How Secure are DoD Weapon Systems?
DoD Weapon Systems are choc-full of digital components. They are more networked and software dependent than ever before, but generally these systems were never designed with cybersecurity in mind. Many current weapon systems had no high-level cybersecurity requirements when they began. In recent operational testing, the DoD routinely found mission-critical cyber vulnerabilities. Disconcertingly simple tools and techniques were often enough for penetration testers to take control of weapon systems. Fortunately, the DoD is beginning to take weapon system cybersecurity seriously, but we have a long way to go as a cybersecurity community in developing solutions to address this dangerous new threat frontier.
What is a weapon system?
DoD defines weapon systems as defense acquisition programs within aircraft, maritime vessels, ground combat vehicles, communications equipment, and artillery. In the past, cybersecurity wasn’t an important acquisition consideration and many current weapon systems had no high-level cybersecurity requirements when they began.
Weapon Systems are unique, but they face common vulnerabilities.
Examples of functions enabled by software—and potentially susceptible to compromise—include powering a system on and off, targeting a missile, maintaining a pilot’s oxygen levels, and flying aircraft. An attacker could potentially manipulate data in these systems, prevent components or systems from operating, or cause them to function in undesirable ways.
This is not just theoretical - adversaries have already been in our networks (Solarwinds Attack) and compromised our systems (Florida Water treatment attack). There are examples of persistent threats that have existed on DoD networks as well and the U.S Government Accountability Office (GAO) has been sounding the alarm since the early 1990s.
Risk Factors Include:
- Operators see unexplained crashes as “normal for the system.”
- Existing intrusion detection systems are wrought with false positives
- Contractors are not following up on critical vulnerabilities and program offices are not confirming
- Penetration tests occur over a few days typically and only report the “low hanging fruit” when it’s necessary to have a much more comprehensive approach.
What is being done to strengthen weapon system cybersecurity?
Responsibility for cybersecurity is spread across many stakeholders:
- Authorizing officials oversee program adherence to security controls
- OUSD Research and Engineering advises independent technical risk assessments
- Military test organizations conduct cyber assessments, DOT&E oversees
NDAA 2021 Section 1712:
Section 1712 establishes requirements for each major weapon system to be assessed for cyber vulnerabilities and to identify priority critical infrastructures by broad weapon system mission areas. This section also creates a Strategic Cybersecurity Program to improve systems, critical infrastructure, kill chains, and processes related to nuclear deterrence and strike, certain long‐range conventional strike missions, offensive cyber operations, and homeland missile defense.
There are also numerous policies and guidance updates to improve cybersecurity:
- DoD Cyber Strategy
- Cybersecurity Test and Evaluation Guidebook
- Operation of the Defense Acquisition System - Cybersecurity Enclosure
What challenges does the DoD face?
- Retaining top cybersecurity talent in uniform
- Barriers to information sharing
- limited insight into connected systems (classification)
- problems obtaining attack details
- cross-program information
- system operators without clearances
- Inability to store/obtain classified information abroad
How Shift5 comes into play
Collectively, Shift5 has spent decades living and breathing heavy vehicle data. Our founders were among the first members of the US Army Cyber Command where they were charged with keeping heavy ground vehicles and military aircraft safe from cyber attacks.
We build advanced technology to address the following cybersecurity challenges:
- Toolkits must expand to protect assets. We enable incident response and forensic analysis on OT platforms to defend them from cyberattack.
- Retrofitting Operational Technology is costly. We provide cost effective cyber solutions for military OT platforms that meet Joint requirements for cyber resiliency.
- Personnel require cyber training and field experience. We enable crews, maintainers, commanders, and incident responders to meet the challenge with minimal training.