Stepping up cyber protections for networks on Navy ships

Best listening experience is on Chrome, Firefox or Safari. Subscribe to Federal Drive’s daily audio interviews on Apple Podcasts or PodcastOne.

The Navy is seeking help from industry to improve the cybersecurity of ship-board networks. With the details, the Program Manager for cybersecurity in the Navy’s program executive office for C4I and space systems, John Armantrout, joined Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Mr. Armantrout, good to have you on.

John Armantrout: Good morning Tom. Good to be here, thank you.

Tom Temin: Now this concerns a program or a system I guess you could call it called VRAM. Briefly tell us what VRAM is, and I guess it goes back some years but what is it and what does it do?

John Armantrout: At the basic level VRAM, which the acronym stands for vulnerability, remediation, asset, manager. And so this capability basically the foundation of cyber security is understanding your network. And so this system stores data that’s collected from any network in the Navy and then allows operators to be able to understand what the lay down is, the configuration, what assets are on that network, how many laptops, how many desktops, printers. So it allows you to see the whole basis of your network anywhere within the data.

Tom Temin: And is VRAM updated as things happen, because in that case, given all of the Navy networks around the world and on the ships, there’s something changing probably every two seconds?

John Armantrout: Absolutely. And one of the key directives for the operators at the individual sites is they are responsible for scanning that network that they own and being able to upload this data into VRAM so that the data is as current as possible. And then the operators the analysts up the chain of command as well as program managers like myself, can look into the data and try to understand where there are vulnerabilities, where we need to apply a patch, where help is needed on the network.

Tom Temin: And how does it just briefly tie into say when you mentioned patching networks are made of not just wire but lots of software that the manufacturers are supporting with patches and maybe third party evaluators that understand vulnerabilities. So there must be more to it more data coming in such that you know, not only what you have, but also needs to be patched.

John Armantrout: Absolutely, 100%. So the Cyber Command, the US Navy command in charge of operating and maneuvering the Navy’s networks is tasking all the individual sites with specific orders on vulnerabilities that exist, where they need to patch, where they need to upgrade, specific directives that give them information about how to ensure that their network is at a highest state of readiness and security that it can be. So VRAM takes, as you mentioned the data from the site, it takes these task orders and other directors and compares the two and where there’s a delta or a difference between the two, that will send information to the operators to say, okay here’s my specific vulnerability. The key here for our system is we have to present actionable information to the user in a clear way so they don’t have to go and dig, or try to find out deep down in some computer somewhere where there might be a vulnerability. We present it in lists and pictures very clearly on actionable information that they can use to then go and fix a specific vulnerability.

Tom Temin: Because really, speed is of the essence in these situations because you want to get to the patch before the bad guys discover the unpatched.

John Armantrout: No question, no question — and the data in the system because it contains this vulnerability information would be a highly sought after prize. So we have a lot of security around our system itself. And then it is a system where as the scans come in, people can start analytics right then and understand where those vulnerabilities exist and alert the operator Fleet Cyber Command or their subordinate commands to be able to understand where those vulnerabilities are. And as you mentioned, speed is at the essence.

Tom Temin: And now you are seeking contractor or industry support for the whole VRAM effort. What is the purpose there? What are you hoping to achieve, or let’s say get out of industry here?

John Armantrout: VRAM was started as a homegrown Navy system because we found there were no commercial entities at the time — this was many, many years ago — that did this level of service, that provided this comparison between actual data from the network versus what should be there and how it could upload from multiple sites around the Navy, around the world, to ensure we understand the lay down of our network and then be able to patch it and, so the purpose of my RFI, request for information, at this point is that industry has more than caught up with where we were with this tool. And so I believe and doing my due diligence to look in the industry, I want to make sure that is there a tool that industry has a system that industry has that can take in the scan data, compare against the standards and the orders on what should be there and be able to send alerts and present the information to operators in a way that allows us to continue to obviously fully operate our networks. The key is that industry should be able to let us know if they have this capability. Important point there is it comes with the lifecycle support, the maintenance, the patching of the system itself, and understanding their upgrade cycle for that system. And so that’s what we’re looking at through this request for information.

