
Cyber Risk Categorization for Unmanned Vehicle Systems

BSides Augusta · 2022 · 23:30 · 41 views · Published 2022-10
Category: Technical
Style: Talk
About this talk
Unmanned vehicle systems present unique cyber defense challenges as SCADA architectures operating in dynamic, mobile threat environments. This talk walks through the first three steps of NIST's Risk Management Framework (preparing, categorizing, and selecting) applied to unmanned surface vessels, drawing on real-world DoD experience with NIST SP 800-82r2 and ISA 62443 standards.
Original YouTube description
Unmanned Vehicle Systems comprise a unique challenge to the cyber defense engineer, since they are fundamentally Supervisory Control And Data Acquisition (SCADA) systems in function and architecture, but their mobile nature creates a dynamic threat environment that can't be predicted easily. Accounting for their unique requirements demands knowledge of, and respect for, the needs of their mission, not just the information transmitted. This talk will walk through steps one and two of the RMF process for these systems, with insights drawn from real-world experience applying NIST SP 800-82r2 and ISA 62443 standards to these applications.
Transcript [en]

Welcome Steve to the afternoon talk. [Applause]

Welcome to this talk. As you said, I'm Steve Griffin. I'm going to be talking about some work I did last spring, doing some categorization of unmanned systems, working through the DoD's RMF process for these systems, and why you would make certain decisions about what security controls to use for unmanned systems. Who I am: I've done a lot of work in cyber and OT, I'm a licensed professional engineer and have several certifications in the field. Most of my experience has been in the DoD, specifically in the Navy, but none of the stuff that I am going to be speaking about represents the opinion of the US government. This is all my opinions, and I'll make sure that's clear.

All right, anyone who's done an authorization or accreditation process will probably be familiar with the six, now seven, steps of the Risk Management Framework. We're going to be going over the first three: the preparing, the categorizing and the selecting. Preparing, that's preparing all the information; that's the newest thing that they added to the latest iteration of the NIST framework. It used to be just categorize, select, implement, assess, authorize, but preparing is a significant chunk of work, especially when not everyone wants to play by the same set of rules or play nice with each other, which makes it a little harder. And then the other constraint we have here is that we're not talking traditional IT systems. You've heard a little bit earlier today about the OT playbooks and the criticality of operational technology and the differences, but what it comes down to is that OT systems are not designed to manipulate data; they use data to manipulate their environment and to operate in their environment. That's what makes them unique, but it also changes our priorities. For a control system, things like safety come to the forefront, because you're dealing with people and equipment that have to operate in hostile environments, in and around people that can be hurt by it. Unlike in an office environment with a computer, where if I crash it I just rebuild it, no harm no foul, in the real world we're dealing with hardware that can break and people that can get hurt.

Our primary two references are going to be NIST 800-82; the second revision is in force, the third revision to that standard is currently in draft and will be released soon, hopefully. And then the other primary one is the ISA 62443 series, which is the industrial equivalent to the government NIST publication.

Now, most times you think about drones and unmanned systems you're usually thinking helicopters, quadcopters, airplanes. Well, I was not working with airplanes; I was working with boats, and things like this Saildrone Explorer, which you've seen in the news a couple of times. Just this past week there was some video of one in the middle of Ian, because that's what they're designed for: hunting and getting meteorological weather data from inhospitable areas where you don't want to sail your own pleasure craft into, but you can get really good information. The DoD decided to use some, and that's why I was tasked with doing a risk management framework on these. It's a pretty awesome piece of tech, but it had never been in government service before, so we were coming from a very clean slate. It's a very smart, very robust piece of tech, but it is ultimately a control system, not an IT computer, and that's where we're going to get into the categorization.

So, step one: prepare. The biggest challenge with these things? One guess, maybe read it off the screen: intellectual property. Who owns it? Who owns the command and control? Who owns anything that it picks up in its environment? Those are different pieces of the puzzle, so making sure that you have all of that documented in writing beforehand is vital. We've got those locks out there, and the first thing they tell you about picking locks is you either have to own it yourself or have written permission from the person who does own it. Same with this stuff: if you don't have written permission, it's not yours and you can't even defend it. If you want to get all the necessary documentation, the network diagrams, the engineering diagrams, the code and all that you need to properly defend it, you first have to get that permission, and working through those contracts is why we hire lawyers. So know a good lawyer. Work with the teams, know who to contact, contacting their C-suite and then working downward into the technical subject matter experts who actually know what they're talking about and what questions to ask, to get to where you can get all of those things. And then just remind them of the conditions of the contract they signed; usually that helps bring them to the table.

