02 Jan 19. Is there such a thing as too much supply chain cybersecurity? The military supply chain is vast, multifaceted, and riddled with potential cyber vulnerabilities. As a result, “there is [a] possible theft of data or proprietary information or classified information. There’s the ability through malware to sabotage activities or to destroy the confidence in the data,” said Daniel McGarvey, former director of information protection for the Air Force and a senior consultant to the federal Performance Accountability Council. “There’s the threat of putting embedded malware into a system that either takes control of or actually disables the system.”
In an increasingly digital battlefield, senior leaders, experts and analysts say supply-chain cybersecurity could be a weak point in the military’s armor. To remedy that, they urge closer oversight of contractors, and tighter coordination on cyber issues between military buyers and defense-industry suppliers.
Threat window
In a 2017 document, the Pentagon’s Defense Science Board said the complex relationships in the supply chain create a window for bad actors. “The supply chain for microelectronics parts is complex, involving multiple industry sectors. Each sector sells to each of the others,” they noted. “Furthermore, parts may be returned to manufacturers or distributors and subsequently reenter the supply chain making both pedigree and provenance difficult to track using current procedures.”
As a result, “assuring that defense electronics are free from vulnerabilities is a daunting task,” they wrote. “Of particular concern are the weapons the nation depends upon today; almost all were developed, acquired, and fielded without formal protection plans.”
Analysts point to a number of factors working against the military’s interest here. Waning corporate loyalty has ratcheted up the insider threat in recent years. The sheer volume of electronic components makes detailed quality-control checks impractical. Contractual requirements can push suppliers to be more diligent – but only if they are acting in good faith to begin with. “That only works for suppliers who have no malicious intent,” McGarvey said.
Moreover, while the military controls prime contracts, it struggles to exert that control further down the food chain, said Ray Gagne, the Army’s director for Acquisition Program Information Protection.
“With the primes we have contractual understandings, but when they subcontract out, that is inherently a vulnerability,” he said. “There is activity ongoing to ensure that a piece of technical data is protected as it flows down the chain, but that is still a work in progress.”
Despite the hurdles, experts point to a number of steps the military and its partners could take to prevent or minimize cyber incursions in the production of military systems.
Rating the risk
In order to safeguard the cyber jewels, the military first needs to have a realistic understanding of what technical data and intellectual property is in play.
“We work with the respective program management offices to ensure they are knowledgeable about the information that is in the hands of industry,” Gagne said. “If it’s a program that we deem to be of a critical nature to the Army, we may ask the program managers to take additional steps to ensure sufficient security counter-measures are in place.”
This risk-based approach forms a critical first layer of defense, he said. Given the vast number of systems in the military portfolio, any realistic effort to close cyber gaps in the supply chain needs to start with a push to prioritize the vulnerabilities.
For systems deemed high risk, some experts suggest a line of defense that focuses on the behavior of people, rather than the cyber-health of specific systems. For any given production task, a manufacturer “can set a baseline of what is normal behavior, alerting security experts earlier when there are anomalies with how users are interacting with data,” said Eric Trexler, vice president for global governments and critical infrastructure at security firm Forcepoint.
By watching for suspect activity, he suggested, it might be possible to stop cyber disruptions before they occur. Others endorse this approach, saying the onus is on industry to adopt best practices.
“Some contractors have developed their own secure development and supply chain practices,” said Wayne Lloyd, federal chief technology officer of cybersecurity company RedSeal. “It’s in the best interest of defense contractors to validate that software and components have not been subverted or come from questionable suppliers. This also relieves the burden of effort on the [Department of Defense] to have to ensure the authenticity of components for weapons systems.”
Contractors could also be more active via human resources as a way to reduce the insider threat. “They could create a working group, for example, that cuts across legal, security, HR and management, with the aim of addressing employee wellness,” McGarvey said. “You want to develop individuals who are not going to be vindictive, who fit well into the social environment of the organization. Employee wellness creates organizational wellness.”
The military, for its part, might look to expand upon existing structures that help to ensure the validity of material in the supply chain.
