Cyber intrusion detection system will focus on mid-flight actionable intelligence

was a hot topic at the Sea-Air-Space, the Navy League’s Global Maritime Exposition. In this Q&A, ’s Government Solutions Director William E. Leigher discusses the challenges that the Department of Defense () faces when implementing cybersecurity measures to platforms and how the military services need to build high-end cybersecurity measures into a . Leigher also discuss Raytheon’s research and development (R&D) project to build a that will enable aviators to one day receive an alert and actionable intelligence of mid-flight.

MIL-EMBEDDED: Raytheon is involved in a research and development (R&D) project aimed at helping Naval aviators counter potential cyberattacks mid-flight. Can you give us a little background to that project and the current challenges engineers are facing?

LEIGHER: This is an R&D project that we’ve been working on for the past year. We took the MIL-STD 1553 and built an intrusion detection system. In the same way we would have a virus checker or a firewall in our IP system, we developed software that would detect an anomaly. MIL-STD 1553 is a basic network that you’d find on most military aircraft and most commercial aircraft. One of the good things about it is its predictability. For example, the signals that go to the weapons station should be the same every time. With that in mind, when there is a signal that isn’t right, it’s pretty easy to see that anomaly. Our solution works to find signal anomalies that might be a cyberattack.

After detection comes the hard part. What do you do about it? Currently this system is the same as some of the early radar warning receivers in that it provides an alert, but doesn’t provide context for the threat in terms of, “Is this debilitating to the mission?” or “Is it something that I don’t have to worry about?”

We plan to develop more functionality after we get more operator feedback. This is why we bring a demo like this to Sea-Air-Space to start a dialogue with the operators and get a better understanding of what the system needs to do to help the pilot.

21
Figure 1: Raytheon demonstrates its cyber intrusion detection system at the Sea-Air-Space show. Photo courtesy of Raytheon.
(Click graphic to zoom)

MIL-EMBEDDED: How will this cyber intrusion detection program technology help pilots fight a cyberattack?

LEIGHER: The system would help by countering an attack profile, which is meant to reduce mission effectiveness perhaps by distracting the pilot at a very important time in the mission, etc. For example, when a pilot does three things in succession such as changes the altitude of the airplane, arms a particular function of the airplane, and then starts to descend, then you’re probably on an attack profile.

The cyberattack profile might be designed to become active based on these kinds of sequences. The pilot would get a warning and while the alert is on, the detection system would provide the pilot with some judgment needed in order to study the process and provide immediate feedback. We’ll have to add functionality that will improve the pilot’s confidence in the system rather than degrading that confidence.

MIL-EMBEDDED: What is the current status of the project and the next steps that Raytheon will take to fully realize this system?

LEIGHER: The detection system needs more work to get real-time assessment by pilots. We can only put so much information in front of a pilot so we need to do that smartly in a way that will move quickly and give the pilot a sense of what the warning is. These are things that we are going to continue to develop at Raytheon under this R&D program.

MIL-EMBEDDED: What cyberthreats is the Department of the Navy (DoN) most concerned with?

LEIGHER: There are two things that come to mind. One: Network security. Command and control systems, databases, communications, all pose a cybersecurity risk for the Navy. All this goes back to the primary networks security problem because without secure networks, all this is at risk.

Second: Platform cybersecurity. Each network used by the Navy touches operational technology systems that control combat systems, engineering plants, etc. Each of those sub-networks has software and processors that need to be protected as well. We’re seeing a move from what we’ve always done – protecting the network – to actually protecting the system itself.

MIL-EMBEDDED: Cybersecurity was a hot topic at the Sea-Air-Space show, what is an overarching issue that still needs to be addressed by the DoD?

LEIGHER: While the services are building at the platform level, at the combat commander level we’ve got to think about how we put high-end defensive cyber strategy into our war plan.

