The vulnerability footprint for complex systems includes many potential vectors for compromising the data integrity, system functionality, flight worthiness, and availability. The point of intrusion could occur years prior to fielding the system through the introduction of hardware with “hooks” for a future attack. For support equipment with common operating systems, the footprint available to those with hostile intent is greater. The quantity of users which have contact or near contact with the support equipment amplifies the vulnerability of the complex system. Not all support equipment has a digital or software component. While purely mechanical fixtures have a lower cybersecurity risk, they are not immune. Often they are manufactured or refurbished using automatic test equipment which could be affected resulting an imperceptible defect in the support equipment's performance. We describe a methodology to measure and assess the cybersecurity risk of complex system or a fleet of complex systems in response to the support equipment footprint, which interfaces with the system. This approach combines information from two key databases. The first database characterizes the information flow and interfaces between the subsystems to include the support equipment. The second database describes the critical, open-ended interface points for an attack against the support equipment. The critical parameters can include the type of operating system, the number of exposed ports and their types, and the presence of wireless interfaces. We define impact parameters for the case where a subsystem is compromised. Similarly, we define risk parameters for the support equipment based on criteria which is a function of the susceptibility of the technology employed within the support equipment. As in reliability analyses, we construct a network of the relationships between the subsystems and the support equipment. We can compute the two-dimensional risk-impact relationship for a given support equipment item to the subsystem or to the complete system. This approach can be extended to compute a fleet level risk and impact for all of the support equipment.
[1]
Thomas M. Chen,et al.
Cyberterrorism after STUXNET
,
2014
.
[2]
Sławomir Wawak,et al.
INFORMATION SECURITY IN LOGISTICS COOPERATION
,
2015
.
[3]
Emilio Iasiello.
Hacking Back: Not the right Solution
,
2014,
The US Army War College Quarterly: Parameters.
[4]
Bogdan Franczyk,et al.
A Reference Architecture for the Logistics Service Map: Structuring and Composing Logistics Services in Logistics Networks
,
2016,
2016 IEEE International Conference on Computer and Information Technology (CIT).
[5]
Andrea Chiappetta.
Hybrid ports: the role of IoT and Cyber Security in the next decade
,
2017
.
[6]
Shahram Sarkani,et al.
An architecture, system engineering, and acquisition approach for space system software resiliency
,
2018,
Inf. Softw. Technol..
[7]
Harsha Ganegoda,et al.
Power Analysis Based Side Channel Attack
,
2018,
ArXiv.
[8]
Ken O'Neill,et al.
Protecting flight critical systems against security threats in commercial air transportation
,
2016,
2016 IEEE/AIAA 35th Digital Avionics Systems Conference (DASC).
[9]
Michael Cheng,et al.
A system for real-time monitoring of cybersecurity events on aircraft
,
2017,
2017 IEEE/AIAA 36th Digital Avionics Systems Conference (DASC).
[10]
R T Anderson.
Reliability Design Handbook
,
1976
.