TITLE: Network Traffic
Analysis for Cybersecurity for Navy Industrial Control Systems
ACQUISITION PROGRAM: PEO
Ships AM, Acquisition Management
The technology within this
topic is restricted under the International Traffic in Arms Regulation (ITAR),
22 CFR Parts 120-130, which controls the export and import of defense-related
material and services, including export of sensitive technical data, or the
Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls
dual use items. Offerors must disclose any proposed use of foreign nationals
(FNs), their country(ies) of origin, the type of visa or work permit possessed,
and the statement of work (SOW) tasks intended for accomplishment by the FN(s)
in accordance with section 5.4.c.(8) of the Announcement. Offerors are advised
foreign nationals proposed to perform on this topic may be restricted due to
the technical data under US Export Control Laws.
OBJECTIVE: Develop a
capability to monitor industrial controls system (ICS) communication networks
and identify abnormal traffic that may indicate the presence of a cybersecurity
threat or unusual system behavior that may indicate that maintenance is
DESCRIPTION: The U.S. Navy is
expending significant effort to secure its computer-based systems, both its
business and management information systems (IS) and its ICS, which operate
platforms such as ships, aircraft, and shore-based facilities such as
shipyards, manufacturing facilities, and power plants. Although there are many
similarities between information technology (IT) systems and ICS, the
differences in hardware, software, and operating environment and requirements
make securing ICS more difficult. The Government and private industry have
made significant investment in and implementation of cybersecurity tools and
applications for IS. Although initial research and proposed solutions
associated with cybersecurity of ICS has occurred, little has been accomplished
concerning prototyping and productionizing, and much less in operating such
tools on deployed ICS.
A fundamental way to portray the difference is by looking at the priority of
three basic characteristics of computer-based systems: integrity,
confidentiality, and availability. IT systems stress confidentiality,
integrity, and then availability in that order, or CIA. The order for ICS is
the opposite, stressing availability, integrity, and then confidentiality, or
AIC. For example, if an IT system encounters a problem, a typical solution is
to restart it. The operator can perform another task while waiting several
minutes for the system to become operational again. If a problem occurs in the
steering system of a ship, one cannot interrupt operation for even a few
seconds. The operator must troubleshoot the problem and rectify it while the
system is running. Significant investment has been made to develop cybersecurity
applications for IS; however, because of the differences between IS and ICS,
the tools developed for IS need to be modified to work on ICS.
Comparison of IS and ICS:
• Information System = Non-real time, High throughput is demanded, High delay
and jitter may be acceptable. Industrial Control System = Real-time, Response
is time-critical, Modest throughput is acceptable, High delay and/or jitter is
• Information System = Responses such as rebooting are acceptable, Availability
deficiencies can often be tolerated, depending on the system’s operational
• Industrial Control System = Responses such as rebooting may not be
acceptable because of process availability requirements, Availability
requirements may necessitate redundant systems, Outages must be planned and
scheduled days/weeks in advance, High availability requires exhaustive
Risk Management Requirements:
• Information System = Data confidentiality and integrity is paramount, Fault
tolerance is less important – momentary downtime is not a major risk, Major
risk impact is delay of business operations;
• Industrial Control System = Human safety is paramount, followed by protection
of the process, Fault tolerance is essential, even momentary downtime may not
be acceptable, Major risk impacts are regulatory non-compliance, environmental
impacts, loss of life, equipment, or production.
• Information System = Standard communications protocols, Primarily wired
networks with some localized wireless capabilities, Typical IT networking
• Industrial Control System = Many proprietary and standard communication
protocols, Several types of communications media used including dedicated wire
and wireless (radio and satellite), ICS networks are complex and sometimes
require the expertise of control engineers who have specialized knowledge
compared to IT engineers.
• Information System = Software changes are applied in a timely fashion in the
presence of good security policy and procedures. The procedures are often
• Industrial Control System = Software changes must be thoroughly tested and
deployed incrementally throughout a system to ensure that the integrity of the
control system is maintained. ICS outages often must be planned and scheduled
days/weeks in advance. ICS may use operating systems (OSs) that are no longer
• Information System = Allow for diversified support styles;
• Industrial Control System = Service support is usually via a single vendor.
• Information System = Lifetime on the order of 3-5 years;
• Industrial Control System = Lifetime on the order of 15-20 years.
Access to Components:
• Information System = Components are usually local and easy to access;
• Industrial Control System = Components can be isolated, remote, and require
extensive physical effort to gain access to them.
The application to be developed under this effort will ideally work in
real-time; however, during development it can analyze prerecorded data.
Measures of effectiveness of the application include the time and amount of
data required to identify normal operation of a system, time from start of an
anomaly to notification of the anomaly, accurate identification of the anomaly,
and the ratio of correct versus false indications, to name a few. Examples of
anomalies that could be associated to cybersecurity threats are traffic from a
newly introduced piece of equipment, inappropriate commands coming from a
component not normally expected to direct other components, and a component
flooding the network with traffic meant to overwhelm and slow the system. When
provided with system data, the application would be able to make predictions on
system failures. Examples of anomalies that may indicate maintenance is
required are the unusually frequent cycling of a cooling pump, indicating a
problem with the system or a loss in efficiency of the pump.
