Defense Enterprise Cyber Range Environment Command and Control Information Systems (DECRE C2IS) International Test and Evaluation Association 7 March 2018


Defense Enterprise Cyber Range Environment Command and Control Information Systems (DECRE C2IS)

International Test and Evaluation Association

7 March 2018


DECRE C2IS Road to Here

• Feb 2013 DOT&E asked JS J6 to lead efforts to integrate “range” capabilities to build an operationally realistic representation of a CCMD’s networks, C2 systems & process…to support testing, training & development of cyber capabilities.

• Over the past 4 years DECRE C2IS partners have conducted 28 two/three-week events in the closed environment of the cyber range.

• 2013-2014: Focused on air & missile defense systems in NORAD-NORTHCOM. Discovered C2 system vulnerabilities and implemented exercise cyber effects.

• 2015: Continued NORAD-NORTHCOM focus – expanded to include EUCOM. Incorporated AEGIS weapons system and Missile Defense C2 systems, and demonstrated real time data feed from CCMD exercise to the range.

• 2016: Supported USPACOM with a series of cyber training and mission rehearsal events in preparation for Exercise PACIFIC SENTRY 16-2 and 16-3. In house V&V of ability to support GCCS-J test.

• 2016-2017: Built a SECRET//REL FVEY environment to support USPACOM and Australian Defense Force training & mission rehearsal for TALISMAN SABER 17.

• 2017: Restored the SECRET//NOFORN environment to train USPACOM and USTRANSCOM CPTs and USPACAF Mission Defense Teams.


DECRE C2IS Partners

Realistic cyber environment to support vulnerability assessments, cybersecurity testing and warfighter training

• 462 SQN, Adelaide, AUS: DCOT
• TSMO, Huntsville, AL: Red Team
• NIOC, Norfolk, VA: Red Team
• CCMD CPT, CWIC, Camp Smith, HI: CPT
• 613TH AOC MDT, Hickam AFB, HI: MDT
• C5AD, Suffolk, VA: C2 Systems/Data
• CDSA-USS Secure, Dam Neck, VA: Navy Labs, Ship C2 Systems
• 46 TS, Eglin AFB, FL: C2 Systems/Data
• DODIN CPT, Ford Island, HI: CPT
• 57 IAS, Nellis AFB, NV: Red Team
• DCSR, Stafford, VA: Network Infrastructure/Services
• JMN, Huntsville, AL: Data Transport
• JIOR, Norfolk, VA: Data Transport
• RSDPs (Huntsville, AL; Pax River, MD): Network Infrastructure, Traffic Gen/Services
• Subject to Cyber Effects
• MDA, Schriever AFB, CO: BMD Systems
• NCR, Orlando, FL: Network Infrastructure/Services
• NCRC
• 747TH CS MDT, Hickam AFB, HI: MDT
• 673TH CS MDT, Elmendorf, AFB, AL: MDT
• CCMD CPT, Scott AFB, IL: CPT
• 607 AOC MDT, Osan AFB, ROK: CPT
• USN CPT, Yokosuka Naval Base, JP: CPT

Acronyms:

AOC: Air Operations Center
BMD: Ballistic Missile Defense
C5AD: C5 Assessments Division
CCMD: Combatant Command
CDSA: Combat Direction Systems Activity
CS: Communications Squadron
CWIC: Cyber War Innovation Center
DCOT: Defensive Cyber Operations Team
DCSR: DoD Cyber Security Range
DODIN: DoD Information Network
IAS: Information Aggressor Squadron
JIOR: Joint Information Operations Range
JMETC: Joint Mission Environment Test Capability
JMN: JMETC MILS Network
MDA: Missile Defense Agency
MDT: Mission Defense Team
NCR: National Cyber Range
NCRC: National Cyber Range Complex
NIOC: Navy Information Operations Command
RSDP: Regional Service Delivery Pt
TS: Test Squadron

2018


Concepts Underlying DECRE C2IS Cyber Range

Create an operational environment in which Blue Force Players, C2 systems and networks, and Red Teams can interact in a realistic manner

Integration of real C2 system & networks and virtual C2 systems & networks, NIPR & SIPR (Focused on JOC, MOC, AOC, JFLCC)

Integration of recorded exercise data or real time data from exercises to drive C2 data play

Integration of instrumentation to quantify system performance, survivability and mission impacts

Integrate training of network operators and defenders, Enterprise Operations Centers (EOC), Cyber Security Service Providers (CSSP), and Cyber Mission Force operators and systems


DECRE C2IS Activities and Capabilities

Activities

• Training
• Mission Rehearsal
• Capability Development
• Experimentation
• Testing

• Persistent SECRET NOFORN Environment
• Persistent SECRET REL (FVEY) Environment
• JIOR and JMN interconnected, 220+ nodes
• Integrated Planning Team / White Cell
• Joint CCMD architecture
• Emulates Base/Post/Camp/Stations interconnected by DODIN
• NIPRNet and SIPRNet

