Air Force Life Cycle Management Center - OMG. Raju Patel, Senior Leader AFLCMC/EN Aircraft Systems...
AFLCMC… Providing the Warfighter’s Edge
Managing Cybersecurity Risk in Weapon Systems
OMG Cybersecurity Workshop - 21 March 2017
Dr. Raju Patel, Senior Leader, AFLCMC/EN
Aircraft Systems Authorizing Official
Air Force Life Cycle Management Center
DISTRIBUTION STATEMENT A. Approved for public release: distribution unlimited.
Case Number: 88ABW-2017-0927, 14 March 2017
Agenda
• Who we are
• What we do & why
• Our current challenges
• Overcoming challenges
• Summary
Air Force Mission
“The mission of the United States Air Force is to fly, fight and win – in air, space and cyberspace. We are America’s Airmen.”
Increasing Reliance on Software & Digital Infrastructure
Christian Hagen and Jeff Sorenson; DAU Defense AT&L: March-April 2013
Failing to understand ALL threats…
Effective threat mitigation can only be achieved through identifying, analyzing, classifying and understanding the threat and related risk: Cause & Effect
Possible Cyber Effects on Aircraft Systems
• Communication Systems
– Connect with “rogue” frequency/channel/link without user knowledge
– Broadcast out voice/data over non-secure or secure frequency/channel/link without user knowledge
– Force “hot mic” on
– Inject false messages into system/link
– Inject cyber payload through datalink targeting particular system
• Navigation Systems
– Disable, falsify or degrade GPS accuracy/reading
– Corrupt aircraft orientation indicators to mislead pilot (indicate straight/level on 180 heading, but making slight left turn)
Possible Cyber Effects on Aircraft Systems (continued)
• Radar/Electronic Warfare (EW) Systems
– Add/remove/change location of friends/foes
– Re-label friend to foe or foe to friend
– Overload with “noise” data to make unusable or of degraded use
– Corrupt onboard mission data files to interfere with functions
• Identify Friend or Foe (IFF) Systems
– Add/remove/change location of friends/foes
– Re-label friend to foe or foe to friend
– Corrupt IFF indicators to mislead pilot (IFF says system is off, when actually transmitting)
– ADS-B (Next Generation ATC signal) turned on (instead of off for mission)
Possible Cyber Effects on Aircraft Systems (continued)
• Flight Control Systems
– Inject flight control inputs to roll/pitch/yaw (malware takes over flight controls)
– Deny or limit responsiveness to user flight control inputs to roll/pitch/yaw (malware prevents/reduces responsiveness to user input to flight controls)
• Collision Avoidance System (CAS)/Separation Assurance System (SAS)
– Add/remove/change location of aircraft
– Add/remove/change location of ground obstacles
– Overload with “noise” data to make unusable
– Corrupt CAS/SAS indicators to mislead pilot (indicator says systems on, when actually off)
Possible Cyber Effects on Aircraft Systems (continued)
• Life Support Systems
– Limit/cease oxygen flow/temp/pressure control to pilot
– Increase oxygen flow/temp/pressure control to pilot
– Adjust gas mixture to pilot
– Corrupt life support gauges to mislead pilot/maintainers
• Health and Usage Monitoring Systems
– Indicate repairs required when none are necessary
– Indicate lower/fewer, higher/more, or different repairs are required than necessary
– Indicate aircraft OK when repairs are necessary
The Problem Illustrated
• $26 Software is Used to Breach Key Weapons in Iraq; Iranian Backing Suspected
– Intercepting Live Video Feeds on Unprotected Communications Links - SkyGrabber
• Computer Virus Hits US Drone Fleet
– Virus Infected Predator and Reaper Drones, Keystroke Loggers over Covert Missions, Hits both Classified and Unclassified Systems, GPS Spoofing Exploits
• FAA’s Air-Traffic Networks Breached by Hackers
– Air-Traffic Control Systems Compromised, Passwords Stolen, Malware Installed, False Messages to Pilots, Fake Distress Calls, etc.
