections, vulnerabilities, posture (CYBERSAFE condition), threats, and penetration pathways.

The tool must support the ability to make changes to key system attributes so "what-if" scenarios can be explored in near real time. For example, the model would be able to help a system engineer answer questions like "how do penetration pathways change in the system when the cybersecurity posture is changed" or "how could an emergent vulnerability affect a particular set of hosts within an NCS?" Understanding the potential impact of existing and emergent cybersecurity vulnerabilities and the impact to Navy missions if exploited will result in better system architectures and designs. Optimization of architectures will contribute to reductions in cyber-related acquisition and maintenance costs because the overall system contains more efficient cyber functionality and cyber-resilient system designs. Fielding of better cyber capabilities can reduce operational impacts due to cyber attack and improve warfighter workloads, and improved system architectures and designs reduce the amount of re-work and maintenance needed after systems are deployed.

Tool attributes for leveraging (importing) existing NCS artifacts (system architecture diagrams, vulnerability scan results, Ports, Protocols, Services documentation, network switch configurations, etc.) must be provided to simplify the effort required to create a unified cybersecurity system model for an existing system. Unified cybersecurity system models created must be scalable to the size of typical combat systems (AEGIS and/or Ship Self Defense System [SSDS]). The models developed should incorporate potential reductions in system lifecycle costs through impact analysis for cybersecurity vulnerabilities, threats, etc., for effective resource prioritization. They should facilitate optimization of the cybersecurity architecture of a system prior to its development to create required Risk Management Framework artifacts. This would enable assessing the potential impact of new vulnerabilities identified.

The Phase II effort will likely require secure access, and NAVSEA will process the DD254 to support the contractor for personnel and facility certification for secure access.  The Phase I effort will not require access to classified information.  If need be, data of the same level of complexity as secured data will be provided to support Phase I work.

Work produced in Phase II may become classified. Note: The prospective contractor(s) must be U.S. Owned and Operated with no Foreign Influence as defined by DOD 5220.22-M, National Industrial Security Program Operating Manual, unless acceptable mitigating procedures can and have been implemented and approved by the Defense Security Service (DSS). The selected contractor and/or subcontractor must be able to acquire and maintain a secret level facility and Personnel Security Clearances, in order to perform on advanced phases of this contract as set forth by DSS and NAVSEA in order to gain access to classified information pertaining to the national defense of the United States and its allies; this will be an inherent requirement. The selected company will be required to safeguard classified material IAW DoD 5220.22-M during the advanced phases of this contract.

PHASE I: Define and develop a concept for a software tool that enables the creation of a unified cybersecurity model for complex system of systems that incorporates key system aspects critical to NCS cybersecurity. The concept will show that it can feasibly address the requirements discussed in the description for meeting cybersecurity needs. Feasibility will be established through analysis and modeling.  The Phase I Option, if awarded, will include the initial design specifications and capabilities description to build a prototype in Phase II.  Develop a Phase II plan.

PHASE II: Based on the results of Phase I and the Phase II Statement of Work (SOW), develop and deliver a prototype of the software tool for creating a unified cybersecurity system model that enables the cybersecurity analysis of an NCS. The prototype must demonstrate the creation of a unified cybersecurity model for any Navy-specified NCS (such as an AEGIS or SSDS combat system) that incorporates the key cybersecurity-related system attributes defined in the Description section. The prototype must demonstrate that it can utilize existing Navy-specified NCS artifacts to simplify the creation of the model and that system attributes can be modified in the model to answer "what-if" questions. The demonstration will occur at a Government- or company-provided facility. Prepare a Phase III development plan to transition the technology for Navy use.

It is probable that the work under this effort will be classified under Phase II (see Description section for details).

PHASE III DUAL USE APPLICATIONS: Assist the Navy in transitioning the demonstrated technologies to allow further experimentation and refinement.  The cybersecurity model should provide support for AEGIS or SSDS NCSs and the associated system engineering activities of the Program.

The technology developed has a high potential for dual use because it should be easily adapted to non-Navy control systems such as industrial control systems used for factory automation, power grid control, chemical process control, etc. System modeling for cybersecurity assessment is of high interest to both the DoD and private industry in protecting their networks. Any industry that uses a complicated network can use this technology.

REFERENCES:

1. Freedberg, Jr., Sydney. "Navy Rolls Out CYBERSAFE: 'Our Operational Network Is Under Fire'." breakingdefense.com, 20 Apr. 2015. http://breakingdefense.com/2015/04/navy-rolls-out-cybersafe/

2. "Risk Management Framework (RMF) Overview." National Institute of Standards and Technology (NIST), 30 Jan. 2017. http://csrc.nist.gov/groups/SMA/fisma/framework.html

3. McDonald, Michael J. and Richardson, Bryan T. "Position Paper: Modeling and Simulation for Process Control System Cyber." Sandia National Laboratories, 2009. http://cimic.rutgers.edu/positionPapers/MichaelMcdonald-paper.pdf

KEYWORDS: Cybersecurity Analysis of an AEGIS NCS; Risk Management Framework Artifacts; System of Systems Cybersecurity; Unified Cybersecurity System Model; Impact Analysis for Cybersecurity Vulnerabilities; CYBERSAFE Condition

** TOPIC NOTICE **

These Navy Topics are part of the overall DoD 2018.1 SBIR BAA. The DoD issued its 2018.1 BAA SBIR pre-release on November 29, 2017, which opens to receive proposals on January 8, 2018, and closes February 7, 2018 at 8:00 PM ET.

Between November 29, 2017 and January 7, 2018 you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2018, when DoD begins accepting proposals for this BAA. However, until January 24, 2018, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.
