Mission- and life-critical cyber resilience for military platforms
Cyberattack has become the adversary's first weapon of choice, and military platforms, on land, air, sea, and space, are prime targets. Nation-state cyberattacks against military, contractor, and critical-infrastructure facilities are a daily occurrence, and compelling public demonstrations have recently included attacks against commercial cars and planes. The United States Department of Defense (DoD) is conducting cybersecurity reviews of all major platforms, and U.S. defense contractors are developing embedded capabilities to ensure that U.S. military platforms defend themselves against cyber missiles with just as much finesse as against physical missiles.
When defense companies talk about cyber resiliency for military platforms, what exactly do they mean? The term can mean many different levels of security, whether one is talking about a government network or a platform component. Unfortunately, there is not yet a standard hierarchy, which can make it difficult even to discuss the level of security actually desired. An industry standard, even at a high level, would eliminate many of the semantic hurdles to realizing military cyber resiliency commensurate with the modern threat.
Let’s posit a three-tiered cyber resilience hierarchy to describe the broad levels of cyber resilience available for military platforms. The hierarchy reflects the scale of the cyberthreat, current and emerging requirements, system-development practices across the defense community, and both existing state-of-the-art capabilities and cutting-edge research and development. The hierarchy can be the jumping-off point for evaluating the cyber resilience appropriate for different requirements and price points.
Each tier in the hierarchy builds upon the previous tier. Defensive capability increases from silver to gold, but cost, including the difficulty of retrofitting legacy platforms, also increases. Selecting the appropriate tier, and solutions within that tier, balances cost against platform-specific adversary threats. Threat analysis must include not only the likelihood that the adversary will launch particular types of attacks, but also the impact that those attacks will have on safety and mission outcomes. Solutions might fall naturally into one tier or partially address parts of multiple tiers.
Base tier addresses individual binaries
The initial tier, silver cyber resilience, concentrates on the analysis and protection of individual binaries embedded in the platform. There may be hundreds of binaries on any given platform, and a vulnerability in any binary with bus access risks compromise of every component on the bus. Protecting these binaries includes best-practice processes and technologies, including execution guards and authenticated communication channels when performance and design constraints allow.
To earn silver cyber resilience, however, the platform binaries must go beyond best practice: each binary's cybersecurity properties are evaluated against an internal vulnerability scale, which derives requirements and test sets from catalogs of mission requirements, threat actors, and cyberattack types specific to embedded systems. For components with available source code, users can turn to such tools as HP Fortify or Coverity to help identify issues. For third-party binaries delivered without source code, teams at BAE Systems apply a suite of best-of-breed binary analysis tools tied together by the Automated Reverse Engineering (ARE) tool suite. Software developers prioritize and address ARE-identified vulnerabilities during the normal development and test/evaluation processes.
Under the hood, ARE statically and dynamically analyzes the control and data flows of target binaries, and automatically identifies vulnerabilities reachable from external input, including memory-access and arithmetic errors. ARE is now part of a pilot study on the cybersecurity of mission-critical U.S. Navy software.
The gold cyber resilience level adds defense-in-depth, in which layers of defenses each build on the one before, across the entire embedded system. The choice of man-on-the-loop, man-in-the-loop, or autonomic response depends on the tradeoffs between the direct impact of an adversary attack and the collateral impact of responding to attacks and false alarms. The key to defense-in-depth is multitiered false-alarm suppression that uses a hierarchy of filters to identify and remove false alarms arising from unusual, but nonattack, activities. Accurately eliminating false alarms prevents collateral damage from defensive responses that serve no purpose. This overall approach detects unseen or zero-day attacks based on improper component behavior; provides root-cause analysis for operator situational awareness; acts to correct or contain cyber compromises; and provides intuitive, actionable information to operators modeled after, and sometimes integrated into, existing fault-diagnostics systems. With this approach in place, the system detects, contains, and recovers from even previously unseen cyberattacks against runtime components.
One way to add defense-in-depth capability is to include a device that plugs into an existing vehicle bus, monitors component data flow for anomalous behavior, and alerts vehicle operator(s) through existing fault-diagnostic interfaces. Such an approach can dramatically increase the end-to-end cybersecurity posture of legacy platforms without having to retrofit existing components.
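As an added illustration of the bus-monitoring approach just described (example code written for this article, not BAE Systems' code or a description of any product), the following Python sketch runs a three-filter false-alarm hierarchy over per-window message counts on a vehicle bus: a mode filter, a persistence filter, and a correlation filter against the existing fault-diagnostics system. The arbitration IDs, baseline rates, operating modes, and fault reports are all constructed for the example.

```python
from collections import Counter

# Baseline rate of each bus arbitration ID per 1-second window, learned from a
# clean capture (constructed values); IDs that legitimately burst per mode.
BASELINE = {0x100: 10, 0x200: 5, 0x300: 2}
MODE_BURST_OK = {"startup": {0x300}}
PERSIST_WINDOWS = 2  # consecutive anomalous windows required before alerting

def raw_anomalies(window_ids, baseline):
    """Raw detector: unknown IDs, or rates more than 50% off baseline."""
    counts, found = Counter(window_ids), set()
    for arb_id in set(counts) | set(baseline):
        expected, n = baseline.get(arb_id), counts[arb_id]
        if expected is None or abs(n - expected) > 0.5 * expected:
            found.add(arb_id)
    return found

def filter_alerts(windows, baseline=BASELINE, faults=None):
    """Filter hierarchy over windows [{"mode": str, "ids": [...]}, ...].
    faults maps window index -> IDs whose source the existing diagnostics
    system already reports as faulty. Returns surviving (window, id) alerts."""
    faults, streak, alerts = faults or {}, Counter(), []
    for i, w in enumerate(windows):
        anomalous = raw_anomalies(w["ids"], baseline)
        # Tier 1: a burst that is normal for the current mode is not an alarm.
        anomalous -= MODE_BURST_OK.get(w["mode"], set())
        # Tier 2: require persistence, so one-off glitches never reach operators.
        for arb_id in [a for a in streak if a not in anomalous]:
            del streak[arb_id]
        for arb_id in anomalous:
            streak[arb_id] += 1
        persistent = {a for a, n in streak.items() if n >= PERSIST_WINDOWS}
        # Tier 3: an ID whose source has a diagnosed hardware fault is a fault, not an attack.
        persistent -= faults.get(i, set())
        alerts.extend((i, a) for a in sorted(persistent))
    return alerts

# Constructed windows: a startup burst, a one-off unknown ID, a sustained flood
# on 0x100, and a component (0x200) that drops off the bus with a known fault.
NORMAL = [0x100] * 10 + [0x200] * 5 + [0x300] * 2
WINDOWS = [
    {"mode": "startup", "ids": [0x100] * 10 + [0x200] * 5 + [0x300] * 9},
    {"mode": "run", "ids": NORMAL + [0x7DF]},
    {"mode": "run", "ids": NORMAL},
    {"mode": "run", "ids": [0x100] * 40 + [0x200] * 5 + [0x300] * 2},
    {"mode": "run", "ids": [0x100] * 40 + [0x300] * 2},
    {"mode": "run", "ids": [0x100] * 10 + [0x300] * 2},
]
FAULTS = {4: {0x200}, 5: {0x200}}
```

Only the sustained flood on 0x100 survives all three filters; the startup burst, the single stray ID, and the silent component with a diagnosed fault are suppressed before they reach an operator.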
At the top level
The platinum cyber resilience level integrates component-level and defense-in-depth characteristics into a clean-slate design paradigm for the development of inherently secure computing technologies. This approach leverages formal methods to ensure that solutions are provably secure against whole categories of security flaws. Platinum-level cyber resilience uses hardware/software codesign approaches such as SAFE, which provides hardware support for memory safety, dynamic type checking, and native support for dynamic information flow control. The platinum level of cyber resilience can demonstrate that designs are immune from buffer overflows, cross-site scripting, and code injection, including binary code injection, script code injection, SQL injection, and ROP code injection.
Ideally, all platforms would have platinum cyber resilience covering all possible cyberattack categories. Internal red-team exercises have actually shown that platform security benefits massively from each additional tier of cyber resilience. Realistically, however, each tier involves additional cost; platform-specific analysis of the cost, security, and performance tradeoffs is essential. Silver cyber resilience, for example, requires neither the replacement of legacy system architectures (platinum) nor the pervasive insertion of layered cyberdefenses (gold), but can provide effective defense against common threats and have low costs even when retrofitting legacy platforms.
Ultimately, the levels of the cyber resilience hierarchy guide the discussion of what is feasible and best for both new and legacy military platforms.
BAE Systems www.baesystems.com