• Challenges and Efforts to Secure Control Systems
– ICS Hacked (Power, Water, Communications, Transportation, Sanitization)
Attacking Automatic Dependent Surveillance (ADS)-B/ADS-A
● Can create phantom aircraft
● No security in protocol
● Could create fake weather reports
● Could be jammed
● Not likely to affect TCAS (Traffic Collision and Avoidance System)
- ADS-B (broadcast)
● Intended to improve flying where RADAR coverage is limited
● Provides traffic and weather where available
● Used by small planes to broadcast position information
- ADS-A (addressable)
● What the airlines use (contrary to what you may have heard)
● Related to ACARS
● ADS-B == cable-ready TV
● ADS-A == addressable cable box with pay-per-view, etc.
– Allows specific airplanes to send/receive messages
– Allows lower separation outside of RADAR coverage (FANS)
– Airliners use neither ADS-B nor ADS-A for collision avoidance
– Can be VHF, HF, or Satellite based
Attacking ACARS
Aircraft Communications Addressing and Reporting System (ACARS)
● Can be used to send messages to/from ground
● Messages to/from people or systems
● Used for
– Weather
– Delays
– Updated flight plans
– Maintenance information
● Could create a bogus flight plan update
● Could create bogus weather
● Hypothetically could create fake messages from plane to ground
● Not a practical way to take over an airplane
Military Aircraft/Avionics Cyber Threat
The Problem Illustrated
• 2012 report by the Senate Armed Services Committee: “We do not want a $12 million missile defense interceptor’s reliability compromised by a $2 counterfeit part,” Gen Patrick O’Reilly, Dir. Missile Defense Agency
• March 2014, C-130J operated by the Indian Air Force crashed, killing its five-person crew -- counterfeit parts are suspected
• Hong Dark Electronic Trade of Shenzhen, China, supplied ~ 84,000 suspect counterfeit electronic parts to USAF: C-5 AMP, C-12, and Global Hawk TCAS, and P-3, Special Operations Force A/MH-6M assemblies.
• Counterfeit chips in over 500 display units on U.S. Air Force C-130J and C-27J, “creating grave risks for military personnel.” DoD was not alerted for over a year after problem was discovered. Failure could cause the display unit to go blank, lose data, or show a degraded image. Traced the counterfeit chips to Shenzhen, China.
Attacks on Fielded Systems
Denial of Service (embedded malware)
Kill Switch Activation (embedded malware)
Critical Function Alteration (embedded malware)
Exfiltration (by adversary)
Network Threat Activity (host discovery)
Compromised Server Attacks (on clients)
Malicious Activity (disruption, destruction)
Auditing Circumvention (evading detection)
Web Based Threats (disclosing sensitive info)
Zero Day Vectors (vulnerabilities without fixes)
Improper File/Folder Access (misconfiguration)
Wireless Interface (bad data, unauthorized access)
Configuration, Operational Practices
Supply Chain (penetration, corruption)
Malware (downloaded, embedded)
External Mission Load Compromise
DNS Based Threats (cache poisoning)
Software (built-in or update malware)
E-mail Based Threats (attachments)
Data Leakage (via social media)
Password Misuse (sharing)
C2, Networks and infrastructure
The list goes on…
Aircraft System Cybersecurity
... so I connected the unclassified black & classified red wires for ONE com & data channel...
Domain Expertise
Threat Actors
• Cybercriminals: stealing or corrupting data for financial gain
• Script kiddies: curious & fame seeking
• Computer Spy: hired to steal information
• Insiders: disgruntled over job termination
• Cyberterrorists: defacing web sites to spread propaganda or critical infrastructure outages and corrupt vital data
• Nation State: cyber warfare
Targets of Attack
• Banks & commercial enterprises
• Easy targets and unprotected systems
• Corporate competitors and affiliates
• Former employers
• Critical infrastructures and high profile web sites
• DoD Weapon Systems
Defense in Depth
• Confidentiality – Assurance that information is not disclosed to unauthorized persons
• Integrity – Data, processes, material is what is expected
• Availability – Timely, reliable access to data and information services for authorized users
Threat, Risk and Vulnerability Analysis (TRV)
It Starts by Understanding …
• How can the system be attacked?
• What is the impact of successful attacks?
• What are the vulnerabilities that are exploited by successful attacks?
Risk
Goal: Risk Assessment Methodology within the Risk Management Framework (RMF) that is systematic, objective and allows automation and that can answer a tough question: How do we know that all threats have been addressed?
