Balancing cybersecurity and operational demands is an ongoing challenge for all of the armed services. At AFCEA WEST 2020, the Sea Services highlighted their strategies to balance those two seemingly competing needs. An essential component will be the Integrated Navy Operations Command and Control System (INOCCS), a “system of systems” for network operations that will allow warfighters to defend everything inside the network.
Speaking at AFCEA WEST on March 2, Manuel Hermosilla, executive director of 10th Fleet/Fleet Cyber Command, said that the long-planned INOCCS framework is now moving forward, adding, “We’re building out the architecture and design for the Navy digital platform transformation effort.” Improved network and systems management, zero trust security and SecDevOps are all parts of the Sea Services’ ongoing technology investment.
As Tim Smith, SolarWinds’s Senior Director – DoD, Civilian Government and Federal Systems Integrators, explained, the nation’s maritime services are looking for rich functionality and simplicity in execution. Because the enlisted sailors in the fleet who conduct network management, the E3s and E5s, are transient, the tooling needs to be simple to use so that less time is spent learning the system. Add to that the fact that “each ship is supported by anywhere from one up to 17 separate networks, each with different security classifications, and it becomes clear that consistency and simplicity are crucial to managing them effectively,” he said.
Smith’s colleague, Omar Rafik, Senior Manager, Federal Sales Engineering for SolarWinds, added that security can be an overwhelming task, due to the diversity of those networks. “You could have one router, one firewall on a ship could literally generate tens of thousands of events in one day,” he said. “That could be 30 or 40 firewalls and hundreds of network devices on a ship. A SIEM – a security event management tool – becomes extremely important to have, to identify all of the threats that can possibly happen.”
Trust, yet Verify
Rafik said the Navy in particular is moving to a zero trust approach as a solution, not just for external security but to help combat insider threats. “The concept is simple,” he explained. “The threat model no longer assumes that computers, users and admins inside your network are secure. It just says, ‘Let’s assume that not only every person but every machine that’s touching your network is a potential external threat.’ So, now you lock everything down with multiple layers of security, multi-factor authentication and things of that nature.”
To make zero trust work, identities must be authenticated and permissions must be managed, even as people move around the network or come in through an expanding array of endpoints. Rafik said the answer is to employ ‘least privileged access,’ where everybody gets the minimum level of access, and additional access is provided as an exception. “That’s achieved through tools for access rights management,” he said, adding, “There’s also the concept of segmenting your network, where segments can have privileged access versus the rest of the network, even on the inside.”
Rafik gave this analogy: “Imagine your network being your home. You lock the outside door, and some people have keys to get in. But you don’t lock the doors on the inside because you feel secure. Zero trust is more like an apartment building where the outside door is locked, and people have keys to get in. But you don’t know who’s running up and down the halls or in the elevators. So you lock the doors to the hallway.”
Smith said that speed is definitely a concern for the Sea Services. He referred to a panel at WEST 2020 with representatives from the Coast Guard, Marines and Navy as well as DISA where the issue of moving faster was discussed at length. In particular, these leaders were concerned with shortening development cycles to get new technology onto ships faster. “As opposed to the old waterfall approach (of software development), people are conducting SecDevOps – ‘let’s get it out there, let’s field it, and if we have to fix it and change it on the fly, we will do it.’ They need to get information to the warfighter quickly, and security still needs to be built in,” Smith said.
The challenge comes down to three areas, Smith explained: “They want to be secure, they want to comply with the INOCCS mandate, and they have to be fleet of feet.” The solutions can be found in tools that allow for consolidated management of multiple systems and applications, along with tools like SIEMs and access rights management. At the same time, despite the competing demands for speed and security, Rafik stressed that security always wins out. “They’d rather have it slow and secure than fast and not secure. They will never compromise security for speed.”