Cybersecurity Must Become a Broader, Strategic Process to Protect Industrial and Military Targets

Article by AL.com, April 2021. Cybersecurity may mean something very different to the average person. It is often thought of as a barrier between your computer or account and outsiders in cyberspace—think antivirus software, a financial account login with optional two-factor authentication, and encrypted backup files for peace of mind. Unfortunately, this purely static, castle-with-drawbridge conception is shared by many businesses, industries, and even agencies. The more serious the assets involved, the more dire the consequences of protecting only the obvious entry points:

  1. The Equifax data breach of 2017 occurred when a customer complaint page gave hackers access to other systems that included personal information from up to 40% of the US population. Four members of the Chinese military were formally charged with the hacking in 2020.
  2. In February 2021, a water treatment facility in a suburb of Tampa was left vulnerable to a hacker who was able to increase the amount of a poisonous chemical by 10 times.
  3. Just weeks ago, in March 2021, the Israeli secret service, Mossad, may have been responsible for shutting down the power to an Iranian uranium enrichment facility in a strategic cyber attack, setting the program back by nine months.

Technological advances often expand the threat surface—the set of points at which a system can be attacked. Cyber is far more pervasive than anyone outside the business can fully appreciate. We turned to some of Huntsville’s veteran aerospace and defense systems cybersecurity experts from Intuitive Research and Technology Corporation (INTUITIVE) to understand the true scope of cybersecurity.

Today’s Cyber is Multi-Domain

Cyber attacks entail much more than a few thousand dollars lost because you gave away a login, and more still than paying a ransom to resume business operations. They can get physical. In 2015, Wired magazine demonstrated that a Jeep Cherokee could be hacked: through a small internet-connected computer in the entertainment system, the hackers were able to disable the brakes and shut the car off while it was on a freeway. Any system that is connected wirelessly, even to private networks, is vulnerable to some degree. For instance, the near production-ready F-35 fighter jet has over 20 million lines of code and is tied to two private military networks; one of its biggest strengths is its connectivity to intelligence sources during missions.

“Cybersecurity is relevant across the entire digital fabric, comprising digital threads that start at all of our edge devices and travel through the internet, cellular networks, clouds, firewalls, hardware networks, software systems, routers, servers…and all the way back,” said INTUITIVE program manager Lane Odom. “When we say cybersecurity should be ‘all-domain,’ we mean that almost all critical infrastructure and businesses’ physical assets extend through multiple threads.” Odom noted that the cyber realm is so expansive that new custom software, automated tools, big data insights, and artificial intelligence are needed to keep up.

The DoD is highly concerned about a less obvious aspect of its cyber footprint—the supply chain. Around 300,000 private contractors make up the defense industrial base. In January 2020, the DoD released the Cybersecurity Maturity Model Certification (CMMC). A contractor’s CMMC level is assessed by third-party certification and governs which contracts it can bid on. The push is to make sure all contractors and subcontractors take responsibility for new and evolving cyber threats.

CMMC doesn’t mean that all companies need to be cybersecurity experts with their own teams of software and network engineers, AI experts, and systems analysts. It does mean that the expertise will be sought and taken seriously. “Cyber risks are best mitigated with an organizational culture and discipline that takes it seriously—passing an audit is not enough,” said Odom.

Companies such as INTUITIVE are often involved in a more abstract, cutting-edge application of cybersecurity than most, analyzing and securing complex defense systems for “Authority to Operate.”

Active Defense Strategy

The average time between a cybersecurity breach and detection is well over 200 days. Hackers will often not do anything to alarm security analysts, content to collect data for years. Shoring up cyber defense resources around past attacks is reactive, and a serious attack counts on some sort of novelty for success. INTUITIVE advises its customers that an active defense strategy must be built on the latest threat intelligence and integrated into the entire system lifecycle. This approach requires the adoption of a security-minded culture that goes beyond the adoption of the latest technology solution.

“Our approach to security threats is built around the collection and operationalization of the latest in closed and open-source intelligence. We combine that intel with an ‘Adversarial Mindset’ where we think and act like an attacker to defend and mitigate a determined and resourced adversary,” said INTUITIVE Senior Program Advisor, Chuck Speaks.