• Traffic emulation for NIPR/SIPR & C2 systems
• Cyber defenders install/configure own Cyber Defense Applications/Sensors/Rule Sets
• Network Operations Monitoring and Analysis with SOLARWINDS and RIVERBED
• Daily after-Action Review Capability (Ground Truth for Testing and Training)
• Scenario & Traffic Playback J7 M&S Federation (3 recorded CCMD exercises in hand, 4 more by April 2018)

Current Capabilities

DECRE C2IS Footprint


DECRE C2IS (Example)

(Site A) JFACC/AOC

(Site B) CCMD JOC

(Site C) JFMCC/MOC

(Site D) JFLCC

(Site E) External Interface

DISA IAP

Internet


Command & Control Systems and Supporting M&S


AOC Weapon System Critical C2 Systems (example)

AOC 10.1 Baseline

Services

• Air Operations Net
• Core Services
• Defense Message System
• Geospatial Product Library
• Global Broadcast System-IP
• InfoWorkSpace
• NSA Threat Warning Network
• Predator Video

Infrastructure

• AOC Comm Enhancement Pkg
• AF Tactical Receive Suite
• Boundary Security System*
• C2 Wpn Sys Part Task Trainer
• Core Infrastructure (e.g., routers, network apps)
• Cross Domain Solutions
• Deployable Transit-case System
• Jt Air Defense System Integrator
• Precision Lightweight GPS Rcvr

Web-Based Tools

• Global Transportation Network
• INTELINK and INTELINK-S*
• Requirement Mgmt System

Mission Applications

• Army Battlefield Control System
• C2 Info Processing System
• C2 Personal Computer
• C2 Common Client
• Collection Mgmt Mission Applic’n
• Combat Survivor Evader Locator
• DoD Intel Support System
• Generic Area Limit’n Envrnmt Lite
• Global Cmd & Control System - I3
• Global Cmd & Control System - J
• Global Decision Support System
• GPS Interference & Navigation Tool
• Imagery Product Library
• Info Warfare Planning Capability
• Interim Targeting Solution
• Joint Air & Ground Station
• Joint Auto Deep Ops Coord System
• Joint Targeting Toolkit
• Joint Weather Impact Server
• MAAP Tool Kit
• CSAR C2 Software
• Planning & Decision Aid Station
• Portable Flight Planning System
• Process’g & Displ Subsys Migrat’n
• Space Battle Mgmt Core System
• Target Application Workstation
• Theater Battle Mgmt Core System
• Weapons System Video


M&S Capabilities in DECRE C2IS Cyber Range

BLUE GROUND LOTS WS

BLUE NAVAL LOTS WS

BLUE AIR LOTS WS

C2 SYSTEMS

Low Overhead Training System (LOTS): Joint Staff J7 GOTS software application designed to stimulate C2 Systems when simulation of forces is not needed

Joint Simulation Protocol Analyzer (JSPA) Logs all exercise simulation traffic

C2 Networks (OTH-Gold / TADIL / USMTF / FDL)

HLA / DIS / TENA Networks

JRC JSPA LOTS

JMECS JAWS VRSG JMEM

JS J7 JLVC Federation

Record on SIPRNET and Play-back C2/M&S in DECRE C2IS (JIOR)

LARIAT MIT-Lincoln Labs (MIT-LL): Emulates users performing real tasks, with real applications, e-mail, browsing, chat of from to a million physical hosts.

Cross Domain Solution (Controlled Interface)

Radiant Mercury

USEUCOM / USAREUR

EUCOM AC15 C2/M&S Track Feeds to DECRE

DECRE C2IS Environment, Suffolk, VA

Joint MSEL and Exercise Control Station (JMECS): C2 Stimulation and MSEL Management

Live feed


DECRE C2IS Footprint for US/AUS Training and Mission Rehearsal

CONUS

• Cyber Security Range, Stafford
• Joint IO Range, Norfolk
• C4 Assessment Division, Suffolk
• Navy Combat Systems Direction Activity, Dam Neck / Virginia Beach
• Red Team, Sandia National Labs, Albuquerque
• Air Force Red Team, 57 IAS, Nellis AFB
• Navy Red Team, Navy IO Command, Norfolk
• Test Resource Mgmt Center, JMETC MILS Network Point, Redstone
• 46 Test Squadron, Eglin AFB
• Army Red Team, Threat Systems Mgmt Office, Redstone

Hawaiian Islands

• USPACOM Cyber Protection Team, Cyber War Innovation Center, Camp Smith
• Cyber Defense Flight, 613 AOC, Hickam AFB

Australia

• 462 Squadron, RAF Edinburg
• Defence Network Operations Centre, Canberra

Legend: Range/Capability Provider; Cyber Defender; OPFOR Red Team

Distances shown: 9,800 miles; 5,700 miles; 9,900 miles; 4,400 miles

Objectives

• Support PACOM DCO training, Cyber C2 CONOPS & TTP development
• Build the US/AUS Environment on the range in preparation for TS17
  – Work through issues of integration, interoperability and survivability.


