
OpenC2

The OpenC2 Forum is now in OASIS

On June 7, 2017, the OpenC2 Forum transitioned to the
OASIS standards development consortium.

We welcome your participation in the OpenC2 Technical Committee


Committee Specifications Published!

As of 11 July 2019, the three OpenC2 specifications have been approved as OASIS Committee Specifications, and they have been formally published by OASIS. The announcement and links to the specification documents can be found here.


Plug Fest: January 2020

The OpenC2 TC will conduct an interoperability plug fest on 27-28 January 2020, at the US Cyber Command's DreamPort facility in Columbia, MD. An introductory Tech Talk was presented on Tuesday, 5 November 2019 (information here). We are working to make the slides from the Tech Talk presentations available for download.

A mail list is being established for Plug Fest participants. Contact dave.lemire (at) g2-inc.com if you would like to be included on the mail list.

Open Command and Control (OpenC2):

A Forum to Promote Global Development and Adoption of Command and Control


Today, cyber-attacks are increasing in terms of complexity, speed, and dynamics. Advanced cyber actors now use highly-sophisticated, dynamic attack steps with automation, and these trends are likely to continue.

Current Cyber-Defense

Modern defense systems are typically statically configured and integrate products in a nonstandard way. Upgrading or modifying the functional blocks within the cyber-defense is intensive, may impact the efficacy of the system as a whole, and in many cases cannot be realized in cyber-relevant time.

       

Defense in Cyber-Relevant Time

Future defense will require the integration of new functional blocks, coordination of responses between domains, synchronization of cyber defense mechanisms, and automated actions at machine speed against current and pending attacks. Standard interfaces and protocols facilitate the integration of components, resulting in a more flexible and interoperable cyber defense system. A defined, standardized, and unambiguous machine-to-machine command and control language will help realize this vision.

Our Vision: The OpenC2 Forum defines a language at a level of abstraction that will enable unambiguous command and control of cyber defense technologies. OpenC2 is broad enough to provide flexibility in the implementations of devices and accommodate future products and will have the precision necessary to achieve the desired effect.

 

Join

Interested in having an impact on the standardization of cyber command and control?


Consider joining our team of cyber security stakeholders including cyber security integrators, product vendors, government, and academia.

Join the OpenC2 Technical Committee

 

Design Principles

Cyber attacks operate at machine speed. Effective responses to attacks must operate at machine speed. Security solutions must not only be faster and smarter, they must be able to work together to create a concerted automatic cyber defense. This coordinated defensive activity requires that there be a commonly understood way to express system actions. OpenC2 is an open standards approach to translating the operational and defensive intent of an organization into orchestrated and automated system control actions.

OpenC2 defines a command set and syntax based on the actions, targets, actuators, and attributes required to encode desired effects and command decisions as machine-readable instructions, enabling automated courses of action. The expressiveness of the language can be expanded in a context-specific way by adding attributes and objects to further specify the general activities. This strategy achieves broad interoperability while only standardizing and maintaining a small set of actions.

The definition of a language such as OpenC2 is necessary but insufficient to enable future cyber defenses. OpenC2 was designed to be flexible, agnostic of external protocols that provide services such as transport, authentication, key management and other services.


The OpenC2 design principles include the following:

  • Support cyber relevant response time for coordination and response actions.
  • Be infrastructure, architecture, and vendor agnostic.
  • Support multiple levels of abstraction, necessary to permit the contextualization of commands for a wide variety of operating environments.
  • Permit commands to be invoked that are either tasking/response actions or notifications.
    • Tasking/response actions result in a state change.
    • Notifications require supporting analytics/decision processes.
  • Provide an extensible syntax to accommodate different types of actions, targets, and actuators (e.g., sensor, endpoint, network device, human) and specific targets and actuators.
  • Ensure the OpenC2 command is independent of a message construct that provides transport, includes identification of priority/quality of service, and supports security attributes.

Syntax

Conceptually, an OpenC2 command has the following form:


(
    ACTION (
        type = <ACTION_TYPE>
    ),
    TARGET (
        type = <TARGET_TYPE>,
        <target-specifier>
    ),
    ACTUATOR (
        type = <ACTUATOR_TYPE>,
        <actuator-specifier>
    ),
    MODIFIERS (
        <list-of-modifiers>
    )
)

Actions

All OpenC2 commands start with an ACTION which indicates the type of command to perform such as gather and convey information, control activities and devices, and control permissions and access. The range of options and potential impact on the information system associated with a particular ACTION is a function of the ACTUATOR. For cases that involve multiple options for an ACTION, modifiers are used.

Action Details

Targets

The TARGET is the object of the ACTION (or conversely, the ACTION is performed on the TARGET). OpenC2 will utilize pre-existing data models to provide the namespace for the TARGETs. Initially, OpenC2 will reference the applicable CybOX objects in the OpenC2 TARGET namespace. However, OpenC2 can be supported by custom or other data models.

Target Details

Actuators

An ACTUATOR is the entity that puts command and control into motion or action. The ACTUATOR executes the ACTION on the TARGET. To the extent possible, OpenC2 will leverage existing standardized data models for ACTUATORs (e.g., IETF Security Automation and Continuous Monitoring, Information Security Continuous Monitoring (ISCM)).

Actuator Details

Specifiers

"Specifiers" further distinguish individual or groups of targets or actuators. Specifiers can be associated with the TARGET or ACTUATOR in an OpenC2 command. Commands are appended with specifiers as context specific details become available.

Modifiers

Modifiers provide additional information about the action such as time, periodicity, duration, and location. Modifiers can denote the when, where, and how aspects of an action. The modifier can also be used to convey the need for additional status information about the execution of an action. Modifiers can be used to indicate whether the actuator should explicitly acknowledge receipt of the command, respond upon completion of the execution of the command, or provide some other status information. The requested status/information will be carried in a RESPONSE.

Modifier Details

About

The Open Command and Control Forum promotes the global development and adoption of the OpenC2 language and reference material.

What is the OpenC2 Approach?

Initial Scope

The OpenC2 Forum is initially focused on defining a language at a level of abstraction that will enable command and control of cyber defense entities that execute the actions with enough generality to provide flexibility in the implementations of devices and accommodate future products.

The initial scope of the OpenC2 effort is to create a lexicon with a set of terms that define the actions, the target of the actions, and the entities that execute the action. The OpenC2 language also defines an extensible syntax to accommodate attributes that further specify the targets, components, and actions that support a wide range of operational environments.

Future Scope

Future OpenC2 efforts will further detail the syntax, lock down the controlled vocabulary, and define implementation approaches to facilitate interoperable machine-to-machine communications. The OpenC2 effort will develop and promulgate reference implementations to demonstrate the use and flexibility of OpenC2 and promote the incorporation of OpenC2 in cyber defense solutions.

Reference Implementation

The expressiveness of the language can be expanded in a context-specific way by adding attributes and objects to further specify the general activities. This strategy achieves broad interoperability while only standardizing and maintaining a small set of actions.

| Description | Action | Target | Target-Specifier | Actuator | Actuator-Specifier | Modifier |
| --- | --- | --- | --- | --- | --- | --- |
| Block traffic to/from specific IP address [effects-based, no actuator specified]; suitable for inter-domain coordination | Deny | Network Connection | Source and Destination IP Address | | | |
| Block traffic at all network devices [specify actuator class]; suitable for inter-domain coordination or as a command to an orchestration engine which further contextualizes for the enclave's environment | Deny | Network Connection | Source and Destination IP Address | Network (any devices) | | |
| Block traffic at network routers [specify type of network device actuator]; suitable within an enclave | Deny | IP | Source and Destination IP Address | Network.router | (optional) | |
| Block traffic at specific network router; suitable within an enclave | Deny | IP | Source and Destination IP Address | Network.router | Router identity | |
| Block access to bad external IP by null routing; suitable within an enclave | Deny | IP | Source and Destination IP Address | Network.router | (optional) | Method=blackhole |
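An added example, not code from the OpenC2 project or this page, that models the conceptual ACTION/TARGET/ACTUATOR/MODIFIERS form from the Syntax section and the Deny rows of the table above as Python dicts, then validates a received command the way a cautious actuator would before acting: unknown actions, target specifiers that are not IP addresses, unknown actuator types and unrecognised modifier keys are rejected. The key names, the small vocabulary sets and the IP-address check are assumptions; the page gives only the conceptual structure, and the real OASIS vocabulary is larger.

```python
import ipaddress

# Assumed vocabulary, limited to what the table on this page uses (hypothetical subset).
ACTIONS = {"deny"}
TARGET_TYPES = {"ip", "network_connection"}
ACTUATOR_TYPES = {"network", "network.router"}
MODIFIER_KEYS = {"method", "response"}

def build_command(action, target_type, src, dst, actuator=None,
                  actuator_specifier=None, modifiers=None):
    """Return a command in the conceptual ACTION/TARGET/ACTUATOR/MODIFIERS form."""
    cmd = {
        "action": {"type": action},
        "target": {"type": target_type, "specifier": {"src": src, "dst": dst}},
    }
    if actuator:
        cmd["actuator"] = {"type": actuator, "specifier": actuator_specifier}
    if modifiers:
        cmd["modifiers"] = dict(modifiers)
    return cmd

def validate_command(cmd):
    """Check a received command before execution; returns (ok, reason)."""
    action = cmd.get("action", {}).get("type", "").lower()
    if action not in ACTIONS:
        return False, f"unknown action {action!r}"
    target = cmd.get("target", {})
    if target.get("type", "").lower() not in TARGET_TYPES:
        return False, f"unknown target type {target.get('type')!r}"
    spec = target.get("specifier") or {}
    # A Deny must name both endpoints as valid addresses; a vague specifier
    # could make a router block far more traffic than the operator intended.
    for key in ("src", "dst"):
        try:
            ipaddress.ip_address(spec[key])
        except (KeyError, ValueError):
            return False, f"target specifier {key!r} missing or not an IP address"
    actuator = cmd.get("actuator")
    if actuator is not None and actuator.get("type", "").lower() not in ACTUATOR_TYPES:
        return False, f"unknown actuator type {actuator.get('type')!r}"
    unknown = set(cmd.get("modifiers", {})) - MODIFIER_KEYS
    if unknown:
        return False, f"unrecognised modifiers {sorted(unknown)}"
    return True, "ok"

# Constructed sample matching the last table row: null-route a bad external IP.
NULL_ROUTE = build_command("deny", "ip", "192.0.2.10", "198.51.100.7",
                           actuator="network.router", modifiers={"method": "blackhole"})
```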