af life cycle management center · 2016-07-21 · nist special publication 800-37, applying the...
TRANSCRIPT
AFLCMC… Providing the Warfighter’s Edge
An Engineering Methodology for Assessing Cybersecurity Threats and Risk to DoD Weapon Systems
Harrell Van Norman
AFLCMC/EZAS
Cybersecurity Technical Expert
AF Life Cycle Management Center
DISTRIBUTION A. Approved for public release: distribution unlimited. Case Number: 88ABW-2014-2406 19 May 2014
(cartoon caption) "... so I connected the unclassified black & classified red wires for ONE com & data channel..."
Aircraft System Cybersecurity
DISTRIBUTION A. Approved for public release: distribution unlimited. Case Number: 88ABW-2015-2146 30 April 2015
What is Cybersecurity?
• Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.
Source: DoDI 8500.01
• Cybersecurity replaced Information Assurance (IA)
• Requires independent assessment & authorization
• Cybersecurity required by law, DoD & USAF instruction
• AFLCMC mandatory process
Cybersecurity Applicability
Cybersecurity applies to all IT that receives, processes, stores, displays, or transmits DoD information.
Note 1: PIT = Platform IT: aircraft, weapons, C2, medical, industrial control systems, etc.
Note 2: Only an appointed Authorization Official can authorize operation of a system.
Threats
• Insider Threat (often under-estimated)
– Disgruntled personnel
– Unintentional actions of user
– Trusted insider
• Hacker/Cracker
• Malicious Code/Viruses/Worms
– Via link or HW/SW upgrades
• State Sponsored Cyber Attack
• DOS (Denial of Service) Attacks
– Self imposed
– Deliberate actions of others
Domain Expertise
Threat Actors
• Cybercriminals: stealing or corrupting data for financial gain
• Script kiddies: curious & fame seeking
• Computer Spy: hired to steal information
• Insiders: disgruntled over job termination
• Cyberterrorists: defacing web sites to spread propaganda or critical infrastructure outages and corrupt vital data
• Nation State: cyber warfare
Targets of Attack
• Banks & commercial enterprises
• Easy targets and unprotected systems
• Corporate competitors and affiliates
• Former employers
• Critical infrastructures and high profile web sites
• DoD Weapon Systems
Malicious System Exploitation Attacks
Representative Attacks and Vectors for Malicious Exploitation of Fielded Systems
Denial of Service (embedded malware)
Kill Switch Activation (embedded malware)
Mission Critical Function Alteration (embedded malware)
Exfiltration (by adversary)
Network Threat Activity (host discovery)
Compromised Server Attacks (on clients)
Malicious Activity (disruption, destruction)
Auditing Circumvention (evading detection)
Web Based Threats (disclosing sensitive info)
Zero Day Vectors (vulnerabilities without fixes)
Improper File/Folder Access (misconfiguration)
Configuration, Operational Practices
Supply Chain (penetration, corruption)
Malware (downloaded, embedded)
External Mission Load Compromise
DNS Based Threats (cache poisoning)
Applications (built-in malware)
E-mail Based Threats (attachments)
Data Leakage (via social media)
Password Misuse (sharing)
Example Aircraft Attack Surface (diagram; labels recovered from the figure)
Ground and support touch points: Key Loader, Support Equipment, Mission Planning, Memory/Loader Verifier, Backshop Test Station, Removable Media, SW Development, Depot & contractors, Contractor Laptop
On-board elements: LRUs (HW, SW), 1553 Bus, Data Recorder
External links: NIPR/SIPR, IFF, Data Links, GPS, UHF/VHF, SATCOM, HF, ACARS, ADS-B
Legend: Classified / Unclassified
Risk Based Approach
RMF replacing DIACAP
Roots of DoD Policy
Unified Framework
(Before / After diagram)
DoD is aligning cybersecurity and risk management policies, procedures, and guidance with Joint Transformation NIST documents, the basis for a unified information security framework for the Federal government.
NIST Special Publication 800-37, Applying the Risk Management Framework to Federal Info Systems
NIST Special Publication 800-30, Guide for Conducting Risk Assessments
NIST Special Publication 800-39, Managing Info Security Risk: Organization, Mission, & Info System View
NIST Special Publication 800-53, Security and Privacy Controls for Federal Info Systems & Organizations
NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Info Systems & Orgs
NIST Special Publication 800-137, Info Security Continuous Monitoring (ISCM) for Federal Info Systems & Orgs
Cybersecurity Systems Engineering Approach (diagram; labels recovered from the figure)
Cybersecurity Functional Requirements enter the Systems Engineering Process and are carried through the technical reviews SRR, SFR, PDR, CDR, TRR and SVR. The SCA appears at each review with an Assessment and a "Concur?" gate: Cybersecurity Requirements, Cybersecurity Design Verification Test Plan Review, Cybersecurity Design Verification, Verify, and "Certify / Approval?". These feed the PIT Cybersecurity Risk Management Framework; an IATT supports test, and the flow ends with the AO Decision - ATO.
Components of Risk (diagram; labels recovered from the figure)
Threat (cause) sets the Likelihood: means & opportunity of the threat
Vulnerability (effect) sets the Impact: severity of the vulnerability & criticality of the system/subsystem
Likelihood and Impact are combined in Risk Analysis
Risk Assessment Example

Likelihood scale: 5 - Near Certainty, 4 - Probable, 3 - Occasional, 2 - Remote, 1 - Improbable
Impact scale: 5 - Catastrophic, 4 - Major, 3 - Moderate, 2 - Minor, 1 - Negligible

Risk Likelihood matrix (rows: Opportunity O-1..O-5; columns: Means M-1..M-5)
            M-1   M-2   M-3   M-4   M-5
  O-5       L-2   L-3   L-4   L-5   L-5
  O-4       L-2   L-3   L-4   L-5   L-5
  O-3       L-1   L-2   L-3   L-4   L-5
  O-2       L-1   L-2   L-3   L-4   L-4
  O-1       L-1   L-1   L-2   L-3   L-3

Impact matrix (rows: Vulnerability Severity S-1..S-5; columns: Mission Criticality C-1..C-5)
            C-1   C-2   C-3   C-4   C-5
  S-5       I-2   I-3   I-4   I-5   I-5
  S-4       I-2   I-3   I-3   I-4   I-5
  S-3       I-1   I-2   I-3   I-4   I-5
  S-2       I-1   I-1   I-2   I-3   I-4
  S-1       I-1   I-1   I-1   I-2   I-3

Overall Risk Factor Matrix (rows: Likelihood L-1..L-5; columns: Impact I-1..I-5; cells shaded High / Moderate / Low in the original; the worked example is marked X at L-1, I-3)
            I-1   I-2   I-3   I-4   I-5
  L-5
  L-4
  L-3
  L-2
  L-1               X

Inputs (diagram): Threat Assessments (INTEL) give the Likelihood of Loss; Vulnerability Assessments (TEST) and Criticality Analysis give the Consequence of Loss. The resulting risk is checked against the question "Within risk tolerance?".
Derived from: NIST 800-30 Risk Assessment; DOD Risk Management Guide

Worked example: Likelihood = L-1, Impact = I-3, Risk = Low
Example Risk Reporting Template
Header row: Component | Control / Requirement | Risk # | Control name | Initial risk level: High
Threat: Any circumstance or event with potential to intentionally or unintentionally exploit one or more vulnerabilities in a system, resulting in a loss of confidentiality, integrity, or availability. Examples of threat agents are malicious hackers, organized crime, insiders, terrorists, and nation states.
Vulnerability: Flaw or weakness in design or implementation of hardware, software, networks, or computer-based systems, including security procedures and controls associated with the systems. Be specific.
Risk: Combination of the likelihood that a particular vulnerability in an organization's systems will be either intentionally or unintentionally exploited by a particular threat agent and the magnitude of the potential harm (consequence) to the organization's operations, assets, or personnel that could result from the loss of confidentiality, integrity, or availability.
Likelihood: (Highly Likely) Explain the probability of occurrence due to mission parameters. Make sure this category designation matches the Matrix category designations.
Impact: (High) Explain the consequence to data, mission, operation, or life in quantifiable terms. Make sure the designation matches the consequence column headers on the Risk Matrix. Describe in terms of confidentiality, integrity & availability.
Mitigation/Countermeasures: List actions that are implemented and documented relevant to the risk.
Residual Risk: After mitigations/countermeasures have been applied, what is the risk level? Why should the AO accept the risk?
Current Residual Risk: Moderate
Additional countermeasures needed for Low residual risk: What is needed to meet the requirement or mitigate to a low risk?
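A scoring routine for the two matrices on the Risk Assessment Example slide and for the Residual Risk step of the reporting template, added here as an illustration rather than as AFLCMC's own tool. The 5x5 lookup values are transcribed from the slide; the High/Moderate/Low banding of the Overall Risk Factor Matrix and the `residual()` countermeasure model are assumptions, since the slide only shows the L-1 x I-3 = Low cell.

```python
# Added worked example (not AFLCMC's tool). Both 5x5 matrices are transcribed
# from the Risk Assessment Example slide. The High/Moderate/Low banding of the
# Overall Risk Factor Matrix is an ASSUMPTION: the slide only shows L-1 x I-3 = Low.

# Likelihood L-n from Opportunity (row O-5..O-1) and Means (columns M-1..M-5)
LIKELIHOOD = {5: [2, 3, 4, 5, 5], 4: [2, 3, 4, 5, 5], 3: [1, 2, 3, 4, 5],
              2: [1, 2, 3, 4, 4], 1: [1, 1, 2, 3, 3]}
# Impact I-n from Vulnerability Severity (row S-5..S-1) and Mission Criticality (columns C-1..C-5)
IMPACT = {5: [2, 3, 4, 5, 5], 4: [2, 3, 3, 4, 5], 3: [1, 2, 3, 4, 5],
          2: [1, 1, 2, 3, 4], 1: [1, 1, 1, 2, 3]}

def _level(name, value):
    """Every factor is a 1..5 ordinal; reject anything else loudly."""
    if value not in range(1, 6):
        raise ValueError(f"{name} must be 1..5, got {value!r}")
    return value

def likelihood(opportunity, means):
    return LIKELIHOOD[_level("opportunity", opportunity)][_level("means", means) - 1]

def impact(severity, criticality):
    return IMPACT[_level("severity", severity)][_level("criticality", criticality) - 1]

def risk_band(l, i):
    """ASSUMED banding on the L*I product, consistent with the slide's L-1 x I-3 = Low."""
    score = l * i
    return "High" if score >= 15 else "Moderate" if score >= 6 else "Low"

def assess(factors):
    """factors: dict with opportunity, means, severity, criticality (each 1..5).
    Returns (L, I, band), the three values the reporting template asks for."""
    l = likelihood(factors["opportunity"], factors["means"])
    i = impact(factors["severity"], factors["criticality"])
    return l, i, risk_band(l, i)

def residual(factors, countermeasures):
    """Re-score after countermeasures, as the template's Residual Risk field asks.
    Each countermeasure is a (factor, delta) pair naming the input it reduces
    (assumed model); no factor drops below 1, so a risk is never scored away."""
    adjusted = dict(factors)
    for factor, delta in countermeasures:
        adjusted[factor] = min(5, max(1, _level(factor, adjusted[factor]) + delta))
    return assess(adjusted)

if __name__ == "__main__":
    # Constructed sample inputs: the slide's worked case scores L-1 / I-3 -> Low
    print(assess({"opportunity": 1, "means": 2, "severity": 3, "criticality": 3}))
```

The residual step keeps the original factor dictionary untouched so that initial and residual scores can be reported side by side, as the template requires.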
Current Challenges
• Legacy assessment backlog
• Legacy systems were not designed to cyber requirements
• Policy geared toward networks
• Workforce Development LOA3
• Requirements and funding
– Program funds to implement fixes or upgrades
– No funds for site audits or training certifications
• Programs' access to timely Intel
• Classification Issues
– Program office IPT without access to threat, vulnerability information
– Tools such as eMASS create classification issues for risk assessments
• Test and Evaluation Resources
– Red/Blue team capability against weapons systems
• Lack of tools to conduct avionics cyber analysis
• Software/Hardware assurance & SCRM
– Tools, techniques and expertise for HW & SW Assurance
– Systems using COTS components built on foreign technologies and hardware
– Supply chain risk assessment releasability/classification
• 'Permanent' temporary T-1, 1067, UON/JUON mods to system
• Process for reporting of incidents
Challenges Applying Enterprise
Requirements to Embedded Systems
• Network tools and assessment techniques have limited relevance to
Weapons Systems architecture and interfaces
• Automatic updates and centralized account control not possible due to
connectivity, safety, configuration management and availability
• Weapons systems must decrease attack surface limiting access points
• Form factor, weight, power, and safety preclude many enterprise
implementations in weapons systems
• Embedded firmware, unique internal buses & controllers
• Real-time OS vs Enterprise Network / Desktop operating systems
• Different Operating Environments, CONOPs, Threats & Vulnerabilities
• Focus network related protections at Mission Planning and Maintenance
touch points versus applying requirements internal to real-time systems
• Virus definitions and STIGs irrelevant to Weapons system OS
• Implementation of controls and assessment methods are very different
• Security Classification of Weapons Systems Vulnerability & Threat
PIT was defined due to the unique aspects of real-time embedded systems
Defense in Depth
• Confidentiality – Assurance that information is not disclosed to unauthorized persons
• Integrity – Data, processes, material is what is expected
• Availability – Timely, reliable access to data and information services for authorized users
Avionics Cyber Core Competencies
• Mission Analysis
• Failure Mode Effects Criticality Analysis (FMECA)
• Cybersecurity Risk Management
• Data Flow - Attack Pattern/Threat Modeling
• Requirements Analysis
• Cyber T&E Assessments
• SwA/HwA & SCRM
• Systems Security Engineering
Overview of DoDAF 2.0 viewpoints
Risk Assessment with DODAF 2.0 (diagram; labels recovered from the figure, which walks the viewpoints in numbered steps along an Operational path, a Services path and a Systems path)
AV1, AV2, OV1: General information about the mission and context (not sufficient for automated analysis)
OV2: Operational resource flow; introduces performers and information exchanges; suitable for automated analysis; gives an operational overview of the entire enterprise; perfect for threat and risk analysis, but may not be sufficient for human interpretation without additional information, which may come either from informal sources or from more detailed views
OV3, OV5, CV6: Operational activities
OV6(a,b,c): Detailed operational activities
DIV1, DIV2: Conceptual and logical data
DIV3: Physical data
Services path: SvcV1, SvcV2, SvcV3b, SvcV5, CV7 (Service decomposition); SvcV4, SvcV6 (Service functions); Svc10(a,b,c) (Detailed service functions)
Systems path: SV1, SV2, SV3, SV5b (Systems decomposition); SV4, SV5a (System functions); SV10(a,b,c) (Detailed system functions)
SvcV3a: Service-System mapping
CV2, CV4: Capability views; useful for analysis in combination with OV views
What is "risk"? (ISO 15408)
There are many categories of risk (e.g., financial, systemic, project). We are focusing on operational risk (i.e., any undesired events that disrupt the operations of a system due to attacks, incidents, or failures).
Systematic Enumeration of Risks (diagram; labels recovered from the figure)
Identified Risks are built up by answering:
• To what? Assets and Targets
• Who cares? Owners and criteria (sensitivity)
• So what? Undesired events, Operational Impact (severity)
• How? Attack scenarios (Likelihood)
• By who? and Why? Threat Sources
• What to do about it? Controls, mitigation options
JFAC Capabilities
Detection Techniques (figure: each rated on a Maturity Level scale from Low to High):
• Static Source Code Analysis
• Dynamic Binary Analysis
• Static Binary Analysis
• Web Application Analysis
• Database Analysis
• Mobile Application Analysis
• Incident Response and Forensic Analysis
SME support during the product lifecycle (figure: each rated on a Maturity Level scale from Low to High):
• Secure Software Design
• Secure Coding Practice Audit/Review
• Criticality Analysis
• Milestone Review
• Deployment Assistance and Review
• Sustainment Support & Penetration Testing
Directorate Engineering Analysis Tech Hub and
System Training, Analysis & Research (Death Star)
• Death Star 143
– AutoCAD
– BlockSim
– Enterprise Architect
– Fortran
– IMPRINT
– JMP
– LCOM
– MultiSim
– RCM ++
– Weibull++
– AFGROW
– AMESim
• Death Star 145
– Ansys Mechanical
– DARWIN
– Fieldview
– NX
– Pointwise
– Solidworks
– STAR-CCM+
– Tecplot Focus
Allow USAF engineers to work collaboratively with contractors in problem solving and system enhancements. Tools enable data driven, fact based engineering to re-establish a center of technical excellence capable of independent, timely technical assessment in support of major USAF and DoD acquisition programs.
Death Star Cyber Lab
– Architectural Risk Assessment Tools
• IBM Rational System Architect
• Sparx Enterprise Architect
• MagicDraw 18.3 FR Personal
– JFAC Software Assessment Tools
• Fortify
• Coverity
• Sonatype
– Cybersecurity Forensics Assessment Tools
• Forensic Recovery of Evidence Device (FRED)
• AccessData’s Forensics Tool Kit (FTK)
Death Star Cyber Lab
– Cybersecurity Protection Tools
• McAfee's Integrity Control Whitelisting Tool
• AFRL's Port Protection Program for Weapon Systems (P3)
– Software Assessment Tools
• KDM Analytics Blade Tools Output Integration Framework (TOIF)
• Grammatech Software Assessment Tool (SWAT)
– Vulnerability Assessment Tools
• DISA's Assured Compliance Assessment Solution (ACAS)
• DISA's SCAP Assessment Tool Suite, Gold Disk, Retina
• Open Source Tools: NMap, ZENMap, Cain & Abel, Wireshark, Metasploit
– Architectural Risk Assessment Tools
• KDM Analytics Blade Risk Manager (BRM)
• Microsoft Tools
– Microsoft Security Assessment Tool 4.0 (MSAT)
– Microsoft Threat Modeling Tool
• DHS Cyber Security Evaluation Tool 7.0 (CSET)
• Edaptive Risk Analysis Integration into Architecture-based Systems Engineering for Trustworthiness Assessment (RAISE/T)
Summary
• Domain Expertise needed for Weapon System Cybersecurity
• Unique Aircraft System Attack Surface
• Cybersecurity Part of Systems Engineering
• Industry Partnership Essential to Address Challenges and Requirements
• Unique Avionics Cyber Core Competencies