What can we learn from the GAO report on the US Weapon Systems Cybersecurity
At the beginning of this month the United States Government Accountability Office released a public report titled:
“WEAPON SYSTEMS CYBERSECURITY DOD Just Beginning to Grapple with Scale of Vulnerabilities”
The assessment was performed as the US Department of Defense “(…) plans to spend about $1.66 trillion to develop its current portfolio of major weapon systems. Potential adversaries have developed advanced cyber espionage and cyber attack capabilities that target DOD systems.”
On over 40 pages GAO, without disclosing technical details, depicts how over a period of one year they were able to gain presence and remain undetected in the tested environment and mission-critical systems.
Going through the report one can have an impression of reading a Red Team assessment summary performed on a rather poorly secured organization that has just started looking into its cybersecurity risks.
An example of a system was given where a two person team was able to gain initial access to the organization’s systems in one hour and full access in one day – all too common in many industry assessment reports. GAO names poor password management (including default credentials) and unencrypted communications as one of the key factors that allowed them to gain access and move laterally using what they called “relatively simple tools and techniques”. While for industry specialists these kinds of findings are nothing new, seeing them in an environment that would be a prime target for advanced and state sponsored threat actors is pretty staggering.
“(…)according to the National Security Agency (NSA), advanced threats are targeting national security systems. According to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team and industry reports, advanced threats may conduct complex, long-term cyber attack operations (…)”
Cybersecurity was not prioritized until recently
GAO identifies this as an important historical factor that impacted the security of DOD networks. While security by design may be a key concept in the industry nowadays, the report mentions a lack of clearly defined cybersecurity requirements as the reason why successful cybersecurity implementation was lacking in the weapon system for many years. The report also states that undergoing cybersecurity assessments was consequently avoided by the projects, especially before 2014.
IT world inherited risks
Weapon systems are not exclusively IT devices. They are called “cyber-physical systems” but they share the same vulnerabilities. GAO directly mentions the use of open source and commercial software well known outside of the mission-critical systems world as well as the deeply networked nature of these systems. Examples are given on how most of the systems are, in the end, computer managed for the sake of automation ranging from aircraft life support systems to incoming missile interception.
Air gapped systems can still be accessed physically, and USB or optical drives can be inserted to some of them. GAO also names a significant number of proprietary interfaces that increase the surface area for attack while questioning if they are always developed with security by design principles. This risk is also well known in the world of other industrial control systems.
The interconnected nature of the DOD environment is described as a growing security concern. Accessing some of the networks may result in the risk of adversarial lateral movement to segments containing mission critical systems. While GAO did not publish technical details of discovered vulnerabilities, it’s apparent that poor network segmentation was one of the key facilitators of successful attacks on the weapon systems environment.
Detection and response capabilities were insufficient
The report illustrates multiple situations where the Red Team was able to withdraw 100GB of data and even display a message on operators’ terminal saying “insert two quarters to continue operating”. In many cases this was able to happen without them being detected. On some occasions, existing security controls detected malicious activities but those flags did not receive attention from the Blue Team. In post assessment interviews, Blue Team operators said that occasional system reboots or repeated security alerts were common in normal operations and that they were not expecting them to be a result of an ongoing breach. Again, all too well known across the industry.
The report suggests in several places that findings might have been even more concerning if the scope of the assessment had been larger. The conclusion from all of this would be that the weapon systems, despite being a very specific type of environment comprised of cyber-physical systems, which when compromised can cost someone’s life, not only inherit risks well known to the IT world but also potentially many more specific ones related to IoT devices, cyber-physical devices and automation systems.
This should give a good understanding of the threat surface the DOD need to set out to manage by providing cyber defense for this type of an environment in the years to come.
The original report can be found here: https://www.gao.gov/assets/700/694913.pdf