17 March 2016 Elbert Michael Ruiz, Fred Wright, PhD, Ronald Prado, Douglas Woods Weapon Systems and Cyber Testing and Evaluation

Outline

Challenges/Impetus of Weapon Systems T&E

Methodology: Leveraging Systems Engineering

Lessons Learned and Observations

Needs and Technology Gaps

Impetus for Topic

• Cyber Security Directive now applies to all DoD IT (including Platform IT)
• Confidentiality, Integrity, Authorization, and non-repudiation
• Cybersecurity fully integrated into system lifecycles
• Cybersecurity T&E is conducted throughout the acquisition lifecycle
• Two phases:
  1) Cooperative Vulnerability and Penetration Assessment
  2) Adversarial Assessment
• Includes all digital paths, not just Ethernet

[Figure labels: Risk Management Framework; System Development Life Cycle Activities; IA Focused; Cyber Security Focused]

Cyber-Physical System Examples

Cyber-physical systems can also be self-contained (condensed System-of-Systems)

Commercial vehicles exhibit heterogeneous types of vulnerability vectors

Natural extension to apply concepts, techniques, and procedures to military Weapons Systems

Multi-stage attack sequences

[Figure labels, vehicle subsystems: Vehicle-to-Vehicle Communications; RSU-to-Vehicle Communications; Keyless Entry; Tire Pressure System; Infotainment Unit; Telematics; Engine Control Unit; Transmission Control Unit; CAN Bus Controller; Security System; Anti-Lock Brakes; On-Board Diagnostics; Climate Control]

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Weapons Systems as Cyber-Physical Systems

Cybersecurity T&E Phases mapped to Acquisition Life Cycle

Department of Defense Cybersecurity Test and Evaluation Guidebook, Version 1.0, July 1, 2015

Most high-level methodology descriptions call out the actual assessment phase, but what exactly does it entail?

Starting Points - Assessment Methodology

[Flow diagram: box labels and bullet groups in the order extracted]

CYBER & RF Experts

Assessment Report

Attack Tree Analysis

• System Documentation
• Block diagrams
• Subsystem Detail
• Interconnectivity

• Interviews
• On-site Examination
• Access to system
• Risk Man. Framework documentation

Subsystem Vulnerability Assessment

• Most likely ways in to affect mission
• Ability to Detect, Prevent, React, Recover from Cyber Attack
• Potential vulnerability to disruption, spoofing, malware

• Attack Surfaces
• Network Nodes
• Propagation paths

Subsystem Identification

• Delphi Method
• Subject Matter Experts (e.g.)
• Embedded SW Reverse Engr (RE)
• RF Protocol RE
• Hardware RE

Vulnerability Analysis Deep Dive

Develop Exploits

Demonstration/Red Team Events

• Focus on likely paths
• System Simulation
• System Hardware
• System SW
• SME capabilities (SW Defined Radios, fuzzers, spoofers, signal monitors)

• Difficult/Time consuming
• Malware almost exclusively 0-day
• Disrupt/Spoofing easier

• Validates ability of adversary
• Can assess and test mitigations

• Risks and Recommended Actions

T&E Capability Needed

Common Denominator

Attack Tree Analysis (ATA)

Paradigm for performing hostile threat risk analysis using a rigorous tree-structured mathematical approach

Techniques first published and described in the early 1990’s

Based on Fault-Tree Analysis methodology developed in the 1960’s/70’s

ATA methods incorporate not only details of the system being defended, but also methods available to the attacker

Attack tree models excel at estimating the risk for situations where events happen infrequently or have never happened before
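
A small AND/OR attack tree evaluated the way the slide describes, as an added example that is not from the original briefing or the authors' models. The tree shape, the root goal, and every probability and cost value are constructed for illustration (in practice they would come from SME scoring); leaf names are borrowed from the deck's list of common attack vectors, and leaves are assumed independent.

```python
from dataclasses import dataclass, field
from math import prod

@dataclass
class Node:
    name: str
    gate: str = "LEAF"      # "LEAF", "AND" (all children needed) or "OR" (any child)
    p: float = 0.0          # leaf only: estimated probability the step succeeds
    cost: float = 0.0       # leaf only: estimated attacker effort, arbitrary units
    children: list = field(default_factory=list)

def probability(n, mitigated=frozenset()):
    """Probability the goal at n is reached; mitigated leaves count as 0."""
    if n.gate == "LEAF":
        return 0.0 if n.name in mitigated else n.p
    ps = [probability(c, mitigated) for c in n.children]
    if n.gate == "AND":
        return prod(ps)
    return 1.0 - prod(1.0 - x for x in ps)   # OR gate

def min_cost(n):
    """Cheapest attacker effort: sum over AND children, minimum over OR children."""
    if n.gate == "LEAF":
        return n.cost
    costs = [min_cost(c) for c in n.children]
    return sum(costs) if n.gate == "AND" else min(costs)

def leaves(n):
    if n.gate == "LEAF":
        yield n
    for c in n.children:
        yield from leaves(c)

def rank_mitigations(root):
    """Order leaves by how much closing each one lowers the root probability."""
    base = probability(root)
    gains = [(l.name, base - probability(root, frozenset({l.name}))) for l in leaves(root)]
    return sorted(gains, key=lambda g: -g[1])

# Constructed tree: structure and numbers are assumptions, not assessment data.
TREE = Node("Mission effect on a subsystem", "OR", children=[
    Node("Maintenance path", "AND", children=[
        Node("Maintenance interfaces", p=0.3, cost=40),
        Node("Reprogramming interfaces", p=0.5, cost=20)]),
    Node("Supply chain (hardware and software)", p=0.05, cost=200),
    Node("RF links/comms", p=0.1, cost=80),
])

if __name__ == "__main__":
    print(f"root probability: {probability(TREE):.5f}, cheapest path cost: {min_cost(TREE)}")
    for name, gain in rank_mitigations(TREE):
        print(f"  mitigate {name!r}: root risk drops by {gain:.5f}")
```

The ranking gives a defender a first-order view of which mitigation buys the largest reduction in root risk before any deep-dive effort is spent.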

Attack Tree Example: Backdoor Scenario

Common Attack Vectors for Weapon Systems

RF links/comms

GPS

Supply chain (hardware and software)

Maintenance interfaces

Reprogramming interfaces

IT enterprise connections

Command and control systems

Mission planning

Training systems

System Cross-Functional Cyber Analysis

[Figure labels: RF System Vectors; Software Vectors; Hardware Vectors; Network Vectors]

[Figure labels: Comms/GPS/etc; Maintenance Ports/Anti-Tamper; Auto-pilot/HUDs/Collision Avoidance; TCP-IP/System Busses]

Vulnerability Assessment Methodology for Embedded Systems

Our full 3-phase approach for vulnerability analysis and exploitation

SDR = SW Defined Radio

[Diagram labels: Phase I; Phase II; Phase III; Operational Assessment; Attack Surface Enumeration / Risk Assessment; Software Assessment; Hardware Assessment; Communications Assessment; Software Analysis; Download Code; Initial Disassembly / Static Analysis; Dynamic Analysis; Hardware Reverse Engineering; Instrumentation; Communications Analysis; Message Reverse Engineering; Message Generation; RF Link Insertion / Propagation Analysis; SDR Development; Experiments / Technique Refinement; Exploit Development / Experiments / Technique Refinement; Lab or Field Test Demonstrations]

Best Practices/Lessons Learned

Develop the assessment team
• Avionics and Electronic Warfare (EW) platform cyber assessment expertise in developmental stages
• Cross-section of embedded system reverse engineering skill-sets
• Technically proficient in RF and digital protocol analysis, firmware reverse engineering, embedded vulnerability discovery and exploit

Vulnerability discovery and exploit important step
• Improves confidence of current and future assessment scoring
• Confidence in assessment scoring builds over time (multiple platform assessments)
• Commonalities in cross-platform subsystems inform likely vulnerabilities

Best Practices/Lessons Learned (Continued)

Start assessments early
• System research is inherently time-consuming.
• Identification and demonstration of vulnerabilities even more time-consuming

Provide access to the necessary platform experts to the assessment team
• Pilots, trainers, maintenance crew, sub-system SMEs

Access to detailed system/subsystem information critical
• Message formats, timing, and protocols between platform subsystems
• Include all digital paths (1553, serial, Ethernet, RF)
• Board schematics and firmware for each relevant subsystem

Best Practices/Lessons Learned (Continued)

Access to System
• System Integration Labs
• Hardware in the Loop Labs
• Off-site System/subsystem analysis – Subsystems available to assessors at their facilities
• Plan multiple trips for assessors

Reuse past analysis and assessment results and patterns
• Device evaluations should feed “platform” evaluations

Feed back into hardware and software standards/implementation guides, security patterns and approaches
• Security is built-in to systems engineering

Gaps and Needs

Cross-Functional vector tracking/test control (https://kepler-project.org/ & http://ptolemy.eecs.berkeley.edu/)

Smart Fuzzers

Intelligent protocol/stack reverse engineering tools

Open standards with reference architectures and controls for security (e.g., Future Airborne Capability Environment (FACE™))

Persistent laboratories with these capabilities and weapon systems “stacks” to verify implementations in DT
• Including simulations of controlled processes (real-time but not necessarily high-fidelity)

Smart Fuzzer and Automated Protocol Reverse Engineering Concepts

Example protocol analyzer structure using machine learning (e.g., deep learning techniques)

Support for thousands of simultaneous tests

Reuse/share environment assets as appropriate

Analysts can make informed decisions on which bugs to target

Summary

Assessments have been successfully executed and lessons learned are available

Time and cost must be balanced with “depth” of assessment

Need: Integration with systems engineering/design to ensure better security

Need: automation to reduce time and cost