Vulnerabilities are Everywhere
Example: Undiscovered Vulnerabilities
• A cyberattack against Polish flagship carrier LOT grounded more than 1,400 passengers at Warsaw’s Frederic Chopin Airport (June 2015)
– The airline said in a statement on its website that the “IT attack” meant it was unable to create flight plans and flights were not able to depart from Warsaw
• The International Civil Aviation Organization last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them
– Researchers have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controllers
Risk Management Framework (RMF)
RMF steps:
• Categorize: How important is the Mission/system/information
• Select: What Cyber requirements apply? Requirements analysis
• Implement: Design in Cyber requirements via Systems Engineering and Test & Evaluation
• Assess: How effective are the cyber requirements. What are the risks?
• Authorize: Acceptable risks and/or plans to reduce risks to acceptable levels. Issue authorization?
• Monitor: Monitoring risk, managing change, reporting progress
Life cycle phases: Initiate, Design, Implement, O&M, Dispose
Weapon System Security Requirements
[Figure: weapon system security requirements. Labels recoverable from the diagram:]
• Systems: Platform IT Sys Cybersecurity; Mx Sys Cybersecurity; Tng Sys Cybersecurity; Depot Sys Cybersecurity; Msn Pln Sys Cybersecurity
• Confidentiality, Integrity, Availability
• Operational Requirements; Design Requirements
Authorization Boundary Example
[Figure: aircraft authorization boundary with external interfaces labelled E-1 through E-30, grouped under Software Updates and Mission Planning, Navigation, Communication, and Safety and Surveillance. Legend: Unclassified; Classified; E-# External Interface.]
Entries recoverable from the figure (data; external source or medium; aircraft unit):
• Mission Planning; ACARS message; FMC/Multifunction Control Display Unit via ACARS CMU
• Mission Planning; Floppy Disk; FMC via Airborne Data Loader (ADL)
• Cryptographic Key Data; SKL; IFF Transponder (LRU) via IFF Fill Panel
• Navigation Database / Avionics Software Update Data; Floppy Disk; Flight Management Computer (FMC) via Airborne Data Loader (ADL)
• VHF Voice/ACARS Message Data; Ground Station/ATC/Aircraft; VHF R/T (LRU) / ACARS Communications Management Unit (CMU)
• Satellite Voice/ACARS Message Data; INMARSAT SATCOM Network; Satellite R/T (SAT-906) / ACARS CMU
• Non-Secure Voice Data; Ground Station/Aircraft; E-12/13: HF voice R/T (LRU), E-14/15: UHF voice R/T (LRU)
• Terrain Database / Flight History Data; PCMCIA card; EGPWS Computer
• Aircraft Identification Data (IFF), Military Mode / Civil Mode; Aircraft/ATC/GS; IFF transponder (LRU)
• Air Traffic Advisory Data; Aircraft/ATC; ATC/TCAS Computer
• Radar Reflectivity Return Data; Atmospheric Conditions; Weather Radar (LRU)
• Tactical Air Navigation Data; Aircraft/Ground Stations; TACAN R/T (LRU)
• Position Data; Civil/Military GPS Satellite/Ground Stations/Landing Systems; GPS/ILS Multiple Mode Receiver
• Position Data; Ground Terrain; Radio Altimeter System (LRU)
• Navigation Guidance Data; NDB Ground Stations/Navigational Systems; E-1: ADF receiver (LRU), E-2: DME receiver (LRU)
• Aircraft Flight Parameter Data; PCMCIA card; Digital Flight Data Acquisition Unit
Analyze External Communications Impacts on Internal Subsystems
Avionics subsystem is comprised of Communication, Navigation, Surveillance, and Display subsystems
Communications Subsystem Impact Analysis
Communications subsystems provide two-way secure/non-secure voice and data communications between the crew and other aircraft and ground stations
• SATCOM
• UHF Comms
• VHF Comms
• HF Comms
• Interphone
• Comm Mgt Unit
System Access Points and Connections
[Figure: diagram of system access points and connections. Labels recoverable from the diagram:]
• Avionics units: Mission Computer; PC Board Components; Display Computer/Bus Controller; Multi-Function Display (MFD) Left; Multi-Function Display (MFD) Right; Comm/Nav Computer; Control Panel; Data Transfer Unit (DTU)
• Buses and test interfaces: MIL-STD-1553; ARINC 429; Avionics Full-Duplex Switched Ethernet (AFDX) Switch; Joint Test Action Group (JTAG); Test Equipment; Test Signals; PC
• Data links: Link 16; Common Data Link (CDL); ADS-B; Live Mission Data
