Biblio

In a previous article [1] we proposed a layered framework to support the assessment of the security risks associated with the use of autonomous vehicles in military operations and determine how to manage these risks appropriately. We established consistent terminology and defined the problem space, while exploring the first layer of the framework, namely risks from the mission assurance perspective. In this paper, we develop the second layer of the framework. This layer focuses on the risk assessment of the vehicles themselves and on producing a highlevel security design adequate for the mission defined in the first layer. To support this process, we also define a reference model for autonomous vehicles to use as a common basis for the assessment of risks and the design of the security controls.

A critical need exists for collaboration and action by government, industry, and academia to address cyber weaknesses or vulnerabilities inherent to embedded or cyber physical systems (CPS). These vulnerabilities are introduced as we leverage technologies, methods, products, and services from the global supply chain throughout a system's lifecycle. As adversaries are exploiting these weaknesses as access points for malicious purposes, solutions for system security and resilience become a priority call for action. The SAE G-32 Cyber Physical Systems Security Committee has been convened to address this complex challenge. The SAE G-32 will take a holistic systems engineering approach to integrate system security considerations to develop a Cyber Physical System Security Framework. This framework is intended to bring together multiple industries and develop a method and common language which will enable us to more effectively, efficiently, and consistently communicate a risk, cost, and performance trade space. The standard will allow System Integrators to make decisions utilizing a common framework and language to develop affordable, trustworthy, resilient, and secure systems.

In view of the demand for the continuous guarantee capability of the information system in the diversified task and the complex cyber threat environment, a dual loop architecture of the resilient cloud environment for mission assurance is proposed. Firstly, general technical architecture of cloud environment is briefly introduced. Drawing on the idea of software definition, a resilient dual loop architecture based on "perception analysis planning adjustment" is constructed. Then, the core mission assurance system deployment mechanism is designed using the idea of distributed control. Finally, the core mission assurance system is designed in detail, which is consisted of six functional modules, including mission and environment awareness network, intelligent anomaly analysis and prediction, mission and resource situation generation, mission and resource planning, adaptive optimization and adjustment. The design of the dual loop architecture of the resilient cloud environment for mission assurance will further enhance the fast adaptability of the information system in the complex cyber physical environment.

Cyber-physical systems are an integral component of weapons, sensors and autonomous vehicles, as well as cyber assets directly supporting tactical forces. Mission resilience of tactical networks affects command and control, which is important for successful military operations. Traditional engineering methods for mission assurance will not scale during battlefield operations. Commanders need useful mission resilience metrics to help them evaluate the ability of cyber assets to recover from incidents to fulfill mission essential functions. We develop 6 cyber resilience metrics for tactical network architectures. We also illuminate how psychometric modeling is necessary for future research to identify resilience metrics that are both applicable to the dynamic mission state and meaningful to commanders and planners.

Network attacks continue to pose threats to missions in cyber space. To prevent critical missions from getting impacted or minimize the possibility of mission impact, active cyber defense is very important. Mission impact graph is a graphical model that enables mission impact assessment and shows how missions can be possibly impacted by cyber attacks. Although the mission impact graph provides valuable information, it is still very difficult for human analysts to comprehend due to its size and complexity. Especially when given limited resources, human analysts cannot easily decide which security measures to take first with respect to mission assurance. Therefore, this paper proposes to apply a ranking algorithm towards the mission impact graph so that the huge amount of information can be prioritized. The actionable conditions that can be managed by security admins are ranked with numeric values. The rank enables efficient utilization of limited resources and provides guidance for taking security countermeasures.

Cyberspace is ubiquitous and is becoming increasingly critical to many societal, commercial, military, and national functions as it emerges as an operational space in its own right. Within this context, decision makers must achieve mission continuity when operating in cyberspace. One aspect of any comprehensive security program is the use of penetration testing; the use of scanning, enumeration and offensive techniques not unlike those used by a potential adversary. Effective penetration testing provides security insight into the network as a system in its entirety. Often though, this systemic view is lost in reporting outcomes, instead becoming a list of vulnerable or exploitable systems that are individually evaluated for remediation priority. This paper introduces Trogdor; a mission-centric automated cyber red-teaming system. Trogdor undertakes model based Automated Cyber Red Teaming (ACRT) and critical node analysis to visually present the impact of vulnerable resources to cyber dependent missions. Specifically, this work discusses the purpose of Trogdor, outlines its architecture, design choices and the technologies it employs. This paper describes an application of Trogdor to an enterprise network scenario; specifically, how Trogdor provides an understanding of potential mission impacts arising from cyber vulnerabilities and mission or business-centric decision support in selecting possible strategies to mitigate those impacts.

