Study: Air Force embedded systems face significant cyber risks

Considering the pervasiveness of embedded computer systems and the growth of sophisticated cyber attacks, securing those systems is a rising priority. That presents a problem for the Air Force, which lacks the expertise to deliver long-term security, according to an abstract of a pending report from the Air Force Scientific Advisory Board.

But there are some concrete steps the service can take now to ensure better-than-basic protection for embedded systems, the report, titled “Cyber Vulnerabilities of Embedded Systems on Air and Space Systems,” said.

The Scientific Advisory Board conducts a series of studies each year on various topics. The topics are announced in the fall of the preceding year, which the studies undertaken in January. While the full report is due in December, senior Air Force officials such as the secretary and chief of staff were briefed in July on what the board found regarding embedded systems.

The study sought to survey the use of embedded systems across the Air Force, identify prior attacks against embedded systems, assess potential cyber vulnerabilities, categorize risks, identify potential mitigation efforts and develop a roadmap for technology development to lessen vulnerabilities in the near, mid and far term. 

The Air Force relies heavily on embedded systems for tasks such as aircraft flight control, control surface actuation, radar or electronic warfare system operation, munitions interfaces and spacecraft system control, to name a few. The board noted that vulnerabilities to such systems can be introduced anywhere from the start of the supply chain through maintenance, as well as by direct attacks or through radio frequency signals, noting that these vulnerabilities exist despite the fact that embedded systems lack Internet connections. 

In the one-page abstract, the board said four elements factored into its recommendations. First, the abstract stated that embedded systems face challenges separate from similar networked IT and commercial systems such as auto, aircraft and industrial control, but lessons learned from those sectors still can be useful. Second, traditional protective strategies won’t work for cyber mitigation. Third, the Air Force doesn’t have enough embedded system expertise to provide long-term mitigation. But fourth, a broad-based set of immediate actions can afford embedded systems protections beyond just basic cyber hygiene.

The Science Advisory Board offered 10 recommendations:

1. Ensure software integrity by employing digital signatures/code signing, and require future systems to cryptographically verify all software/firmware as it is loaded onto embedded devices.
2. Mandate the inclusion of software assurance tools/processes and independent verification and validation using appropriate standards as part of future contracts for all USAF systems. Use best commercial code tools and languages.
3. Employ hardware/software isolation and randomization to reduce embedded cyber risk and improve software agility even for highly-integrated systems.
4. Improve and build USAF cyber skills and capabilities for embedded systems.
5. Adapt Air Force Life Cycle Management Center cyber-resiliency requirements process to embedded systems.
6. Protect design/development information. Implement security procedures sufficiently early that protection against exfiltration and exploitation is consistent with the eventual criticality of the fielded system.
7. Develop situational awareness hardware and analysis tools to establish baseline embedded operational patterns and inform best mitigation strategies.
8. Develop and deploy continuously verifiable software techniques (such as dynamic attestation).
9. Develop and deploy formal-method software assurance tools and processes specific to USAF embedded systems.
10. Work with defense microelectronics agencies to deploy trusted methods compatible with off-shore manufacturing.