
Network Traffic Analysis for Cybersecurity for Navy Industrial Control Systems



OBJECTIVE: Develop a capability to monitor industrial controls system (ICS) communication networks and identify abnormal traffic that may indicate the presence of a cybersecurity threat or unusual system behavior that may indicate that maintenance is required. 

DESCRIPTION: The U.S. Navy is expending significant effort to secure its computer-based systems, both its business and management information systems (IS) and its ICS, which operate platforms such as ships, aircraft, and shore-based facilities such as shipyards, manufacturing facilities, and power plants. Although there are many similarities between information technology (IT) systems and ICS, the differences in hardware, software, operating environment, and requirements make securing ICS more difficult. The Government and private industry have made significant investment in and implementation of cybersecurity tools and applications for IS. Although initial research into, and proposed solutions for, ICS cybersecurity exist, little has been accomplished in prototyping and productionizing such tools, and much less in operating them on deployed ICS. A fundamental way to portray the difference is by looking at the priority of three basic characteristics of computer-based systems: integrity, confidentiality, and availability. IT systems stress confidentiality, integrity, and then availability in that order, or CIA. The order for ICS is the opposite, stressing availability, integrity, and then confidentiality, or AIC. For example, if an IT system encounters a problem, a typical solution is to restart it. The operator can perform another task while waiting several minutes for the system to become operational again. If a problem occurs in the steering system of a ship, one cannot interrupt operation for even a few seconds. The operator must troubleshoot the problem and rectify it while the system is running. Significant investment has been made to develop cybersecurity applications for IS; however, because of the differences between IS and ICS, the tools developed for IS need to be modified to work on ICS. 
Comparison of IS and ICS:

Performance Requirements:
• Information System: Non-real-time; high throughput is demanded; high delay and jitter may be acceptable.
• Industrial Control System: Real-time; response is time-critical; modest throughput is acceptable; high delay and/or jitter is not acceptable.

Availability Requirements:
• Information System: Responses such as rebooting are acceptable; availability deficiencies can often be tolerated, depending on the system's operational requirements.
• Industrial Control System: Responses such as rebooting may not be acceptable because of process availability requirements; availability requirements may necessitate redundant systems; outages must be planned and scheduled days/weeks in advance; high availability requires exhaustive pre-deployment testing.

Risk Management Requirements:
• Information System: Data confidentiality and integrity are paramount; fault tolerance is less important, since momentary downtime is not a major risk; the major risk impact is delay of business operations.
• Industrial Control System: Human safety is paramount, followed by protection of the process; fault tolerance is essential, and even momentary downtime may not be acceptable; major risk impacts are regulatory non-compliance, environmental impacts, and loss of life, equipment, or production.

Communications:
• Information System: Standard communications protocols; primarily wired networks with some localized wireless capabilities; typical IT networking practices.
• Industrial Control System: Many proprietary and standard communication protocols; several types of communications media used, including dedicated wire and wireless (radio and satellite); ICS networks are complex and sometimes require the expertise of control engineers, who have specialized knowledge compared to IT engineers.

Change Management:
• Information System: Software changes are applied in a timely fashion in the presence of good security policy and procedures; the procedures are often automated.
• Industrial Control System: Software changes must be thoroughly tested and deployed incrementally throughout a system to ensure that the integrity of the control system is maintained; ICS outages often must be planned and scheduled days/weeks in advance; ICS may use operating systems (OSs) that are no longer supported.

Managed Support:
• Information System: Allows for diversified support styles.
• Industrial Control System: Service support is usually via a single vendor.

Component Lifetime:
• Information System: Lifetime on the order of 3-5 years.
• Industrial Control System: Lifetime on the order of 15-20 years.

Access to Components:
• Information System: Components are usually local and easy to access.
• Industrial Control System: Components can be isolated, remote, and require extensive physical effort to gain access to them.

The application to be developed under this effort will ideally work in real time; however, during development it can analyze prerecorded data. Measures of effectiveness of the application include the time and amount of data required to identify normal operation of a system, the time from the start of an anomaly to notification of the anomaly, accurate identification of the anomaly, and the ratio of correct versus false indications, to name a few. Examples of anomalies that could be associated with cybersecurity threats are traffic from a newly introduced piece of equipment, inappropriate commands coming from a component not normally expected to direct other components, and a component flooding the network with traffic meant to overwhelm and slow the system. When provided with system data, the application would be able to make predictions on system failures. An example of an anomaly that may indicate maintenance is required is the unusually frequent cycling of a cooling pump, indicating a problem with the system or a loss in efficiency of the pump. 
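The following is an added illustration, not part of this topic and not any offeror's or the Navy's code, of how the anomaly classes and measures of effectiveness named above fit together: a baseline of normal operation is learned from a recorded clean period (known hosts, which hosts issue write commands to which targets, and the busiest per-source and per-target rates), and a detector then flags a newly introduced device, a command from a component not expected to issue commands, a known source flooding the network, and a pump coil being cycled far more often than its baseline. The hosts (hmi, eng_ws, plc1, rogue), register names and timings are constructed assumptions, and the message model is a Modbus-style abstraction rather than a real protocol parser.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Msg:
    """One ICS message in a Modbus-style abstraction (hypothetical, not a real decoder)."""
    t: float      # seconds since start of capture
    src: str
    dst: str
    func: str     # "read" or "write"
    target: str   # register or coil name on the destination controller


def normal_traffic(seconds: int = 600) -> list[Msg]:
    """Constructed 'known good' period with hypothetical hosts: the HMI polls a
    temperature register every 2 s and commands a cooling-pump coil every 300 s;
    the engineering workstation only reads a status register."""
    msgs = [Msg(s, "hmi", "plc1", "read", "temp_reg") for s in range(0, seconds, 2)]
    msgs += [Msg(s + 1, "hmi", "plc1", "write", "pump1_coil") for s in range(0, seconds, 300)]
    msgs += [Msg(s + 0.5, "eng_ws", "plc1", "read", "status_reg") for s in range(0, seconds, 10)]
    return sorted(msgs, key=lambda m: m.t)


class Baseline:
    """Profile of normal operation learned from a recorded clean window."""
    def __init__(self, msgs: list[Msg], window: int = 60):
        self.window = window
        self.hosts = {m.src for m in msgs} | {m.dst for m in msgs}
        # Which (src, dst, target) tuples issued write commands during the baseline.
        self.writers = {(m.src, m.dst, m.target) for m in msgs if m.func == "write"}
        per_src, per_target = defaultdict(Counter), defaultdict(Counter)
        for m in msgs:
            per_src[m.src][int(m.t // window)] += 1
            if m.func == "write":
                per_target[m.target][int(m.t // window)] += 1
        # Busiest window seen per source / per written target sets the flood and cycling limits.
        self.peak_rate = {s: max(c.values()) for s, c in per_src.items()}
        self.peak_writes = {t: max(c.values()) for t, c in per_target.items()}


def detect(base: Baseline, msgs: list[Msg], flood_factor=3.0, cycle_factor=3.0):
    """Return (time, kind, detail) alerts, one per anomaly instance, for the four classes."""
    alerts, reported = [], set()
    rate, writes = defaultdict(Counter), defaultdict(Counter)
    for m in sorted(msgs, key=lambda x: x.t):
        w = int(m.t // base.window)
        for h in (m.src, m.dst):                       # newly introduced equipment
            if h not in base.hosts and ("dev", h) not in reported:
                reported.add(("dev", h))
                alerts.append((m.t, "new_device", h))
        key = (m.src, m.dst, m.target)                 # command from a host that never commands
        if m.func == "write" and key not in base.writers and ("cmd", key) not in reported:
            reported.add(("cmd", key))
            alerts.append((m.t, "unexpected_command", f"{m.src}->{m.dst}:{m.target}"))
        rate[m.src][w] += 1                            # flooding by a known source
        if (m.src in base.peak_rate and rate[m.src][w] > base.peak_rate[m.src] * flood_factor
                and ("flood", m.src, w) not in reported):
            reported.add(("flood", m.src, w))
            alerts.append((m.t, "flood", m.src))
        if m.func == "write" and m.target in base.peak_writes:   # pump cycled far above baseline
            writes[m.target][w] += 1
            if (writes[m.target][w] > base.peak_writes[m.target] * cycle_factor
                    and ("cycle", m.target, w) not in reported):
                reported.add(("cycle", m.target, w))
                alerts.append((m.t, "maintenance_cycling", m.target))
    return alerts


def measures(alerts, truth: dict[str, float]):
    """Time from each injected anomaly's start to its first alert, plus correct/false counts."""
    delays = {}
    for t, kind, _ in alerts:
        if kind in truth and kind not in delays:
            delays[kind] = t - truth[kind]
    correct = sum(1 for _, k, _ in alerts if k in truth)
    return delays, correct, len(alerts) - correct


def test_traffic() -> list[Msg]:
    """Constructed evaluation period: normal traffic plus four injected anomalies."""
    msgs = normal_traffic()
    msgs += [Msg(100 + 2 * i, "rogue", "plc1", "read", "temp_reg") for i in range(50)]    # new device at 100 s
    msgs.append(Msg(250, "eng_ws", "plc1", "write", "pump1_coil"))                        # unexpected command at 250 s
    msgs += [Msg(400 + 0.01 * i, "hmi", "plc1", "read", "temp_reg") for i in range(500)]  # flood at 400 s
    msgs += [Msg(s, "hmi", "plc1", "write", "pump1_coil") for s in range(500, 540, 5)]    # pump cycling every 5 s from 500 s
    return msgs


if __name__ == "__main__":
    base = Baseline(normal_traffic())
    truth = {"new_device": 100, "unexpected_command": 250, "flood": 400, "maintenance_cycling": 500}
    print(measures(detect(base, test_traffic()), truth))
```

The thresholds (three times the busiest baseline window) are deliberately crude; the point is that each alert class maps to one of the anomaly examples in the Description, and that the same labeled run yields the time-to-notification and correct-versus-false counts the topic lists as measures of effectiveness. Running the detector over the clean baseline itself is the first check a practitioner would make, since any alert there is a false indication by construction.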
Current cybersecurity of commercial ICS is inadequate despite incidents that are regularly reported in the press, such as the shutdown of an electric distribution grid described in Reference 4. Work produced in Phase II may become classified. Note: The prospective contractor(s) must be U.S. Owned and Operated with no Foreign Influence as defined by DOD 5220.22-M, National Industrial Security Program Operating Manual, unless acceptable mitigating procedures can and have been implemented and approved by the Defense Security Service (DSS). The selected contractor and/or subcontractor must be able to acquire and maintain a secret level facility and Personnel Security Clearances, as set forth by DSS and NAVSEA, in order to perform on advanced phases of this contract and gain access to classified information pertaining to the national defense of the United States and its allies; this will be an inherent requirement. The selected company will be required to safeguard classified material IAW DoD 5220.22-M during the advanced phases of this contract. 

PHASE I: Develop an initial design specification and capabilities document with particular attention paid to the hardware and software requirements for the technology to run on Navy ICS. Develop a Plan of Action and Milestones (POA&M) to design, develop, test, and integrate the proposed technology concept into Navy ICS environments. The Phase I Option, if awarded, will include the initial design specifications and capabilities description to build a prototype solution in Phase II. Develop a Phase II plan. 

PHASE II: Based on the results of Phase I and the Phase II Statement of Work (SOW), refine the design specification and develop a prototype. The prototype will, at a minimum, analyze pre-recorded network traffic data but will ideally run with real-time data collection. Demonstrate the prototype on the company's own real or virtual ICS. Provide requirements, test plans, and procedures to demonstrate that the product meets the attributes in the Description section of this document without interfering with the normal operation of the ICS. Prepare a Phase III development plan to transition the technology for Navy and potential commercial use. It is probable that the work under this effort will be classified under Phase II (see the Description section for details). 

PHASE III: Support the Navy in transitioning the technology to Navy use. Transition the prototype to operate on a land-based or virtual Navy test facility. The prototype will operate using real-time collection of network data and will not interfere with the normal operation of the ICS. The company will develop a transition plan to describe how the technology will be installed on a Navy asset to be determined during Phase III, most likely a Navy surface ship. Navy and commercial ICS hardware and software have much in common. Since cybersecurity of ICS is a nationwide defense issue, it is in the Government's best interest to make cybersecurity technologies developed under this topic available in generic unclassified form to U.S. companies. The current cybersecurity of commercial ICS is inadequate despite incidents that are regularly reported in the press, such as the shutdown of an electric distribution grid described in Reference 4. Therefore, there is a large potential to transition this technology to private sector manufacturing, processing, transportation, and other concerns that use ICS. 


REFERENCES:

1. National Institute of Standards and Technology (NIST). "Guide to Industrial Control Systems (ICS) Security." NIST Special Publication 800-82 Rev. 2, May 2013.

2. Miller, Charlie and Valasek, Chris. "Remote Exploitation of an Unaltered Passenger Vehicle." 2015.

3. Luallen, Matthew E. "Critical Control System Vulnerabilities Demonstrated - And What to Do About Them." SANS Institute InfoSec Reading Room, 2011.

4. Walters, Riley. "Russian Hackers Shut Down Ukraine's Power Grid." Newsweek, January 14, 2016.

KEYWORDS: Industrial Control Systems; Cybersecurity; Computer Network Traffic Analysis; Anomalous Network Traffic Detection; Network Traffic Maintenance Indications; Network Intrusion Detection 


Richard Zebrowski 

(202) 781-2072 

Jay Emmanuel 

(240) 419-8478 