For decades, embedded systems, ranging from intelligence, surveillance, and reconnaissance (ISR) sensors to electronic warfare and electronic signal intelligence systems, have been an integral part of U.S. Department of Defense (DoD) mission systems. These embedded systems are increasingly the targets of deliberate and sophisticated attacks. Developers thus need to focus equally on functionality and security in both hardware and software development. For critical missions, these systems must be entrusted to perform their intended functions, prevent attacks, and even operate with resilience under attacks. The processor in a critical system must thus provide not only a root of trust, but also a foundation to monitor mission functions, detect anomalies, and perform recovery. We have developed a Lincoln Asymmetric Multicore Processing (LAMP) architecture, which mitigates adversarial cyber effects with separation and cryptography and provides a foundation to build a resilient embedded system. We will describe a design environment that we have created to enable the co-design of functionality and security for mission assurance.

The Air Force is shifting its cybersecurity paradigm from an information technology (IT)-centric toward a mission oriented approach. Instead of focusing on how to defend its IT infrastructure, it seeks to provide mission assurance by defending mission relevant cyber terrain enabling mission execution in a contested environment. In order to actively defend a mission in cyberspace, efforts must be taken to understand and document that mission's dependence on cyberspace and cyber assets. This is known as cyber terrain mission mapping. This paper seeks to define mission mapping and overview methodologies. We also analyze current tools seeking to provide cyber situational awareness through mission mapping or cyber dependency impact analysis and identify existing shortfalls.

Cyber-Physical Systems (CPS) such as Unmanned Aerial Systems (UAS) sense and actuate their environment in pursuit of a mission. The attack surface of these remotely located, sensing and communicating devices is both large, and exposed to adversarial actors, making mission assurance a challenging problem. While best-practice security policies should be followed, they are rarely enough to guarantee mission success as not all components in the system may be trusted and the properties of the environment (e.g., the RF environment) may be under the control of the attacker. CPS must thus be built with a high degree of resilience to mitigate threats that security cannot alleviate. In this paper, we describe the Agile and Resilient Embedded Systems (ARES) methodology and metric set. The ARES methodology pursues cyber security and resilience (CSR) as high level system properties to be developed in the context of the mission. An analytic process guides system developers in defining mission objectives, examining principal issues, applying CSR technologies, and understanding their interactions.

Mission assurance requires effective, near-real time defensive cyber operations to appropriately respond to cyber attacks, without having a significant impact on operations. The ability to rapidly compute, prioritize and execute network-based courses of action (CoAs) relies on accurate situational awareness and mission-context information. Although diverse solutions exist for automatically collecting and analysing infrastructure data, few deliver automated analysis and implementation of network-based CoAs in the context of the ongoing mission. In addition, such processes can be operatorintensive and available tools tend to be specific to a set of common data sources and network responses. To address these issues, Defence Research and Development Canada (DRDC) is leading the development of the Automated Computer Network Defence (ARMOUR) technology demonstrator and cyber defence science and technology (S&T) platform. ARMOUR integrates new and existing off-the-shelf capabilities to provide enhanced decision support and to automate many of the tasks currently executed manually by network operators. This paper describes the cyber defence integration framework, situational awareness, and automated mission-oriented decision support that ARMOUR provides.

We introduce Active Dependency Mapping (ADM), a method for establishing dependency relations among a set of interdependent services. The approach is to artificially degrade network performance to infer which assets on the network support a particular process. Artificial degradation of the network environment could be transparent to users; run continuously it could identify dependencies that are rare or occur only at certain timescales. A useful byproduct of this dependency analysis is a quantitative assessment of the resilience and robustness of the system. This technique is intriguing for hardening both enterprise networks and cyber physical systems. We present a proof-of-concept experiment executed on a real-world set of interrelated software services. We assess the efficacy of the approach, discuss current limitations, and suggest options for future development of ADM.