Cybersecurity (CS) requirements and considerations have increasingly been impacting special-purpose systems with embedded
Information Technology (IT) such as simulator and training systems in recent years. This is primarily driven by increased insider
threats, proliferation of network interconnections, and the rise of mobile computing (smartphones/tablets) as well as increased
capabilities of nation states, organized crime, and political activists to gather and exploit information about current capabilities. In
the past CS measures have been applied through either Risk Avoidance “shutting down a capability until the risk is eliminatedâ€�
or Risk Ignorance, “operating a system without regard to the risk because of a perceived functional or operational needâ€�.
However, through the use of Risk Management, CS can balance these two areas by assuring the mission and protecting the
systems, networks and information by properly categorizing the system and the information through a risk based assessment
process. To avoid mission impact previous policy was compliance based and risk was typically avoided or waived rather than
mitigated. The DoD Risk Management Framework (RMF) (DoDI 8500.01, 2014) seeks to address the shortfalls that compliance
management imposed on systems. However, a clear understanding of how to apply risk is needed to provide a balanced approach
to CS. To support CS requirements this paper will present an approach for assessing risk to simulator and training systems and
outline the steps necessary to overcome and mitigate said issues through a process that focuses on applicability, compliance,
mitigation, and reduction of impact. This paper is not a description of the DoD RMF, but seeks to provide a process to assess CS
requirements by addressing the “Spirit and Intentâ€� of the CS requirement, its applicability, probability, and impact of applying or
not applying that requirement, and identifying solutions that resolve the finding or reduces the impact to an acceptable level for
authorization. This paper will strive to provide a practical approach to assessing system risk by providing initial framework
examples that will demonstrate its applicability to manage new technology insertions, network connectivity, existing program
limitations and mobile computing impacts to existing simulator and training systems.
Cybersecurity Challenges and Resolutions for Simulator & Training Systems
14 views