
Page 1: Air Force Life Cycle Management Center - OMG. Raju Patel, Senior Leader AFLCMC/EN Aircraft Systems Authorizing Official Air Force Life Cycle Management Center aflcmc.en-ez.weapon.systems.ia.team@us.af.mil

AFLCMC… Providing the Warfighter’s Edge

Managing Cybersecurity Risk in Weapon Systems

OMG Cybersecurity Workshop - 21 March 2017

Dr. Raju Patel, Senior Leader
AFLCMC/EN
Aircraft Systems Authorizing Official
Air Force Life Cycle Management Center
aflcmc.en-ez.weapon.systems.ia.team@us.af.mil

DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited.
Case Number: 88ABW-2017-0927, 14 March 2017

Page 2:

Agenda

• Who we are

• What we do & why

• Our current challenges

• Overcoming challenges

• Summary

Page 3:

Air Force Mission

“The mission of the United States Air Force is to fly, fight and win – in air, space and cyberspace. We are America’s Airmen.”

Page 4:

Increasing Reliance on Software & Digital Infrastructure

Christian Hagen and Jeff Sorenson; DAU Defense AT&L: March-April 2013

Page 5:

Failing to understand ALL threats…

Effective threat mitigation can only be achieved through identifying, analyzing, classifying and understanding the threat and related risk: Cause & Effect

Page 6:

Possible Cyber Effects on Aircraft Systems

• Communication Systems
  – Connect with “rogue” frequency/channel/link without user knowledge
  – Broadcast out voice/data over non-secure or secure frequency/channel/link without user knowledge
  – Force “hot mic” on
  – Inject false messages into system/link
  – Inject cyber payload through datalink targeting particular system
• Navigation Systems
  – Disable, falsify or degrade GPS accuracy/reading
  – Corrupt aircraft orientation indicators to mislead pilot (indicate straight/level on 180 heading, but making slight left turn)

Page 7:

Possible Cyber Effects on Aircraft Systems (continued)

• Radar/Electronic Warfare (EW) Systems
  – Add/remove/change location of friends/foes
  – Re-label friend to foe or foe to friend
  – Overload with “noise” data to make unusable or of degraded use
  – Corrupt onboard mission data files to interfere with functions
• Identify Friend or Foe (IFF) Systems
  – Add/remove/change location of friends/foes
  – Re-label friend to foe or foe to friend
  – Corrupt IFF indicators to mislead pilot (IFF says system is off, when actually transmitting)
  – ADS-B (Next Generation ATC signal) turned on (instead of off for mission)

Page 8:

Possible Cyber Effects on Aircraft Systems (continued)

• Flight Control Systems
  – Inject flight control inputs to roll/pitch/yaw (malware takes over flight controls)
  – Deny or limit responsiveness to user flight control inputs to roll/pitch/yaw (malware prevents/reduces responsiveness to user input to flight controls)
• Collision Avoidance System (CAS)/Separation Assurance System (SAS)
  – Add/remove/change location of aircraft
  – Add/remove/change location of ground obstacles
  – Overload with “noise” data to make unusable
  – Corrupt CAS/SAS indicators to mislead pilot (indicator says systems on, when actually off)

Page 9:

Possible Cyber Effects on Aircraft Systems (continued)

• Life Support Systems
  – Limit/cease oxygen flow/temp/pressure control to pilot
  – Increase oxygen flow/temp/pressure control to pilot
  – Adjust gas mixture to pilot
  – Corrupt life support gauges to mislead pilot/maintainers
• Health and Usage Monitoring Systems
  – Indicate repairs required when none are necessary
  – Indicate lower/fewer, higher/more, or different repairs are required than necessary
  – Indicate aircraft OK when repairs are necessary

Page 10:

The Problem Illustrated

• $26 Software is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected
  – Intercepting Live Video Feeds on Unprotected Communications Links - SkyGrabber
• Computer Virus Hits US Drone Fleet
  – Virus Infected Predator and Reaper Drones, Keystroke Loggers over Covert Missions, Hits both Classified and Unclassified Systems, GPS Spoofing Exploits
• FAA’s Air-Traffic Networks Breached by Hackers
  – Air-Traffic Control Systems Compromised, Passwords Stolen, Malware Installed, False Messages to Pilots, Fake Distress Calls, etc.
• Challenges and Efforts to Secure Control Systems
  – ICS Hacked (Power, Water, Communications, Transportation, Sanitization)

Page 11:

