Modeling and simulation in mission assurance

Abstract

Modeling and simulation (M&S) continue to play a significant role in military training and operations. With the growth of cyberspace in support of military operations, it is only appropriate for M&S to follow a similar trajectory. In cybersecurity in particular, M&S can provide invaluable training for the cyber workforce, both for defensive and offensive operations, testing of network defenses and to support operational resiliency. Threats to military operations increase in complexity as adversaries develop their multi-domain capabilities to exploit information networks and mission systems. Adversaries are looking to physically attack defense critical infrastructure through cyber means along with exploiting vulnerability of information systems to gain physical access. Organizations must contend with threats from both physical and cyber means. A promising approach to assure operations resiliency in the face of this multi-domain threat lies in the concept of convergence of three security disciplines—physical, cyber, and continuity of operations (COOPs). Units can no longer depend on cybersecurity, nor can they rely entirely on guards, guns, and gates to protect critical missions, people, and infrastructure. Comprehensive risk-managed operational practices complemented by diverse, converged security protection programs are needed to meet these challenges. M&S has a significant role to play and must incorporate a more complex, holistic operational environment to address the resiliency of modern infrastructure. Network operators and cybersecurity providers must focus on assuring operational resilience and not merely on compliance with policies. Although policies provide a baseline to address common vulnerabilities, they are not sufficient in securing against complex threats, undiscovered vulnerabilities, or advanced adversaries. These adversaries continue to circumvent defenses whether from the inside, e.g., phishing and ransomware, or the outside through supply chain, vulnerable interfaces, or protocols. One way the Department of Defense (DoD) is addressing complex risks to its most strategic assets is to conduct a comprehensive vulnerability assessment utilizing a multidisciplinary approach called mission assurance (MA). MA, governed by DoD Instruction 3020.45, is the process to identify, protect, or ensure the continued function and resilience of capabilities and assets, including personnel, equipment, facilities, networks, information and information systems, infrastructure, and supply chains, critical to the execution of DoD mission-essential functions in any operating environment or condition. A major component of the MA concept is the on-site vulnerability assessment designed to discover gaps and weaknesses from multiple disciplines, i.e., physical security, general engineering, emergency management, and cyber operations. The framework provides a comprehensive risk assessment of critical assets that could prevent accomplishment of a unit, installation, or higher authority mission. No matter what program is levied on organizations to assure operational resiliency, situational awareness, monitoring, and adjustments are needed to compensate, react, and anticipate changes in the operational environment and adversary actions. Not only does the enemy gets a vote, but also we must assume that our systems are vulnerable, and in many cases, are already accessible and exploitable. Assuming the best, i.e., air-gapped networks are impenetrable, lowers operators’ guard and security diligence, which have yielded grave consequences. M&S can assist with modeling critical missions and mapping their mission relevant terrain to include supporting infrastructure. These models can be used for comparison and simulation of contingency events in support of training, exercises, COOP options, and concept of operations development. In the future, M&S can play a significant role in operational resiliency assessments to help pave the way for advancement in developing alternatives, redundancy, technical solutions, policies, and training. Incorporating