Microelectronics DOD can trust
Take for instance the trusted supplier program managed by the Defense Microelectronics Activity (DMEA). That program accredits suppliers of integrated-circuit related products and services to ensure integrity in design and manufacturing.
“This 100-percent needs to be expanded to cover any microelectronics that are going into a critical weapons system,” said Jennifer McArdle, a professor of cyber defense at Salve Regina University and a non-resident fellow at the Center for Strategic and Budgetary Assessments. “We need to work more closely with industry to make sure we get microelectronics we can trust.”
McArdle would also like the military to do more to validate the components it puts into play. “You can’t test and evaluate everything, but if you can test and evaluate a small batch you can at least have some degree of assurance,” she said. “You cannot check every single connection, it would just take forever. The question is always, how much is enough? If you can’t solve the problem, you at least have to mitigate the risk.”
The Pentagon could also leverage its sizable market muscle to steer providers toward better cyber practices.
In a strategy called “Deliver Uncompromised,” which has been adopted by the Defense Department, the Mitre organization laid out such a path. “Through the acquisition process, DoD can influence and shape the conduct of its suppliers,” the authors wrote. “It can define requirements to incorporate new security measures, reward superior security measures in the source selection process, include contract terms that impose security obligations, and use contractual oversight to monitor contractor accomplishments.”
While such obligations could help improve the process, military officials argue, success in the long run comes from forging a new cooperative working environment that recognizes the military need for security, on the one hand, and the potential financial and operational burdens of cyber hygiene on the other.
“We have to identify the things that are most critical, and then it has to be negotiated between the government and the contractor,” Gagne said. “For example, the contractor may have the ability to secure a system, and it’s just a matter of asking them to do it, or it may fall to the program manager to determine the level of risk the government is willing to take. They’ll have to make decisions together, based on both the risk and the cost.”
Where Gagne envisions a two-way street, some in industry are wary. They suggest that at the end of the day, securing the military supply chain may be, mostly, the government’s job.
“This is a counter-intelligence game: What does our enemy want and what can we do about it? That process already exists and maybe you could build off of that,” said Bryson Bort, chief executive officer of the security firm Scythe and a fellow at the National Security Institute at George Mason University.
“In industry when we look at information [security], it’s ongoing. We do penetration testing, we do focused security hardening and testing, we introduce dynamic third-party threat evaluations,” he said.
Wouldn’t it be expensive for the military to apply that same rigor across the supply chain? To answer, Bort referenced China’s J-20 stealth fighter, widely believed to be based on plans for a U.S. fighter that were stolen by hackers.
“Yes, it is expensive,” he said. “But is that any worse than when the Chinese show up with the J-20 instantly built, and they’ve skipped two generations of air warfare because they stole the plans? What’s the cost of that?” (Source: C4ISR & Networks)
28 Dec 18. The Boeing Co., Oklahoma City, Oklahoma, has been awarded a $400,000,000 indefinite-delivery/indefinite-quantity contract for B-1 and B-52 bomber engineering services. This contract provides for recurring and non-recurring engineering services to B-1 and B-52 aircraft. Work will be performed at Tinker Air Force Base, Oklahoma; Edwards Air Force Base, California; Barksdale Air Force Base, Louisiana; and Oklahoma City, Oklahoma. Work is expected to be complete by Dec. 31, 2019. Fiscal 2019 operations and maintenance funds in the amount of $35,232,481 are being obligated at the time of award. Air Force Life Cycle Management, Tinker Air Force Base, Oklahoma City, Oklahoma, is the contracting activity (FA8107-19-D-0001).
28 Dec 18. China fields more capable pontoon bridge. The China Harzone Industry Corporation Ltd, a subsidiary of China Shipbuilding Industry Corporation (CSIC), is marketing its latest HZ Power Pontoon Bridge (PPB) in a Military Load Class 80 (MLC 80) configuration on the export market. The HZ PPB has been deployed by the People’s Liberation Army (PLA) and can be rapidly deployed over rivers or wet gaps with a velocity of less than 2.5 m/s. In Western military terms, a PPB would be referred to as a ‘powered ribbon bridge’.