Attacking Automatic Dependent Surveillance (ADS)-B/ADS-A

● Can create phantom aircraft
● No security in protocol
● Could create fake weather reports
● Could be jammed
● Not likely to affect TCAS (Traffic Collision and Avoidance System)

- ADS-B (broadcast)
● Intended to improve flying where RADAR coverage is limited
● Provides traffic and weather where available
● Used by small planes to broadcast position information

- ADS-A (addressable)
● What the airlines use (contrary to what you may have heard)
● Related to ACARS
● ADS-B == cable-ready TV
● ADS-A == addressable cable box with pay-per-view, etc.
  – Allows specific airplanes to send/receive messages
  – Allows lower separation outside of RADAR coverage (FANS)
  – Airliners use neither ADS-B nor ADS-A for collision avoidance
  – Can be VHF, HF, or Satellite based

Page 12:

Attacking ACARS

Aircraft Communications Addressing and Reporting System (ACARS)

● Can be used to send messages to/from ground
● Messages to/from people or systems
● Used for
  – Weather
  – Delays
  – Updated flight plans
  – Maintenance information
● Could create a bogus flight plan update
● Could create bogus weather
● Hypothetically could create fake messages from plane to ground
● Not a practical way to take over an airplane

Page 13:

Military Aircraft/Avionics Cyber Threat

The Problem Illustrated

2012 report by the Senate Armed Services Committee: “We do not want a $12 million missile defense interceptor’s reliability compromised by a $2 counterfeit part,” Gen Patrick O’Reilly, Dir. Missile Defense Agency

March 2014, C-130J operated by the Indian Air Force crashed, killing its five-person crew -- counterfeit parts are suspected

Hong Dark Electronic Trade of Shenzhen, China, supplied ~ 84,000 suspect counterfeit electronic parts to USAF: C-5 AMP, C-12, and Global Hawk TCAS, and P-3, Special Operations Force A/MH-6M assemblies.

Counterfeit chips in over 500 display units on U.S. Air Force C-130J and C-27J, “creating grave risks for military personnel.” DoD was not alerted for over a year after problem was discovered. Failure could cause the display unit to go blank, lose data, or show a degraded image. Traced the counterfeit chips to Shenzhen, China

Page 14:

Attacks on Fielded Systems

Denial of Service (embedded malware)
Kill Switch Activation (embedded malware)
Critical Function Alteration (embedded malware)
Exfiltration (by adversary)
Network Threat Activity (host discovery)
Compromised Server Attacks (on clients)
Malicious Activity (disruption, destruction)
Auditing Circumvention (evading detection)
Web Based Threats (disclosing sensitive info)
Zero Day Vectors (vulnerabilities without fixes)
Improper File/Folder Access (misconfiguration)
Wireless Interface (bad data, unauthorized access)
Configuration, Operational Practices
Supply Chain (penetration, corruption)
Malware (downloaded, embedded)
External Mission Load Compromise
DNS Based Threats (cache poisoning)
Software (built-in or update malware)
E-mail Based Threats (attachments)
Data Leakage (via social media)
Password Misuse (sharing)

The list goes on… C2, Networks and infrastructure

Page 15:

Aircraft System Cybersecurity

... so I connected the unclassified black & classified red wires for ONE com & data channel...

Page 16:

Domain Expertise

Threat Actors

• Cybercriminals: stealing or corrupting data for financial gain
• Script kiddies: curious & fame seeking
• Computer Spy: hired to steal information
• Insiders: disgruntled over job termination
• Cyberterrorists: defacing web sites to spread propaganda or critical infrastructure outages and corrupt vital data
• Nation State: cyber warfare

Targets of Attack

• Banks & commercial enterprises
• Easy targets and unprotected systems
• Corporate competitors and affiliates
• Former employers
• Critical infrastructures and high profile web sites
• DoD Weapon Systems

Page 17:

Defense in Depth

• Confidentiality – Assurance that information is not disclosed to unauthorized persons
• Integrity – Data, processes, material are what is expected
• Availability – Timely, reliable access to data and information services for authorized users

Page 18:

Threat, Risk and Vulnerability Analysis (TRV)

It Starts by Understanding …

• How can the system be attacked?
• What is the impact of successful attacks?
• What are the Vulnerabilities that are exploited by successful attacks?

Risk

Goal: Risk Assessment Methodology within the Risk Management Framework (RMF) that is systematic, objective and allows automation and that can answer a tough question: How do we know that all threats have been addressed?

