"Cyber hardening" DoD networks, sensors, and systems for mission resiliency
July 27, 2016
BAE Systems, Lockheed Martin, and Raytheon are all leveraging automation and analytics to "cyber harden" military networks, sensors, and systems.
The U.S. Department of Defense (DoD) is currently in the process of “hardening” its networks, sensors, and systems against cyberattacks. This includes real-time operational systems such as aircraft, unmanned aerial vehicles (UAVs), and ships, which all must undergo cyber hardening to enhance mission resiliency against system manipulation, hijacking, or destruction.
What is cyber hardening?
Lockheed Martin defines cyber hardening as a broad concept that addresses securing various threats and challenges across multiple domains. Cyber hardening involves “assessing platforms, mission systems, network systems, and other at-risk solutions, and then applying multiple cyber models to help clients defend their networks, mitigate threats, protect their platforms, and continuously assess their systems – both from an internal and external perspective,” explains Doug Booth, business development director for Lockheed Martin Cyber Solutions.
Raytheon is taking its cue from the DoD’s definition, and Brian Stites, cyber hardening campaign program manager for Raytheon Intelligence, Information, and Services, describes cyber mission resiliency as “the confidence and assurance for systems to function as expected, and for forces to accomplish their missions within a contested environment in the face of sophisticated, capable adversaries.”
The ultimate goal of DoD’s cyber mission resiliency is to reduce the consequences of attacks. “An important aspect of resiliency is ‘cyber hardening’ or reducing the attack surface of a system and increasing the difficulty of system access and exploitation,” Stites adds.
Raytheon applies a four-step methodology to harden systems. The first step is an architectural review that seeks out security flaws an attacker could exploit to disrupt normal operation. Once these flaws are identified, they’re prioritized from moderate to critical, based on how much damage they could inflict. Next, layered risk-management techniques – such as fixing vulnerable software, adding security tools, tightening policies, adding hardware, and/or training customer personnel – are applied. Finally, tests are run to ensure that the mitigation is effective and hasn’t introduced new flaws.
The use of penetration testing by “red teams” is an incredibly valuable aspect of security assessments. “Large-scale enterprise and platform systems are increasingly based on a mix of government off-the-shelf/commercial off-the-shelf (GOTS/COTS) software, which increases the cyberattack surface,” says Kevin M. McNeill, vice president and chief scientist of Intelligence and Security for BAE Systems.
“Tapping into the attacker’s viewpoint and understanding their approaches for analyzing the attack surfaces of these complex systems can help to identify vulnerabilities that may be hidden within COTS environments,” McNeill adds. “Any system that uses COTS has an ever-changing attack surface that requires frequent, thorough testing.”
Automation and analytics
Artificial intelligence and automated systems are both being tapped for cyber hardening. Cyberattackers are increasingly using more complex attack patterns, “leveraging speed via scripts and automation, and exploiting insider access with social-engineering attacks such as spear phishing or password guessing,” says McNeill.
BAE Systems is working with its customers to enhance defense-in-depth strategies with solid system-administration practices – also known as cyber hygiene – supported with automation and analytics. “It’s difficult for customers to scale up their staff to mitigate evolving attack techniques,” notes McNeill. “Adding more expert cyberanalysts or system administrators to protect their networks would be ideal, but it isn’t always feasible. There’s a shortage of skilled personnel, and competition for them is high. For our government customers, competing with the private sector for skilled staff isn’t easy.”
One cost-efficient way to maneuver around the shortage in skilled personnel is to defend against attacks by leveraging automation tools and analytics as force multipliers for cybersecurity, which significantly raises the costs involved for attackers. “This approach requires robust and scalable governance methods, which is an active area of cyber research for BAE Systems,” McNeill says.
Automation has become a critical tool in recognizing and responding to threats. Raytheon, for example, uses what it calls electronic armor to prevent adversaries from digitally penetrating and potentially disrupting missions on vehicles and other systems from anywhere around the world. “This technology is capable of detecting system penetrations regardless of the source,” Stites says. “Electronic armor takes a snapshot of what a system looks like when it’s secure. If that picture changes, even the slightest, it triggers a warning that the system may be compromised and it allows the vehicle to ignore malicious commands.”
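The “snapshot of a secure system, warn on any change, refuse commands” behaviour described above is essentially a baseline-and-drift integrity check. The following is an added illustration of that pattern, not Raytheon’s electronic armor code; the component names and contents are constructed sample data.

```python
import hashlib
from typing import Dict, List

# Constructed sample of a vehicle's software components in their known-good state.
SECURE_COMPONENTS: Dict[str, bytes] = {
    "flight_controller.bin": b"fc-firmware-v3.2 (constructed)",
    "nav_config.cfg": b"waypoint_source=gps\nauth_required=1\n",
    "command_parser.so": b"parser-build-1187 (constructed)",
}

def snapshot(components: Dict[str, bytes]) -> Dict[str, str]:
    """Record a SHA-256 digest of every component while the system is known-good."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in components.items()}

def detect_drift(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """List components whose digest no longer matches the baseline, plus anything
    removed from or added to the system since the snapshot was taken."""
    drift = []
    for name, digest in baseline.items():
        if name not in current:
            drift.append(f"missing:{name}")
        elif hashlib.sha256(current[name]).hexdigest() != digest:
            drift.append(f"modified:{name}")
    drift += [f"unexpected:{name}" for name in current if name not in baseline]
    return sorted(drift)

def commands_allowed(baseline: Dict[str, str], current: Dict[str, bytes]) -> bool:
    """Command gate: while any drift is present, incoming commands are refused
    rather than trusted, mirroring the 'ignore malicious commands' behaviour."""
    return not detect_drift(baseline, current)

if __name__ == "__main__":
    base = snapshot(SECURE_COMPONENTS)
    tampered = dict(SECURE_COMPONENTS)
    tampered["nav_config.cfg"] = b"waypoint_source=gps\nauth_required=0\n"  # one flag flipped
    print(detect_drift(base, tampered))       # ['modified:nav_config.cfg']
    print(commands_allowed(base, tampered))   # False
```

Even a single flipped byte in a configuration file changes the digest, which is why the check is sensitive to “the slightest” change; the trade-off is that every legitimate update requires taking a fresh snapshot.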
BAE Systems recently unveiled an automated cyberthreat intelligence solution developed in partnership with Fujitsu that “actively transforms raw cyberthreat data into actionable intelligence,” McNeill says. “We view cybersecurity as an intelligence problem rather than simply a problem of compliance, patching, and configuration management.”
For this collaboration, the two companies leveraged their cyberthreat intelligence (CTI) expertise and model-based software-engineering technologies to create and demonstrate an automated CTI-sharing system based on the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) standards.
“Think of STIX as a universal ‘cyber language’ for cyberthreats,” McNeill explains. “Our models can translate the ones and zeros of STIX data to answer valuable cyberintelligence questions regarding specific threats. For example, analysts can flag distinct patterns in the data – akin to a cyberattacker’s fingerprints – to give us key information about the kind of threat we’re looking at, when it was identified, where it originated, how the attacker attempted to enter a network, and eventually even who is likely behind the threat. This solution saves analysts valuable time.”
This demonstration system is enabling “active bidirectional exchange of CTI between partners and allied organizations, and also provides an innovative model-based data protection framework that enforces sharing policies and ensures removal of private and other sensitive data from the shared CTI,” he continues. “Its CTI management framework prototype provides cognitive assistance to cyberanalysts through graph-based analytics.”
Automated systems appear to be the next evolution in cyberdefense. “Not only are they cost-effective … they’re cyberdefense force multipliers,” McNeill notes. “Think of automated systems as a mechanism for ‘crowdsourcing cybersecurity.’ As a best practice, BAE Systems harnesses all of the data surrounding cyberattack strings, etc. that target our own network.” Once BAE Systems identifies and neutralizes these threats to their own network, they can share this cyberthreat data with customers and industry partners. “Collaboration through crowdsourcing is one way we’ll all share the rewards of a safer cyberspace at a reduced cost,” adds McNeill. “That’s why real-time information sharing is the logical first step toward developing a holistic cyberdefense strategy.”
Cyber hardening challenges
The DoD faces myriad cyber hardening challenges. Among the worst aspects: protecting such a wide variety of platforms, the age of the technology involved, use of COTS, and the ever-increasing threat of global attackers.
“With a low cost of entry into the cyberdomain, the U.S. military faces new adversaries on a daily basis,” says Lockheed Martin’s Booth. “The variety of systems and platforms that must be defended are a challenge. The size, scale, and complexity of these systems – combined with the need to keep them operational and protected – are also a challenge. Legacy hardware and software pose yet another problem.”
COTS systems tend to be designed for interoperability and functionality, but the DoD is finding that any associated cost savings must be balanced with mission assurance. One big problem is that COTS systems “typically don’t include a requirement to harden systems,” points out Raytheon’s Stites. “Any cyber hardening must be added after the initial design review or even after a system becomes operational, during the modernization lifecycle.”
And many existing platforms never had a requirement in the first place for cyber hardening of systems. “As these systems go through modernization, the systems are being upgraded, but these upgrades are required to be hardened, networked digital systems,” Stites adds. “These programs didn’t necessarily include budgets for additional protections and evaluations.”
Increased adoption of COTS, cloud, and mobility technologies across the DoD “provides many benefits and enables cost reductions over GOTS and special-purpose systems,” says McNeill. “But security aspects of technology adoption are a top priority, and the cybersecurity of specialized embedded systems used within weapons platforms must also be assessed.”
For example, a significant cyber hardening challenge for the U.S. Army is that it’s operating “a large, complex, and heterogeneous network of federated systems that are deployed globally, often in areas with limited infrastructure,” McNeill adds. “It doesn’t lend itself well to many commercial cybersecurity tools or methods, so the DoD must assess each solution individually to ensure it enhances cybersecurity without degrading critical mission functions.”
DDoS attacks escalating
Distributed-denial-of-service (DDoS) attacks are an escalating annoyance and constant threat for the DoD. To deal with them, BAE Systems encourages network defenders to leverage automation by blocking IP addresses, shifting services, and changing routes.
“While automation can support rapid recognition and response to DDoS attacks, it should also be used to restore normal operations just as quickly,” McNeill says. “Rapid-strike DDoS attacks can force countermeasures that may remain in place for hours or days beyond the attack, degrading mission functions. This extends the adversaries’ effects rather than minimizing them. So BAE Systems is focusing on providing cyber resilience to enable missions to continue in the midst of cyberattacks.”
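The point above, that an automated countermeasure should be withdrawn as quickly as it is applied, is easy to get wrong: a block list that only grows keeps degrading service after the flood has stopped. The following added example (not BAE Systems’ tooling; thresholds, addresses and traffic are constructed) pairs a rate-based block with an automatic release so that normal service is restored without operator action.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

class AutoBlocker:
    """Block a source after `threshold` requests within `window` seconds, then
    release the block automatically once `cooldown` seconds pass without traffic."""
    def __init__(self, threshold: int, window: float, cooldown: float) -> None:
        self.threshold, self.window, self.cooldown = threshold, window, cooldown
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}      # src -> scheduled release time
        self.log: List[Tuple[float, str, str]] = []    # (time, action, src)

    def observe(self, t: float, src: str) -> bool:
        """Process one request at time t; return True if it should be served."""
        self.expire(t)
        if src in self.blocked_until:
            self.blocked_until[src] = t + self.cooldown  # still flooding: extend, don't serve
            return False
        q = self.recent[src]
        q.append(t)
        while q and t - q[0] > self.window:              # keep only the sliding window
            q.popleft()
        if len(q) > self.threshold:
            self.blocked_until[src] = t + self.cooldown
            self.log.append((t, "block", src))
            return False
        return True

    def expire(self, now: float) -> None:
        """Restore normal service for every source whose block has aged out."""
        for src in [s for s, until in self.blocked_until.items() if until <= now]:
            del self.blocked_until[src]
            self.recent.pop(src, None)
            self.log.append((now, "release", src))

def run_sample() -> List[Tuple[float, str, str]]:
    """Constructed traffic: a half-second flood from one source, a slow legitimate
    client from another, then a long quiet period."""
    ab = AutoBlocker(threshold=20, window=1.0, cooldown=30.0)
    for i in range(100):                        # 100 requests in 0.5 s
        ab.observe(i * 0.005, "203.0.113.7")
    for i in range(5):                          # 1 request/s is never blocked
        assert ab.observe(1.0 + i, "198.51.100.2")
    ab.expire(100.0)                            # well past cooldown: block lifted
    return ab.log                               # [(0.1, 'block', ...), (100.0, 'release', ...)]
```

The `expire` step is the part that enforces recovery; without it the flooder’s address would stay blocked indefinitely, which is exactly the lingering-countermeasure problem McNeill describes.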
DDoS attacks are an information technology (IT) issue, but operational technology (OT) can also be attacked. “DDoS is a cyber hardening concern,” notes Stites. “Industrial-control systems, safety systems, utility systems, manufacturing equipment, cameras, and many other devices controlled remotely via the Internet are susceptible to attack. So DDoS concerns are a top driver of innovation to protect the boundary between IT and OT.”
The Internet of Things (IoT) will bring its own set of challenges, because every “connected thing” that has an IP address is exposed to attack.
IoT, like all new paradigms, has the potential to break established approaches. “For many of BAE Systems’ customers, there’s an increased focus on more specialized computing platforms with respect to cybersecurity,” McNeill says. “IoT is becoming pervasive and impacts infrastructure used by the government. The DoD’s IoT devices rely on limited resources – CPU, memory, connectivity – and are often difficult to update. This requires a more surgical cybersecurity approach, so we’re encouraging them to augment existing practices with automation and analytics. We’re also working on cyber models to support this and to enable governance of IoT networks and devices.”
Security standards are still largely in the works for IoT devices, and they must be “followed as we already do within IT environments,” points out Stites. “Raytheon has analytics and visualization tools to create knowledge and better controls from the massive amounts of information generated by IoT data. Another technique we use is to remove software glitches from the open-source operating systems Linux and Android, to essentially create newer and more secure versions of those systems to use in all manner of devices.”
From Lockheed Martin’s perspective, IoT is “just another challenge in the cyberdefense world,” Booth says. “Using our Cyber Kill Chain methodology, IoT is treated as just another entry point or level of access.”