Mission Not Impossible: Defending IT Systems Through Mission Assurance
May 2010
Topics: Computer Security, Information Security Risk Management, Critical Infrastructure Protection
As the use of commercial-off-the-shelf products has steadily increased in IT systems, so has the risk to the systems. "Open networks have access to our systems, and adversaries are taking advantage of that," says Scott Foote, a project lead in the Information and Computing Technology Division at MITRE. "We have incredible vulnerabilities."
The growing threat has led to increased focus on a strategy known as "mission assurance"—the ability to ensure that an organization's IT systems will support the mission in the face of different threats. "There are many threats to systems other than conventional hacker attacks, and so we're trying to broaden the definition," says Lou Montella, division engineer for mission assurance in MITRE's Information Security division.
Indeed, the threat can come in many forms: organized crime, nation states, hackers, and other offenders. In addition to developing mission assurance techniques that will defeat these adversaries, a new area of focus is developing techniques to provide assurance that IT systems meet mission needs, even when they have been compromised.
A Realistic View
"Our job is to make things harder for our adversaries, but also to assume that we can't prevent every attack," Montella says. "That means we have to develop the ability to fight through an attack because we can't assume we can keep the enemy out. Mission assurance means ensuring that your systems will work in the face of a variety of different threats."
Montella is currently working with sponsors in the acquisition community to address a wider range of threats and to influence government policy at a higher level. "One thing we're discussing is how to incorporate that broader definition into the systems engineering activities we do," he says.
Foote reiterates the value of a systems engineering risk management approach. "MITRE is well known for systems engineering competencies in a wide range of technologies and engineering methodologies," he says. "If we approach mission assurance as a systems engineering set of challenges, we can bring it forward in that context. Most other organizations can't offer that."
This approach is nothing new, according to Foote. "We have a tendency to treat mission assurance as though it's a new topic or new set of challenges, when it's always been an objective of traditional systems engineering," he says. "Mission assurance is not in and of itself a deliverable."
Gary Hastings, associate department head in Operational C2 (Command and Control) Systems, is currently working on mission assurance for the Air Force and its multiple space-based systems, which support satellite communications capabilities, global positioning systems, and other critical operations. "For program managers, the advanced cyber threat is a pretty daunting concern, and it's easy to bury your head in the sand or to be so overwhelmed that you simply abandon any hope of improvement," he says.
Hastings recently pioneered a MITRE-developed process for assessing mission assurance for the Air Force's Air & Space Operations Center (AOC). As task leader for the Operations Without Space project, Hastings' job was to perform a "crown jewel analysis" by identifying the AOC's most mission-critical services, their vulnerabilities, and the potential mission impact of losing those capabilities. Ultimately, the team could use this information to identify mitigation strategies to enable the AOC to "operate through" adverse conditions such as cyber attacks.
"What this process does is bring awareness to the owners and leadership of these critical organizations and systems," Hastings says. "It gives them a risk management methodology for identifying critical assets and for prioritizing resources and investments so that they get the best value from a mission perspective."
Through extensive discussions with the 613th AOC leadership and staff, Hastings and his team prioritized the organization's mission objectives, narrowed down the IT assets most critical to supporting those objectives, and came up with a plan for mitigating cyber threats to the critical IT assets. The final briefing, including recommendations for mitigating threats to the AOC "crown jewels," was delivered to the deputy commander in August 2009.
As part of its mission assurance initiative, MITRE recently created a new Cyber Operations Center. "The concept of an operations center applied to cyberspace is one that's shared across all of the DoD, as well as the intelligence community and the Justice Department," Foote says. "However, all of those organizations have different ways of approaching that concept, different requirement sets for technology—in general, different tactics, techniques, and procedures on the command and control of cyberspace. So MITRE's effort is service-agnostic; it's not tailored to just one of the services."
The Cyber Operations Center has two primary goals: to develop and refine concepts of cyber command and control, and to prototype new technologies to make those concepts a reality. To meet the first goal, Foote and his team engage in direct discussion with the services, the intelligence community, the U.S. Strategic Command, and other organizations.
About the second goal, Foote says, "Assuming that CONOPS [concept of operations] continue to evolve, what would technology to support that look like? Our notion is that it would be a cyber command system, and we're prototyping that concept to see how it might work. The prototype has done two things—first, we've integrated a lot of existing technology, mostly from inside MITRE. But the second piece is innovation, as we extend the capabilities beyond those initial components."
The feedback, according to Foote, has been good. "All of the sponsors we've spoken with see their vision in the work we're doing," he says. "The feedback has been bilateral; we've learned from them what their vision is and what their most urgent needs are. We share with our sponsors the idea that the future is in much higher-level command and control, not just the next generation of network operations."
—by Tricia C. Bailey