Page 19:

Vulnerabilities are Everywhere

Page 20:

Example: Undiscovered Vulnerabilities

• A cyberattack against Polish flagship carrier LOT grounded more than 1,400 passengers at Warsaw’s Frederic Chopin Airport (June 2015)
  – The airline said in a statement on its website that the “IT attack” meant it was unable to create flight plans and flights were not able to depart from Warsaw
• The International Civil Aviation Organization last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them
  – Researchers have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controllers

Page 21:

Risk Management Framework (RMF)

[Figure: RMF cycle diagram. Diagram labels follow.]

RMF: Categorize, Select, Implement, Assess, Authorize, Monitor

Initiate, Design, Implement, O&M, Dispose

• How important is the Mission/system/information
• What Cyber requirements apply? Requirements analysis
• Design in Cyber requirements via Systems Engineering and Test & Evaluation
• How effective are the cyber requirements. What are the risks?
• Acceptable risks and/or plans to reduce risks to acceptable levels. Issue authorization?
• Monitoring risk, managing change, reporting progress

Page 22:

Weapon System Security Requirements

[Figure: weapon system security requirements diagram. Diagram labels follow.]

Systems: Platform IT Sys Cybersecurity; Mx Sys Cybersecurity; Tng Sys Cybersecurity; Depot Sys Cybersecurity; Msn Pln Sys Cybersecurity

Confidentiality, Integrity, Availability

Operational Requirements; Design Requirements

Page 23:

Authorization Boundary Example

[Figure: authorization boundary diagram. External interfaces are numbered E-1 through E-30 and each is marked Unclassified or Classified (legend: E-# = External Interface). Diagram groupings: Software Updates and Mission Planning; Communication; Navigation; Safety and Surveillance. Labelled data flows, listed as data / external source or medium / aircraft unit:]

• Mission Planning / ACARS message / FMC/Multifunction Control Display Unit via ACARS CMU
• Mission Planning / Floppy Disk / FMC via Airborne Data Loader (ADL)
• Cryptographic Key Data / SKL / IFF Transponder (LRU) via IFF Fill Panel
• Navigation Database / Avionics Software Update Data / Floppy Disk / Flight Management Computer (FMC) via Airborne Data Loader (ADL)
• VHF Voice/ACARS Message Data / Ground Station/ATC/Aircraft / VHF R/T (LRU) / ACARS Communications Management Unit (CMU)
• Satellite Voice/ACARS Message Data / INMARSAT SATCOM Network / Satellite R/T (SAT-906) / ACARS CMU
• Non-Secure Voice Data / Ground Station/Aircraft / E-12/13: HF voice R/T (LRU); E-14/15: UHF voice R/T (LRU)
• Terrain Database / Flight History Data / PCMCIA card / EGPWS Computer
• Aircraft Identification Data (IFF), Military Mode and Civil Mode / Aircraft/ATC/GS / IFF transponder (LRU)
• Air Traffic Advisory Data / Aircraft/ATC / ATC/TCAS Computer
• Radar Reflectivity Return Data / Atmospheric Conditions / Weather Radar (LRU)
• Tactical Air Navigation Data / Aircraft/Ground Stations / TACAN R/T (LRU)
• Position Data / Civil/Military GPS Satellite/Ground Stations/Landing Systems / GPS/ILS Multiple Mode Receiver
• Position Data / Ground Terrain / Radio Altimeter System (LRU)
• Navigation Guidance Data / NDB Ground Stations/Navigational Systems / E-1: ADF receiver (LRU); E-2: DME receiver (LRU)
• Aircraft Flight Parameter Data / PCMCIA card / Digital Flight Data Acquisition Unit

Page 24:

Analyze External Communications Impacts on Internal Subsystems

Avionics subsystem is comprised of Communication, Navigation, Surveillance, and Display subsystems

Page 25:

Communications Subsystem Impact Analysis

Communications subsystems provide two-way secure/non-secure voice and data communications between the crew and other aircraft and ground stations

• SATCOM
• UHF Comms
• VHF Comms
• HF Comms
• Interphone
• Comm Mgt Unit

Page 26:

