Enable breadcrumbs token at /includes/pageheader.html.twig

Comprehensive Check Prevents Failure Fallout

Complex systems of systems require multistep security review.

Sgt.1st Class Joshua Shirey, USA, maintenance instructor for the Army’s new Joint Light Tactical Vehicle, teaches a class about suspension to 33 soldiers enrolled in the first-ever iteration of the course at Fort McCoy, Wisconsin. The 96-hour Field-Level Maintenance New Equipment Training course involves classroom and hands-on training for soldiers and contractors. Credit: Staff Sgt. Brigitte Morgan, USAR

A Joint Light Tactical Vehicle engages its independent suspension to a level stop over uneven terrain. Credit: Sgt. Manuel Quiros, USAR

The human systems simulation laboratory at the Idaho National Laboratory is a complete virtual nuclear control room created to safely test new technologies before they are implemented in real commercial reactor control rooms. This type of complete testing is necessary to ensure elements within a system do not compromise the entire platform.

Leaders in multiple military organizations need increased awareness of the dangers that arise from the systems used daily in training, deployment and garrison environments. The attacks these settings face are becoming more advanced and more specific as cyber attackers’ capabilities continue to improve. To mitigate the potential risk to military systems, the networks’ individual components must be identified and understood particularly at a time when component parts are manufactured outside the United States.

The Joint Light Tactical Vehicle (JLTV), manufactured by Oshkosh Defense, is an example of the importance of conducting a comprehensive systems security assessment. While a single vehicle, the JLTV’s main systems not only include individual components manufactured throughout the world, but the systems also are linked. Consequently, a defect in one component could affect an entire communications, weapons or instrument system. A process to check the security of the vehicle across the board is required to ensure mission success regardless of the trustworthiness of the manufacturer that built it.

To address this issue, the Idaho National Laboratory (INL) utilizes the consequence-driven, cyber-informed engineering (CCE) methodology to focus on the cybersecurity of its critical infrastructure. In his Harvard Business Review article “Internet Insecurity,” Andy Bochman, senior cyber and energy security strategist, INL, defines the steps organizations can take to understand both their systems and the potential risks.

In particular, this approach alerts leaders to the risks and vulnerabilities they may not have been aware of because they did not entirely understand how their organization’s systems of systems work. Although his article focuses on using the methodology for critical infrastructure, Bochman’s steps can be used for systems throughout the military.

Using the CCE approach, an organization first identifies scenarios that would lead to critical failures within a system that deem it non-mission capable from a garrison or deployable environment perspective. When done correctly, this assessment can be time-consuming because multiple scenarios generate multiple vulnerabilities, but it is crucial to ensuring networks are secure from a variety of attack types.

Ascertaining all the digital systems within the larger system is the second step in the CCE process. This involves breaking down what hardware, processes and supply chains comprise the system and reviewing the staff members who work on and with the multilayered system to gain an in-depth understanding of its digital footprint.

Once this step is complete, the organization must determine the likely avenues an attacker would take to reach the critical components within the technical system. As Bochman says, leaders must identify and discuss these attack paths to rank the most critical paths into the networks. The level of risk for each path is then quantified based on factors the organization’s leadership identifies when calculating the risk.

The final step in the CCE methodology is to determine how to mitigate these risks by increasing protection to the systems. Some alternatives are to add firmware at a critical component level where multiple systems are linked or to boost the number of personnel monitoring a key mechanical component.

To be effective, the CCE method calls for expertise from more than cyber engineers or higher leadership within an organization. Instead, it requires skills from multiple fields such as electrical and mechanical engineering to take full advantage of the CCE approach. For example, although a cyber engineer understands the coding and logic that runs the system, the electrical engineer is familiar with wire diagrams and the links that allow systems to communicate with each other.

In addition to providing a deeper understanding of an organization’s systems, collaboration among a broad array of experts enables the method to be more effective. Each field can identify vulnerabilities or risk scenarios from its perspective, which can reveal critical issues. Multiple disciplines also help with the integration of risk mitigation because crucial processes within a system may need more than one type of expert to correct an issue.

Having multiple personnel work side by side through the CCE process also enables faster dissemination of information as the process develops. As a result, collaboration when examining a single system ensures that all possibilities are questioned at every step, so security is always considered.

For example, field-grade and flag officers need to understand how easily an entire fleet of vehicles could be deemed inoperable because of cybersecurity concerns. Noncommissioned officers must be aware of how an insider could gain access to and change systems. System defense depends on all personnel understanding how maintenance is conducted so all team members know what to look for when systems go down or are attacked.

This depth of understanding also is needed at all levels of leadership. Checks and balances must be in place to ensure the importance of keeping system security up to date and ensuring new personnel understand it. In addition, the financial implications of changes that systems require to ensure security may entail authorization from leadership.

This close relationship between leadership and staff also ensures full comprehension during emergencies. For example, if flag officers receive reports of problems within systems but don’t understand how they occurred, issue mitigation can be delayed. In the future, risk mitigation must be included within the protocols and procedures, which is the leadership’s responsibility.

The CCE method is still relatively new, and the need to incorporate it in-depth across multiple types of organizations is growing. A few military organizations have begun applying the method; however, a deeper understanding of the impact individual systems have within the systems of systems is needed at all leadership levels.

Understanding this process is a proactive cybersecurity approach that is more effective than patching or changing the system after it has been manufactured or already is in use.

Emphasis on the security of systems the military relies on to complete its missions today should at least equal the emphasis the military placed on physical safety measures in the past. The CCE method aligns with the threats the services face from an operational perspective. If it can be integrated from the lowest to the highest ranks, the approach could bring a greater understanding of both U.S. and adversarial capabilities and limitations now and into the future.

Dalton Burk is a cadet at the United States Military Academy at West Point. He is a computer science major who has held internships through both Idaho National Laboratory in Idaho Falls, Idaho, and Johns Hopkins Applied Physics Laboratory in Laurel, Maryland. Cadet Burk served as a geospatial engineer in the enlisted Army.