To identify potential cyber exploitations, Peraton’s Advanced Cyber Effects (ACE) team members put themselves in the mindset of U.S. adversaries.
“Looking at embedded systems from a different perspective is what I enjoy doing most,” said cyber analyst Erwin K.
To become the enemy, the team must be up to date with cyber threat behavior and system security design. They also must have the creativity to design and plan for attacks that have not yet been attempted.
“We basically get paid to break stuff,” said Erwin. “Every system we assess, we also improve. We are strengthening national security every day.”
The ACE team specializes in assessing cyber resiliency, a system’s ability to continue operating during a cyberattack. The process for evaluating weapon systems and embedded systems differs from standard IT-based systems because the former systems are configured to communicate with different protocols and run non-standard software.
The Peraton team provides input to customers’ cyber resiliency score by assessing a system for vulnerabilities, demonstrating the potential damage to the system if a discovered vulnerability was exploited, and providing mitigations to address discovered vulnerabilities.
“As we’re testing, we also look to see how a system responds to our attacks,” said cyber analyst Joshua H. “Can the system function at a diminished capability or can it continue to operate long enough to shut down gracefully? This is critical, life-saving information to know about military technology.”
A part of this cyber resiliency assessment is analyzing possible attack paths an adversary may take. Using reverse engineering, the ACE team can prove the possibility of certain threats. Peraton then adds mitigations to patch and harden the system.
For example, by reverse engineering common hardware and software used in weapon systems or embedded systems, Peraton can discover vulnerabilities in weapon systems that have not yet been disclosed or discovered.
“Current compliance requirements for weapon systems are ineffective against stopping determined adversaries, especially nation-state adversaries,” said Joshua.
Getting a program certified as compliant requires going through a checklist. Customers can install various scans for protection, but because of the specific nature of weapons systems and embedded systems, teams like Peraton must do manual source code assessments.
The ACE team has developed a standard solution for weapons systems based on issues frequently encountered. But customers should not rely on a blanketed one-size-fits-all solution.
“Automation cannot ensure a system is survivable against cyberattacks,” said Joshua. “You can’t automate protecting against something that hasn’t been discovered yet, such as zero-days.”
“Cyber resiliency is definitely a growing market,” said Virginia C., ACE program lead. “We have been involved in this work for the last seven years.”
For example, recent high-profile incidents like the Colonial Pipeline ransomware attack have revealed the importance of having cybersecure critical infrastructure.
“Evaluating critical infrastructure resiliency requires a specialized skillset from both cyber and physical domains,” said Erwin. “And the involvement and participation of key stakeholders is critical in executing comprehensive assessments.” Erwin sees cyber resiliency work heading in that direction as more companies see the need to identify and mitigate the risk to their critical infrastructure.
Cyber resiliency is a continual process. As attacks continue to become more advanced, securing everything from weapon systems to critical infrastructure requires more than automated scans and security control compliance. ACE evaluations bridge that gap.
Evaluations can not only help fix weaknesses, but also increase military and civilian preparedness by knowing how a system responds to an attack that it may potentially face once. Understanding those worst-case scenarios is just as valuable as patching a zero-day vulnerability.