Defense Industrial Base (DIB)
A Pragmatic Approach Towards Zero Trust Security Model.
Hello everyone, today I’m here to share with you a glimpse of the defense industry in cyber security. I was thinking of writing something about SCADA hacking, but then decided that I should start from the basics. In this blog, I will only be talking about the defense sector, its mighty challenges, and the approach to securing it.
So, Let’s get started…
— — — — — — — — — — — — — — — — — — — — — — — — — — — —
<< Introduction >>
The concept of Critical Infrastructure is constantly evolving to reflect current concerns and to respond to new challenges, especially in terms of security and resilience. At the same time, over the last decades the number and variety of Critical Infrastructures have increased significantly, and their protection against numerous threats, along with safeguarding their uninterrupted operation, has become a high priority at the national level.
Cyber attacks against defense industrial base (DIB) firms designed to steal sensitive data, trade secrets, and intellectual property (IP) are growing in sophistication and severity. The DIB is under attack: foreign actors steal large amounts of sensitive data, trade secrets, and intellectual property from DIB firms every day, contributing to the erosion of the DIB and potentially harming military capabilities and future military operations.
<< What Is the DIB? >>
The DIB is the set of private and public firms (from small to large companies) that provide defense industrial capabilities. Defense industrial capabilities are “the skills and knowledge, processes, facilities, and equipment needed to design, develop, manufacture, repair, and support DoD products and their necessary subsystems and components.”
<< Methodology >>
The defense industry is one of the most important areas that every security professional should be working to secure from untrusted or malicious users.
According to CISA: the Defense Industrial Base Sector is the worldwide industrial complex that enables research and development, as well as design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts, to meet U.S. military requirements.
The Defense Industrial Base partnership consists of Department of Defense components, more than 100,000 Defense Industrial Base companies and their subcontractors who perform under contract to the Department of Defense, companies providing incidental materials and services to the Department of Defense, and government-owned, contractor-operated, and government-owned, government-operated facilities.
Cyber attacks against defense industrial firms mainly take place to steal sensitive information and data records. When it comes to attacking this sector, the most prominent way in is phishing emails, although such tricks have become less effective now that military personnel are also trained in cyber security. Admiral Mike Rogers (National Security Agency Director) has also stated: “Today, we face threats that have increased in sophistication, magnitude, intensity, volume, and velocity.”
According to the US Defense Department, its information network is now targeted by nearly 40 million malicious e-mails every day. From these numbers you can see how important it is to secure the defense sector. This is not the only reason: in the Russia-Ukraine war we have also seen how security infrastructure was destroyed, putting people’s lives in danger.
The US team that defends the network in these top-secret operations is Joint Special Operations Command (JSOC), a sub-unified command of the US Special Operations Command (USSOCOM). Beyond this role, it also serves as a deep reconnaissance, intelligence-gathering special mission unit.
<< Cyber Deterrence Challenges >>
(a) Classification of War:
The biggest challenge that the military faces today is identifying “an act of war”. The problem is that a cyber attack is indecisive as an ACT OF WAR: in some cases we cannot conclude whether an attack was really carried out by a nation-state or by an individual person or group. And if such an attack is launched, should it be considered cyber war? Can attacks on critical infrastructure owned by the private sector, which also supports humanitarian activities, be used to achieve military objectives and be recognized as aggression? Legitimate cyber soldiers are indistinguishable from script kiddies, so should they be treated as non-combatants? Again, how does one know if third parties are acting on behalf of a nation-state? All these questions pose a major challenge to the military, which has to effectively defend the nation’s sovereignty in cyberspace.
(b) Attributability:
Whenever we see an attack on a big IT firm, we usually get to know the reason behind it. Most often it is a ransomware attack, and the attacker also names the group behind it, which we can call the attribution. The attributed actor might be ordinary people or state actors. Attribution to a state is comparatively easy, but it is more difficult to pinpoint responsibility in the case of non-state actors. Often the country of origin of the attack turns out to be a neutral player, and the hostile actor is never identified well enough to facilitate a conviction. Even in the case of DDoS attacks against various countries and the recent Stuxnet attack, the act of warfare in the cyber domain could not be clearly attributed. Thus the attribution problem marks an important distinction between cyber warfare and traditional warfare regarding intent and identity, which are not revealed clearly.
(c) Maintenance and Protection of System:
Wherever networks and systems are used, the most important question is how you protect them from people who would deface them, and further how you maintain them for the long run. If software upgrades and transfers of data between the networks are not secured, they are an invitation to attack. Defense runs huge systems that carry an enormous amount of data, operate across many different machines, and work all day long. So the challenge here is how to maintain them properly without making them unavailable.
<< Rules and Regulations >>
There are some legal frameworks in cyber security with respect to critical infrastructures; how the laws are made varies from country to country. The following regulations implement rules defined by the European Parliament. The long-awaited Decree-Law no. 65/2021 came into force on the 9th of August 2021, regulating the Cyberspace Security Legal Framework and defining cybersecurity certification obligations, in implementation of Regulation (EU) 2019/881 of the European Parliament and of the Council.
This Decree-Law addresses several questions that were unsolved by Law no. 46/2018, establishing, for the covered entities, demanding obligations regarding:
→ security requirements of networks and information systems; and
→ requirements for reporting incidents affecting the security of network and information systems.
Critical infrastructure operators (public or private entities operating a critical infrastructure), operators of essential services (in the energy, transport, banking and finance, health, water, and digital infrastructure sectors), digital service providers (e-commerce, online search engines, and cloud computing) and Public Administration entities must meet the established requirements. In particular, the security requirements applicable to digital service providers are defined by an implementing regulation of the European Commission.
Non-compliance with the established obligations is punishable as follows:
→ Very serious infringements: fines ranging, for legal persons, from €25.000 to €50.000 (in the event of failure to comply with obligations relating to security requirements)
→ Serious infringements: fines ranging, for legal persons, from €9.000 to €3.000 (in the event of failure to comply with notification obligations)
The Decree-Law also allows the implementation of a national cybersecurity certification framework by the CNCS (National Cybersecurity Centre), which will act as the National Cybersecurity Certification Authority. The CNCS will establish the necessary provisions for the development and implementation of specific cybersecurity certification schemes for information and communication technology products, services, and processes.
The requirements set out in Decree-Law 65/2021 constitute a minimum to be ensured by the entities covered, without prejudice to the rules that, depending on the nature of the entities and the sectors in which they operate, may be established by other authorities, nor to provisions resulting from other legislation (as is the case for the obligations applicable to digital service providers). The CNCS may also issue complementary technical instructions regarding security requirements and incident notification. The densification of cybersecurity obligations seeks to ensure a high level of security of the networks and information systems that support the use of increasingly disruptive technologies (such as Artificial Intelligence or the Internet of Things), so that it takes place in an environment of trust.
It is undeniable that the fulfillment of cybersecurity obligations will not only enable legal compliance by organizations but will also provide them with significant reputational and behavioral benefits. It is therefore imperative that organizations start preparing their systems and teams as soon as possible for the implementation of this new regime, becoming more resilient to the internal and external threats affecting cyberspace and avoiding the application of severe fines.
<< Solution Architecture >>
From the Department of Defense (DoD) we get an architecture based on 7 pillars, as described by David McKeown, DOD’s chief information security officer and deputy chief information officer.
He further stated that “The priority of all of the pillars working together, or in harmony, is that we’re able to detect advanced persistent threats trying to attack our network, advanced persistent threats that have successfully hacked our networks and their lateral movements inside of our networks.”
These pillars make up “Zero Trust Security”, an emerging initiative that DOD CIO is exploring in concert with DISA, US Cyber Command (USCYBERCOM), and the National Security Agency (NSA). Zero Trust is a cybersecurity strategy and architecture that requires authentication or verification before granting access to sensitive data or protected resources, and it pays off financially by reducing data loss and preventing data breaches. This security model eliminates the idea of trusted networks, devices, personas, or processes, and shifts to multi-attribute and multi-checkpoint-based confidence levels that enable authentication and authorization policies under the concept of least privileged access. Implementing Zero Trust requires rethinking how we utilize existing infrastructure to implement security by design in a simpler and more efficient way while enabling unimpeded operations.
Apart from the advantages of securing our architecture in general, there are additional cross-functional benefits of Zero Trust regarding cloud deployments, Security Orchestration, Automation and Response (SOAR), cryptographic modernization, and cybersecurity analytics. The seven Zero Trust pillars assist with the categorization of capabilities and technologies that can perform Zero Trust functions in an environment. The seven pillars in the DOD Zero Trust Architecture include:
(1) User.
(2) Device.
(3) Network/Environment.
(4) Application and Workloads.
(5) Data.
(6) Visibility and Analytics.
(7) Automation and Orchestration.
(1) USER:
Here we need to define the attributes or factors that authenticate a user and grant access to resources with specific privileges to read and write data. Securing, limiting, and enforcing person, non-person, and federated entities’ access to DAAS (data, applications, assets, and services) encompasses the use of ICAM (identity, credential, and access management) capabilities such as multi-factor authentication (MFA) and continuous multi-factor authentication (CMFA). Organizations need the ability to continuously authenticate, authorize, and monitor activity patterns to govern users’ access and privileges while protecting and securing all interactions. Role-based access control (RBAC) and attribute-based access control (ABAC) apply policies within this pillar to authorize users to access applications and data.
(2) DEVICE:
At this level we need to take care of the devices connected to our network: updating them, securing them from malware, and patching vulnerabilities. Having the ability to identify, authenticate, authorize, inventory, isolate, secure, remediate, and control all devices is essential in a Zero Trust approach. Real-time attestation and patching of devices in an enterprise are critical functions. Some solutions, such as Mobile Device Managers or Comply-to-Connect programs, provide data that can be useful for device confidence assessments. Other assessments should be conducted for every access request (e.g. examination of compromise state, anomaly detection, software versions, protection status, encryption enablement, etc.).
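As an added example (not from the post or the DoD reference architecture), the following Python sketches how the User and Device pillars meet at a policy decision point: every request is checked for fresh MFA, an RBAC role and action, and an ABAC rule that ties the resource’s sensitivity to a device confidence score built from the attributes listed above. The class names, scoring weights and thresholds are assumptions.

```python
from dataclasses import dataclass

@dataclass
class User:
    name: str
    roles: set
    mfa_verified: bool
    auth_age_s: int   # seconds since the last MFA check (continuous MFA input)

@dataclass
class Device:
    device_id: str
    inventoried: bool           # present in the enterprise device inventory
    patch_age_days: int         # days since the last patch was applied
    disk_encrypted: bool
    compromise_indicators: int  # findings reported by endpoint tooling at request time

@dataclass
class Resource:
    name: str
    sensitivity: str     # "public" | "internal" | "controlled"
    required_roles: set  # empty set: any authenticated role may be considered

# RBAC part: the actions each role may perform (least privilege); assumed roles.
ROLE_ACTIONS = {"engineer": {"read"}, "maintainer": {"read", "write"}}
# ABAC part: minimum device confidence each sensitivity level demands (assumed).
MIN_CONFIDENCE = {"public": 1, "internal": 3, "controlled": 4}

def device_confidence(dev):
    """Score 0..4 from attributes re-assessed at every request (assumed scoring)."""
    return sum([dev.inventoried, dev.patch_age_days <= 30,
                dev.disk_encrypted, dev.compromise_indicators == 0])

def decide(user, dev, res, action, max_auth_age_s=900):
    """Evaluate one access request and return (allowed, reason); nothing is trusted by default."""
    if not user.mfa_verified or user.auth_age_s > max_auth_age_s:
        return False, "re-authentication required (continuous MFA)"
    if res.required_roles and not res.required_roles & user.roles:
        return False, "RBAC: no role grants access to this resource"
    if not any(action in ROLE_ACTIONS.get(r, set()) for r in user.roles):
        return False, f"RBAC: action '{action}' not permitted for user's roles"
    conf = device_confidence(dev)
    needed = MIN_CONFIDENCE[res.sensitivity]
    if conf < needed:
        return False, f"ABAC: device confidence {conf} below required {needed}"
    return True, "allow"

if __name__ == "__main__":
    alice = User("alice", {"maintainer"}, True, 120)
    managed = Device("ws-0142", True, 5, True, 0)     # constructed, compliant device
    stale = Device("ws-0207", True, 90, True, 0)      # constructed, unpatched device
    docs = Resource("design-docs", "controlled", {"engineer", "maintainer"})
    print(decide(alice, managed, docs, "write"))   # (True, 'allow')
    print(decide(alice, stale, docs, "read"))      # denied: confidence 3 below 4
```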
(3) NETWORK/ENVIRONMENT:
This pillar focuses on protecting your networks. As we all know, in the IT industry the most prominent thing we study is how to protect our networks, because this is the entry point from which every attack takes place. Configuration of firewalls and IDS/IPS is also considered a prerequisite. Segment (both logically and physically), isolate, and control the network/environment (on-premises and off-premises) with granular access and policy restrictions. As the perimeter becomes more granular through macro-segmentation, micro-segmentation provides greater protection and control over DAAS. It is critical to (a) control privileged access, (b) manage internal and external data flows, and (c) prevent lateral movement.
(4) APPLICATION & WORKLOADS:
Applications and workloads include tasks on systems or services on-premises, as well as applications or services running in a cloud environment. Zero Trust workloads span the complete application stack from the application layer to the hypervisor. Securing and properly managing the application layer as well as compute containers and virtual machines is central to Zero Trust adoption. Application delivery methods such as proxy technologies enable additional protections, including Zero Trust decision and enforcement points. Developed source code and common libraries are vetted through DevSecOps development practices to secure applications from inception.
(5) DATA:
Data security is the next thing that needs attention. We need to apply techniques like data encryption, data backup, and data recovery; this is how Zero Trust protects critical data, assets, applications, and services. A clear understanding of an organization’s DAAS is critical for a successful implementation of a zero-trust architecture. Organizations need to categorize their DAAS in terms of mission criticality and use this information to develop a comprehensive data management strategy as part of their overall Zero Trust approach. This can be achieved through the categorization of data, developing schemas, and encrypting data at rest and in transit. Solutions such as DRM, DLP, Software-Defined Storage, and granular data-tagging are relevant in protecting critical data.
(6) VISIBILITY and ANALYTICS:
Vital, contextual details provide a greater understanding of performance, behavior, and activity baselines across the other Zero Trust pillars. This visibility improves the detection of anomalous behavior and provides the ability to make dynamic changes to security policy and real-time access decisions. Additionally, other monitoring sources, such as sensor data used alongside telemetry, help fill out the picture of what is happening in the environment and aid in triggering the alerts used for response. A Zero Trust enterprise will capture and inspect traffic, looking beyond network telemetry and into the packets themselves to accurately discover traffic on the network, observe threats that are present, and orient defenses more intelligently.
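As an added example, not the post’s or DoD’s own tooling, this Python builds a per-user activity baseline from constructed access logs and flags later events that deviate from it (a new device, off-hours access, an unusual data volume), the kind of anomaly detection this pillar calls for. The log format, field names and z-score threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample logs (not real data): timestamp user device resource bytes
BASELINE_LOGS = """\
2024-03-04T09:12:01 alice ws-0142 design-docs 2048
2024-03-04T10:45:33 alice ws-0142 design-docs 4096
2024-03-05T08:58:10 alice ws-0142 build-server 1024
2024-03-05T14:20:47 alice ws-0142 design-docs 3072
2024-03-06T11:02:19 alice ws-0142 design-docs 2560
"""
NEW_EVENTS = """\
2024-03-07T09:30:00 alice ws-0142 design-docs 3000
2024-03-07T02:15:44 alice ws-0142 design-docs 2048
2024-03-07T10:05:12 alice lt-9981 design-docs 2048
2024-03-07T11:40:00 alice ws-0142 design-docs 900000
"""

def parse(text):
    """Split the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, device, resource, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "device": device, "resource": resource, "bytes": int(nbytes)})
    return events

def build_baseline(events):
    """Per user: devices seen, hour-of-day window, mean and stdev of bytes moved."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    baseline = {}
    for user, evs in per_user.items():
        hours = [e["ts"].hour for e in evs]
        sizes = [e["bytes"] for e in evs]
        baseline[user] = {"devices": {e["device"] for e in evs},
                          "hour_min": min(hours), "hour_max": max(hours),
                          "mean": statistics.mean(sizes),
                          "stdev": statistics.pstdev(sizes)}
    return baseline

def find_anomalies(events, baseline, z=3.0):
    """Return (event, reason) pairs for events that deviate from the user's baseline."""
    flagged = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            flagged.append((e, "unknown user"))
            continue
        reasons = []
        if e["device"] not in b["devices"]:
            reasons.append("new device")
        if not b["hour_min"] <= e["ts"].hour <= b["hour_max"]:
            reasons.append("off-hours access")
        if b["stdev"] and (e["bytes"] - b["mean"]) / b["stdev"] > z:
            reasons.append("unusual data volume")
        if reasons:
            flagged.append((e, ", ".join(reasons)))
    return flagged
```

Running `find_anomalies(parse(NEW_EVENTS), build_baseline(parse(BASELINE_LOGS)))` flags three of the four new events; in practice the baseline would be rebuilt continuously from the telemetry the pillar describes.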
(7) AUTOMATION and ORCHESTRATION:
Finally, we try to automate the process of securing the system so that our workload is distributed. The techniques we use for protection change along with our data and requirements. Many solutions help us achieve this, like SOAR layers, XDR layers, and Robotic Process Automation (RPA); these help automate manual security processes to take policy-based actions across the enterprise with speed and at scale. SOAR (Security Orchestration, Automation and Response) improves security and decreases response times.
Security orchestration integrates Security Information and Event Management (SIEM) and other automated security tools and assists in managing disparate security systems. Automated security response requires defined processes and consistent security policy enforcement across all environments in a Zero Trust enterprise to provide proactive command and control.
<< Benchmarks For Success >>
Benchmarking is the process of researching competitors and peers and setting internal performance goals based on that research. Cybersecurity benchmarking is a well-established practice among successful organizations, but the areas these organizations choose to benchmark have not always evolved with changing business concerns.
⇒ Following are some benchmarks that can give any Critical Infrastructure a sturdy defense against malicious activity.
(1) Keep up-to-date architecture diagrams with inventories of all hardware and software to be able to respond to threats quickly.
(2) Patch and configure security settings on all devices and software.
(3) Employ active defenses for known attack vectors and stay ahead of attackers with the latest intelligence and response actions.
(4) Monitor network and device activity logs and look for anomalous behaviors.
(5) Employ multi-factor authentication because usernames and passwords are easily hacked.
(6) Employ email and browser defenses and prevention for two of the most prevalent attack vectors.
(7) Employ malware protection on the networks.
(8) Encrypt data at rest and in transit.
(9) Train staff to avoid and respond to suspicious events.
(10) Have contingency plans and exercise them. Employ backup and recovery, alternative services, emergency response/notification, and other similar processes to ensure the organization can successfully respond to a cyber event.
Without the following references, it would not have been possible for me to write this blog. I urge you to read the books and articles mentioned below.
- Unclassified and Secure: A Defense Industrial Base Cyber Protection Program for Unclassified Defense Networks, by Daniel Gonzales, Sarah Harting, Mary Kate Adgie, Julia Brackup, Lindsey Polley, Karlyn D. Stanley.
- Zero Trust Reference Architecture, prepared by the Joint Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team. (https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v1.1(U)_Mar21.pdf)
- https://www.defense.gov/News/News-Stories/Article/Article/2926539/dod-focused-on-protecting-the-defense-industrial-base-from-cyber-threats/
- https://www.defense.gov/News/News-Stories/Article/Article/2806264/summit-highlights-dods-cybersecurity-initiatives-challenges/
- https://usiofindia.org/publication/usi-journal/cyber-threat-and-military-challenges/
- https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2985
I will try to put out more content related to OT (Operational Technology) environments.
Thanks for reading my blog. Until then have a good day.
Rohit Burke :)