TECHNOLOGY AREA(S): Information Systems

ACQUISITION PROGRAM: PEO IWS 5, AN/SQQ-89A(V)15 and related Undersea Warfare AxB Programs Program Office

OBJECTIVE: Develop a unified logging architecture that supports collection, aggregation, storage, and analysis of system performance and cybersecurity logs, events, and alerts produced by Naval Control Systems (NCS).

DESCRIPTION: Naval Control Systems (NCSs) are comprised of systems of systems divided into enclaves (e.g., Hull Mechanical and Electrical, Combat System, etc.). Existing NCS architectures do not support the aggregation of logs, events, and alerts from individual system nodes into a centralized repository for storage and analysis of the performance and cybersecurity status of the entire NCS. Current analysis of performance and cybersecurity monitoring is typically conducted at the system or sub-system level, resulting in implementation differences, incompatibility between monitoring systems, and failure to produce a full view of the NCS status. Operators and maintainers of NCS need an architecture that supports collection of all logs, events, and alerts from nodes within the NCS into a single repository for analysis, monitoring, and alerting. There is currently nothing available commercially with respect to complex systems of systems. While there may be some logging capability for more simplistic systems, these simplistic approaches are not extensible to complex federated combat systems.

A unified logging architecture will incorporate performance and cybersecurity monitoring capabilities at the host and network level, based on standards, guidelines, and best practices documented in the National Institute of Standards and Technology (NIST) Cybersecurity Framework and Department of the Navy Chief Information Officer (DONCIO) cybersecurity policy and guidance. At the node level, the performance monitoring capability will provide telemetry metrics (e.g., memory usage, central processing unit usage, disk usage, etc.) while the cybersecurity monitoring capability will provide information relevant to the cybersecurity status of the node (e.g., logged in users, connected devices, running processes, network port status, file integrity, etc.). Network performance and security monitoring will be provided by appropriately located network taps and/or switch monitoring ports that provide system network traffic to a network intrusion detection system (NIDS) platform and a network security monitoring (NSM) platform. This will permit the computer network traffic to be analyzed and monitored; and alerts generated as needed.

Within the architecture, the node and network-based monitoring capabilities will send real-time logs, events, and alerts to a centralized data pipeline for storage and consumption by analytic and reporting tools. The central storage capability will serve as a distributed streaming platform that provides for publishing and subscribing to streams of data, storage of data in a fault-tolerant manner, and processing of streams of data as they occur. The use of open-source software (OSS) and commercial off-the-shelf (COTS) hardware and software will provide industry proven capabilities for integration into NCS. While the COTS/OSS capabilities (e.g., RedHat Linux and servers) are currently deployed in traditional networks across industry sectors, research and development to support the selection and integration of the capabilities into existing and future NCS will be required to fully implement the desired architecture.

The architecture should support production and consumption of data streams through a secure and modular interface by employing open standards such as transport layer security (TLS) for secure transmission and JavaScript Object Notation (JSON) for data exchange. This architecture will allow for the addition of new producers and consumers of data streams without perturbing the underlying logging system. For example, a new sub-system added to the NCS should be able to include the performance and cybersecurity monitoring capabilities during installation with the associated events, logs, and alerts being provided to the centralized storage pipeline for consumption without requiring modification of the unified logging architecture. Additionally, new consumers of data streams such as a security incident and event manager (SIEM) should be able to analyze existing data streams without requiring modification of the unified logging architecture.

The resulting architecture and data producer capabilities will be operating system agnostic and will provide centralized aggregation and storage of all relevant performance and cybersecurity data, allowing for modular analysis of data streams by analytic and alerting capabilities to provide a unified status of the entire NCS in real time.

PHASE I: Define and develop a concept for the architecture and software that enable the unified collection, production and consumption of log, event, and alert data streams for all components of the NCS. Ensure that the concept will feasibly address the requirements discussed in the Description for meeting centralized performance and cybersecurity monitoring within the NCS. Develop a Phase II plan. The Phase I Option, if exercised, will include the initial design specifications and capabilities description to build a prototype solution in Phase II, as well as determining an appropriate unclassified NCS.

PHASE II: Develop and deliver a prototype of the architecture and software for unified logging of performance and cybersecurity related data streams based on the results of Phase I and the Phase II Statement of Work (SOW). Create a unified logging architecture model for any Navy-specified NCS that incorporates the key attributes defined in the Description. Demonstrate that it can meet the parameters described in the Description to utilize existing Navy-specified system and sub-system components to provide performance- and cybersecurity-related data streams to a centralized aggregation and storage framework for consumption by analytic and monitoring systems to support visibility of full NCS status. Provide a facility for the initial demonstration with final testing and certification occurring at a Government-provided facility. Prepare a Phase III development plan to transition the technology for Navy use.

PHASE III DUAL USE APPLICATIONS: Assist the Navy in transitioning the demonstrated technologies to the Navy. The architecture should be suitable for Navy specified NCSs and the awardee must support associated system engineering activities of NCS Program offices, with Integrated Warfare Systems (IWS) 5.0 serving as the initial planned transition target.

The architecture developed can easily be adapted to non-Navy systems that require centralized visibility of system of systems performance and cybersecurity status in complex, critical environments. Centralized logging for performance and cybersecurity monitoring is of high interest to both the DoD and private industry in understanding and protecting their networks. Any industry that uses a complicated network or system of systems architecture such as healthcare systems (e.g., hospitals, clinics, nursing homes, rehabilitation units, and patient homes) could use this technology.

REFERENCES:

1. "Risk Management Framework (RMF) Overview.� National Institute of Standards and Technology (NIST), 30 Jan. 2017. http://csrc.nist.gov/groups/SMA/fisma/framework.html

2. �Guide to Computer Security Log Management.� National Institute of Standards and Technology (NIST), Sep. 2006. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf

3. "Fluentd | Open Source Data Collector.� Fluentd 2018, 12 January 2018. https://www.fluentd.org/

4. �Apache Kafka.� Apache Project, 2018. 12 January 2018. https://kafka.apache.org/

5. Mahmood, T. and Afzal, U. "Security Analytics: Big Data Analytics for cybersecurity: A review of trends, techniques and tools." 2013 2nd National Conference on Information Assurance (NCIA), Rawalpindi, 2013, pp. 129-134. https://ieeexplore.ieee.org/document/6725337/

KEYWORDS: Cybersecurity; Computer Network Traffic Analysis; Centralized Logging; Network Intrusion Detection; Naval Control Systems; System of Systems