Measuring and Assessing the Cybersecurity Risk of Support Equipment to Complex Systems

Christopher J. Guerra, C. Camargo
2018 IEEE AUTOTESTCON. Publication date: 2018-09-01. DOI: 10.1109/AUTEST.2018.8532549 (https://doi.org/10.1109/AUTEST.2018.8532549)
Citations: 1

Abstract

The vulnerability footprint for complex systems includes many potential vectors for compromising the data integrity, system functionality, flight worthiness, and availability. The point of intrusion could occur years prior to fielding the system through the introduction of hardware with “hooks” for a future attack. For support equipment with common operating systems, the footprint available to those with hostile intent is greater. The quantity of users who have contact or near contact with the support equipment amplifies the vulnerability of the complex system. Not all support equipment has a digital or software component. While purely mechanical fixtures have a lower cybersecurity risk, they are not immune. Often they are manufactured or refurbished using automatic test equipment which could be affected, resulting in an imperceptible defect in the support equipment's performance. We describe a methodology to measure and assess the cybersecurity risk of a complex system or a fleet of complex systems in response to the support equipment footprint, which interfaces with the system. This approach combines information from two key databases. The first database characterizes the information flow and interfaces between the subsystems, including the support equipment. The second database describes the critical, open-ended interface points for an attack against the support equipment. The critical parameters can include the type of operating system, the number of exposed ports and their types, and the presence of wireless interfaces. We define impact parameters for the case where a subsystem is compromised. Similarly, we define risk parameters for the support equipment based on criteria that are a function of the susceptibility of the technology employed within the support equipment. As in reliability analyses, we construct a network of the relationships between the subsystems and the support equipment. We can compute the two-dimensional risk-impact relationship for a given support equipment item to the subsystem or to the complete system. This approach can be extended to compute a fleet-level risk and impact for all of the support equipment.