System Access Points and Connections

[Figure: diagram of system access points and connections around the Mission Computer. Diagram labels: Mission Computer; PC Board Components; Firmware; Joint Test Action Group (JTAG); MIL-STD-1553; ARINC 429; Avionics Full-Duplex Switched Ethernet (AFDX) Switch; Display Computer/Bus Controller; Multi-Function Display (MFD) Left; Multi-Function Display (MFD) Right; Data Transfer Unit (DTU); Comm/Nav Computer; Control Panel; Link 16; Common Data Link (CDL); ADS-B; Live Mission Data; OFPs, Mission Data, Maps; Flash Cartridge; Ground Station; Windows-based Loader/Verifier; Mission Computer OFP; Pilot Trainer; Avionics Repair Facility; PC; Test Equipment; Test Signals; Avionics Development and Integration Facility; Loader Development System; Loader Company Web server; Loader Software; Company Network; Vendor Web Server; Internet; VPN Over the Internet; Secret Internet Protocol Router Network (SIPR); CD Duplicator; Duplicator Firmware, Loader Firmware, CD Images; Mailed CD; Operating System Updates, Loader Updates, OFP; Software Libraries; Software Development Tools; Open Source Map Software; Mapping Data Provider; Mapping System; Maps and Geo data; Mission Planning, Post Analysis; Mission Plan; Mission Results; Patents and Technical Papers; Developer’s Posts/Profile.]

Page 27:

Weapon System Software Update Process

Page 28:

Risk Assessment Template

Fields: Component; System; Subsystem; Control / Requirement; Risk #; Risk name; Initial risk level (High)

Threat: Any circumstance or event with potential to intentionally or unintentionally exploit one or more vulnerabilities in a system, resulting in a loss of confidentiality, integrity, or availability. Examples of threat agents are malicious hackers, organized crime, insiders, terrorists, and nation states.

Vulnerability: Flaw or weakness in design or implementation of hardware, software, networks, or computer-based systems, including security procedures and controls associated with the systems. Be specific.

Risk: Combination of the likelihood that a particular vulnerability in an organization’s systems will be either intentionally or unintentionally exploited by a particular threat agent and the magnitude of the potential harm (consequence) to the organization’s operations, assets, or personnel that could result from the loss of confidentiality, integrity, or availability.

Likelihood: (Highly Likely) Explain the probability of occurrence due to mission parameters. Make sure this category designation matches the Matrix category designations.

Impact: (High) Explain the consequence to data, mission, operation, or life in quantifiable terms. Make sure designation matches consequence column headers on Risk Matrix. Describe in terms of confidentiality, integrity & availability.

Mitigating/Compensating Controls

Mitigation/Countermeasures: List actions that are implemented and documented relevant to the risk.

Residual Risk

Residual Risk: A

After mitigation/countermeasures have been applied, what is the risk level? Why should the AO accept the risk? Justification to allocate resources to fix vulnerability.

Current Residual Risk: Moderate

POA&M Summary

Additional countermeasures needed for Low residual risk: What is needed to meet the requirement or mitigate to a low risk. This is a summary of the POA&M.

Page 29:

[Figure: chart of security activities across the acquisition life cycle. Diagram labels follow.]

Phases: Materiel Solution Analysis (MSA); Technology Maturation & Risk Reduction (TMRR); Engineering & Manufacturing Development (EMD); Production & Deployment (P&D); Operations & Support (O&S)

Milestones and reviews: MDD; A; B; C; FRP/FDD; ASR, SRR, SFR, PDR, CDR, TRR, SVR, OTRR; DT&E; IOT&E; Modification(s)

Program: AOA; PPP/Cybersecurity Strategy, TEMP, SEP, LCSP, CMP; Update PPP

Cybersecurity: Categorize, Select, Implement, Assess, Authorize, Monitor; SP; SAP; SAR; POA&M; IATT; ATO

Test & Evaluation: Understand Cybersecurity Requirements; Characterize Cyber Attack Surface; Cooperative Vulnerability Identification; Adversarial Cybersecurity DT&E; Cooperative Vulnerability and Penetration Assessment; Adversarial Assessment

Anti-Tamper: AT Concept; AT Plan Initial; AT Plan CDR; AT V&V Report

Program Protection: ID stakeholders; Initial CPI, CC; Assess CPI, CC; Update CPI, CC; Initial PPP; Update PPP; STAR; Intel Reports. Conduct: Threat Analysis, Vulnerability Analysis, Risk Analysis, and Select Countermeasures. Monitor CM, Effectiveness and Report Compromises.

TSN: Assess CPI, CC; Update CPI, CC; SCRM Plan. Conduct: Threat Analysis, Vulnerability Analysis, Risk Analysis, and Select Countermeasures. Monitor CM, Effectiveness and Report Compromises.

