Application Level Cybersecurity Threat Detection
Navy SBIR 2019.2 - Topic N192-118
NAVSEA - Mr. Dean Putnam - [email protected]
Opens: May 31, 2019 - Closes: July 1, 2019 (8:00 PM ET)
TECHNOLOGY AREA(S): Information Systems
ACQUISITION PROGRAM: Unmanned Maritime Systems Program Office (PMS 406); Expeditionary Missions Program Office (PMS 408)
The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), 22 CFR Parts 120-130, which controls the export and import of defense-related material and services, including export of sensitive technical data, or the Export Administration Regulation (EAR), 15 CFR Parts 730-774, which controls dual use items. Offerors must disclose any proposed use of foreign nationals (FNs), their country(ies) of origin, the type of visa or work permit possessed, and the statement of work (SOW) tasks intended for accomplishment by the FN(s) in accordance with section 3.5 of the Announcement. Offerors are advised foreign nationals proposed to perform on this topic may be restricted due to the technical data under US Export Control Laws.
OBJECTIVE: Develop and validate an adaptive approach to detect and react to external and embedded cybersecurity attacks at the application layer in order to secure and maintain maritime-based information communication operations involving autonomous submerged vehicles. Consider adaptive approaches that strive for achieving no impact to the hardware and software/firmware used during real-time operations.
DESCRIPTION: The frequency and sophistication of cyberattacks on Navy systems, as well as the number and types of Navy platforms (e.g., unmanned systems) that need enhanced protection, are rapidly increasing. Legacy systems in the fleet today consist of system-of-systems architectures that may or may not have cyber defenses baked into their architectures and components. Firewalls, intrusion detection and prevention systems (IDPS), anti-virus, and anti-malware security solutions have been traditionally used in systems to provide a multilayered defense against cyberattacks. These general-purpose solutions typically detect a wide array of common vulnerabilities and intrusions.
With the Navy’s focus on the development and fielding of Unmanned Underwater Vehicles (UUVs), there is a heightened need for securing and maintaining communications for UUV deployments. However, UUVs face special challenges in this regard, having limited windows of access to external communications, which restricts their access to current software patches and cyberattack vector refreshes.
In a layered defense-in-depth security model, vulnerabilities at the application layer are not always easily detectable by existing cybersecurity tools. Software applications cannot rely solely on existing defensive security solutions to be protected from an ongoing attack. An approach is needed that: (1) takes a proactive approach to identification simulation to verify and resolve cyberattacks; (2) complements rather than replaces existing security tools and assists with validation of the system's overall software assurance; (3) can detect ongoing and previously unknown cyberattacks in real time; (4) provides tailorable solutions to address security risks specific to key software applications; and (5) ensures that software applications not only protect themselves but also respond to and mitigate the impact of a cyberattack on the infrastructure.
The application layer is of critical importance in that it focuses mostly on the business logic and encapsulates data critical to the system. Software development process improvements that have been introduced reduce potential security vulnerabilities by enforcing secure coding standards through the use of static code vulnerability analysis tools, security design reviews, and so forth. However, this isn't sufficient to detect and prevent attacks at the application or business logic layer. Nor is it sufficient to detect and mitigate the impact of previously unknown cyberattacks. Cyberattacks focusing on business logic are especially problematic in that these attacks are specific and unique to each application. Arguably, the best place to detect these attacks is within applications. For example, cyberattacks often probe applications repeatedly using correct, well-formed messages to uncover vulnerabilities.
Most likely, this behavior will go undetected at the upper layers of the security model since the messages are, in fact, correct. In this case, the application is best able to recognize that the activity associated with this message is suspicious and symptomatic of a potential in-water UUV cyberattack.
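One concrete form of the application-level recognition described above, as an added example that is not part of this solicitation: a small Python detector run over a constructed log of syntactically valid control messages (hypothetical command names and source IDs), which flags a source on the pattern across its messages rather than on any single message.

```python
from collections import defaultdict, deque

# Constructed sample of application-layer messages: (time_s, source, command, argument).
# Every message is syntactically valid, so a protocol-level filter passes all of them;
# only the pattern across messages reveals the probing. Command names are hypothetical.
SAMPLE_LOG = [
    (0.0, "ctl-1", "GET_DEPTH", "0"),
    (1.0, "ctl-1", "SET_HEADING", "090"),
    (2.0, "ctl-1", "GET_DEPTH", "0"),
    (3.0, "probe", "GET_DEPTH", "0"),
    (3.2, "probe", "GET_DEPTH", "1"),
    (3.4, "probe", "GET_DEPTH", "2"),
    (3.6, "probe", "SET_HEADING", "000"),
    (3.8, "probe", "SET_HEADING", "001"),
    (4.0, "probe", "SET_HEADING", "002"),
    (4.2, "probe", "DUMP_LOG", "0"),
    (4.4, "probe", "DUMP_LOG", "1"),
    (60.0, "ctl-1", "GET_DEPTH", "0"),
]


def detect_variety(log, window_s=10.0, max_distinct=5):
    """Flag sources issuing more than max_distinct distinct (command, argument)
    pairs inside one sliding window; a legitimate controller repeats a small mix."""
    windows = defaultdict(deque)
    flagged = {}
    for t, src, cmd, arg in sorted(log):
        w = windows[src]
        w.append((t, cmd, arg))
        while t - w[0][0] > window_s:      # drop messages older than the window
            w.popleft()
        if src not in flagged and len({(c, a) for _, c, a in w}) > max_distinct:
            flagged[src] = t               # time the source crossed the threshold
    return flagged


def detect_enumeration(log, min_run=3):
    """Flag sources sending one command with consecutively increasing numeric
    arguments (a sweep of a parameter space) for min_run messages or more."""
    last = {}      # source -> (command, last numeric argument, run length)
    flagged = set()
    for _, src, cmd, arg in sorted(log):
        if not arg.isdigit():
            last.pop(src, None)            # non-numeric argument breaks any run
            continue
        prev = last.get(src)
        run = prev[2] + 1 if prev and prev[0] == cmd and int(arg) == prev[1] + 1 else 1
        last[src] = (cmd, int(arg), run)
        if run >= min_run:
            flagged.add(src)
    return flagged


def suspicious_sources(log):
    """Union of both application-level signals."""
    return set(detect_variety(log)) | detect_enumeration(log)
```

Both signals are cheap per message (bounded per-source state), which matters on an embedded controller with tight resource budgets.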
The National Institute of Standards and Technology (NIST) framework identifies a core set of functions (i.e., identify, protect, detect, respond, and recover) that aid in the management of cybersecurity risk to systems, assets, data, and capabilities. This topic focuses on the management of cybersecurity risk with respect to this framework and further focuses on cybersecurity approaches/solutions that do not require modification of the design or code of existing applications but provide real-time detection, prevention, and recovery from cyberattacks on standard operating systems (Windows/Linux) and Real Time Operating Systems (RTOS). The proposed approach should provide tailored solutions that are based on industry standards and security best practices; be operating system agnostic; minimally impact hardware and software system resource utilization during UUV operations; be easy to integrate into existing environments and infrastructure; and be reliable and not require changes to existing application software residing on the unmanned system. The approach should have the ability to support long duration unattended operations over 180 days. The approach should be able to operate on existing hardware such as Commercial-Off-The-Shelf (COTS) embedded controllers.
Furthermore, the proposed approach should use open source solutions to the greatest extent possible. Ideally, the approach should be demonstrated on UUVs to show the ability to detect attacks that exploit previously unknown weaknesses or vulnerabilities such as zero-day exploits.
The approach should provide an initial concept design and model key elements of a cyberattack defense concept for UUVs that can autonomously detect, thwart, and recover from a cyber-quarantine attack. Applications need to be active participants in multilayered security architecture to protect critical systems resources, namely data. The approach should provide an Automated Protocol Translator tool capable of auto generating code required for enforcing cybersecurity rules on UUV sensors. Additionally, the proposed solutions should be able to demonstrate enhanced system resiliency by ensuring applications are cyber-aware and have the ability to identify, protect, detect, respond to vectors independent of access to external communication channels, perform modeling, and recover from cyberattacks, thereby mitigating their impact on the system infrastructure.
The Phase II effort will likely require secure access, and NAVSEA will process the DD254 to support the contractor for personnel and facility certification for secure access. The Phase I effort will not require access to classified information. If need be, data of the same level of complexity as secured data will be provided to support Phase I work.
Work produced in Phase II may become classified. Note: The prospective contractor(s) must be U.S. Owned and Operated with no Foreign Influence as defined by DoD 5220.22-M, National Industrial Security Program Operating Manual, unless acceptable mitigating procedures can be and have been implemented and approved by the Defense Security Service (DSS). The selected contractor and/or subcontractor must be able to acquire and maintain a secret level facility and Personnel Security Clearances, in order to perform on advanced phases of this contract as set forth by DSS and NAVSEA in order to gain access to classified information pertaining to the national defense of the United States and its allies; this will be an inherent requirement. The selected company will be required to safeguard classified material IAW DoD 5220.22-M during the advanced phases of this contract.
PHASE I: Develop a concept to support cyber-aware applications for use in Navy UUV systems that require the ability to support unattended operations over 180 days and meet the requirements described in the Description. Demonstrate the feasibility of the concept by generating and documenting the top-level design of software components associated with the proposed solution. Describe the test approach to be used to demonstrate that the proposed solution identifies a zero-day cyber-attack, and develop metrics to be collected during these tests that quantify the efficacy of the proposed approach. Develop a Phase II plan. The Phase I Option, if exercised, will include the detailed design to support the development and test of the prototype solution in Phase II.
PHASE II: Develop and deliver prototype software that can protect the vulnerabilities at the application layer and integrate into a UUV. Describe a detailed approach to be used to emulate a cyber-attack(s). Develop a test plan and procedures and instantiate the test environment; conduct tests; collect metrics defined in the test plan; and document results in a test report. Document the analysis of the test results, lessons learned, and recommendations. Refine the application for transition to the Navy. Prepare a Phase III development plan to transition the technology to Navy use.
It is probable that the work under this effort will be classified under Phase II (see Description section for details).
PHASE III DUAL USE APPLICATIONS: Support the Navy in transitioning the methodology, software, and processes for use in Snakehead or other UUV systems. This technology would also benefit other DoD services and commands as well as other federal, state, and local government agencies where controlling and preventing exposure of data is essential to maintaining public trust.
The proposed solution has applicability in a wide variety of commercial applications: organizations such as healthcare that are regulated and must comply with standards; industries concerned with protecting Personally Identifiable Information (PII) such as financial services; or those that need to protect critical sectors of our infrastructure such as utilities. Furthermore, emergency services, transportation, communications, and manufacturing organizations can benefit from this technology. There are significant advantages to the DoD in transitioning this technology to other DoD agencies, government, and the private sector to improve the resiliency of critical systems.
REFERENCES:
1. “Framework for Improving Critical Infrastructure Cybersecurity.” National Institute of Standards and Technology, February 12, 2014. https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
2. “Computer Security Resource Center.” NIST-800 series publications. https://csrc.nist.gov/publications/sp800
3. Shenk, Jerry. “Layered Security: Why It Works.” SANS Institute InfoSec Reading Room. https://www.sans.org/webcasts/layered-security-works-97440
KEYWORDS: Cybersecurity; UUV; Surface Unmanned Systems; Autonomy; Intrusion Detection and Prevention Systems; Zero-day Cyber-attack; Software Applications Attacks