Air Force outlines initial steps to protect embedded systems
- By Mark Pomerleau
- Sep 02, 2015
The Air Force relies on embedded systems for a variety of tasks such as aircraft flight control, radar or electronic warfare system operation, munitions interfaces and spacecraft system control. According to a recent study conducted by the Air Force Scientific Advisory Board, however, the inherent cyber risks and vulnerabilities associated with embedded systems is not well understood by the Air Force, which also doesn’t have enough embedded system expertise to provide long-term mitigation.
An abstract of a recent study, titled “Cyber Vulnerabilities of Embedded Systems on Air and Space Systems,” was presented to senior Air Force officials in July. It examined the use of embedded systems across the service, identifying prior attacks, assessing potential vulnerabilities and categorizing risks. The study aims to identify ways to reduce vulnerabilities and develop a roadmap for technology development that will lessen these risks.
The Scientific Advisory Board offered 10 recommendations:
- Employ digital signatures and code signing and require future systems to cryptographically verify all software and firmware as it is loaded onto embedded devices.
- Use software assurance tools, processes and independent verification using appropriate standards.
- Employ hardware and software isolation and randomization to reduce embedded cyber risk and improve software agility.
- Improve and build cyber skills and capabilities for embedded systems.
- Adapt Air Force Life Cycle Management Center cyber-resiliency requirements process to embedded systems.
- Protect design/development information against exfiltration and exploitation.
- Develop situational awareness hardware and analysis tools to establish baseline embedded operational patterns.
- Develop and deploy continuously verifiable software techniques (such as dynamic attestation).
- Develop and deploy software assurance tools and processes specific to USAF embedded systems.
- Work with defense microelectronics agencies to deploy trusted methods compatible with off-shore manufacturing.
The full report will be published in December 2015.
Mark Pomerleau is a former editorial fellow with GCN and Defense Systems.