Addressing Cyber Defense for Vehicles and Weapon Systems: Is Your Onboard Operational Technology at Risk?

By Todd Sabala, COL, U.S. Army, Shift5 Fellow

COL Sabala has had the opportunity to work in Defensive Cyber Operations for all Army networks, and lead the Army’s cyber assessments of weapon systems and defense critical infrastructure. His background, including light infantry and strategic network management, provides understanding of comprehensive cyber solutions and perspective on the intersection of IT and OT systems.

Shortly after aid started flowing to Ukraine, reporting emerged around claims by Russia that they had the ability to cyber compromise those weapon systems provided by the United States. This indicates that our adversaries are actively considering leveraging non-kinetic means to affect the outcome of conflict. In 2018, the U.S. Government Accountability Office published a report stating that the DoD is “just beginning to grapple with the scale of vulnerabilities” in our weapon systems (GAO 19-128). Given the continued focus by industry, policymakers, and decision makers, what can be done to address this problem and reduce cyber risk?

To start, we must understand the uniqueness of the problem: Onboard operational technology (OT) networks, such as those that power military vehicle and weapon systems, falls into a category that is distinct from IT networks, and even distinct from more traditionally-known critical infrastructure OT networks, such as those that power manufacturing environments.

What is Onboard Operation Technology?

Vehicles have employed digital networks since the F-16 and M-1 Abrams were designed in the mid-1970s. These vehicles are powered by serial data networks that communicate using specific protocols, such as MIL-STD 1553 or ARINC429. The data that flows through these networks is essential for nearly any function of vehicle operation.

Cyberattacks were not even a threat when many of these systems were first delivered, but cyber risk has undoubtedly increased over the last several years, as the 2018 GAO report indicates. US Cyber Command is comfortable enough with the idea of weapon system cyber-attacks to solicit for industry ideas on their unclassified website. Most organizations are aware of the cybersecurity risks associated with traditional IT, and therefore spend millions of dollars annually on tools to protect their servers, laptops, and networks from malware and bad actors. But most onboard OT networks continue to operate, frequently without cybersecurity modernization.

Some responsible leaders believe that the systems are disconnected (aka “airgapped”), or somehow secure by their unique nature. But “security by obscurity” is a bankrupt concept (particularly when applied against nation-state adversaries): Vehicle designs and schematics are available to anyone who is resourceful. The Russian MIG-35 uses the same MIL-STD 1553 data bus technology used across US systems, from satellites to ground combat systems, and into civilian industries. The obscurity of systems is reduced with wartime loss and overseas sales: For example, the Iraqi government received nearly 150 Abrams tanks from the US.

The addition of GPS enabled systems, communications, and active protection systems – all leveraging the efficiency of a single internal data bus – also increases cyber risk as the IT and OT systems converge. Given the rising threats and greater exposure as we add new digital capabilities to legacy systems, cyber defense for vehicles is something we should address.

The array of risks is diverse – supply chain poisoning, malicious firmware updates, physical access, malicious insiders, electronic-warfare-generated effects, among others – all present threat vectors. Taken individually, the vectors could consume significant resources to address. But there is little need to mitigate the threat vectors individually when a single defense at the choke point – the vehicle platform itself – can mitigate risk for almost all cyber effects. Therefore, an effective defense on the platform data bus can address multiple threat vectors.

Why IT Security Solutions Do Not Always Apply

Onboard OT systems are real-time, redundant, and often safety critical systems. They are also constrained by Size, Weight, and Power (SWaP) considerations, and the real-time nature of the system places limits on cyber solutions. For example, Intrusion Prevention Systems for IT networks have relatively generous windows of time – sometimes up to a second or two – to review inputs before concluding analysis and adjudicating on network traffic.

But when a pilot receives an inbound missile warning, the next actions should be put into effect as soon as possible. A few seconds – or even a few milliseconds – of delay is not tolerable. Therefore, the traditional concept of a firewall or IPS would not work for such an application onboard a vehicle.

Instead, a material solution for multiple threat vectors could be monitoring and recording all traffic on the bus. In addition to providing visibility into traffic on the operating data bus, this also allows the identification and crew notification of anomalous activity on the data bus. Once such an alert is thrown, remediation – such as re-imaging an offending device on the data bus – could return the overall system to a known-good status.

Deployment of such a solution would drive down incentives for adversary cyber attacks into weapon systems. It would also supply mitigation for supply chain attacks that generate digital effects on the platform, thereby easing the supply chain defense task.

How to Use Best Practices of IT SOCs and Incident Response

A capability like the one outlined above would make platforms defendable. Additional capabilities are needed to make the platform defended. Here is where traditional IT capabilities can be applied: In the same way that obstacles on the battlefield are only effective if observed, cybersecurity is only effective if the data captured is transitioned to knowledge and spurs action.

To achieve “defended” status, the data bus traffic needs to be reviewed, anomalies identified, analysis completed, changes proposed, and actions taken. Ideally, organizations with critical OT networks would routinely rehearse, improve and refine their capabilities and OT incident response plan, similarly to their IT Cybersecurity operations.

Rehearsals move plans from “paper deep” to actual capabilities that can be relied on to respond to attacks. Without these “non-material” components of defense, the defense becomes an after-action mitigation support measure. That is not worthless, but early identification of potentially fatal cyber attacks is a good thing and should be the goal of every organization operating life- and mission-critical OT systems.

Conclusion

The time for belief in “security by obscurity” or “airgapping” has passed. The ability to see everything happening on the data bus, to identify, and to respond to aberrations is essential in order to address increasing cyber risk in legacy platforms.

This cyber risk is acknowledged in the DoD, and the same risk is present in the commercial industry. Almost 20 years ago the U.S. Army drove unarmored vehicles into Iraq and faced an enemy armed with IEDs. Similarly, today’s legacy vehicles are going into the fight, in a cyber-contested environment, without defensive measures.

Cyber risk mitigation requires many actions, but the first action necessary is leadership. Let’s provide that leadership. Leadership is the only element that can identify upcoming issues and prepare to overcome identified issues.  A comprehensive solution, from internal weapon system capabilities to identified roles, responders, and reporting for weapon system cyber incident response can build a comprehensive cyber defense for weapon systems. To do less places our mission and our Soldiers at risk. 

For more information about Shift5’s technology and operational intelligence for weapon systems, visit Shift5 for Defense. Follow Shift5 on Twitter and LinkedIn, and sign up for our newsletter for the latest in Shift5 news.