• Facilities and ground systems: Ground Station; Pilot Trainer; Avionics Repair Facility; Avionics Development and Integration Facility; Loader Development System; Windows-based Loader/Verifier; Mapping System; Mission Planning, Post Analysis
• Networks and external sources: Internet; VPN Over the Internet; Company Network; Secret Internet Protocol Router Network (SIPR); Vendor Web Server; Loader Company Web server; Mapping Data Provider; Patents and Technical Papers; Developer’s Posts/Profile; Open Source Map Software; Software Libraries; Software Development Tools
• Media and payloads: CD; Mailed CD; CD Duplicator; CD Images; Flash Cartridge; Firmware; Loader Firmware; Loader Software; Operating System Updates; Loader Updates; Mission Computer OFP; OFPs, Mission Data, Maps; Maps and Geo data; Mission Plan; Mission Results
Weapon System Software Update Process
Risk Assessment Template
Header fields: Component; System; Subsystem; Control / Requirement; Risk #; Risk name; Initial risk level (High)
Threat: Any circumstance or event with potential to intentionally or unintentionally exploit one or more vulnerabilities in a system, resulting in a loss of confidentiality, integrity, or availability. Examples of threat agents are malicious hackers, organized crime, insiders, terrorists, and nation states.
Vulnerability: Flaw or weakness in design or implementation of hardware, software, networks, or computer-based systems, including security procedures and controls associated with the systems. Be specific.
Risk: Combination of the likelihood that a particular vulnerability in an organization’s systems will be either intentionally or unintentionally exploited by a particular threat agent and the magnitude of the potential harm (consequence) to the organization’s operations, assets, or personnel that could result from the loss of confidentiality, integrity, or availability.
Likelihood: (Highly Likely) Explain the probability of occurrence due to mission parameters. Make sure this category designation matches the Matrix category designations.
Impact: (High) Explain the consequence to data, mission, operation, or life in quantifiable terms. Make sure designation matches consequence column headers on Risk Matrix. Describe in terms of confidentiality, integrity & availability.
Mitigation/Countermeasures: List actions that are implemented and documented relevant to the risk.
Residual Risk: After mitigation/countermeasures have been applied, what is the risk level? Why should the AO accept the risk? Justification to allocate resources to fix vulnerability.
Current Residual Risk: Moderate
Additional countermeasures needed for Low residual risk: What is needed to meet the requirement or mitigate to a low risk. This is a summary of the POA&M.
Template sections: Mitigating/Compensating Controls; Residual Risk; POA&M Summary
[Figure: cybersecurity activities mapped across the acquisition life cycle. Labels recoverable from the chart:]
• Acquisition phases: Materiel Solution Analysis (MSA); Technology Maturation & Risk Reduction (TMRR); Engineering & Manufacturing Development (EMD); Production & Deployment (P&D); Operations & Support (O&S)
• Milestones, decision points and reviews: MDD; A; B; C; FRP/FDD; ASR; SRR; SFR; PDR; CDR; TRR; SVR; OTRR; DT&E; IOT&E
• Cybersecurity: Categorize; Select; Implement; Assess; Authorize; Monitor; SP; SAP; SAR; POA&M; IATT; ATO
• Test & Evaluation: Understand Cybersecurity Requirements; Characterize Cyber Attack Surface; Cooperative Vulnerability Identification; Adversarial Cybersecurity DT&E; Cooperative Vulnerability and Penetration Assessment; Adversarial Assessment
• Anti-Tamper: AT Concept; Initial AT Plan; AT Plan; AT V&V Report
• Program Protection: Conduct: Threat Analysis, Vulnerability Analysis, Risk Analysis, and Select Countermeasures; Monitor CM, Effectiveness and Report Compromises; ID stakeholders; Initial CPI, CC; Assess CPI, CC; Update CPI, CC; Initial PPP; Update PPP; STAR; Intel Reports; PPP/Cybersecurity Strategy, TEMP, SEP, LCSP, CMP
• TSN: Conduct: Threat Analysis, Vulnerability Analysis, Risk Analysis, and Select Countermeasures; Monitor CM, Effectiveness and Report Compromises; Assess CPI, CC; Update CPI, CC; SCRM Plan
• Other labels: AOA; Modification(s)
Systems Engineering Approach
Assess Cybersecurity at each systems engineering technical review
[Figure: systems engineering process with RMF steps and technical reviews. Labels recoverable from the diagram:]
