HMGCC Co-Creation Challenge: Managing cyber-security risk through network monitoring

All organisations are aware of cybersecurity risks, with several recent high-profile
cases. There are numerous online guidance and resource documents to help
organisations protect themselves, notably published by the National Cyber Security
Centre.

To protect the UK government against potential risks and new attacks, greater
visibility and network testing are required. To enable this, the use of low size and
cost network monitors is being explored. These would enable advanced penetration
testing capabilities to be used against networks including packet manipulation as
well as increasing network visibility.

There are some existing tools that can directly monitor network traffic, but these are
typically targeted towards large operators and are scaled for much higher network
volumes than is needed for this use case, resulting in higher price tags. There is a
requirement to develop a low size, weight and power variant, which can operate
within small data centres. It should also be low-cost to encourage wider adoption.

The critical technical requirement is a network pass-through (optical or copper) that
allows the network to be unaffected by the network monitor, even if the network
monitor were to fail in operation.

To guard against potential hacking attempts, a security operations centre is working
with a team to monitor network traffic to and from a government estate. As part of
increased security, they also plan to carry out regular penetration tests on the
network, to ensure it is protected.

Kay’s team is trialling a new network monitor to observe traffic at source. If
successful, Kay will roll this out to other sites. Even though this is a test, it would
cause serious impact if the network monitor disrupted internet connection.

Part of Kay’s team are specialist network engineers to ensure correct installation.
They are working late at night to minimise disruption. The installation area is
cramped for space, can get quite hot, but at least does have easy access to AC
mains.

Once installed successfully the data link is passed to the security operations centre.

Kay’s team also has the option to inject modified packets to simulate malicious traffic. This penetration test is caught by the firewall, confirming a successful outcome for the security operations centre.

At some point during operation, the network monitor fails. It is later discovered that there was a minor manufacturing defect that only caused an issue after some time. However, this proved a successful trial as, during failure mode, the fail-safe pathway allowed data to bypass the network monitor without incident.

Applicants should aim to deliver a demonstrator and report in this 12-week project. This is open to Technology Readiness Levels (TRL) from 5 – 9. It is recommended that proposals label both the existing TRL and the TRL expected by the end of the 12 weeks. Critical, essential and desirable requirements are listed, along with constraints and what is not required.

Critical requirement

• Must incorporate an optical or copper pass-through, so if the device fails it does not affect normal network traffic.

Essential requirements

• Deliver a physical demonstrator at the end of the project, for further testing by the sponsors.
• Operating temperature range of -10C to +60C.
• Low size, weight and power (SWaP) must be considered, and if not achievable in the 12-week project a roadmap must be presented to achieve this in the future.
  • Ideal size is less than 1 litre.
  • Ideal power is less than 45W, from mains AC.
• Processor must be capable of bi-directional 10Gb bandwidth.
• Copper network input or fibre network input.
• Multi-mode and single mode network.

Desirable requirements

• Ideal Ingress Protection rating is IP66.
• Consider relatively low cost for final unit price, a price over £5,000 may be prohibitive.
• Consider the mechanism to program a unit. The sponsors of this challenge will work with the solution provider on preferences and software package trade-offs.
• Copper network input and fibre network input in the same unit.
• Consider robust and rugged used units, however this is largely out of scope for this phase of the project.

Constraints

• Operation within a small data centre.

Not required

• Horizon scanning only.
• Large bulky and high-cost units.
• Not just a passive tap or span.

Please note, the successful solution provider will be expected to have availability for a one hour onboarding call via MS Teams on the date specified to begin the onboarding/contractual process.