Reflecting an overall push in the Defense Department to harden weapons systems from cyber attacks, the Air Force is investing funds in securing its command and control systems.
The service awarded a $31 million contract to audit more than 100 command, control and battle situation awareness systems over the next five years.
The Air Force will review the systems to make sure they follow the proper National Institute of Standards and Technology security controls are implemented.
“We will make recommendations where we see vulnerabilities in a particular system or a family of systems. As an example, if we are conducting assessments across three or four enterprise level command and control systems, if we see trends in that particular area then we will work with our customer to help make recommendations so the various program managers can implement the correct security controls,” said Floyd McKinney, director for cyber at Engility. The Air Force awarded Engility the contract in the fourth quarter of 2016.
Program managers will work with the company to ultimately obtain the authority to operate certificate for their system. The certificate ensures program managers implemented required security controls, the controls are verified independently and that risks are reduced or mitigated.
The contract is specifically with the Air Force Life Cycle Management Center, which operates under the Defense Technical Information Center.
The audits will be more focused on the hardware and software of the systems.
“Part of this is not necessarily looking at good coding, but secure coding to make sure vulnerabilities are being eliminated,” McKinney said. “What we are seeing now is a much more mature process developing where [the Air Force] is really starting to look very early in the life cycle of these systems and throughout the life cycle of these systems because the threat landscape continues to change and evolve.”
Allan Ballenger, Engility’s vice president for Air Force, said the contract stems from a growing realization within the service that cybersecurity is not relegated just to classic IT systems.
“For a period of time [cybersecurity] was thought of as being isolated to desktop computers or the computing infrastructure, but the Air Force has realized that in today’s modern warfare environment they’re increasingly looking at cyber defense of weapons systems,” Ballenger said. “That includes things like large platform systems, but it also includes command and control systems and other types of things that the Air Force actually manages as a weapons system.”
A 2015 RAND study commissioned by the Air Force Life Cycle Management Center stated, “Weapon systems … present opportunities for designers to build systems that are more inherently secure. Sound system security engineering during the early design phase of a weapon system would be more effective than security controls that are applied as overlays to designs created without cybersecurity as an integral priority.”
The study recommended establishing an enterprise-directed prioritization for assessing and addressing cybersecurity issues in legacy systems.
It also told the Air Force to define its cybersecurity goals. The service ended up doing that last year.
Officials working within the Air Force’s Task Force Cyber Secure settled on seven “lines of attack” for the Cyber Campaign. Among other objectives, they aim to ensure cybersecurity is “baked in” to new weapons systems and that existing platforms are secured as much as possible, deliver cybersecurity training to the acquisition workforce and use threat data from the intelligence community to inform the acquisition process.
Gen. Ellen Pawlikowski, the commander of Air Force Materiel Command, estimated only about $10 million to $20 million has been spent on the campaign in its first year, but all seven areas have shown some signs of progress, including through a new process in which the Air Force is assessing the vulnerability of its systems sorted by “mission threads,” not necessarily by big weapons platforms. The first such analysis is almost completed, she said.
“We have identified certain classes of equipment that we know we need to focus on first, including what I would generically call ‘support equipment,’” Pawlikowski said in September. “That’s not been an area that’s gotten a lot of cybersecurity attention, but almost all aircraft get connected to some kind of automatic test equipment. “
The Pentagon is looking at its weapons systems too. In September, it reorganized $100 million to find flaws in its major weapons systems. DoD already has $200 million authorized for the project. The 2016 defense authorization act requires the department to evaluate holes in weapons systems’ cybersecurity.