• Technical reviews: SRR; SFR; PDR; CDR; TRR; SVR
• RMF steps: Categorize; Select; Implement; Assess; Authorize; Monitor
• Other labels: Systems Engineering Process; Functional Requirements; Cyber Requirements; Requirements Coverage; Functional Allocation; Risk Assessment; T&E Plans Sufficient; Design Verification Review; Design Verification; Test Planning; Red/Blue; IATT
Challenges Applying Enterprise Requirements to Embedded Systems
• Network tools and assessment techniques have limited relevance to Weapons Systems architecture and interfaces
• Automatic updates and centralized account control not possible due to connectivity, safety, configuration management and availability
• Weapons systems must decrease attack surface limiting access points
• Form factor, weight, power, and safety preclude many enterprise implementations in weapons systems
• Embedded firmware, unique internal busses & controllers
• Real-time OS vs Enterprise Network / Desktop operating systems
• Different Operating Environments, CONOPs, Threats & Vulnerabilities
• Focus network related protections at Mission Planning and Maintenance touch points versus applying requirements internal to real-time systems
• Virus definitions and STIGs irrelevant to weapon system OS
• Implementation of controls and assessment methods are very different
• Security Classification of Weapons Systems Vulnerability & Threat
Platform Information Technology (PIT) was defined due to the unique aspects of real-time embedded systems
Challenges
• Workforce Development
– Inadequate workforce
– People not trained
• Ownership – Cybersecurity is Everybody’s Business
• SSE Systems Engineering
– Incorporate throughout lifecycle
– Validate @ each SETR (SRR, PDR, CDR)
• Requirements & funding
– Lacking funds to implement fixes or upgrades
– No funds for site audits or training certifications
• Programs access to timely Intel
• Legacy assessment backlog
• Legacy systems were not designed to cyber requirements
• Test and Evaluation Resources
– Red/Blue team capability against weapons systems
• Lack of tools to conduct avionics cyber analysis
• Software/Hardware assurance & Supply Chain Risk Management
– Tools, techniques and expertise for HW & SW Assurance
– Systems using COTS components built on foreign technologies and hardware
– Supply chain risk assessment releasability/classification
• Process for reporting incidents
• Policy geared toward networks
• Classification Issues
Overcoming the Challenge
Comprehensive, Systematic and Automated Risk Analysis
“Ingredients” of risk (ISO 15408)
Risk Assessment Methodology
[Figure: relationships among Assurance Case, System Facts, Assurance Process and Risk Metamodel. Statements recoverable from the diagram:]
• Assurance Case is structured according to the Risk Metamodel
• Assurance Case provides guidance on how to collect evidence
• Risk Metamodel describes evidence
• Assurance Process delivers evidence
• System Facts are evidence to the Assurance Case, e.g. operational facts from DoDAF/UAF
Supported by inference rules, Uses generic taxonomies
Enabled by OMG standards:
• Integrating System Assurance into Risk Assessment Methodology
• Utilizing Assurance Case to deliver Risk Assessment
• Automating end-to-end process
Methodology Describes the Sequence of Steps
We need a methodology that gives us high level of confidence in the Risk Assessment result
Identified Risks
• By who? and Why? – Threat Sources
• How? – Attack scenarios, Likelihood
• To what? – Assets and Targets
• Who cares? – Owners and criteria sensitivity
• So what? – Undesired events, Operational Impact severity
• What to do about it? – Controls, mitigation options
2017-03-15
Tools Currently Used
[Figure: Blade Risk Manager workflow with steps numbered 1 to 7. Labels recoverable from the diagram:]
• DoDAF/UAF Enterprise Architecture
• Automatically extracted facts
• Manual Input option if no structured data available
• Risk Knowledge Base
• Risk Manager Engine
• DoDAF Analytics score & feedback
• Manual Adjustments or Manual Input
• GUI
• Risk Assessment Report
• Risk Analyst “in a box”
Summary
• Unique Aircraft System Attack Surfaces
• Domain Expertise needed for Weapon System Cybersecurity
• Cybersecurity Part of Systems Engineering
• Industry Partnership Essential to Address Challenges and Requirements
• Cybersecurity is Everybody’s Business
Questions?