One standard HZ PPB set consists of two ramp bays and eight interior bays, with each of these elements being transported by a 6×6 cross-country truck and 30 operating personnel. A complete HZ PPB set can be used to form a 104 m long floating bridge in about 15 minutes, and this can then take tracked loads of up to 72 tonnes. The complete bridge is 8.3 m wide and 5 m of that is the carriageway. In addition to being used as a floating bridge, it can also be used to rapidly construct ferries with a capacity of 20, 40, 60, or 85 tonnes, depending on the number of interior bays used. Each ferry would typically have one ramp bay and a number of interior bays to suit the required load, and each interior bay has a capacity of 20 tonnes. An individual HZ PPB element is carried folded on the transport vehicle, which then backs to the water’s edge and a stabiliser is lowered on either side at the rear. The element then slides into the water where it unfolds. Each of the interior bays has its own water propulsion unit. This feature enables the HZ PPB to be rapidly deployed without motor boats. The standard Chinese HZ ribbon bridge, which has been deployed by the PLA for many years, consists of 14 interior bays, two ramp bays, and five motor boats. (Source: IHS Jane’s)
21 Dec 18. Stantec gets infrastructure design contract from US Navy. Stantec has received a $35m contract from the US Naval Facilities Engineering Command (NAVFAC) to deliver planning and preliminary design of a multi-mission dry dock and other upgrades at Portsmouth Naval Shipyard (PNSY) in Kittery, Maine. Under the contract, Stantec will provide preliminary design services to enhance the shipyard’s capabilities to support naval personnel. Work will include shipyard structures that allow vessels to be hauled into a dock when it is flooded. Water in the dock is drained out after the vessels are positioned over keel blocks to begin overhaul, maintenance, or repairs work. Stantec programme manager Paul Harrington said: “We have a 60-plus year history at PNSY and that brings a deep understanding of the past, present and future state of this critical infrastructure.
“We value our long working relationship with NAVFAC and the public works staff and are excited to continue that partnership on these critical projects.”
Critical upgrades are expected to boost the country’s military readiness and support the PNSY workforce as they carry out repair and modernisation works on naval vessels. The navy is set to undertake a $20bn capital programme to modernise the public shipyards. The projects at the PNSY represent tasks to be carried out under Stantec’s $60m indefinite-delivery, indefinite-quantity (IDIQ) contract for the provision of multi-discipline waterfront architect-engineering services for the NAVFAC, Mid-Atlantic region. Stantec’s five-year IDIQ contract is expected to include dry docks, piers, wharves, bulkheads, crane rail systems, dredging, coastal and shoreline protection, and waterfront-related utilities. (Source: naval-technology.com)
19 Dec 18. Saab Receives Launch order for Deployable Aircraft Maintenance Facility. Saab has signed an order to provide enhanced aircraft maintenance capability to the Hungarian Air Force, using the mobile solution Deployable Aircraft Maintenance Facility. Deployable Aircraft Maintenance Facility (DAM) is a mobile hangar solution that enables enhanced aircraft maintenance capacity combined with superior protection. DAM provides capability equivalent to stationary maintenance infrastructure, but at a fraction of the cost.
“This is an important breakthrough for Saab as it marks the first order of the DAM, a fairly new offering in our product portfolio, however based on solutions with previous proven performance. It is a proof of our continued capability to deliver support solutions allowing air forces to combine operational availability with cost efficiency,” says Ellen Molin, Senior Vice President and head of Saab’s business area Support and Services.
The Hungarian Air Force is currently operating 14 Gripen fighter aircraft on a lease-purchase agreement with the Swedish government. DAM will provide the Hungarian Air Force with an increased level of flexibility and reduce their dependency on stationary infrastructure for maintenance and protection of their Gripen fleet. A DAM solution can be rapidly deployed (in less than 48 hours) to enable sustainment of self-sufficient operations for extended periods of time, in any location, regardless of whether they are domestic or overseas. The solution will be delivered in 2019. (Source: ASD Network)