The Marine Corps has recently launched an innovative initiative known as the Marine Corps Enterprise Network (MCEN) Planning Yard (MPY). The MCEN is the Marine Corps network of networks and approved interconnected network segments. It's comprised of the logical and physical infrastructure necessary to provide end to end communications from the supporting establishment to the forward deployed forces. The MPY implements a structured approach that facilitates the maintenance of the MCEN through rigorous configuration management while enabling a technical evaluation process of all proposed hardware and software changes to determine the impact of those changes to the MCEN.
A series of increasing complexity events are planned in order to validate the processes, provide baseline performance characteristics and conduct an adversarial cyber vulnerability assessment of a system of systems architecture. The first of these events was performed in the 4th quarter of FY16 at the Marine Corps Tactical Systems Support Activity, a is a subordinate command to Marine Corps Systems Command, located in Camp Pendleton, California. Designated MPY 16-1, this event focused on Marine Corps Fires and Command and Control network representing a Battalion Landing Team (BLT) ashore Battalion level fires missions.
Historically, systems undergo an Information Assurance (IA) process that involves "scans" that result in a list of vulnerabilities. This process, while having merit, lacks the breadth necessary to effectively understand a system or system of systems (SoS) holistic cyber resiliency and the associated exposure to adversarial cyber-attack. MPY 16-1 introduced a revolutionary approach to addressing this shortfall, which steps beyond the traditional scanning approach and fills a critical cyber security gap in current system's acquisition process.
The MPY 16-1 cyber assessment approach involved 'destructive' or penetration testing. Destructive testing in this context refers to adversarial actions resulting in varying degrees of interruption to environment operations. While Red Teams are normally associated with penetration testing, they are governed by specific guidelines that prevent them from employing destructive actions to the operational systems and networks they are assessing.
Whereas, the MPY environment allowed for such attacks to be fully exploited due to the controlled testing environment in which the assessment was conducted, including the ability to shut down individual devices and the network. The cyber team's focus during MPY 16-1 was to attempt to deny, degrade, or corrupt the BLTs' ability to accomplish their various missions. This effort also included a triage of the list of vulnerabilities that were identified through the IA process to determine the severity of those vulnerabilities and incorporate them into the assessment process.
The design of the cyber assessment involved a detailed characterization of the systems and network being tested, the team had complete knowledge of the deployed architecture in order to identify the full range of attack vectors and potential vulnerabilities, this enabled a comprehensive set of exploits to be developed and executed. A key enabler in the process was the ability to conduct a "dry run" assessment of the virtualized architecture SoS environment before moving to the formal test environment involving the actual hardware in the loop (HWIL). This approach contributed to maximizing the number of vulnerabilities identified. As a result of this approach, numerous vulnerabilities, beyond those identified by the IA scans, were identified.
The set of vulnerabilities included a 'zero day' attack, which is an attack that was previously unknown and unmitigated. The team also identified a vulnerability associated with the username and password requirements of a web interface, generally this is readily detectable by the normal IA scans if present on the OS, however, since the web interface was part of the proprietary software, the scans failed to identify the vulnerability, which had lethal implications once exploited by the team.
The team performed an analysis of each exploited vulnerability using a standardized and widely accepted vulnerability scoring system. This scoring system provided an objective score that accounts for the attack complexity, the environment it was used in, as well as remediation steps; resulting in a mature assessment of the associated risk for that specific environment. This method of scoring and categorizing enables the program manager to better understand the impact and risk of each respective vulnerability, thus supporting the allocation of already limited resources to remedy the most critical vulnerabilities.
As MPY 16-1 and follow on events focus on assessing fielded and non-fielded HWIL architectures in an operationally representative environment, the adversarial cyber assessment approach provides unique and significant value to both the Program Managers, who with the recent release of DoDI 5000.02 have a greater responsibility for cyber security, and the Marine Corps Operating Forces, who are employing the systems. The knowledge extracted from the MPY events will enable PMs to make better, more informed decisions, and heighten an operational Commander's awareness to system vulnerabilities promoting increased cyber defense measures, a defense in depth strategy, or modification to existing tactics, techniques, and procedures.
The MPY process, through the collaborative efforts of MCSC, MCTSSA, MARFORCYBER, and HQMC C4 promises to be the catalyst to improving MCEN interoperability, performance, and overall cyber resiliency in an ever challenging and complex warfighting environment.
Team Members include: Maj Scott Fortner, Mr. Jay Chance, Mr. Darren Spies, Maj Paul Keener, Capt Ryan Richter, Capt Brian Greunke, Sgt Collin Graff, Mr. Robert Bartnicki, Ms. Samantha Bean, Mr. Chim Yee, Mr. Andrew Sharp, Mr. Alex Garrigan-Timm, Mr. Chris Sikes, Mr. Michael Lowe, Ms. Debra Suminski, Mr. Jerry MacCormack, Mr. Jay Rodriguez, Mr. Hai Mai, Mr. Mike Williams, Mr. Chris Karandang, Mr. Bryan Nguyen, Mr. Mark Nguyen, Mr. Richard Domondon, GySgt Jonathan Morris, Mr. Al Vasquez, Mr. George Scott, Mr. Jacob Thrasher-Watson, Mr. Jerry Mansfield, Mr. Monty Martinez, Mr. Jeremy Rose, Mr. Omar El Naggar, and Mr. Ed Chumpitz.
The MCEN Planning Yard 16-1 Test Team was recognized with honorable mention for the 2016 Secretary of the Navy (SECNAV) Innovation Award in the Innovation Catalyst category.
The SECNAV Innovation Awards recognize the top innovators within the Department of the Navy (DON). Their accomplishments are remarkable and serve as inspiration for the Navy and Marine Corps to think boldly and solve the fleet and force’s most challenging problems.
Join DON Innovation on https://www.facebook.com/NavalInnovation or https://twitter.com/NavalInnovation, or visit the DON Innovation website at http://www.secnav.navy.mil/innovation/Pages/Home.aspx. Email DON Innovation: DON_Innovation@navy.mil