Red/Blue Team Observations

• July 2017 (PACOM TS17 Cyber FTX)
• On a scale of 1-10 with 10 being real, how representative of a CCMD network is the DECRE C2IS?
  • 613th AOC Mission Defense Team – 7 (by design due to REL-FVEY)
  • 501 CPT, AOC defense mission – 8
  • 462 SQDN DCOT, Australian AOC cyber defense team – 8
  • 500 CPT, PACOM JOC defense mission – 8
  • 46th Test SQDN, AOC system provider – 7 (by design due to REL-FVEY)
  • TSMO, US Red Team – 4 (need for more systems and traffic) (previous event was 8)
• This was a PACOM/Australia SECRET REL FVEY environment involving combined US/Australian Blue and Red Teams attacking and defending a JOC and AOC.
  – “Network traffic replicated real world well, making it challenging to pinpoint the Red Team” (501CPT)
  – 1st time US and REL FVEY partner have jointly defended and attacked C2 systems


Focus and Challenges

Near Term Focus:

• More: C2 systems, enclaves, system operators, MDTs, CPTs, and CSSPs
• Persistent unclassified and classified environments (NIPR, SIPR, REL FVEY)
• PKI, DEE, Dynamic Web Services, Dynamic SharePoint, LARIAT supplement
• Build cloud computing environment (Web services to host TRANSCOM)
• Support to C2 cyber testing and assessment

Challenged by: (working with JMETC and TENA to address)

• Persistence
• Event management functions (OPFOR, Scenario, White Cell) (TENA)
• Automated threats
• Automated configuration tools for creation, restoration and re-use (TENA)
• Instrumentation to quantify Red and Blue team actions and effectiveness of tools and response actions (TENA)


DECRE C2IS FY 18 Schedule

As of 8 Feb 2018

H - Marks Holidays

2017: Labor 4 Sep, Columbus 9 Oct, Veteran’s 10 Nov, Thanksgiving 23 Nov, Christmas 25 Dec

2018: New Year 1 Jan, MLK 15 Jan, Pres B-Day 19 Feb, Memorial 28 May, Independence 4 Jul, Labor 3 Sep

DECRE 18-2: 26 Feb - 16 Mar

BQ 18-1: TBD

PS/KE 18-2: 26 Jan-2 Feb

PS 18-3: 6-24 Aug

RF 18-1: 22 Jan-9 Feb

RF 18-2: 16-27 Jul

CSR MX: 2-7 Jan

BQ 17-2: 2 Oct-3 Nov

Engineering: 11-29 Sep

DECRE 18-1: Eng 6-9 Nov, EX 13-17 Nov

TC/UG/VS 18: 30 Oct – 7 Nov

C5AD MX: 20 Nov-12 Jan

DECRE 18-1 Objectives:
• Establish S//NF environment for FY 18 CCMD Support
• Deploy JIOR nodes for current / future operations
• NIPR & SIPR enclaves; NIPR Internet Access Point
• Define requirements for TENA support / integration
• Conduct Red & Blue Team environment assessment
• Exercise CPT defensive actions

TC/UG/VS 19: TBD Oct

DECRE 19-1: TBD

DECRE 18-3: 9 - 27 Apr

DECRE 18-4: 4 - 22 Jun

DECRE 18-5: 30 Jul - 17 Aug

DECRE 18-4 Objectives: TBD
• Establish US/ROK S//REL ROK Cyber Range
• Host Event environment in PACOM RSDP
• Enable US/ROK information sharing

DECRE 18-5 Objectives:
• S//NF Mission rehearsal support for CPTs & AOC MDTs in PACOM AOR
• S//NF Mission rehearsal for USTC CSSP & CPT
• Exercise CSSP, CPT and User defensive actions
• Improve USTC and JFCC enclaves
• Add additional mission systems
• Deploy Military Sealift CMD ship (USS Secure)

CG / CF 18: 4-8 Jun

18-29 Jun

Other Known / Expected Events

DECRE 18-3 Objectives:
• S//NF Support mission rehearsal /training for CCMD CPTs & PACAF MDTs
• Integrate 46 TS AOC enclave
• Exercise CPT & MDT defensive actions / TTPs
• Begin Integration of PKI Capabilities
• Integrate TENA Visualization/Event Mgmt capabilities
• Deploy 128T (MTU mitigation) capabilities

USPACOM & USTRANSCOM Cyber Mission Rehearsal and Training

DISA Defender: 10-14 Sep

CSR MX: 3-8 Apr

CSR MX: 3-8 Jul

CSR MX: 2-7 Oct

Black Demon: 16 Apr-7 May

DECRE 18-2 Objectives:
• S//NF Support mission rehearsal /training for CCMD CPTs & PACAF MDTs
• Robust & refine traffic generation capabilities
• Improve OPFOR planning & threat presentation
• Exercise CPT & MDT defensive actions / TTPs
• Integrate TENA Event Management Capabilities


Points of Contact

Gregory Curth, Joint Staff J6, C5AD, (757) [email protected]

Randy Coonts, Joint Staff J6, C5AD, (757) 203-5714, [email protected]

Roderick Hallum, Joint Staff J6, C5AD, (757) 203-5714, [email protected]