Page 30:

Systems Engineering Approach

Assess Cybersecurity at each systems engineering technical review

[Figure: Systems Engineering Process diagram. Diagram labels: Cyber Requirements; Functional Requirements; SRR, SFR, PDR, CDR, TRR, SVR; IATT; Requirements Coverage; Functional Allocation; Risk Assessment (shown three times); T&E Plans Sufficient; Design Verification Review; Categorize, Select, Implement, Assess, Authorize, Monitor; Design Verification; Test Planning; Red/Blue.]

Page 31:

Challenges Applying Enterprise Requirements to Embedded Systems

• Network tools and assessment techniques have limited relevance to Weapons Systems architecture and interfaces
• Automatic updates and centralized account control not possible due to connectivity, safety, configuration management and availability
• Weapons systems must decrease attack surface limiting access points
• Form factor, weight, power, and safety preclude many enterprise implementations in weapons systems
• Embedded firmware, unique internal busses & controllers
• Real-time OS vs Enterprise Network / Desktop operating systems
• Different Operating Environments, CONOPs, Threats & Vulnerabilities
• Focus network related protections at Mission Planning and Maintenance touch points versus applying requirements internal to real-time systems
• Virus definitions and STIGs irrelevant to weapon system OS
• Implementation of controls and assessment methods are very different
• Security Classification of Weapons Systems Vulnerability & Threat

Platform Information Technology (PIT) was defined due to the unique aspects of real-time embedded systems

Page 32:

Challenges

• Workforce Development
  – Inadequate workforce
  – People not trained
• Ownership – Cybersecurity is Everybody’s Business
• SSE Systems Engineering
  – Incorporate throughout lifecycle
  – Validate @ each SETR (SRR, PDR, CDR)
• Requirements & funding
  – Lacking funds to implement fixes or upgrades
  – No funds for site audits or training certifications
• Programs access to timely Intel
• Legacy assessment backlog
• Legacy systems were not designed to cyber requirements
• Test and Evaluation Resources
  – Red/Blue team capability against weapons systems
• Lack of tools to conduct avionics cyber analysis
• Software/Hardware assurance & Supply Chain Risk Management
  – Tools, techniques and expertise for HW & SW Assurance
  – Systems using COTS components built on foreign technologies and hardware
  – Supply chain risk assessment releasability/classification.
• Process for reporting incidents
• Policy geared toward networks
• Classification Issues

Page 33:

Overcoming the Challenge

Comprehensive, Systematic and Automated Risk Analysis

Page 34:

“Ingredients” of risk (ISO 15408)

Page 35:

Risk Assessment Methodology

[Figure: diagram relating Assurance Case, System Facts, Assurance Process and Risk Metamodel. Diagram annotations follow.]

• Assurance Case is structured according to the Risk Metamodel
• Assurance Case provides guidance on how to collect evidence
• Risk Metamodel describes evidence
• Assurance Process delivers evidence
• System Facts are evidence to the Assurance Case
• e.g. operational facts from DoDAF/UAF
• Supported by inference rules, Uses generic taxonomies

Enabled by OMG standards:

• Integrating System Assurance into Risk Assessment Methodology
• Utilizing Assurance Case to deliver Risk Assessment
• Automating end-to-end process

Page 36:

Methodology Describes the Sequence of Steps

2017-03-15

[Figure: sequence-of-steps diagram leading to Identified Risks. Diagram labels follow.]

Questions: Who cares ?; To what ?; By who ? and Why ?; How ?; So what ?; What to do about it ?

Elements: Owners and criteria sensitivity; Assets and Targets; Threat Sources; Attack scenarios; Likelihood; Undesired events, Operational Impact severity; Controls, mitigation options; Identified Risks

We need a methodology that gives us high level of confidence in the Risk Assessment result

Page 37:

Tools Currently Used

[Figure: Blade Risk Manager workflow with steps numbered 1 to 7 (and 1a). Diagram labels: DoDAF/UAF Enterprise Architecture; DoDAF Analytics score & feedback; Automatically extracted facts; Manual Input option if no structured data available; Manual Adjustments or Manual Input; GUI; Risk Manager Engine; Risk Knowledge Base; Risk Analyst “in a box”; Risk Assessment Report.]

Page 38:

Summary

• Unique Aircraft System Attack Surfaces
• Domain Expertise needed for Weapon System Cybersecurity
• Cybersecurity Part of Systems Engineering
• Industry Partnership Essential to Address Challenges and Requirements
• Cybersecurity is Everybody’s Business

Page 39:

Questions?