Current cybersecurity of commercial ICS is inadequate despite incidents that
are regularly reported in the press, such as the shutdown of an electric
distribution grid described in Reference .
Work produced in Phase II may become classified. Note: The prospective
contractor(s) must be U.S. Owned and Operated with no Foreign Influence as
defined by DOD 5220.22-M, National Industrial Security Program Operating
Manual, unless acceptable mitigating procedures can and have been implemented
and approved by the Defense Security Service (DSS). The selected contractor
and/or subcontractor must be able to acquire and maintain a secret level
facility and Personnel Security Clearances, in order to perform on advanced
phases of this contract as set forth by DSS and NAVSEA in order to gain access
to classified information pertaining to the national defense of the United
States and its allies; this will be an inherent requirement. The selected
company will be required to safeguard classified material IAW DoD 5220.22-M
during the advance phases of this contract.
PHASE I: Develop an initial
design specifications and capabilities document with particular attention paid
to the hardware and software requirements for the technology to run on Navy
ICS. Develop a Plan of Action, Milestones (POA&M) to design, develop, test,
and integrate the proposed technology concept into Navy ICS environments. The
Phase I Option, if awarded, will include the initial design specifications and
capabilities description to build a prototype solution in Phase II. Develop a Phase
PHASE II: Based on the
results of Phase I and the Phase II Statement of Work (SOW), refine the design
specification and develop a prototype. The prototype will, at a minimum,
analyze pre-recorded network traffic data but will ideally run with real time
data collection. Demonstrate the prototype on the company’s own real or
virtual ICS. Provide requirements, test plans, and procedures to demonstrate
that the product meets the attributes in the Description section of this
document without interfering with the normal operation of the ICS. Prepare a
Phase III development plan to transition the technology for Navy and potential
It is probable that the work under this effort will be classified under Phase
II (see Description section for details).
PHASE III DUAL USE
APPLICATIONS: Support the Navy in transitioning the technology to Navy use.
Transition the prototype to operate on a land-based or virtual Navy test
facility. The prototype will operate using real-time collection of network data
and not interfere with the normal operation of the ICS. The company will
develop a transition plan to describe how the technology will be installed on a
Navy asset to be determined during Phase III, most likely a Navy surface ship.
Navy and commercial ICS hardware and software have much in common. Since
cybersecurity of ICS is a nationwide defense issue, it is in the Government’s
best interest to make cybersecurity technologies developed by this topic
available in generic unclassified form to U.S. companies. The current
cybersecurity of commercial ICS is inadequate despite incidents that are
regularly reported in the press, such as the shutdown of an electric
distribution grid described in Reference . Therefore, there is a large
potential to transition this technology to private sector manufacturing,
processing, transportation, and other concerns that use ICS.
1. “Guide to Industrial
Control Systems (ICS) Security.” National Institute of Standards and Technology
(NIST) Special Publication 800-82 Rev. 2, May 2013. http://dx.doi.org/10.6028/NIST.SP.800-82r1
2. Miller, Charlie and
Valasek, Chris. “Remote Exploitation of an Unaltered Passenger Vehicle.” 2015. http://illmatics.com/Remote%20Car%20Hacking.pdf
3. Luallen, Matthew E.
“Critical Control System Vulnerabilities Demonstrated - And What to Do About
Them.” 2011 SANS Institute InfoSec Reading Room. https://www.technologyreview.com/s/517731/hacking-industrial-systems-turns-out-to-be-easy/
4. Walters, Riley. “Russian
Hackers Shut Down Ukraine’s Power Grid.” Newsweek, January 14, 2016. http://www.newsweek.com/russian-hackers-shut-ukraine-power-grid-415751
KEYWORDS: Industrial control systems; cybersecurity; computer network traffic analysis; anomalous network traffic detection; network traffic maintenance indications; network intrusion detection
** TOPIC NOTICE **
These Navy Topics are part of the overall DoD 2018.1 SBIR BAA. The DoD issued its 2018.1 BAA SBIR pre-release on November 29, 2017, which opens to receive proposals on January 8, 2018, and closes February 7, 2018 at 8:00 PM ET.
Between November 29, 2017 and January 7, 2018 you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2018 when DoD begins accepting proposals for this BAA.
However, until January 24, 2018, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.
Topics Search Engine: Visit the DoD Topic Search Tool at sbir.defensebusiness.org/topics/ to find topics by keyword across all DoD Components participating in this BAA.
Proposal Submission: All SBIR/STTR Proposals must be submitted electronically through the DoD SBIR/STTR Electronic Submission Website, as described in the Proposal Preparation and Submission of Proposal sections of the program Announcement.
Help: If you have general questions about DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or via email at firstname.lastname@example.org