MxD NATIONAL SECURITY CONTRACTORS

www.osti.gov/servlets/purl/1581185

FY2019 Final Report for Industrial Base Cybersecurity Initiative (IBCI) Project

Consolidated Nuclear Security, LLC October 1, 2019 | Revision 0

Y/PM-19-120

Prepared by Consolidated Nuclear Security, LLC, Management & Operating Contractor for the Pantex Plant and Y-12 National Security Complex under Contract No. DE-NA0001942 with the U.S. Department of Energy National Nuclear Security Administration

TABLE OF CONTENTS

LIST OF FIGURES

ABBREVIATIONS, ACRONYMS, AND INITIALISMS

ABSTRACT

1. BACKGROUND

2. APPROACH

3. ACCOMPLISHMENTS

4. CONCLUSIONS

5. FUTURE WORK

6. References

LIST OF FIGURES

Figure 1. Industrial Base Cybersecurity Initiative Team

Figure 2. IBCI Technology Focus

ABBREVIATIONS, ACRONYMS, AND INITIALISMS

AMO Advanced Manufacturing Office

BOR Bureau of Reclamation

CNC Computer Numerical Control

CNS Consolidated Nuclear Security, LLC

CSET Cyber Security Evaluation Tool

DFARS Defense Federal Acquisition Regulation Supplement

DHS Department of Homeland Security

DOE U.S. Department of Energy

DoD U.S. Department of Defense

DMDII Digital Manufacturing and Design Innovation Institute

FCR Florida Cyber Range

FY Fiscal Year

IBCI Industrial Base Cybersecurity Initiative

INL Idaho National Laboratory

IT Information Technology

LANL Los Alamos National Laboratory

MEP Manufacturing Extension Partnership

MIB Manufacturing Industrial Base

MIBP Manufacturing Industrial Base Policy

MTEWS Manufacturing Threat Evaluation Wargaming System

MxD Digital Manufacturing Institute

NIST National Institute of Standards and Technology

NNSA National Nuclear Security Administration

PDRD Plant Directed Research Development and Demonstration

PLC Programmable Logic Controller

SMM Small to Medium Manufacturer

SNL Sandia National Laboratory

SP Special Publication

UNC University of North Carolina

UWF University of West Florida

Y-12 Y-12 National Security Complex

ABSTRACT

Information security issues impact all manufacturing sectors and are particularly troublesome when designs for advanced weapons systems are lost via attacks that propagate through the relatively unprotected lower tiers of the nation’s supply chains. The US Manufacturing Industrial Base (MIB) consists of suppliers and distributors that range in size from large prime contractors with extensive cybersecurity resources to small shops with little or no in-house information technology capabilities. The acquisition and maintenance of the technologies, systems, and financial resources needed to assure secure collaborations can be an overwhelming challenge for many manufacturers yet the cost of poor cybersecurity practices can lead to the compromise of national security information worth hundreds of millions of dollars.

The Department of Defense Manufacturing Industrial Base Policy organization and the Department of Energy, Energy Efficiency and Renewable Energy Advanced Manufacturing Office have chartered the Los Alamos National Laboratory (LANL) and the Oak Ridge Y-12 National Security Complex (Y-12) to design, develop, and demonstrate a Manufacturing Threat Evaluation Wargaming System (MTEWS). The MTEWS concept is based on the use of a virtual model of the computer networks and cybersecurity protocols used across the MIB that will be continuously updated to reflect the dynamic threat environment. The MTEWS cyber-physical test range will demonstrate a prototype wargaming system that analyzes the impact of new and existing cybersecurity threats while also providing the information needed to sustain the integrity of the MIB supply chains. A long-term goal is the establishment of an enduring national manufacturing operations center that proactively responds to the continuously changing attacks that threaten the MIB and US national security.

LANL and Y-12 have formed an Industrial Base Cybersecurity Initiative Team (IBCI), consisting of partners from the public, private and academic sectors, that is developing the MTEWS. To date, most of the project tasks have been centered on the technologies required to create a representative model of the MIB because this is a foundational element for the entire project. Modeling activities at the University of North Carolina at Charlotte (UNC Charlotte) have demonstrated a VMware-based prototype system that can accommodate a network model with up to 350 nodes. Its features include the option to incorporate network scanning information when building the model and the ability to down-select the elements of duplicative networks to a statistically significant subset, which avoids duplicating network configurations. Broad Ordering Agreements have been established with UNC Charlotte and the University of West Florida (UWF) that support a variety of cybersecurity for manufacturing tasks, and widespread endorsement of the IBCI goals and technical direction has been received from the government, industry and academic sectors.

1. BACKGROUND

The IBCI Team has repeatedly stated that the number one national defense challenge facing the US is the security of the nation’s information supply chain. In addition, an August 2018 Mitre Corporation report, “Deliver Uncompromised, A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War” (commissioned by the Office of the Secretary of Defense and the Defense Security Service), endorses this view:

For the near term and beyond, the key operational imperative must be to obtain and maintain positive operational control over critical information and technology/ capabilities. This imperative extends the benefit of Deliver Uncompromised from the acquisition community to the operational community, because maintaining positive operational control is a key element of planning, command assurance, mission execution, and sustainment. Essentially, every element’s survival depends upon the ability to release, convey, or transfer information and/or technology under their own initiative and not the unapproved initiative of others. This key imperative may prove to be exceedingly difficult to achieve. DoD and its contractors will have to accept shared responsibility in which all participants take ownership of the challenge and assume a duty of continuing initiative. Absent such an approach, as a nation we risk dilution, or loss, of strategic and tactical advantages.

Information security issues impact all public and private sectors and are particularly troublesome when designs for advanced weapons systems (such as the F-35 and others) are lost to hackers via documented attacks that propagate through the relatively unprotected lower tiers of the nation’s manufacturing supply chain. The US Manufacturing Industrial Base (MIB) consists of suppliers and distributors that range in size from large prime contractors with extensive cybersecurity resources to small shops with little or no in-house information technology (IT) capabilities. The acquisition and maintenance of the technologies, systems, and financial resources needed to assure secure collaborations across the MIB can be an overwhelming challenge for many small to medium manufacturers (SMM’s) yet the cost of poor cybersecurity practices can lead to the compromise of sensitive business and national security information.

The Defense Federal Acquisition Regulation Supplement (DFARS) 252.204.7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is one attempt to address the MIB cybersecurity problem. This regulation requires government contractors to use the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 as a guide for establishing and maintaining information security protocols and infrastructures and to promptly report details of cybersecurity breaches to the Department of Defense (DoD); however, the SP 800-171 related material is also a valuable resource for non-government contractors because cybersecurity threats can severely impact all manufacturing operations.

The Office of the Secretary of Defense Manufacturing and Industrial Base Policy (MIBP) and the Department of Energy (DOE) Energy Efficiency and Renewable Energy Advanced Manufacturing Office (AMO) recognize that while the DFARS legislation is an important first step, it is also necessary to assess the impact and effectiveness of the DFARS requirements on the SMM’s that are the backbone of the MIB and to aid the MIB in shifting from a culture of seeking the minimum one-time expenditure that “achieves compliance” to a more proactive mindset that recognizes that maintaining a robust cybersecurity posture involves an on-going commitment to addressing a dynamic threat environment.

MIBP and the AMO have chartered the Los Alamos National Laboratory (LANL) and the Oak Ridge Y-12 National Security Complex (Y-12) to apply their unique manufacturing perspectives, expertise in cybersecurity, and capabilities in securing networked manufacturing systems to the design, development, and demonstration of a Manufacturing Threat Evaluation Wargaming System (MTEWS). MTEWS will be based on a model of the computer networks and cybersecurity protocols used across the MIB and will be continuously updated to incorporate the dynamic threat environment. The MTEWS cyber-physical test range will address the ability of SMM’s to effectively comply with the DFARS cybersecurity provision, examine the benefits that are realized through compliance with the DFARS regulations, and demonstrate a prototype wargaming system that analyzes the impact of new and existing cybersecurity threats while also providing the information needed to sustain the integrity of the MIB supply chains. A long-term goal is the establishment of an enduring national manufacturing operations center that proactively responds to the continuously changing attacks that threaten the MIB and US national security. This report covers the FY ’19 IBCI activities.

2. APPROACH

The approach taken by the IBCI Team has been to execute a collaborative venture with partners across the public, private, and academic sectors. As shown in figure 1 below, the IBCI project is sponsored by both DoD and DOE and involves partners from the technology, policy and workforce sectors in a deliberate effort to avoid stovepipes and “reinventing the wheel.”

To date, most of the project tasks have been centered on the technologies required to create a representative model of the MIB because this is a foundational element for the entire project. Activities are underway at UNC Charlotte, using Y-12 funding, to demonstrate a prototype modeling capability, and discussions are underway with a variety of partners concerning effective mechanisms for collecting the information that provides a composite view of the MIB networks and manufacturing cybersecurity protocols.

Figure 1. Industrial Base Cybersecurity Initiative Team

Figure 2 shows the overall technology focus of the IBCI project and the project elements that will lead to a wargaming capability that uses a dynamic virtual model of the MIB and continually updated cybersecurity intelligence. The result will be a shift from a strictly reactive mode of operation to a proactive approach that assesses and predicts the potential impact of changes in the manufacturing threat environment and privately communicates risk information to the appropriate parties. While funding limitations have restricted current activities to the project areas shown on the left side of the figure, a fully funded project plan has been developed to address the complete scope shown in figure 2. It should also be noted that this scope addresses a number of the recommended “courses of action” described in Mitre’s “Deliver Uncompromised” report (footnote 2).


Figure 2. IBCI Technology Focus

Footnote 2: While “Deliver Uncompromised” is largely concerned with a top-down perspective, and at least initially focused on embedded software and electronics, there are many aspects that are recognizable within IBCI’s manufacturing industrial base objectives. The recommendations concerning the Supply Chain Risk Management Threat Analysis Center align well with the IBCI MTEWS and development of the Manufacturing Operations Center (MOC) planned for Y-12; the need for a Whole-of-Government National Supply Chain Intelligence Center is a common element; the use of Independently Implemented Automated Assessment and Continuous Monitoring is a shared objective; the acknowledgement that information security is critical to the Nation’s security is a foundational tenet; the need for continual training and cybersecurity awareness is a mutual objective, etc.

3. ACCOMPLISHMENTS

This section discusses the FY 2019 IBCI project accomplishments in relation to the original statements of work and also includes a description of the IBCI activities at UNC Charlotte and UWF that are funded by Y-12’s Plant Directed Research Development and Demonstration (PDRD) program (funding source in parenthesis).

Task 1. Research methods and provide an evaluation of the infrastructure for characterizing SMMs using NIST &/or DHS resources (AMO):

As shown in Figure 2, an important goal of the IBCI project is the development and demonstration of a manufacturing threat evaluation wargaming system (MTEWS) that is capable of assessing the impact of cybersecurity threats on the manufacturing industrial base (MIB) and developing and disseminating best practice information that is based on an assessment of the vulnerability of the manufacturing supply chain to the changing threat environment. This will be accomplished by developing a virtual model of the manufacturing supply chain that contains representative network characteristics (as opposed to a redundant model that contains every individual network implementation in the supply chain) and enables accurate prediction of the impact of new cybersecurity exploits as well as the identification of the techniques that can be used to defeat these threats. However, in order to assure that the model contains the correct assortment of network configurations, it is necessary to map a large number of SMM networks. While it is expected that this will eventually become an automated process, for the foreseeable future it will be necessary to conduct manual and semi-automatic network characterization activities.

Currently, there are two US government organizations that are involved in nation-wide cybersecurity activities that could be expanded to include the collection of network information (if funding were available to support the activity). The National Institute of Standards and Technology (NIST) Manufacturing Extension Partnership (MEP) works with manufacturing companies on the local level to assist SMM’s in improving their manufacturing and cybersecurity capabilities (using the NIST MEP Cybersecurity Self-Assessment Handbook for Assessing NIST SP 800-171 requirements) and could expand their portfolio to include the collection of network information that would be used in the MTEWS model. Dave Stieren, MEP Director, supports the IBCI goals and is willing to assist in characterizing the supply chain networks if additional funding is available to expand the MEP charter. Similarly, the Department of Homeland Security (DHS) assists companies who are dealing with cybersecurity attacks and could easily collect network configuration information as part of their post attack remediation activities if additional funding was available. In addition, DHS and Idaho National Laboratory (INL) have developed a network/operational protocol characterization tool called CSET (Cyber Security Evaluation Tool) that assists companies in the evaluation of their compliance with the NIST SP 800-171 Security Requirements and Y-12 has collaborated with INL to develop a pilot capability for automatically collecting network information during the self-assessment process; however, additional funding would be required to deploy this system in an on-line configuration.

Task 2. Functional testing of one of several identified security applications for use in the Cyber-physical infrastructure (AMO):

This task has been rescheduled for FY 2020. It will be performed at LANL and will involve the testing and evaluation of a network sensor system that has been developed by Idaho National Laboratory (INL) for the Bureau of Reclamation (BOR). Initial review of the system indicates that it has a high potential of being directly applicable to manufacturing supply chain applications.

Task 3. Support of H4Di student project focused on firmware verification (AMO):

Students at the University of West Florida were given the challenge of developing a technique for verifying that the part program that is stored in a computer numerical control (CNC) system memory matches the source program stored in a remote location, i.e. the information was not corrupted in transit or after it was loaded into the CNC memory. Y-12 personnel mentored the students and provided insight into the operational cybersecurity needs of small to medium size manufacturing companies. The students developed an operational protocol using a cell phone to compare hashes of the reference and target machining part program files, demonstrated its use in a simulated machine shop environment, and planned to submit a proposal for small-business startup funding to continue the project.
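The hash comparison described in Task 3, sketched as an added example; it is not the students' protocol or code from the report. The sample part program, the manifest fields, and the line-ending normalisation step are assumptions made for illustration.

```python
"""Check a part program read back from CNC memory against a reference digest."""
import hashlib
import hmac


def canonical(program: bytes) -> bytes:
    # Assumption: the transfer path may rewrite line endings or pad lines with
    # trailing spaces. Normalise both so that only changes to the blocks
    # themselves alter the digest. Drop this step to compare raw bytes.
    text = program.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    lines = [ln.rstrip() for ln in text.split(b"\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\n" for ln in lines)


def fingerprint(program: bytes) -> str:
    return hashlib.sha256(canonical(program)).hexdigest()


def make_manifest(name: str, reference: bytes) -> dict:
    # Built where the source program is stored. Only this small record has to
    # reach the shop floor, not the program itself.
    return {
        "name": name,
        "blocks": canonical(reference).count(b"\n"),
        "sha256": fingerprint(reference),
    }


def verify(manifest: dict, readback: bytes) -> tuple:
    # readback: the bytes read out of the CNC memory after loading.
    if hmac.compare_digest(fingerprint(readback), manifest["sha256"]):
        return True, "match"
    got = canonical(readback).count(b"\n")
    if got != manifest["blocks"]:
        return False, f"block count {got} != {manifest['blocks']}"
    return False, "content differs"


# Constructed sample part program and three constructed read-back copies.
REFERENCE = (
    b"O1001\n"
    b"G21 G90\n"
    b"G00 X0 Y0 Z5.0\n"
    b"G01 Z-1.5 F120\n"
    b"G01 X40.0 F300\n"
    b"G00 Z5.0\n"
    b"M30\n"
)
READBACK_CRLF = REFERENCE.replace(b"\n", b"\r\n")        # line endings rewritten
READBACK_CORRUPTED = REFERENCE.replace(b"Z-1.5", b"Z-1.8")  # one value changed
READBACK_TRUNCATED = REFERENCE[: -len(b"M30\n")]          # last block missing


def demo() -> dict:
    manifest = make_manifest("O1001", REFERENCE)
    return {
        "identical": verify(manifest, REFERENCE),
        "crlf": verify(manifest, READBACK_CRLF),
        "corrupted": verify(manifest, READBACK_CORRUPTED),
        "truncated": verify(manifest, READBACK_TRUNCATED),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:10s} {'OK' if ok else 'REJECT'}  {reason}")
```

A bare digest only detects accidental or downstream changes; if the manifest travels over the same path as the program, it needs its own protection (for example a signature) before a match means anything.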

Task 4. Participation with DMDII and DOE AMO on SNL anomaly detection technology demonstration (AMO):

The initial scope of this task involved using equipment at DMDII (the Digital Manufacturing and Design Innovation Institute, now called MxD – the Digital Manufacturing Institute) to determine if a technique developed by Sandia National Laboratory (SNL) for detecting anomalous behavior in programmable logic control (PLC) systems was applicable to CNC systems. However, it became apparent that the SNL approach wasn’t well suited to an operating environment in which the process parameters vary over a wide range under normal operating conditions, and the focus was shifted to examining the CNC problem without attempting to apply the PLC methods. An SNL intern was recruited for the project and Y-12 personnel provided information on the additional challenges faced in the CNC machining environment. The project was also re-scoped to examining techniques for verifying the integrity of the machining part program that has been loaded into the CNC memory. The SNL intern has contacted a small machining company in Albuquerque to get their perspective on the issue and will continue working on the task in FY20.

Task 5. Continuous development of collaborative partnerships with stakeholders to leverage existing technology, subject matter expertise, and programmatic overlap (AMO):

On-going discussions with the Department of Homeland Security (DHS) National Cybersecurity Assessment & Technical Services personnel led to the establishment of a partnership with BOR which is allowing the IBCI Team to evaluate and potentially use a network sensor system that has been developed by INL for BOR for use across the small to medium size companies that operate and manage the US water supply – a direct analogy with the manufacturing industrial base companies that are the IBCI focus.

Additional partnership activities have involved cybersecurity discussions with Auburn University and the Federal Bureau of Investigation Huntsville Office, participation in relevant conferences (FlowCon 2019, the DOE Cybersecurity Conference, the Defense Manufacturing Conference, and the UNC Charlotte Cybersecurity Symposium), and participation on the team that developed the Texas A&M University’s Clean Energy Manufacturing Innovation Institute proposal.

Task 6. Evaluate applicability of INL network monitoring system for real-time monitoring of SMM networks (AMO):

This task was successfully completed and is the basis for the activities in Task 2.

Task 7. Establish baseline definition of available part program verification technologies (IBAS):

Adversaries seek to damage the US manufacturing infrastructure by either exfiltrating information or by corrupting product quality. IBCI has initiated activities, using leveraged funding, to address the exfiltration problem; this milestone is concerned with techniques for verifying the integrity of the information that is used to direct manufacturing processes and thereby influence quality and safety elements of manufacturing processes.

While the integrity of a manufacturing process can be influenced by configuration control issues, the focus of this milestone excludes configuration control problems and instead deals with the cybersecurity aspects of assuring that the correct information is used to control a manufacturing operation. This information consists of two general categories: the industrial control system (ICS) operational commands (called a part program in machining operations) and the ICS firmware (the definition of basic system functions, calibration factors, etc.). IBCI is addressing the part program integrity issue through small projects funded by IBAS and AMO (the SNL and H4Di projects discussed above); the firmware integrity issue is being addressed through projects funded by the Y-12 Plant Directed Research and Development program.

The IBCI Team’s research into the technologies available for shop floor part program validation indicates that limited capabilities are available in the private sector for part program verification. Identify3D offers a product that has been integrated with Siemens machine tool controls and allows manufacturing information to flow in an encrypted form from the point of creation to the CNC. The final decryption occurs as the information is used to direct the machining process. The Identify3D product warrants further investigation as to its effectiveness and broader applicability. Y-12 uses Siemens 840-D CNCs and plans to work with the Identify3D Lexington, KY office for further evaluation of their product.

Task 8. Initiate machine tool sensor system activities on UWF test bed machine (IBAS):

This task was initially slated to be supported through IBAS funding; however, it was deemed more appropriate to consolidate all UWF activities under leveraged Y-12 PDRD funding which enabled the IBAS resources to be directed towards another closely related task. The new task will be called “Evaluation and testing of Agingo, Inc. blockchain application,” is scheduled for completion in FY20, and involves the evaluation and testing of the Agingo “Not-Only-One-Block-Chain” enterprise platform for information transfer.

Information transfer in manufacturing generally involves both IT (information technology) and OT (operational technology) applications. IT data transfers occur between a variety of computer “endpoints,” have historically received the most attention, and while a variety of encryption techniques are available, there is concern that quantum computing technologies will be disruptive to this approach. In contrast, OT transfers frequently involve equipment controllers which typically do not support conventional encryption procedures.

This task will leverage PDRD funding and involve testing Agingo’s Not-Only-One-Blockchain approach to secure data transmission in two application areas: (1) use as a communications link to a secure collaboration environment that is being developed in conjunction with the PDRD-funded Tennessee Valley Corridor-Advanced Manufacturing Initiative (TVC-AMI), and (2) use as a communications link between a host computer and shop floor control systems. Initial testing will be conducted in conjunction with IBCI activities at UNC Charlotte. If those results are promising, activities will be extended to the TVC-AMI secure collaboration environment project, which will serve as a pilot activity that also addresses IBAS-related needs for secure communications.

Task 9. Demonstrate use of sensor system for independent validation of machine tool firmware integrity (PDRD).

UWF is developing hardware and software for verifying the integrity of firmware on CNC machine tool controls through the use of independent sensors and analysis software that is able to validate the positioning functionality and accuracy of the CNC linear axes. UWF has designed and demonstrated a prototype system, using a UWF robotic testbed. The next step is to validate the system operation on CNC machine testbeds at UWF and the University of California – Fullerton.

Task 10. Dark Cubed Evaluation (PDRD):

Dark Cubed offers a cybersecurity software-as-a-service platform that is being evaluated by UWF on the Florida Cyber Range (FCR). The testing is underway in a sandbox – a system that is isolated for security against malicious code and also can be restored to a “known good” baseline state between test events. Individual test cases are being derived from real-world malicious software for which the operational profile includes outbound network traffic to a specific IP address or URL. The presence of live malware necessitates the use of dedicated, isolated server range hardware, and a network traffic generator is being used within the FCR in order to produce more realistic network traffic for the Dark Cubed analysis.

Task 11. UNC Charlotte Activities (PDRD):

UNC Charlotte is continuing the development of technologies in support of the wargaming system. The specific activities include:

1. The design, prototyping, and implementation of increasingly complex autonomous agents for the cyber-physical range that simulate representative human behavior in a manufacturing facility.

This supports the goal of automating the analysis of vulnerabilities within a virtual model of the manufacturing industrial base.

2. Developing a prototype Risk Scoring Algorithm that will create a Manufacturing Network Risk Index for use in automatic network assessment activities.

The goal of this task is to create a tool that can be used to automatically compare the vitality of different network configurations and support automatic network assessment activities that do not require a high degree of sophistication on the part of the SMM’s.

3. Conduct a survey of typical exploits and/or vulnerabilities of manufacturing equipment and systems.

This provides a definition of the current threat vectors that are associated with manufacturing operations.

4. Designing and building a Man-portable Cyber-Physical Range demonstration unit that can be used at manufacturing companies to collect network information and perform modeling activities.

This task is developing a portable cyber-range that can be used for remote network analysis and modeling activities, allowing SMM’s to receive immediate feedback on the condition of their networks.

5. Perform a series of penetration tests on representative networks within the cyber-physical range and on the original networks to validate the results.

This task demonstrates that the results obtained through a network assessment on the cyber-physical range match the results obtained through an on-site penetration test and identifies opportunities for enhancing system fidelity.

Task 12. Project Management & Coordination (AMO & IBAS)

This activity was performed by Y-12 staff to manage and coordinate project activities and interact as needed with project sponsors.

4. CONCLUSIONS

The MTEWS facility is envisioned as an enduring asset for the discovery, assessment, and remediation of exploits and other malicious actions. It will take advantage of a knowledge base of MIB vulnerabilities and remediation tactics to move away from the “wait for an attack” posture to a more proactive mode of operations that can be deployed across all tiers of the supply chain. This will provide game-changing information security technologies that enable effective collaboration across MIB without requiring SMM’s to deploy and maintain an extensive cybersecurity infrastructure.

Significant progress has been achieved in establishing a pilot capability for the MTEWS. The activities at UNC Charlotte have demonstrated a foundational virtual modeling capability that can be expanded to represent the supply chain of manufacturing enterprises that comprise the manufacturing industrial base, and the AMO and IBAS-supported activities provide a solid beginning for the development of the technologies needed to complete the MTEWS. While only incremental progress has been made toward the overall project goals, due to a lack of funding, the IBCI team expects to work with the Clean Energy Manufacturing Innovation Institute to continue the development of the MTEWS. Unfortunately, due to the lack of “continuation funding” to bridge the gap until the Institute begins operations, it is likely that the IBCI activities will be significantly curtailed in 2020.

5. FUTURE WORK

FY2020 work is planned to continue the PDRD-funded tasks associated with the virtual modeling aspects of MTEWS, an IBAS-funded assessment of a new technique for secure information transmission, and an AMO-funded assessment of an INL network sensor system, designed for use by BOR, that appears to be directly applicable to SMM’s. Limited activities will also be conducted to continue building the IBCI team in anticipation of future funding.

6. REFERENCES

1. C. Nissen et al., August 2018, Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, MITRE Corporation.

Published by lslolo

I am a targeted Individual in the county of KANKAKEE Illinois since 2015- current. I became a victim via my employer which is the state of Illinois Department of Human Services.