Tom Temin: So is one potential here and again, you probably won’t want to nail it down at this point, but could VRAM be replaced with a camera product, and maybe some sort of a cloud based system, and that would take you out of the programming and hosting business so that you could worry more about cyber security?

John Armantrout: That’s exactly the right analysis of what we’re trying to do here. It absolutely could replace VRAM. There are a lot of intimate details within VRAM that we would need to ensure carried over — but if a commercial system in a cloud based environment that I can get to from any site anywhere in the world and do my analysis for my vulnerabilities, and I can do that on a commercial system, obviously secured in accordance with Navy directives to make sure the data is safe, and then I can do my analysis and look for where patchings required, etc. — then it could certainly replace VRAM, yes.

Tom Temin: And just a couple of gearhead questions here because in some of these old systems, often the data is difficult to extract from the logic as a separate entity, in the case of VRAM could the data about the networks themselves and the feeds coming in about the changes, could that easily transfer to another system? We’ll start with that question.

John Armantrout: Yes, absolutely it could. We use standard data format so nothing surprising, nothing Navy unique that we’ve designed and built to make it difficult to migrate. So we could certainly convert the existing data over to a new system. And industry then could help us understand, present the data and help us secure our networks. And like you said, that gives us, me as the program manager for cybersecurity to be able to do more on actual cybersecurity rather than simply building a system to look at the data.

Tom Temin: Sure. And I guess the corollary question is there anything strange in the logic of VRAM system itself that would be difficult to translate into a commercial product?

John Armantrout: I don’t think so. I think today in industry from all the vendor visits that I’ve conducted and sites that I’ve visited, it’s fairly standard to understand your network lay down, it’s fairly standard to understand what patches have been released on your operating system on other assets on your network, comparing those two and then being able to understand where the patches are and how to go get them. I think that’s all networking 101, in this day and age, and I don’t think there’d be any difficulty there on the industry side for understanding our lay down and the specifics we meet.

Tom Temin: And just out of curiosity, and let me know if this is outside of your purview or your authority to talk about, but as the Navy develops, the NGEN deal to upgrade, replace and go forward with all of its networking. Does this program have some relation to what that comes up with eventually?

John Armantrout: Well certainly I’m not the program manager for engine as you mentioned, but I do know a little bit about it. And certainly they are required by Fleet Cyber Command to protect and defend their network and be able to maneuver just like any other network in the Navy, so that same requirement is what VRAM helps answer as far as what’s on the network, all the assets, all the capabilities in that network, understand them in a single place in a single database. So certainly this tool would be a single stop shop for all the vulnerability data, how we manage those assets and how we look across the entire Navy network afloat and ashore, enterprise and tactical, and be able to understand where those vulnerabilities are.

Tom Temin: And getting back to your RFI, what is the status there? Are you getting stuff in now and what will be the next steps once the RFI closes and you’ve got a stack of data from industry?

John Armantrout: We do have the data in, of course the contract shop at NAVWAR, the Naval Information Warfare Systems Command, has provided us a packet now of data that these vendors have provided. I have not seen it yet, I have a meeting scheduled to go over this data and understand where industry is coming in with their proposed solution, so I’m excited to go and look at that and understand where we are and then see if there’s a solution out there that is either a 100% solution or something less but that we can live with that provides those pluses that industry can give us, which is the lifecycle support, the maintenance and the upgrades ongoing throughout the lifecycle for a program.

Tom Temin: John Armantrout is program manager for cybersecurity in the Navy’s Program Executive Office for C4I and Space Systems. Thanks so much for joining me.

John Armantrout: Thank you Tom. It’s been great this morning, I appreciate your questions.