Vectors for cyber attacks on military vehicles keep increasing


The ransomware wave of cybersecurity attacks is bad enough. But what if hackers were able to interrupt military airplanes or tanks? Such platforms present their own challenges for data gathering and protection. For a look at how this might work, long-term cybersecurity executive and Chief Revenue Officer of Shift5, Ralph Kahn, spoke to Federal Drive with Tom Temin.

Interview transcript:

Tom Temin: Ralph, good to have you back.

Ralph Kahn: Hey, great to be here, Tom.

Tom Temin: And you are working with a company called Shift5. And you are specializing in this idea of platform operational cybersecurity. And it’s really nothing like cybersecurity for databases and communications networks running business applications, is it?

Ralph Kahn: No, it’s a series of systems and networks that really have not been designed with security in mind and are running technology that tends to be older. And as the technology has been modernized, a lot of additional connectivity and connection points have been added, making those systems even more vulnerable. So they’re understudied. They’re not really visible to the operators. And because of modernization, the risk is increased as the connectivity is increased.

Tom Temin: Because for a lot of SCADA type systems, which is still another class here, the argument has always been well, if they’re not connected to the internet, they’re safe. But now with business systems getting intelligence from SCADA systems, somewhere there’s a connection that involves the internet. Is that true of operational platforms like tanks, planes, trains, and buses?

Ralph Kahn: Yeah, I think it’s true of almost all technology today, I agree with you. I think the saving grace for many years of a lot of these systems was, hey, we’re not connected. But two things have changed I think that have made that thesis not tenable anymore. One, they all have become connected, right? For maintenance, or for operational reporting, or a variety of things, connectivity has been added incrementally. And even for those systems that haven’t, the supply chain hacks that we’ve seen recently have impacted things like maintenance systems. So if somebody is going to put what they think is a valid update onto a tank, or even a commercial airliner, or train, it may not be valid. The adversary may have hacked that laptop or hacked into your supply chain somewhere, supplanted that piece of code with something that is malicious and nefarious. And your unwitting maintenance person may sidle on up to the airplane, plug in, and deposit that malicious code for them. And so there are a lot more attack vectors than there used to be. And those attack vectors, the adversary has demonstrated they know how to use them. From Colonial Pipeline to various other supply chain hacks, the water treatment system hacked down in Florida, lots of them have happened over the last four or five years. And I look at this as the reconnaissance and testing phase of this kind of stuff, right? We’re going to see from time to time a few of those events, and that is interested adversaries testing out the capability. The real problems are going to happen when they’re in, they’ve controlled the network, and they decide they want to demonstrate a real physical effect to achieve a political or military goal.

Tom Temin: And there’s also the insider threat for these systems, even if they’re old. Like I remember when the Metro got flooded, or maybe it was in New York, they still had a relay operated logic system, which I guess you could call a primitive computer. Alright, you can’t hack that with C++ tools. But someone that wanted to do harm could reprogram the relays in some way. Or as you say, even a more modern system, like what Metro is probably running now is still accessible by human hands. And so the insider threat is also real, I imagine.

Ralph Kahn: So insider threat is real. And then when you look at how airplanes, tanks, and trains are constructed, they’re all constructed as a bill of materials of different components from different places in the world, in different companies. And so that really, really vast supplier network opens up lots of risks in terms of the introduction of malicious or at least potentially nefarious communication technologies, operations. You can do stuff…if you are a manufacturer of a critical component, somebody can insert malware that says, hey, if you’re in this geo-fence or going at this speed, I want you to trigger. And that can be done months, if not years ahead. And so those devices if they were flying over the wrong country in Eastern Europe at the wrong time, something bad could happen, right? It’s that kind of complexity that gets really concerning really quickly.

Tom Temin: Yes. When you look at any aircraft really, or military tank, there is a bus on there of communication devices. So it’s one big network that’s controlling it from stem to stern really. Ships also. And that in turn is connected to some kind of a navigation system. The military forces are saying explicitly, they want to be networked in their platforms. So the old argument of isolation is long moot, I guess. How do they need to proceed with these bused and then interconnected systems such that they can have some idea that they’re safe?

Ralph Kahn: I think the first step is visibility, right? The first step is to get some sort of perspective on what’s actually going on on those data buses and what kind of communication is going on between the elements of those data buses. When you do that, and you have that data, you can do a lot of good with it. You can begin to profile what’s normal so that things that look different can be highlighted, flagged, and investigated quickly. As you get more sophisticated, you can begin to apply machine learning, artificial intelligence to almost predictively say, hey, I’m seeing these three or four things that aren’t normal, that usually is the predecessor to some sort of really bad thing, and we want to do something about it. And so visibility is the first step. Begin to collect all the traffic that’s going on that network, analyze it, use it, and then begin to take action on it. And train your defenders, right? The military has invested a tremendous amount of money between the cyber protection teams, the mission defense teams, and the Air Force, to create a core of people who are good cyber defenders. The issue is that those folks don’t have the tools or experience to operate on these OT systems. And so getting them that data and getting the tools that give them that visibility, and integrating that to their existing defense capability is kind of table stakes if you want to defend these systems from adversarial cyber effects. So that would be the first step I’d take.

Tom Temin: We’re speaking with Ralph Kahn, he’s chief revenue officer of Shift5. And getting back to that visibility question, could the same data collected on behalf of proactive maintenance or predictive maintenance, which is a big trend in these complicated systems, could the same data you’re collecting from your fan blades or your tires or whatever, your gear work, be also used for cyber purposes?

Ralph Kahn: Absolutely, it could. So that data, it’s often difficult to discern the difference between a maintenance event and a cyber attack because they both cause unwanted effects. I’ll give you an example. As we were working with one of our customers, we collected a lot of data and we actually ran through a live attack exercise and the cyber defense teams were able to defend against it. But as we were going back and analyzing the data, we were able to point out to the maintenance folks that one of the particular navigation components had been having problems that hadn’t shown up in the logs and hadn’t shown up as alerts in the cockpit. And yet, it was having problems during the course of the flight. And so that’s obviously of concern to them, they were able to look into it, remedy the issue, but it’s things like that, that you can find by collecting all the data. And one of the things that I think it’s important to mention is, as we begin to collect more and more data, more and more systems, data is not data is not data. You need to have data enriched by context, like what’s going on around it and with it. So as you’re thinking about collecting data off of these OT serial buses, you need to collect it with context, like GPS, maybe flight speed, maybe source and destination of message, those kinds of things. So that when it gets to the person actually doing the work and trying to draw the conclusion, it makes it much easier to establish the patterns, find out what’s going on and draw valuable conclusions.

Tom Temin: And what about the data types, because many of the existing, still operating military systems were programmed long ago, there’s some very old languages running in some very old operating systems still running in these systems, can that be integrated? Is there a way to encapsulate the information without the data format?

Ralph Kahn: So in many cases, when you begin the process of creating visibility into these systems, you actually download the old ICDs, the interface control documents, and okay, I’ve got the zeros and ones, what do they mean? And so part of the process is doing that. And then having some really smart people reverse engineer the protocol, because the ICD is usually 80 or 90%. And then the engineers have typically added messages they forgot to put in the ICD. And so that effort needs to happen up front. And it’s one of the things that we’ve experienced at Shift5 as we work with these systems, both commercial and military: we’ll start with the ICD and then our reversers go in and actually look at the data collected, and then can determine what those undocumented messages are.

Tom Temin: And then once you have all of this data collected, and you have whatever tools you’re going to apply to it, a lot of the cyber operators are always after that what they call single pane of glass for all of the cyber events rolled up into kind of a dashboard with alerts, can operational data from these types of platforms be integrated into your network and applications data? Can it be and should it be?

Ralph Kahn: So the answer’s it can. The best way to do that is to be able to process that data real time on the weapons platform or on the plane or the train. And the reason for that is there’s usually limited connectivity from those platforms back to a central location. So what you really want to do is only transmit the data that’s critical and relevant. And as you think about putting that cybersecurity status data back into those central dashboards, one of the things that I think both the military and civilian agencies haven’t really thought of is how critical is it for you to know about cybersecurity as part of readiness? Are you ready to fly? Are you ready to achieve your mission? Well, if you don’t have visibility into the cyber terrain, can you really say you’re ready? If you’re flying over enemy territory, and they can take a cyber effect and use it against you and you can’t see it, I would argue that has an impact on readiness. And so taking that critical data because you’ve processed it real time on the platform and sending it back, over limited comms obviously, to a central location really helps folks up echelon make better decisions as they’re conducting operations.

Tom Temin: And we shouldn’t necessarily assume because something is old, the platform is difficult to hack or listen into even if you take something like the B-52, all the electronics are brand new, they’ve been generationally updating that plane, so it’s fully modern in terms of the bus and the data.

Ralph Kahn: Yeah, so even the more modern stuff, there are vulnerabilities. As long as humans are writing code, there are vulnerabilities. And in the past, the trick has been how do you exploit those vulnerabilities. And as you mentioned, there’s so much additional connectivity in so many different places in the supply chain. Exploiting those vulnerabilities is nowhere near as hard as many people have thought it would be in the past.

Tom Temin: And for all we know, China is collecting all this data on every flyover that they can sniff out and just waiting for the right opportunity.

Ralph Kahn: So, I think they can collect the data that way, you’d be surprised at what you can find on eBay, right? A lot of these components are common and commercial. We’ve discovered as we do some of the red teaming analysis and the cybersecurity risk assessments that we do that we can find a lot of the components we need in public places. And we can find them, anybody in the world can find them.

Tom Temin: Ralph Kahn is chief revenue officer of Shift5. Thanks so much.

Ralph Kahn: Tom, always a pleasure to be here.
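The visibility-first approach Kahn describes (profile what is normal on a platform data bus, flag departures from it, check traffic against the ICD and surface the messages the ICD omits, and keep context such as GPS and speed attached to every record) can be sketched as a small baseline-and-detect routine. The following is an added example, not code from Shift5 or from this interview: the ICD entries, message ids, node names and both captures are constructed for illustration and correspond to no real platform or bus protocol.

```python
"""Baseline profiling of serial-bus traffic against an ICD, with context.

Added illustration; every identifier and value below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# Hypothetical ICD excerpt: message id -> (name, allowed sources, allowed destinations).
ICD = {
    0x10: ("NAV_POS", {"NAV"}, {"FCC", "DISPLAY"}),
    0x11: ("NAV_VEL", {"NAV"}, {"FCC"}),
    0x20: ("ENG_STATUS", {"ENG"}, {"FCC", "MAINT"}),
}


@dataclass(frozen=True)
class BusMsg:
    t: float        # seconds since capture start
    msg_id: int
    src: str
    dst: str
    payload: bytes
    speed: float    # platform speed in knots, captured alongside the message
    gps: tuple      # (lat, lon) captured alongside the message


def build_baseline(msgs):
    """Learn, per message id, the mean inter-arrival time and the (src, dst) pairs seen."""
    times, pairs = defaultdict(list), defaultdict(set)
    for m in sorted(msgs, key=lambda m: m.t):
        times[m.msg_id].append(m.t)
        pairs[m.msg_id].add((m.src, m.dst))
    baseline = {}
    for mid, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        baseline[mid] = {"mean_gap": statistics.mean(gaps) if gaps else None,
                         "pairs": pairs[mid]}
    return baseline


def analyze(window, baseline, icd=ICD, rate_factor=3.0):
    """Return findings for a capture window; each carries the context of the triggering message."""
    findings, seen = [], set()
    by_id = defaultdict(list)

    def report(kind, m):
        key = (kind, m.msg_id, m.src, m.dst)
        if key not in seen:            # one finding per (kind, id, route), not per message
            seen.add(key)
            findings.append({"kind": kind, "msg_id": m.msg_id, "src": m.src,
                             "dst": m.dst, "speed": m.speed, "gps": m.gps, "t": m.t})

    for m in sorted(window, key=lambda m: m.t):
        by_id[m.msg_id].append(m)
        if m.msg_id not in icd:
            report("UNDOCUMENTED_ID", m)       # candidate for the reversers, not in the ICD
            continue
        _, srcs, dsts = icd[m.msg_id]
        if m.src not in srcs or m.dst not in dsts:
            report("ICD_ROUTE_VIOLATION", m)  # documented id on a route the ICD forbids

    for mid, ms in by_id.items():
        base = baseline.get(mid)
        if not base or base["mean_gap"] is None or len(ms) < 3:
            continue
        observed = statistics.mean(b.t - a.t for a, b in zip(ms, ms[1:]))
        if observed < base["mean_gap"] / rate_factor:
            report("RATE_SPIKE", ms[0])       # id arriving far faster than its learned rate
    return findings


def _make(t, mid, src, dst, speed=250.0):
    return BusMsg(t, mid, src, dst, b"\x00" * 8, speed, (38.87, -77.02))


def constructed_baseline_capture():
    """Quiet flight: NAV_POS at 10 Hz, ENG_STATUS at 1 Hz, all on ICD routes."""
    return ([_make(i * 0.1, 0x10, "NAV", "FCC") for i in range(100)]
            + [_make(float(i), 0x20, "ENG", "FCC") for i in range(10)])


def constructed_test_capture():
    """Same flight with three departures: a 10x NAV_POS burst, an undocumented id, a bad source."""
    return ([_make(i * 0.01, 0x10, "NAV", "FCC") for i in range(100)]
            + [_make(0.5, 0x7F, "MAINT", "FCC"), _make(0.6, 0x10, "MAINT", "FCC")]
            + [_make(float(i), 0x20, "ENG", "FCC") for i in range(10)])


if __name__ == "__main__":
    base = build_baseline(constructed_baseline_capture())
    for f in analyze(constructed_test_capture(), base):
        print(f)
```

The baseline here is deliberately simple (mean inter-arrival time and observed routes); on a real platform the same loop would run on the vehicle and forward only the findings, which is the "process on the platform, transmit what is critical" pattern described above.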
