Technical Report
Security Engineering – FY17 Systems Aware Cybersecurity – Trusted Systems
Report Number: SERC-2017-TR-114
Publication Date: 2018-04-25
Project:
Security Engineering – Design Patterns and Operational Concepts
Principal Investigators:
Dr. Barry Horowitz
Co-Principal Investigators:
Dr. Peter Beling
Dr. Cody Fleming
The 2017 effort in System Aware Cybersecurity extended the RT-156 research to focus on resilience features that sustain operator control of weapon systems and assure the validity of the most critical data elements required for weapon control. The decision support tool research focused on integrating historical threat considerations, as well as risk considerations, into the planning for defenses. Specifically, the research investigated the threat analysis aspects of the integrated risk/threat decision support process and included the development of new threat analysis methods focused on mission-aware security. The principal goal was to create and update decision support tools that help decision-makers understand the relative value of alternative defense measures.

The evaluation efforts regarding algorithms for enhanced automation of decision support, led by UVA, have reached an advanced state. Development has continued on a first prototype of the HW, SW, and operational emulation of the weapon system to be evaluated with the decision-support tools. Results suggest that our “War Room” approach yields SysML representations that both (a) capture mission objectives and system behavior and (b) provide a representative surrogate surface for attack tree application. The team developed both the methodology and the associated toolset with the explicit intention of generality and broad applicability. Development is complete on a first prototype of a HW/SW emulation of the weapon system, created for testing the decision-support tools. The emulation includes all major components of an actual weapon system while also allowing the exploration of more complex operational scenarios and attack spaces, including system-of-systems operations and attacks. The cost of the prototype HW/SW emulation was well-suited to the overall project budget. For the weapon system emulation, we derived mission-level requirements using a hierarchical modeling approach through the War Room exercise.
This work included reconstructing the hierarchical model of the intelligent munitions system, including requirements, behavior (activity diagrams), and structure, while keeping traceability between the lower levels of the hierarchy and the mission requirements.

The team made significant progress on developing the architectural decision support tools. The analysis and modeling methodology takes a mission-centric viewpoint, combining inputs from system experts at the design and user levels and utilizing the Systems-Theoretic Accident Model and Process (STAMP) to identify potentially hazardous states that a system can enter and to reason about how transitions into those states can be prevented. The SysML Parser is a tool that connects general system descriptions with a graph model of the system that can be “virtually attacked” by a cyber analyst using the Cyber Analyst Dashboard tools. The V1 Parser is a MagicDraw plugin that uses the MagicDraw OpenAPI to automatically extract Internal Block Diagram (IBD) structures to GraphML. The tool includes a modeling methodology that ensures the SysML blocks carry a sufficient set of attributes for performing attack chain queries. Outcomes this year include developing a deeper understanding of open source cyber attack databases (e.g., CAPEC, CWE, CERT, and CVE), as well as defining and developing SysML modeling constructs and a traceability ontology to effectively capture the relations between missions, systems, and components in the presence of attack patterns. Key accomplishments for this phase include: (1) use of several different NLP/querying techniques to characterize relationships between attack classes in CAPEC, CWE, and CVE; (2) refinement of the GraphML meta-model; (3) development of the CYBOK (Cyber Model of Knowledge) model to guide what information from the cyber domain needs to be present in the SysML mission-aware model; and (4) development of the Cyber Analyst Dashboard – V1.
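As an added illustration (this is not the report's SysML Parser, CYBOK, or Dashboard code), the following Python sketches the pipeline described above: a constructed IBD-style block model is written to GraphML with one key declared per block attribute, read back, and then queried for attack chains, i.e. simple paths from an externally exposed block to a mission-critical block along which every block matches at least one attack pattern. The block names, attribute values, connectors, and the AP-n pattern entries are all constructed stand-ins for MagicDraw output and CAPEC/CWE entries, not real identifiers.

```python
"""Constructed example: IBD-style blocks -> GraphML -> attack-chain query.
Not the report's tooling; all names, attributes and pattern IDs are made up."""
import xml.etree.ElementTree as ET

GRAPHML_NS = "http://graphml.graphdrawing.org/xmlns"

# Constructed block model (stand-in for IBD blocks with required attributes).
BLOCKS = {
    "GroundStation":   {"exposure": "external", "software": "linux",    "critical": "no"},
    "DataLink":        {"exposure": "internal", "software": "rtos",     "critical": "no"},
    "MissionComputer": {"exposure": "internal", "software": "rtos",     "critical": "yes"},
    "GuidanceUnit":    {"exposure": "internal", "software": "firmware", "critical": "yes"},
}
# Constructed IBD connectors, oriented in the direction of data flow.
CONNECTORS = [("GroundStation", "DataLink"),
              ("DataLink", "MissionComputer"),
              ("MissionComputer", "GuidanceUnit")]
# Constructed stand-in for a CAPEC/CWE-style table: each pattern lists the
# block attributes it needs. The AP-n identifiers are hypothetical.
ATTACK_PATTERNS = [
    {"id": "AP-1", "name": "remote protocol abuse", "requires": {"exposure": "external"}},
    {"id": "AP-2", "name": "rtos message spoofing", "requires": {"software": "rtos"}},
    {"id": "AP-3", "name": "firmware tamper",       "requires": {"software": "firmware"}},
]


def to_graphml(blocks, connectors):
    """Serialise blocks/connectors to GraphML, declaring one <key> per
    attribute so the block attributes survive as typed node data."""
    ET.register_namespace("", GRAPHML_NS)
    tag = lambda name: f"{{{GRAPHML_NS}}}{name}"
    root = ET.Element(tag("graphml"))
    for attr in sorted({a for attrs in blocks.values() for a in attrs}):
        ET.SubElement(root, tag("key"), {"id": attr, "for": "node",
                                         "attr.name": attr, "attr.type": "string"})
    graph = ET.SubElement(root, tag("graph"), {"id": "ibd", "edgedefault": "directed"})
    for block, attrs in blocks.items():
        node = ET.SubElement(graph, tag("node"), {"id": block})
        for key, value in attrs.items():
            ET.SubElement(node, tag("data"), {"key": key}).text = value
    for i, (src, dst) in enumerate(connectors):
        ET.SubElement(graph, tag("edge"), {"id": f"c{i}", "source": src, "target": dst})
    return ET.tostring(root, encoding="unicode")


def from_graphml(text):
    """Parse GraphML back into (nodes: name -> attrs, edges: [(src, dst)])."""
    root = ET.fromstring(text)
    ns = {"g": GRAPHML_NS}
    nodes = {n.get("id"): {d.get("key"): d.text for d in n.findall("g:data", ns)}
             for n in root.findall(".//g:node", ns)}
    edges = [(e.get("source"), e.get("target")) for e in root.findall(".//g:edge", ns)]
    return nodes, edges


def applicable_patterns(attrs, patterns=ATTACK_PATTERNS):
    """IDs of patterns whose required attributes all match this block."""
    return [p["id"] for p in patterns
            if all(attrs.get(k) == v for k, v in p["requires"].items())]


def attack_chains(nodes, edges, patterns=ATTACK_PATTERNS):
    """Simple paths from an externally exposed block to a mission-critical
    block such that every block on the path has at least one applicable
    pattern (the attacker must be able to compromise each hop)."""
    adj = {}
    for src, dst in edges:
        adj.setdefault(src, []).append(dst)
    chains = []

    def dfs(path):
        here = path[-1]
        if not applicable_patterns(nodes[here], patterns):
            return  # no known way to compromise this hop: chain is cut here
        if nodes[here].get("critical") == "yes":
            chains.append(list(path))  # record, but keep searching deeper
        for nxt in adj.get(here, []):
            if nxt not in path:
                dfs(path + [nxt])

    for name, attrs in nodes.items():
        if attrs.get("exposure") == "external":
            dfs([name])
    return chains


if __name__ == "__main__":
    nodes, edges = from_graphml(to_graphml(BLOCKS, CONNECTORS))
    for chain in attack_chains(nodes, edges):
        print(" -> ".join(chain))
```

Removing the `software` attribute from a block (or leaving it unset in the model) makes the query silently lose chains through that block, which is the practical reason the paragraph stresses a modeling methodology that guarantees a sufficient attribute set before queries are run.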
The dashboard presents an interactive view of both the “System” and the “Attack Space” and allows for several different levels of automation as well as human/analyst interaction. Each of the tools is published as a binary and/or executable that can work either independently or jointly. The Dashboard can function directly with CYBOK or independently; for example, the analyst can directly query specific entries in CAPEC, CVE, and CWE through the dashboard without using the automated recommender system that underpins CYBOK.

Recent work by the Software Engineering Institute (SEI) has been directed toward building on SEI’s previous efforts in three threat modeling methods: STRIDE, Security Cards, and Persona non Grata (PnG). The current effort centers on (1) merging Security Cards and PnG into a single hybrid threat modeling method (hTMM) and (2) using hTMM and other methods on the emulated weapon system.

On July 25, 2017, UVA hosted ARDEC technical staff and OSD, along with the VCU and SEI team members, for a review of the decision-support methodologies and tools and of the prototype HW/SW emulation of the weapon system. This review stimulated interest in developing sentinel applications for the weapon system and in addressing issues in the propagation of resiliency by updating prior information and current operational profiles through networks of sentinels. The OSD, ARDEC, and UVA team members all agreed that the HW/SW model and highly simplified rendition of a weapon system developed by UVA provides a useful mechanism for making progress while the selected weapon system data is not yet released to UVA. In the last few weeks, the team conducted the “kick-off” meeting for RT-191. This vehicle will provide UVA with the capability to test the RT-172 decision support tools on a hypothetical, but realistic, weapon system. The following sections cover the principal technical activities and findings of the research.