Knowledge Networks

“The cyber community has made good progress in broadly sharing information on vulnerabilities, threats, and mitigation techniques, and this approach, coupled with cloud software, can be sufficient for systems that are widely proliferated and common in their configurations, such as your typical computing systems,” said Odom. He noted that more unique systems must build their defense from the ground up. They rely more on testing and Red Team assessments.

Testing

Odom said that testing starts with defining the system’s exposure, also known as the “attack surface,” and relating that to the relevant threats in the environment. The teams involved are first the internal staff and engineers, then external teams with fresh eyes. “Simulated threats should follow a model of behavior that is based on an intelligence assessment of the most likely adversary actions, and the most critical adversary actions,” he said. AI and machine learning can play a role in simulating different versions of attacks.

But often real experts will be included to improvise attacks. “These ‘Red Teams’ attack unique systems with any number of methods that go beyond the typical phishing scenario, potentially even taking advantage of physical access, and/or sabotaging the logistics network,” explained Odom. The Red Team involvement will need to be ongoing to be most effective.

Because attack surfaces are always changing and new knowledge is being generated, testing itself is an ongoing process. “This is one of the key reasons that INTUITIVE is helping our customers to implement agile software development and continuous integration/continuous delivery (CI/CD) software pipelines,” said Speaks. “The military has emphasized an ability to ‘defend forward’ to any part of the world where cyber threats are located. And because cyber capabilities are much easier for traditionally non-peer adversaries to deploy against the US, we expect intelligence, threat detection, and a ‘defend forward’ approach will become much more important in the coming years.”

Lifecycle Vigilance

The nature of innovation is that new systems overlap with legacy systems. Older systems are not always actively patched, and their attack surfaces are forgotten. The recent hack of a Florida water treatment plant’s operational technology is a stark reminder that bolting the door is irrelevant if a window is cracked—or in this case, probably a Windows 7 OS. The only thing that stopped thousands from being poisoned was a watchful supervisor who noticed lye levels skyrocket. The likely single entry point was a weak password for the TeamViewer desktop-sharing software.

According to Speaks, “Perhaps the most critical security risks come from legacy systems that have unsupported or unpatched system and software components. These components are critical to the operations of the overall system yet often have known vulnerabilities which need to be mitigated throughout the entire system lifecycle.”

INTUITIVE has a long history of supporting the security of legacy enterprise and weapon systems such as those from PEO Aviation, Missiles and Space, and the Missile Defense Agency. Innovation inevitably leaves outdated systems behind, so the work of revisiting legacy systems will only become more important.

Complex Solutions

Operating under the above precepts means implementing a strategy, and not just leaning on tools. The solutions must be complex and include an agile team. Speaks summarized, “State-sponsored bad actors use state-of-the-art programming, computer and software engineering knowledge, and advanced mathematics and cryptography. They present multi-dimensional threat vectors and elaborate attack plans to thwart our nation’s and industry’s cyber defense systems. Modern cyber defense systems, accordingly, require increasingly sophisticated algorithms to monitor, track, analyze, correlate, evaluate, and take action against these types of threats.”

INTUITIVE’s experts believe cybersecurity should take full advantage of today’s cloud computing enterprise solutions. “Cloud-based defensive systems that have access to active current threat descriptions, features, and behaviors, backed by powerful analysis engines using Artificial Intelligence and Machine Learning (AI/ML) have the capability to automatically detect and negate these complex cyber threats,” said Odom.

The teams involved in cybersecurity need to have a cross-functional understanding of the systems in question. “The hallmark of a strong, effective team is diversity. Diversity of background, experience, and expertise enables us to put a lens on things that would, otherwise, be blind spots to a more homogenous team. Some call this ‘Defense in Depth’ – but it is extremely important in interconnected system-of-systems,” said Speaks.

Insider and external breaches inevitably still happen. “We have developed a standard operating procedure that integrates with our customers’ policies and procedures for incident response. We have experience executing the full incident response process but have also been called in to help a customer remediate another organization’s cyber spill,” said Speaks. This often includes network, server, and user device digital forensics, with special care taken to preserve evidence and chain-of-custody records.

Cybersecurity is simply integral to enjoying the fruits of technological advancement, tactical advantages, and freedom itself. Defense and other industries must constantly reassess the bounds of cyber. To learn more about INTUITIVE’s interconnected, comprehensive approach to cybersecurity, please visit irtc-hq.com today.