For many U.S. government agencies
charged with defending networks from
intrusion and corruption, cyber defense
mainly involves protecting information
technology (IT) networks.
But for the U.S. Navy, cyber defense is a broader
concern: protecting the hull, mechanical and electrical
systems (HM&E) of its ships and the combat systems
of its ships and aircraft, with the consequences of failure including loss of control, damage, injury and death.
Cyber defense also must be reconciled with the Navy’s
initiatives to seamlessly network its forces.
Naval Sea Systems Command (NAVSEA) and Naval
Air Systems Command (NAVAIR), among other commands, have the major responsibility of integrating
cyber defense in the Navy’s ships, aircraft, weapons
and combat systems. They have formed cyber councils
to figure out the ways to defend the platforms and systems from cyber attack, from back-fitting defenses in
legacy systems to designing in cyber defense up front
in new systems.
“I look at warfare systems developed by PEO
IWS [Program Executive Office-Integrated Warfare
Systems] and the other [systems commands] and
certify those for all Navy surface ships,” said Bill Williford, who until January was the director for Integrated
Warfare Systems Engineering for NAVSEA as well as
the technical authority for the PEO IWS, among other
titles. He now is executive director of Marine Corps
“What we were attempting to do is use our normal
processes that we use for certification for warfare sys-
tems and systems engineering and add cyber security
as part of that system engineering process,” he said.
“We see cyber security as another discipline within the
system engineering process that we want to add to our
Williford noted the challenges of adding cyber security
to what he calls the three fleets: the new-construction
fleet, the future fleet and the in-service fleet.
“With the in-service fleet, we’ve got to figure
out a solution to handle our legacy systems that are
already in the fleet today,” he said. “With the new-
construction fleet, we’ve got a little bit more time
to figure out a solution. With the future fleet, those
programs coming down the line, we’ve got a little bit
of time to put cyber specifications and capabilities in
there as we build those platforms.”
Williford said cyber vulnerability in the information
systems is similar to that in the combat systems and
HM&E side, but with some stark differences.
“In information systems today, you’re trying to get
information/data to the right place, but if it’s delayed
by a little bit, it’s not a problem,” he said. “With the
weapons systems, navigation, HM&E side, you have
real-time systems. As a control system, you’re making
something happen: a gun shoot; a missile fly; a gener-
ator go up and down in capability; a propulsion system
giving me more propulsion or not; steering the ship.
Those types of things are real-time capabilities.”
NAVSEA approached the National Institutes for
Standards and Technology (NIST) to begin to develop
“Based on threats in the past, what the NIST instruction told us to do is — it was pretty simple — separate
information systems from control systems, because getting into one can easily get you into the other if you’re
totally connected,” Williford said. “It doesn’t mean
disconnect from the information systems, but separate
them. That means probably a physical boundary between
information systems and control systems so that you
could control the data flow as it comes back and forth.
“The impact to a control system, in my mind,
would be a starker impact than it would be for an
information system on an afloat platform,” he said.
“That’s one of the reasons that we looked at NIST and
we said, ‘we want to segregate these systems.’
SAFE OR SEAMLESS?
THE NAVY GRAPPLES WITH PROTECTING SYSTEMS
WHILE PRESERVING NETWORK CONNECTIVITY
BY RICHARD R. BURGESS, MANAGING EDITOR
WWW.SEAPOWERMAGAZINE.ORG 20 SEAPOWER FEBRUARY/MARCH 2017
SPECIAL REPORT: NETWORK-CENTRIC WARFARE & COMMUNICATIONS