Risk Reduction and Resiliency Modeling Software for Industrial Control Systems
AREA(S): Information Systems
PROGRAM: PMS 397, COLUMBIA SUBMARINE Class Program Office.
Develop an innovative software prototype that can model and evaluate the
resiliency of industrial control systems in conjunction with processes and
operations to reduce the risk of unacceptable consequences while eliminating
the costs of unnecessary cybersecurity capabilities.
The Navy is seeking a resiliency modeling prototype that can efficiently model
existing systems-of-systems including technology and processes in order to identify
resiliency concerns where disruption of services or unacceptable consequences
are possible. The modeling prototype should also provide an accepted means to
measure resiliency across systems-of-systems and inform current risk management
practices and policies such as DoDI 8500.01 (Cybersecurity) and DoDI 8510.01
(Risk Management Framework (RMF)) in order to reduce or eliminate low-value
administrative churn. These improvements will reduce procurement and
sustainment costs by eliminating cybersecurity technology initiatives that
provide little to no value for industrial control systems. The prototype will
support the best analysis of alternatives from technologies and processes in
order to determine affordable solutions, with the greatest improvement in risk
reduction and resiliency, in a timely manner (days versus months).
Resilience is the capacity of any entity—an individual, a community, or a
system—to prepare for disruptions, to recover from shocks and stresses, and to
then adapt and grow from that disruptive experience. For a system, resiliency
is a factor, not only of the technology employed, but also of the procedures
established for operations, and the proficiency of operators and maintainers.
Today, some practitioners of cybersecurity attempt to keep out all threats and
eliminate all vulnerabilities. In this manner, their efforts can be seen as
trying to fix every weak link in the chain. Practitioners of resilience believe
there will always be weak links, so systems must be developed with the best
combination of people, process, and technology to respond to the shocks and
stresses that will inevitably come. Resilience is analogous to multiple diverse
chains operating in parallel, so that even if one weak link in a chain fails,
the entire system will not. There currently is not any commercial technology
available that provides the process and software necessary to model and measure
systems-of-systems resiliency, in a timely manner (days versus months), so that
programmatic decisions can be made regarding the security and resiliency of the
There is currently a need to develop a process to ensure that industrial
control systems (ICSs) on defense platforms, in shipyards or in National
critical infrastructure are sufficiently resilient to current and future cyber
threats. Many of today’s cybersecurity risk management approaches work toward
establishing ever greater defense-in-depth to secure each individual system
from an unknown number of threats. Unfortunately, this current state of affairs
offers no way to measure how much defense-in-depth is enough, does not address
future threats, and fails to address the resiliency that can be gained from a
systems-of-systems approach. Providing the ability to model and assess the
resiliency of people, process, and technology across systems-of-systems will
ensure that this approach is not only effective, but that the most affordable
solution, be it via cybersecurity processes or technologies, will be
In the past, ICS had little resemblance to traditional information technology
(IT) systems in that ICSs were isolated systems running proprietary control
protocols using specialized hardware and software. ICS components were located
in physically secured areas and the components were not connected to IT
systems. Over time, widely available Internet Protocol devices have replaced
many ICS solutions, which have increased the risk of cybersecurity incidents.
However, the security objectives of ICS still typically follow the priority of
availability and integrity, followed by confidentiality. A significant amount
of effort has recently been devoted to improving cybersecurity for IT systems;
without careful consideration when applied to ICS, this same approach, which
emphasizes protection of information confidentiality would result in a waste of
resources, and not ensure that ICS safety and reliability concerns were
properly addressed. For industrial control systems on naval platforms, in
shipyards, and in critical infrastructure, what matters is that those
cyber-physical systems, coupled with the people and processes that operate
them, provide sufficient resilience to assure that key services can be relied
upon, and that unacceptable consequences will be suitably constrained. This
topic seeks a software prototype to provide a holistic approach that addresses
risk and resilience across systems-of-systems and best prepares Navy platforms,
shipyards, and critical infrastructure against future cyber threats.
I: Investigate approaches to develop an innovative concept for a proposed ICS
resilience modeling prototype that meets the requirements described above.