We already think about missile defense, force security, and protection at the base level. We need to think about where cyberdefense fits into this operational level, whether it’s a different level of force security or different training for the cyber protection team to enable more focus on platforms. Whether it’s the aircraft carrier, forward-deployed airbase, or forward-deployed garrison in the Army, we need to know what platform cybersecurity means for the air portion. We also need to identify specific roles for Joint Task Force Commanders and the COCOMs [Combatant Commands] in cyberdefense.

MIL-EMBEDDED: What is the biggest challenge when implementing cybersecurity measures on naval platforms?

In general, with cybersecurity defenders have to be right all the time while the attacker has to be right once. If you read about any platform there are scores of potential ways that a cyber attacker could reach a platform and start to defeat critical software. When you get to that level, we have to find a way to be able to prioritize the risk the same way we prioritize the risk of each mission. Cyber hasn’t done that prioritization on the network security side.

Patching after an intrusion and waiting for the next intrusion on the network is not a workable strategy at the platform level. Just imagine what it would take to replace all the switches in an electrical plan on a ship or replace major components on an aircraft while it’s deployed. It’s not going to happen that way.

We’ve got to have a better risk strategy for networks. You’ve got to be able to detect an intrusion and to do that you need a better risk strategy to understand if that intrusion is a threat or not. On top of that you’ve got to have a way to maintain that level of security in a deployed state.

MIL-EMBEDDED: How do humans fit within the DoD’s cybersecurity plan and do you think they’re the biggest risk factor when implementing cybersecurity measures?

LEIGHER: Humans are one of the hardest pieces in cyber. You can probably automate a lot of cybersecurity measures right now, but as a nation we’ve chosen not to do that. There’s always going to be a human in the loop in the foreseeable future when we’re talking about offensive and defensive cyber actions, some of it will be augmented by our artificial intelligence (AI) and machine learning. However, humans will be an important piece of ensuring cybersecurity like it is in all warfare.

Implementing cybersecurity measures is going to come with a better understanding of risk. In general, plain old cybersecurity didn’t deal with risk very well. It was just a patch and then wait for the next attack mentality by keeping systems as up to date as possible. We assume that occasionally a cyberattack would penetrate the network.

That approach is unlike the way that we defend any other platform and in the long run it’s going to be losing proposition. There has to be a way to build resiliency into these platforms. We do that either through redundant systems, by being able to quickly triage, and by assessing the seriousness of the situation. There will also be defensive cyber weapons to keep our systems from getting attacked.

MIL-EMBEDDED: Do you think the DoD is heading in the right direction as far as cybersecurity?

LEIGHER: The DoD is heading in the right direction. Most of the effort and most of the funding goes toward network security. Platform security, operational technology security is fairly new. The DoD started around the fall of 2015 to look at this and they’re making some good strides.

This past fall, the Office of the Secretary of Defense (OSD) gave the services about $100 million to look at resiliency and platform security. More and more you see during the operational test and evaluation phase that platforms are graded on their cybersecurity. The Naval Air Systems Command (NAVAIR) is a good example as they provide guidance in cyber expertise in programs all across NAVAIR. This is a great approach because it educated the non-cyber engineers at NAVAIR about the principles of cybersecurity.

Bill Leigher is the Government Cyber Solutions (GCS) Director for Raytheon’s Intelligence, Information and Services (IIS). Leigher leads the GCS business that partners with customers to provide cybersecurity and cyber solutions to DoD and the federal government to strengthen critical infrastructure and information systems and execute missions worldwide. Rear Admiral Leigher retired from active duty in January 2014, focusing on the areas of intelligence, cyberspace, electronic warfare, and analytics. When he left active service, Leigher was the director of Warfare Integration for Information Dominance (N2N6F) on the Chief of Naval Operations staff in the Pentagon. His other flag officer assignments included the deputy commander for U.S. Fleet Cyber Command/ U.S. 10th Fleet and the director of Information Operations on the staff of the Chief of Naval Operations. He has a Bachelor of Arts degree in Political Science from the University of Southern Maine and a Master of Arts in National Security and Strategic Studies from the U.S. Naval War College.