Abstract—Mission critical embedded systems should be capable of performing their intended functions with resiliency against cyberattacks. The methodology of design-for-cybersecurity is now widely recognized, in which the effects of cybersecurity, or lack thereof, on system objectives must be determined. However, developers are often challenged by the difficulty of analyzing a system-under-design without complete specifics. In this paper, we describe a systems design approach which incrementally models the cybersecurity architecture, components, and interfaces of an embedded system for analysis and demonstration. We have applied this approach to analyze the mission resiliency of an avionic computer being developed and to demonstrate its operations in a scenario in which the system is under attack.

Keywords—security; resiliency; metrics; embedded system; systems design; embedded processor; secure processor; separation kernel; key management; cryptography; modeling and simulation; rapid prototyping.

This work was sponsored by the Department of the Air Force under Air Force Contract No. FA8721-05-C-0002 and/or FA8702-15-D-0001. Any opinions, findings, conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of the Air Force. Approved for Public Release; Distribution Unlimited: 88ABW-2016-2047 20160421

I. INTRODUCTION

The defense against cyberattacks is inherently asymmetric. Despite the use of best practice to protect a system, an attacker can potentially defeat the entire security scheme by exploiting a single system vulnerability. A mission critical embedded system must thus be resilient against successful attacks. In this paper we describe the use of a cybersecurity oriented systems design approach in the development phase of mission critical embedded systems. We have been applying this approach in the early development phase of a cyber resilient avionic mission computer. The overall project goal is to develop, prototype, and demonstrate a reference cyber resilient architecture which is capable of detecting and isolating intrusions, restoring operations, and evolving to defuse future attacks.

We have adopted an incremental development process in this project, in which the system is designed, implemented, and tested by adding a few more features each time until the system is finished. Such a process is good for managing the risks in ambitious R&D (research and development) projects, but presents a challenge for the analysis and evaluation of cybersecurity. Cybersecurity depends not only on the choice of security primitives, but also on how they are assembled and coordinated. Therefore, performing cybersecurity analyses on a system-under-design with incomplete information, if not done properly, could be error-prone, misleading, and even counter-productive. We thus need to, in addition to subjecting the finished system to red-teaming assessment, incrementally analyze, articulate, and demonstrate the effectiveness of the cybersecurity architecture while the system is still being developed. The systems design approach described in this paper has been developed to fulfill this need.

This paper is organized as follows. Section II provides the definitions of security and resilience used in our project. Section III presents a baseline resilient architecture for the mission computer, currently in its early development phase, and overviews its design principles. The rest of the paper is dedicated to explaining a systems design approach created to analyze and evaluate, at mission level, the cybersecurity of this architecture. The use of modeling and simulation to articulate and demonstrate its cybersecurity operations in a realistic scenario is also described.

II. CYBERSECURITY: SECURITY AND RESILIENCY

Numerous publications have discussed topics relevant to cyber resiliency, for example the cyber resiliency engineering framework [1] and cyber resiliency metrics [2]. These two documents have cited a substantial collection of references and provided a wealth of foundational concepts and information for our work. Perhaps the research lineage of resiliency could even be traced back to fault tolerance, as attacks could be considered intentionally induced faults, which the system must be resilient against along with other faults (e.g., bugs, defects, etc.). However, there is an important difference between fault tolerance and cyber resiliency. Fault tolerance technologies generally assume faults are independent events. Cyberattacks, on the other hand, are likely to be coordinated. Cyber resiliency analysis thus requires the cautious use of the probability and statistics that are popular in fault tolerance research. For example, the use of conditional probability, such as Bayesian networks, has been proposed to mitigate this problem [3].

For the purpose of our research project, we use the term cybersecurity to cover both security and resiliency. Various definitions of security and resiliency exist. We define security as the capability of a system to be protected or safe from attacks. Security design thus aims at preventing attacks so that a system can be entrusted to perform in support of successful missions. We envision, in a highly simplified way,
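The distinction drawn in Section II between independent faults and coordinated attacks can be made concrete with a small probability model. The following Python example is added here and is not from the paper or from its reference [3]. The network structure (a single "campaign" cause feeding both a main and a backup unit) and every probability value in it are constructed assumptions. It computes the probability of losing both units in two ways: as the product of the two marginals, which is what an independent-fault analysis would report, and by exact enumeration over the network, which keeps the common cause.

```python
"""Independent-fault estimate vs. a common-cause (coordinated attack) model.

Added illustration; the network and all probabilities are assumptions.
Network: campaign -> main, campaign -> backup (main and backup share a CPT).
"""
from itertools import product

# Constructed illustrative parameters (assumptions, not measured data).
P_CAMPAIGN = 0.02                    # P(a coordinated campaign targets the platform)
P_UNIT = {True: 0.40, False: 0.002}  # P(unit compromised | campaign active?)

VARS = ("campaign", "main", "backup")


def joint(campaign, main, backup):
    """P(campaign, main, backup) for the network campaign -> main, campaign -> backup."""
    p_c = P_CAMPAIGN if campaign else 1.0 - P_CAMPAIGN
    p_m = P_UNIT[campaign] if main else 1.0 - P_UNIT[campaign]
    p_b = P_UNIT[campaign] if backup else 1.0 - P_UNIT[campaign]
    return p_c * p_m * p_b


def marginal(**evidence):
    """Exact inference by enumeration: sum the joint over all unfixed variables."""
    total = 0.0
    for values in product((False, True), repeat=len(VARS)):
        assignment = dict(zip(VARS, values))
        if all(assignment[name] == value for name, value in evidence.items()):
            total += joint(**assignment)
    return total


def both_lost_independent():
    """Fault-tolerance style estimate: product of the two marginals."""
    return marginal(main=True) * marginal(backup=True)


def both_lost_coordinated():
    """Estimate that keeps the common cause: the true joint probability."""
    return marginal(main=True, backup=True)


def backup_given_main():
    """P(backup compromised | main compromised)."""
    return marginal(main=True, backup=True) / marginal(main=True)


if __name__ == "__main__":
    print(f"P(main lost)               = {marginal(main=True):.5f}")
    print(f"P(both lost), independent  = {both_lost_independent():.3e}")
    print(f"P(both lost), common cause = {both_lost_coordinated():.3e}")
    print(f"underestimate factor       = {both_lost_coordinated() / both_lost_independent():.1f}")
    print(f"P(backup lost | main lost) = {backup_given_main():.3f}")
```

With these assumed numbers the marginal compromise probability of each unit is about 0.01, yet the chance of losing both is roughly 32 times what the independence assumption predicts, and P(backup lost | main lost) is about 0.32 rather than 0.01. This is why a main/backup pair, such as the main and resilient APM scheme discussed later on this page, cannot be analyzed as an independent spare: the resiliency case has to rest on the backup being exposed to a different attack surface, or on conditional estimates of the kind [3] proposes, not on multiplying marginals.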
Fig. 4. Mission objective: reaching multiple waypoints.

B. Attacks

Security designs count on accurate threat models, as it is impractical to target all possible attacks. In our systems design methodology, we create and apply threat models with respect to attack categories. Raising threat models to this higher level is necessary because we need to consider resiliency to failures caused by attack categories rather than by individual attacks. For example, we will consider resiliency in a scenario in which communication is lost, which could be the result of many causes, including unpredictable ones.

Threat models are determined by mission objectives and CONOPS. Attacks could be directed at either the drone or the GCS and may come from many known and unknown channels, such as data links, insider threats, etc. In this simple example, we assume that attacks will be directed at the drone from a malicious controller, which injects malicious commands into the drone Auto Pilot Module (APM) and steers it away from its intended waypoints.

The systems design approach uses the information assurance (IA) CIA triad (confidentiality, integrity, and availability) to guide the thought process for resiliency requirements. In our example, the confidentiality requirement is violated if waypoint information is accessed by the attacker. The integrity requirement is violated if waypoint information is modified in any way. The availability requirement is violated if positive flight control cannot be maintained to reach the waypoints.

Table 1 shows a few example attack categories derived by considering the CIA triad and its effects. Each of the attack categories should be interpreted broadly and liberally. For example, in addition to literally modifying flight control, for instance by issuing fake commands (e.g., the land command), similar effects could also be achieved by GPS spoofing. In the case of mission plan exfiltration, even though a simple model may consider it a mere confidentiality violation, we treat it as a potential violation of availability and integrity as well: targets with this intelligence could prepare to hide, or take actions that would confuse the UAV or cause it to deliver incorrect information. The attack categories derived from this

Table 1. Example attack categories, their mission effects, and the CIA properties they violate.

  Attack category            Effects                                        CIA violations
  Modify mission control     Fly drone to a different site; miss            Availability and integrity
                             waypoints; steal or destroy UAV
  Disrupt command and        Make drone unavailable; delay reaching         Availability
  control                    waypoints
  Exfiltrate mission plans   Warn targets to move or take actions;          Confidentiality; potentially also
                             reduce waypoint significance                   availability and integrity

C. System Operations

In this example, we consider a highly simplified resiliency scheme in which the system is equipped with both a main APM and a resilient APM as a backup. The system operates as follows. The radio receiver receives C2 from the pilot and/or the GCS. During normal operations, the main APM interprets flight instructions to control the drone motors. In the event that the main APM has been compromised by a successful attack, it begins to issue malicious flight instructions. The monitoring service detects the attack and directs the resilient APM to take over propeller control. The recovering service then directs the main APM to reload (its code) and restart. When the main APM acknowledges that it has successfully rebooted, the recovering service directs the main APM to retake control of the motors.

The details of monitoring (e.g., how attacks are detected) and recovering (e.g., how continuity is maintained while control is being switched) will be included for analysis incrementally as they are developed. The resiliency modeling and simulation in the next section considers two parameters. The first is the time latency of attack detection and the second is the time required for reload and restart. The importance of these high level parameters does not change with the specifics of monitoring and recovering.

D. Modeling and Simulation

We use modeling and simulation as a tool for analysis. Fig. 5 shows a Simulink [14] model of the resilient architecture, which includes an attack module. In simulation, at random times determined by a user-selectable attack probability model, the attack module generates and sends malicious flight instructions to the drone mission computer.
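The fail-over sequence of subsection C and the two parameters singled out in D (attack detection latency and reload/restart time) can be exercised with a small discrete-time simulation. The Python example below is an added illustration, not the paper's Simulink model. The one-dimensional mission, the waypoint positions, unit flight speed, the rule that an undetected compromised main APM flies the drone away from its waypoints at the same speed, and the two attack models (a per-tick injection probability, plus scripted injection times for repeatable runs) are all constructed assumptions; attacks against the resilient APM itself are not modelled.

```python
"""Discrete-time simulation of the main/backup APM fail-over scheme.

Added illustration; mission geometry and attack models are assumptions.
"""
import random

WAYPOINTS = [10.0, 25.0, 40.0]   # constructed 1-D waypoint positions; drone starts at x = 0
SPEED = 1.0                      # distance flown per tick
NORMAL, COMPROMISED, RESTARTING = "normal", "compromised", "restarting"


def run_scenario(latency, restart, p_attack=0.0, seed=0, attack_ticks=(), max_ticks=2000):
    """Fly the mission once and return resiliency metrics.

    latency      -- ticks from compromise until the monitoring service hands
                    the motors to the resilient APM (at least 1)
    restart      -- ticks the main APM needs to reload its code and reboot
    p_attack     -- per-tick probability that the attack module injects
                    malicious flight instructions (random attack model)
    attack_ticks -- scripted injection times, applied in addition to p_attack
    """
    rng = random.Random(seed)
    x, next_wp = 0.0, 0                 # drone position, index of next waypoint
    main_state, timer = NORMAL, 0
    attacks = malicious_ticks = 0
    mission_ticks = None

    for tick in range(max_ticks):
        injected = tick in attack_ticks or rng.random() < p_attack
        # Only a healthy main APM can be newly compromised; an injection that
        # arrives while the backup is flying is absorbed by the scheme.
        if injected and main_state == NORMAL:
            main_state, timer = COMPROMISED, latency
            attacks += 1

        if main_state == COMPROMISED:
            # Undetected compromise: the main APM steers away from the waypoints.
            x -= SPEED
            malicious_ticks += 1
            timer -= 1
            if timer <= 0:
                # Monitor detects the attack: the backup takes the motors and
                # the recovering service reloads/restarts the main APM.
                main_state, timer = RESTARTING, restart
            continue

        if main_state == RESTARTING:
            timer -= 1
            if timer <= 0:
                main_state = NORMAL     # reboot acknowledged; main retakes control

        # Benign control (backup during restart, main otherwise): fly toward
        # the next waypoint at unit speed.
        target = WAYPOINTS[next_wp]
        x += min(SPEED, abs(target - x)) * (1 if target >= x else -1)
        if abs(target - x) < 1e-9:
            next_wp += 1
            if next_wp == len(WAYPOINTS):
                mission_ticks = tick + 1
                break

    return {"waypoints_reached": next_wp, "mission_ticks": mission_ticks,
            "attacks": attacks, "malicious_ticks": malicious_ticks}


def latency_sweep(latencies, restart=20, p_attack=0.02, seed=1):
    """Mission completion time as a function of detection latency alone."""
    return {lat: run_scenario(lat, restart, p_attack, seed)["mission_ticks"]
            for lat in latencies}


if __name__ == "__main__":
    print("scripted attacks at ticks 12 and 45:", run_scenario(5, 20, attack_ticks={12, 45}))
    print("detection latency sweep:", latency_sweep([1, 5, 20, 50]))
    print("persistent attacker, latency > restart:", run_scenario(25, 20, p_attack=1.0))
```

Two properties of the scheme fall out directly. Every malicious tick costs one unit of progress that a later benign tick must win back, so a completed mission takes 40 + 2 × latency × attacks ticks: with sparse attacks the mission delay is governed by detection latency, and restart time only decides how long the backup flies. Restart time becomes decisive against a persistent attacker (p_attack = 1.0): each compromise cycle nets restart minus latency units of progress, so as soon as detection latency exceeds the restart time the drone never reaches its first waypoint. That is the sense in which the paper's two parameters matter independently of how monitoring and recovering are eventually implemented.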