One of the most overlooked people when you're working with this is the industrial engineers. They're not IT guys, they don't think like IT guys; they didn't go to school for computer science or cyber security, they went to school for robotics, so they spent more time studying physics and mechanics than they did coding. They're going to think differently than you are, but without their help you're not going to get your task done. They can give you vital information: those process and instrumentation diagrams that actually tell you what the robot is doing and what controls what. Also, if you're halfway around the world, making meetings, even virtual meetings, is challenging.

All right, now getting into the actual categorization. The reason why you want to think of this as SCADA, which is a subset of OT, is because of the architecture. You have the architecture of SCADA, taken right from the NIST pub, their standard thing: okay, you've got a control center over a wide area network to a set of nodes, and each node doing local control. Then look at how you control a drone: control center over a wide area network to a fleet of ships, each one doing autonomous control and autonomous operations on their own with supervisory control. It's basically the exact same architecture, and therefore it is a very good place to start when you are trying to secure it, because a lot of the same challenges are there: you're not going to have easy access to the endpoints, you're not going to have standard IT protocols (you might, but more likely you're going to be dealing with real-time protocols, real-time interfaces), and you always have to deal with the environment.

All right, so that is why we're categorizing it as SCADA. But nobody puts a drone anywhere just for its own sake; it will have a payload, and that is typically standard IT. It looks a lot more like your IT database or an IT system, so you're going to have to secure that like an IT system, and you can't just glob it into one system. You have to separate and find that distinction between the bus and the payload, and there should be a hard differentiation so that one doesn't share information with the other, for both security and organizational reasons.

Now then, let's get into that bus, because a lot of other people have talked about how to secure that payload. Here we have our classic Purdue reference architecture, which is going to work. It's designed for a manufacturing plant, but it kind of does apply here, because you still have that control layer zero, which would be your rudder and propeller pushing it through the water; your layer one, that's your motor controllers; and layer two, supervisory control local to the craft. Then you have a large gap to your supervisory control, where you are controlling multiple systems at the same time. I like the way the ISA does it better than NIST. ISA breaks it down into zones and conduits, where each zone, each vessel, is going to be its own zone, and each of those zones is connected with a secured conduit, a secured path, to the other parts. By breaking it into that model you have a lot more finite and a lot more discrete control, because one drone in one area might have a different risk profile than one in another. The risks to a drone going into a hurricane are different from the risks of the drone sitting in a contested strait.

As you can see, both recent news photos: that top one is a Saildrone in Ian doing 35 knots under sail in the middle of a hurricane; the second one, another Saildrone getting investigated by our friends in the Middle East. So, very different risk profiles. The physical security of that second Saildrone had to be augmented, and you can check the news for that. The other one, sorry, I just put a random citation in the middle of my slide. But these risk profiles are different, so being able to categorize them differently, with different zones, is important. So, are there any questions on why you would use this and how to categorize drones? While I was talking about surface vessels, it's applicable with any, whether it's your little drone or a big fleet. So, questions, comments?

Yep.

Okay, yeah, so the payload is going to be... it depends on what the payload is, and that's depending on what the owner or client of that drone wants. Like, these drones were designed to pick up a lot of weather information, so with a whole bunch of weather sensors and that type of stuff, and it's going to process it and send it back. But because it's an IT system, you're going to look at it from confidentiality, integrity, availability, whereas on the bus side, on the actual vessel, you're worried about safety and availability, all much higher than your confidentiality. That's why, because there's different risk profiles, you have to deal with them separately. Okay, yes, first you, then, yes, right.

Yeah, good question. Your typical SCADA is a fixed environment, either local or even broad, but your challenges are going to be more in your transmission path. So here we've got a radio-based set of satellite transmission paths, and as long as you're able to maintain that transmission, it's going to be similar to the other challenges: if it's just infrastructure, it's a pass-through. But you just have to be mindful of the differences in it. Yes.

Well, talk to the expert. But really, you need to get a firm understanding of the engineering side and then an understanding of the cyber side, though they are two very different fields. Talking to organizations like the International Society of Automation and getting the hard engineering training, and then going to someone like SANS and getting that cyber, then you can bring them together. But trying to just start there, you've got too much foundational information on both sides; you can't just start without getting a foundation first. Yeah.

Uh.

Well.

Let's see, a question for my audience.

What are the two primary resources and standards that I touched on?

Yep, good job.

And what is the biggest challenge with trying to get information about a system?

[Applause]

All right.

Sure.

For the part that I did not get all the way through, authorization, I spent about four months working through those three steps, so...