
Page 1: AF Life Cycle Management Center · 2016-07-21 · NIST Special Publication 800-37, Applying the Risk Management Framework to Federal Info Systems NIST Special Publication 800-30,

AFLCMC… Providing the Warfighter’s Edge

An Engineering Methodology for Assessing Cybersecurity Threats and Risk to DoD Weapon Systems

Harrell Van Norman
AFLCMC/EZAS
Cybersecurity Technical Expert
AF Life Cycle Management Center

DISTRIBUTION A. Approved for public release: distribution unlimited. Case Number: 88ABW-2014-2406, 19 May 2014

Page 2

“... so I connected the unclassified black & classified red wires for ONE com & data channel...”

Aircraft System Cybersecurity

DISTRIBUTION A. Approved for public release: distribution unlimited. Case Number: 88ABW-2015-2146, 30 April 2015

Page 3

What is Cybersecurity?

• Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. Source: DoDI 8500.01
• Cybersecurity replaced Information Assurance (IA)
• Requires independent assessment & authorization
• Cybersecurity required by law, DoD & USAF instruction
• AFLCMC mandatory process

Page 4

Cybersecurity Applicability

Cybersecurity applies to all IT that receives, processes, stores, displays, or transmits DoD information

Note 1: PIT = Platform IT: aircraft, weapons, C2, medical, industrial control systems, etc.
Note 2: Only an appointed Authorization Official can authorize operation of a system

Page 5

Threats

• Insider Threat (Often under-estimated)
  – Disgruntled personnel
  – Unintentional actions of user
  – Trusted insider
• Hacker/Cracker
• Malicious Code/Viruses/Worms
  – Via link or HW/SW upgrades
• State Sponsored Cyber Attack
• DOS (Denial of Service) Attacks
  – Self imposed
  – Deliberate actions of others

Page 6

Domain Expertise

Threat Actors
• Cybercriminals: stealing or corrupting data for financial gain
• Script kiddies: curious & fame seeking
• Computer Spy: hired to steal information
• Insiders: disgruntled over job termination
• Cyberterrorists: defacing web sites to spread propaganda or critical infrastructure outages and corrupt vital data
• Nation State: cyber warfare

Targets of Attack
• Banks & commercial enterprises
• Easy targets and unprotected systems
• Corporate competitors and affiliates
• Former employers
• Critical infrastructures and high profile web sites
• DoD Weapon Systems

Page 7

Malicious System Exploitation Attacks

Representative Attacks and Vectors for Malicious Exploitation of Fielded Systems

• Denial of Service (embedded malware)
• Kill Switch Activation (embedded malware)
• Mission Critical Function Alteration (embedded malware)
• Exfiltration (by adversary)
• Network Threat Activity (host discovery)
• Compromised Server Attacks (on clients)
• Malicious Activity (disruption, destruction)
• Auditing Circumvention (evading detection)
• Web Based Threats (disclosing sensitive info)
• Zero Day Vectors (vulnerabilities without fixes)
• Improper File/Folder Access (misconfiguration)
• Configuration, Operational Practices
• Supply Chain (penetration, corruption)
• Malware (downloaded, embedded)
• External Mission Load Compromise
• DNS Based Threats (cache poisoning)
• Applications (built-in malware)
• E-mail Based Threats (attachments)
• Data Leakage (via social media)
• Password Misuse (sharing)

Page 8

Example Aircraft Attack Surface

Diagram. Ground, support and development touch points shown: Key Loader, Support Equipment, Mission Planning, Memory/Loader Verifier, Backshop Test Station, Removable Media, SW Development, Data Recorder, 1553 Bus, LRUs (HW, SW), Depot & contractors, Contractor Laptop. Legend: Classified, Unclassified, NIPR/SIPR. External RF interfaces shown: IFF, Data Links, GPS, UHF/VHF, SATCOM, HF, ACARS, ADS-B.

Page 9

Risk Based Approach

RMF replacing DIACAP

Page 10

Roots of DoD Policy

Page 11

Unified Framework (Before / After)

DoD is aligning cybersecurity and risk management policies, procedures, and guidance with Joint Transformation NIST documents, the basis for a unified information security framework for the Federal government.

NIST Special Publication 800-37, Applying the Risk Management Framework to Federal Info Systems
NIST Special Publication 800-30, Guide for Conducting Risk Assessments
NIST Special Publication 800-39, Managing Info Security Risk: Organization, Mission, & Info System View
NIST Special Publication 800-53, Security and Privacy Controls for Federal Info Systems & Organizations
NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Info Systems & Orgs
NIST Special Publication 800-137, Info Security Continuous Monitoring (ISCM) for Federal Info Systems & Orgs

Page 12

Cybersecurity Systems Engineering Approach

Diagram. Cybersecurity activities are laid over the Systems Engineering Process and its technical reviews (SRR, SFR, PDR, CDR, TRR, SVR), with the SCA shown at each review and the AO making the authorization decision (IATT, AO Decision - ATO). Labels shown: Cybersecurity Requirements; Cybersecurity Functional Requirements; Cybersecurity Design Verification; Cybersecurity Design Verification Test Plan Review; Assessment; Verify; Concur?; Certify / Approval?; PIT Cybersecurity Risk Management Framework.

Page 13

Components of Risk

Risk Analysis
• Likelihood (cause) – Threat: means & opportunity of the threat
• Impact (effect) – Vulnerability: severity of vulnerability & criticality of the system/subsystem

Page 14

Risk Assessment Example

Derived from: NIST 800-30 Risk Assessment; DOD Risk Management Guide

Inputs: Criticality Analysis, Vulnerability Assessments, Threat Assessments (INTEL, TEST); Consequence of Loss; Likelihood of Loss

Likelihood scale: 5 - Near Certainty, 4 - Probable, 3 - Occasional, 2 - Remote, 1 - Improbable
Impact scale: 5 - Catastrophic, 4 - Major, 3 - Moderate, 2 - Minor, 1 - Negligible

Risk Likelihood (rows: Opportunity; columns: Means)
        M-1  M-2  M-3  M-4  M-5
O-5     L-2  L-3  L-4  L-5  L-5
O-4     L-2  L-3  L-4  L-5  L-5
O-3     L-1  L-2  L-3  L-4  L-5
O-2     L-1  L-2  L-3  L-4  L-4
O-1     L-1  L-1  L-2  L-3  L-3

Impact (rows: Vulnerability Severity; columns: Mission Criticality)
        C-1  C-2  C-3  C-4  C-5
S-5     I-2  I-3  I-4  I-5  I-5
S-4     I-2  I-3  I-3  I-4  I-5
S-3     I-1  I-2  I-3  I-4  I-5
S-2     I-1  I-1  I-2  I-3  I-4
S-1     I-1  I-1  I-1  I-2  I-3

Overall Risk Factor Matrix (rows: Likelihood L-5 down to L-1; columns: Impact I-1 to I-5; cells shaded by Risk level: High, Moderate, Low). The result is checked against: Within risk tolerance?

Worked example (X marked on the matrix): Likelihood = L-1, Impact = I-3, Risk = Low

Page 15

Example Risk Reporting Template

Header fields: Component; Control / Requirement; Risk #; Control name; Initial risk level (example: High)

Threat: Any circumstance or event with potential to intentionally or unintentionally exploit one or more vulnerabilities in a system, resulting in a loss of confidentiality, integrity, or availability. Examples of threat agents are malicious hackers, organized crime, insiders, terrorists, and nation states.

Vulnerability: Flaw or weakness in design or implementation of hardware, software, networks, or computer-based systems, including security procedures and controls associated with the systems. Be specific.

Risk: Combination of the likelihood that a particular vulnerability in an organization’s systems will be either intentionally or unintentionally exploited by a particular threat agent and the magnitude of the potential harm (consequence) to the organization’s operations, assets, or personnel that could result from the loss of confidentiality, integrity, or availability.

Likelihood: (Highly Likely) Explain the probability of occurrence due to mission parameters. Make sure this category designation matches the Matrix category designations.

Impact: (High) Explain the consequence to data, mission, operation, or life in quantifiable terms. Make sure the designation matches the consequence column headers on the Risk Matrix. Describe in terms of confidentiality, integrity & availability.

Mitigation/Countermeasures: List actions that are implemented and documented relevant to the risk.

Residual Risk: After mitigation/countermeasures have been applied, what is the risk level? Why should the AO accept the risk?

Current Residual Risk: Moderate

Additional countermeasures needed for Low residual risk: What is needed to meet the requirement or mitigate to a low risk?
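As an added worked example (not part of the original briefing), the scoring described on the Components of Risk and Risk Assessment Example slides carried through to the initial and residual risk levels the reporting template asks for. The Likelihood and Impact lookup tables are transcribed from slide 14. The overall High/Moderate/Low banding is an assumption: the slide shows that matrix only as colour bands, so the banding here is chosen so that the slide's marked example (L-1, I-3) comes out Low. The Opportunity/Means/Severity/Criticality ratings used in the usage section are constructed.

```python
"""Two-stage risk scoring: Opportunity x Means -> Likelihood,
Vulnerability Severity x Mission Criticality -> Impact, then
Likelihood x Impact -> overall risk level.  Lookup tables are
transcribed from slide 14 of the AFLCMC briefing."""
from dataclasses import dataclass

SCALE = range(1, 6)  # every factor is rated 1 (lowest) to 5 (highest)

# Risk Likelihood: key = Opportunity (O-1..O-5), tuple index = Means (M-1..M-5).
LIKELIHOOD_MATRIX = {
    5: (2, 3, 4, 5, 5),
    4: (2, 3, 4, 5, 5),
    3: (1, 2, 3, 4, 5),
    2: (1, 2, 3, 4, 4),
    1: (1, 1, 2, 3, 3),
}
# Impact: key = Vulnerability Severity (S-1..S-5), tuple index = Mission Criticality (C-1..C-5).
IMPACT_MATRIX = {
    5: (2, 3, 4, 5, 5),
    4: (2, 3, 3, 4, 5),
    3: (1, 2, 3, 4, 5),
    2: (1, 1, 2, 3, 4),
    1: (1, 1, 1, 2, 3),
}
LIKELIHOOD_LABELS = {5: "Near Certainty", 4: "Probable", 3: "Occasional",
                     2: "Remote", 1: "Improbable"}
IMPACT_LABELS = {5: "Catastrophic", 4: "Major", 3: "Moderate",
                 2: "Minor", 1: "Negligible"}


def _check(name: str, value: int) -> None:
    """Reject ratings outside the 1..5 scale rather than silently mis-scoring."""
    if value not in SCALE:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def likelihood(opportunity: int, means: int) -> int:
    """Threat side (cause): Opportunity x Means -> Likelihood L-1..L-5."""
    _check("opportunity", opportunity)
    _check("means", means)
    return LIKELIHOOD_MATRIX[opportunity][means - 1]


def impact(severity: int, criticality: int) -> int:
    """Vulnerability side (effect): Severity x Mission Criticality -> Impact I-1..I-5."""
    _check("severity", severity)
    _check("criticality", criticality)
    return IMPACT_MATRIX[severity][criticality - 1]


def overall_risk(lik: int, imp: int) -> str:
    """Overall Risk Factor Matrix.

    ASSUMPTION: the slide shows this matrix only as High/Moderate/Low colour
    bands, so the banding below (on likelihood + impact) is an assumed one,
    chosen so the slide's marked example L-1 / I-3 comes out Low.
    """
    _check("likelihood", lik)
    _check("impact", imp)
    score = lik + imp
    if score >= 8:
        return "High"
    if score >= 5:
        return "Moderate"
    return "Low"


@dataclass(frozen=True)
class Assessment:
    """The scored part of one slide 15 reporting-template entry."""
    likelihood_code: str
    impact_code: str
    risk_level: str


def assess(opportunity: int, means: int, severity: int, criticality: int) -> Assessment:
    """Carry the four rated factors through both matrices to a risk level."""
    lik = likelihood(opportunity, means)
    imp = impact(severity, criticality)
    return Assessment(
        likelihood_code=f"L-{lik} ({LIKELIHOOD_LABELS[lik]})",
        impact_code=f"I-{imp} ({IMPACT_LABELS[imp]})",
        risk_level=overall_risk(lik, imp),
    )


if __name__ == "__main__":
    # Constructed inputs that reproduce the slide's marked result: L-1, I-3, Risk = Low.
    print("slide example:", assess(opportunity=1, means=2, severity=3, criticality=3))
    # Constructed initial/residual pair in the shape of the reporting template:
    # a countermeasure that removes an access point (lower Opportunity) and
    # corrects the flaw (lower Severity) takes the entry from High to Moderate.
    print("initial: ", assess(opportunity=4, means=3, severity=4, criticality=5))
    print("residual:", assess(opportunity=2, means=3, severity=2, criticality=5))
```

Re-running `assess` with the post-mitigation ratings is what fills the template's Residual Risk line; because both factors feed separate matrices, a countermeasure that only lowers Opportunity leaves Impact unchanged, which is why the constructed residual case also lowers Severity.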

Page 16

Current Challenges

• Legacy assessment backlog
• Legacy systems were not designed to cyber requirements
• Policy geared toward networks
• Workforce Development LOA3
• Requirements and funding
  – Program funds to implement fixes or upgrades
  – No funds for site audits or training certifications
• Programs’ access to timely Intel
• Classification Issues
  – Program office IPT without access to threat, vulnerability information
  – Tools such as eMASS create classification issues for risk assessments
• Test and Evaluation Resources
  – Red/Blue team capability against weapons systems
• Lack of tools to conduct avionics cyber analysis
• Software/Hardware assurance & SCRM
  – Tools, techniques and expertise for HW & SW Assurance
  – Systems using COTS components built on foreign technologies and hardware
  – Supply chain risk assessment releasability/classification
• ‘Permanent’ temporary T-1, 1067, UON/JUON mods to system
• Process for reporting of incidents

Page 17

Challenges Applying Enterprise Requirements to Embedded Systems

• Network tools and assessment techniques have limited relevance to Weapons Systems architecture and interfaces
• Automatic updates and centralized account control not possible due to connectivity, safety, configuration management and availability
• Weapons systems must decrease attack surface, limiting access points
• Form factor, weight, power, and safety preclude many enterprise implementations in weapons systems
• Embedded firmware, unique internal buses & controllers
• Real-time OS vs Enterprise Network / Desktop operating systems
• Different Operating Environments, CONOPs, Threats & Vulnerabilities
• Focus network related protections at Mission Planning and Maintenance touch points versus applying requirements internal to real-time systems
• Virus definitions and STIGs irrelevant to Weapons system OS
• Implementation of controls and assessment methods are very different
• Security Classification of Weapons Systems Vulnerability & Threat

PIT was defined due to the unique aspects of real-time embedded systems

Page 18

Defense in Depth

• Confidentiality – Assurance that information is not disclosed to unauthorized persons
• Integrity – Data, processes, material is what is expected
• Availability – Timely, reliable access to data and information services for authorized users

Page 19

Avionics Cyber Core Competencies

• Mission Analysis
• Failure Mode Effects Criticality Analysis (FMECA)
• Cybersecurity Risk Management
• Data Flow - Attack Pattern/Threat Modeling
• Requirements Analysis
• Cyber T&E Assessments
• SwA/HwA & SCRM
• Systems Security Engineering

Page 20

Overview of DoDAF 2.0 viewpoints

Page 21

Risk Assessment with DODAF 2.0

Diagram. Three analysis paths (Operational path, Services path, Systems path) step through numbered views 1, 2, 3, 4, 5, 6a, 6b, 6c, 7, 8, 9a, 9b, 10a, 10b.

Views in the diagram: AV1, AV2, OV1; OV2; OV3, OV5, CV6; DIV1, DIV2; DIV3; OV6(a,b,c); SvcV1, SvcV2, SvcV3b, SvcV5, CV7; SV1, SV2, SV3, SV5b; SvcV4, SvcV6; SvcV3a; SV4, SV5a; SV10(a,b,c), SvcV10(a,b,c); CV2, CV4.

• AV1, AV2, OV1: General information about the mission, context (not sufficient for automated analysis)
• OV2: Operational resource flow; introduces performers and information exchanges; suitable for automated analysis; gives operational overview of the entire enterprise; perfect for threat and risk analysis; but may not be sufficient for human interpretation without additional information, which may come either from informal sources or more detailed views
• CV2, CV4: Capability views; useful for analysis in combination with OV views

Other view labels in the diagram: Operational activities; Detailed Operational activities; Conceptual and logical data; Physical data; Service decomposition; Systems decomposition; Service functions; System functions; Detailed Service functions; Detailed System functions; Service-System mapping.

Page 22

What is “risk”? (ISO 15408)

There are many categories of risk (e.g., financial, systemic, project). We are focusing on the operational risk (i.e., any undesired events that disrupt the operations of a system due to attacks, incidents, or failures).

Page 23

Systematic Enumeration of Risks

Identified Risks are built up by answering, for each risk:
• To what? – Assets and Targets
• Who cares? – Owners and criteria (sensitivity)
• So what? – Undesired events, Operational Impact (severity)
• How? – Attack scenarios (Likelihood)
• By who? and Why? – Threat Sources
• What to do about it? – Controls, mitigation options

Page 24

JFAC Capabilities

Detection Techniques (Maturity Level: Low to High)
• Static Source Code Analysis
• Dynamic Binary Analysis
• Static Binary Analysis
• Web Application Analysis
• Database Analysis
• Mobile Application Analysis
• Incident Response and Forensic Analysis

SME support during the product lifecycle (Maturity Level: Low to High)
• Secure Software Design
• Secure Coding Practice Audit/Review
• Criticality Analysis
• Milestone Review
• Deployment Assistance and Review
• Sustainment Support & Penetration Testing

Page 25

Directorate Engineering Analysis Tech Hub and System Training, Analysis & Research (Death Star)

• Death Star 143
  – AutoCAD
  – BlockSim
  – Enterprise Architect
  – Fortran
  – IMPRINT
  – JMP
  – LCOM
  – MultiSim
  – RCM ++
  – Weibull++
  – AFGROW
  – AMESim
• Death Star 145
  – Ansys Mechanical
  – DARWIN
  – Fieldview
  – NX
  – Pointwise
  – Solidworks
  – STAR-CCM+
  – Tecplot Focus

Allow USAF engineers to work collaboratively with contractors in problem solving and system enhancements. Tools enable data driven, fact based engineering to re-establish a center of technical excellence capable of independent, timely technical assessment in support of major USAF and DoD acquisition programs.

Page 26

Directorate Engineering Analysis Tech Hub and System Training, Analysis & Research (Death Star)

Death Star Cyber Lab

– Architectural Risk Assessment Tools
  • IBM Rational System Architect
  • Sparx Enterprise Architect
  • MagicDraw 18.3 FR Personal
– JFAC Software Assessment Tools
  • Fortify
  • Coverity
  • Sonatype
– Cybersecurity Forensics Assessment Tools
  • Forensic Recovery of Evidence Device (FRED)
  • AccessData’s Forensics Tool Kit (FTK)

Page 27

Death Star Cyber Lab

– Cybersecurity Protection Tools
  • McAfee’s Integrity Control Whitelisting Tool
  • AFRL’s Port Protection Program for Weapon Systems (P3)
– Software Assessment Tools
  • KDM Analytics Blade Tools Output Integration Framework (TOIF)
  • Grammatech Software Assessment Tool (SWAT)
– Vulnerability Assessment Tools
  • DISA’s Assured Compliance Assessment Solution (ACAS)
  • DISA’s SCAP Assessment Tool Suite, Gold Disk, Retina
  • Open Source Tools: NMap, ZENMap, Cain & Abel, Wireshark, Metasploit
– Architectural Risk Assessment Tools
  • KDM Analytics Blade Risk Manager (BRM)
  • Microsoft Tools
    – Microsoft Security Assessment Tool 4.0 (MSAT)
    – Microsoft Threat Modeling Tool
  • DHS Cyber Security Evaluation Tool 7.0 (CSET)
  • Edaptive Risk Analysis Integration into Architecture-based Systems Engineering for Trustworthiness Assessment (RAISE/T)

Page 28

Summary

• Domain Expertise needed for Weapon System Cybersecurity
• Unique Aircraft System Attack Surface
• Cybersecurity Part of Systems Engineering
• Industry Partnership Essential to Address Challenges and Requirements
• Unique Avionics Cyber Core Competencies