Air Force 'white hat' event focused on its REMIS maintenance system
WRIGHT-PATTERSON AIR FORCE BASE, Ohio. U.S. Air Force officials announced at that the Reliability and Maintainability Information System program office at Wright-Patterson Air Force Base, underwent an intentional hack by certified ethical hackers hired under a contract to conduct an analysis of what would happen if an insider “went rogue.”
The white hat or bug bounty event's goal was to identify vulnerabilities into the Air Force’s maintenance system, REMIS.
The project consisted of representatives from the Air Force’s Logistics Integration Directorate, Synack, a hacking contractor team with support from the Defense Digital Service, the REMIS program office, as well as REMIS prime contractor Northrop Grumman Mission Systems.
The objective was to test REMIS’ vulnerability of authorized users in the REMIS system as well assess what “damage” or “malice” they could accomplish. The hack was not intended to test the external security boundary for accessing REMIS.
Over the course of four weeks, 73 hackers spent more than 1,700 man-hours probing REMIS for vulnerabilities and weaknesses. They identified 12 vulnerabilities with varying severities. The REMIS program office and Northrop Grumman were able to immediately remediate 11 of the vulnerabilities, and are taking steps to mitigate the last vulnerability.
The objective of this exercise was not only to assess the strength of REMIS’ cybersecurity posture, but to learn how to most effectively establish an enterprise level bug-bounty for the entire Logistics-Information Technology portfolio.