Identify how this technical solution can be utilized to improve the resilience
of industrial control systems (ICSs) while reducing procurement and sustainment
costs of unnecessary cybersecurity technical initiatives. Develop two notional
examples to demonstrate the feasibility of the information that would need to
be gathered as input to and the expected output from the modeling prototype. Develop
a Phase II plan. The Phase I Option, if exercised, will include the initial
design specifications and capabilities description to build a prototype
solution in Phase II.
II: Develop the ICS resilience modeling prototype for evaluation that uses the
innovations identified and developed in Phase I. The performer’s SOW will
provide performance goals and key technical milestones, address technical risk
reduction, and include estimates of development cost and schedule as well as
the associated cost, schedule, and performance risks. Demonstrate and validate
the prototype’s performance using representative ICSs either provided or
approved by the Government after submittal by the awardee. Test the prototype
in the laboratory to evaluate performance to Navy requirements. Consider
Reliability, Maintainability, and Availability (RM&A) and implement as part
of the SOW. Determine ICS resilience benchmarking metrics to be measured by the
software prototype in Phase II. This software modeling prototype is intended
only to be used by shore-based organizations, and thus will not require testing
at sea. Refine the system and prepare a Phase III development plan and RM&A
predictions to test and prepare the system for Navy use.
III DUAL USE APPLICATIONS: Provide an ICS resilience modeling system that can
transition to the Navy. Engage in the testing, qualification, and certification
to make the system available for Navy use for platforms and facilities with
industrial control systems (e.g., ships, submarines, maintenance facilities,
other critical infrastructure. Ensure that the resulting system will support
the assessment of ICS resiliency across system-of-systems. Provide benchmarking
metrics to identify areas of concern and aid in the analysis of alternatives to
determine the most suitable and affordable cybersecurity solutions.
This technology has potential commercial transition to industrial control
systems throughout National critical infrastructure. The product will aid in
risk reduction and resiliency of industrial control systems, agnostic of
military or commercial domains, since resiliency of industrial control systems
is a cross-cutting, critical capability need. Possible other uses for this
technology include the water, electric and power industries. Large industrial
plants in the private sector can will also be able to take advantage of this
Young, Bill and Leveson, Nancy. “Systems Thinking for Safety and Security.
Association for Computing Machinery (ACM), Massachusetts Institute of
Technology, Engineering Systems Division; Department of Aeronautics and
Astronautics, December 2013. http://hdl.handle.net/1721.1/96965
Bochman, Andy. “Internet Insecurity.” Harvard Business Review, May 29, 2018. https://hbr.org/cover-story/2018/05/internet-insecurity
Geer Jr., Daniel E. “A Rubicon.” A Hoover Institution Essay, Aegis Series Paper
No. 1801, May 29, 2018. https://www.hoover.org/sites/default/files/research/docs/geer_webreadypdfupdated2.pdf
Rothrock, Ray. “Digital Resilience: Is Your Company Ready for the Next Cyber
Threat?” American Management Association, New York, 2018.
Industrial Control Systems; Resilience; Critical Infrastructure; Risk
Management; System of Systems; Cybersecurity Defense-in-depth
** TOPIC NOTICE **
These Navy Topics are part of the overall DoD 2019.1 SBIR BAA. The DoD issued its 2019.1 BAA SBIR pre-release on November 28, 2018, which opens to receive proposals on January 8, 2019, and closes February 6, 2019 at 8:00 PM ET.
Between November 28, 2018 and January 7, 2019 you may communicate directly with the Topic Authors (TPOC) to ask technical questions about the topics. During these dates, their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 8, 2019 when DoD begins accepting proposals for this BAA.
However, until January 23, 2019, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS during the Open BAA period for questions and answers and other significant information relevant to their SBIR/STTR topics of interest.
Topics Search Engine: Visit the DoD Topic Search Tool at sbir.defensebusiness.org/topics/ to find topics by keyword across all DoD Components participating in this BAA.
Proposal Submission: All SBIR/STTR Proposals must be submitted electronically through the DoD SBIR/STTR Electronic Submission Website, as described in the Proposal Preparation and Submission of Proposal sections of the program Announcement.
Help: If you have general questions about DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or via email at firstname.lastname@example.org