In another example of how far the cyber domain is pervading every aspect of warfare, military units are beginning to add cyber protection testing to vehicles before they hit the road.
The Marine Corps recently completed its first-ever adversarial cyber testing of the Light Armored Vehicle, or LAV, looking for vulnerabilities that could put the Marines’ Command, Control, Communications, Computers, and Intelligence–C4I–systems at risk. The Army’s Tank Automotive Research, Development, and Engineering Center–TARDEC–meanwhile, has issued a Request for Information–RFI–to industry, looking for an intrusion defense system to protect ground vehicles against cyberattacks.
Testers at Marine Corps Base Camp Pendleton, California, examined the LAV, which is used mostly for reconnaissance, for vulnerabilities to see how exploiting them could affect operations in what is a digitally connected force. “We looked at how we can disrupt the mission,” said Chim Yee, a cyber engineer for the Marine Corps Tactical Systems Support Activity–MCTSSA. That testing provides crucial lessons in how to manage risk and fix vulnerabilities in the LAV and other vehicles before they set off on a mission.
Successful hacks of commercial vehicles are motivating the Marines and Army to add cyber checks, since the computer architectures of military vehicles are very similar to those in the commercial sector. Hacks of commercial vehicles have affected everything from engines and transmissions to brakes and steering columns. Two researchers in 2015 hacked and disabled a Jeep while it was being driven on the road, and a year later showed up at the Black Hat conference with a new arsenal of attacks that could speed up, slow down, or cause a Jeep to swerve into a tree–and this was after Chrysler had recalled more than a million vehicles and fixed the original vulnerability. Others have also demonstrated hacks of commercial vehicles via wireless or Bluetooth.
“As vehicle platforms change vehicle control from a purely mechanical form to a digital form, the surface area for attacks increases significantly,” said Capt. Brian Greunke, MCTSSA network test engineer.
Vehicle hacking is a particular concern because of the increasing use of unmanned, semi-autonomous, or autonomous vehicles–on the ground as well as in the air and at sea–which rely on wireless communications. But manned vehicles are also essentially mobile computers linked into the command and control structure.
“As vehicle platforms add computing power–think a Windows 10 laptop controlling comms or engine diagnostics–the attack surface will include: Windows attacks, vehicle network attacks, and proprietary hardware attacks,” Greunke said. So, the Marines’ cyber testing teams need to look not only at single vulnerabilities, but also how the systems are tied together to see where potential weaknesses lie.
The Army’s RFI reflects thinking along the same lines, asking for input on a system “to protect against and mitigate cyberattacks on military vehicles.” TARDEC says it would prefer an add-on system that can be adapted to vehicles, either as a single component integrated into the vehicle’s bus network or as a complex set of components. The RFI says it also is willing to consider other options.
The military could find its answers in commercial technology, because hack-proof cars are becoming a priority. The National Highway Traffic Safety Administration is developing a layered cybersecurity approach for vehicles that incorporates the National Institute of Standards and Technology’s Cybersecurity Framework, and encourages the auto industry to adopt best practices.
Industry is also emphasizing a comprehensive approach to cybersecurity both for manned and self-driving cars, and looking to develop autonomous cybersecurity systems that can keep up with the ever-shifting range of attacks.
Please fasten your cybersecurity seat belts.