Pentagon, industry pursue increased data bus security

A private firm has developed new data bus cybersecurity technology that it claims identifies attacks and cyber intruders more quickly.

The Pentagon and industry are seeking to better protect and modernize MilSTD 1553 data bus cybersecurity and more quickly detect and defend against malicious intrusions.

Decision Zone, a private company, has engineered a new data bus security technology, which the company claims solves this problem. They are now in the process of offering the technology to the U.S. military services.

The thrust of the technology, called dzAudit, is real-time message bus monitoring of business logic, meaning the established sequences and data exchanges that pass information to issue commands and perform various functions.

The Pentagon has been working with various vendors for quite some time to address data bus vulnerability, as evidenced by a memorandum last year from Michael Gilmore, then Director, Operational Test and Evaluation at DOD.

The memo states: “Aircraft using military standard (MilSTD) 1553 data buses or commercial equivalents (such as Aeronautical Radio INC 429 as well as 700 and 800 series high speed avionics data buses), and vehicles using both MilSTD 1553 and commercial Controller Area Network bus protocols are potentially vulnerable to cyberattacks via code and data inserted across these communications protocols.”

Many networks, weapons systems and sensors increasingly rely upon data bus technology, which both massively improves functionality and simultaneously increases the need to fortify cyber defenses as attacks run the risk of having a larger impact.

In the case of a sensitive and crucial weapons system such as an ICBM database, business logic would establish procedures and functions moving the weapon’s platform from one stage of a launch to another. For instance, an initial command might be turning on a booster, activating command and control and then ultimately directing a launch.

“An ICBM has a lot of coding and databases,” said Rajeev Bhargava, CEO, Decision Zone.

Data analytics gathers information and monitors data bus activity for a period of time before cyber defenders can access the information. Faster detection, naturally, could expedite cyber defenses and needed reaction time.

“Data bus integration allows all the different modules to talk to each other. Someone could hack into that message bus and change direction, create specific dangerous actions or change course. Currently there is no technology to monitor business logic on message bus,” Bhargava said.

This technique allowed the Iranians to hack a GPS signal and take over control of a drone, experts and analysts maintain. That event generated worldwide attention several months ago, Bhargava explained.

The principal advantage of the live monitoring, Bhargava explained, is that it can detect threats and potential intrusions faster than currently used data analytics techniques, which operate on a certain latency or lag time between data bus activity and threat detection.

Decision Zone’s technology follows its own sequence as well, Bhargava explained.

“First dzAudit uses next generation machine learning technology to reverse engineer the business logic running on the data bus in terms of state machines which define the message cause and effect relationships. Secondly, dzAudit uses the state machine to create autonomous cyber defense applications running on the data bus to block malware messages or insider message intrusions,” he said.
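The general idea in that quote, checking each bus message against a state machine of allowed message sequences, can be sketched as follows. This is an added example, not dzAudit's code or algorithm: the message names and traces are constructed, and the "learning" step is an assumed simple extraction of observed transitions rather than the company's machine learning.

```python
from collections import defaultdict

START = "<start>"  # synthetic state before the first message of a session

# Constructed benign traces: ordered message types seen on the bus per session.
BENIGN_TRACES = [
    ["POWER_ON", "SELF_TEST", "NAV_ALIGN", "ENGINE_START", "TAKEOFF_CLEAR"],
    ["POWER_ON", "SELF_TEST", "NAV_ALIGN", "STANDBY", "NAV_ALIGN",
     "ENGINE_START", "TAKEOFF_CLEAR"],
    ["POWER_ON", "SELF_TEST", "STANDBY"],
]

# Constructed live stream with one out-of-order and one never-seen message.
LIVE_STREAM = ["POWER_ON", "SELF_TEST", "ENGINE_START", "NAV_ALIGN",
               "ENGINE_START", "FIRMWARE_WRITE", "TAKEOFF_CLEAR"]


def learn_transitions(traces):
    """Build the allowed (previous message -> next message) transitions."""
    allowed = defaultdict(set)
    for trace in traces:
        prev = START
        for msg in trace:
            allowed[prev].add(msg)
            prev = msg
    return dict(allowed)


class SequenceMonitor:
    """Tracks the current state and accepts only learned successor messages."""

    def __init__(self, allowed):
        self.allowed = allowed
        self.state = START

    def check(self, msg):
        # A rejected message is treated as blocked, so the state does not advance.
        if msg in self.allowed.get(self.state, set()):
            self.state = msg
            return True
        return False


def monitor(stream, allowed):
    """Return (index, state_at_the_time, message) for every blocked message."""
    mon = SequenceMonitor(allowed)
    alerts = []
    for i, msg in enumerate(stream):
        state_before = mon.state
        if not mon.check(msg):
            alerts.append((i, state_before, msg))
    return alerts


if __name__ == "__main__":
    for alert in monitor(LIVE_STREAM, learn_transitions(BENIGN_TRACES)):
        print("blocked:", alert)
```

A first-order model like this flags a message the moment it breaks a learned sequence, but it accepts a replayed valid sequence and rejects any legitimate sequence missing from the training traces.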

Bhargava further stated that with its current state of monitoring and detection, data analytics is not always accurate. This, he said, is because the algorithms are based on probability and are not able to specifically pinpoint problem areas in a 100-percent definitive way.

“What they do today is…after you have sent a command to the module, information is inputted into a big database to collect information and make a decision. In order to monitor a data bus, they perform data aggregation, analyze and then figure out what happened. In this environment, data analytics is ineffective and cannot detect messages from malware,” he said. 

The dzAudit technology uses an algorithm based on statistics and mathematical formulas to detect malware intrusions or problem messages as they happen, Bhargava explained. In order to accomplish this, dzAudit draws from substantial innovations in the area of automation and AI, enabling machine-learning to examine messages and data bus activity.

“We developed our own language to do what we do. It is a product which took years to develop,” Bhargava said.

Tim Kline, Cyber Security Subject Matter Expert at CIRRUS Research Associates, said dzAudit represents an important shift in cybersecurity as hardware server footprints decrease and more information migrates to a cloud environment.

“We have to get rid of this existing paradigm of many layers of imperfect security and replace it with something that actually works,” he said.

Kline, who previously served as the Director General of SIGINT Engineering Communications Security Establishment, the Canadian equivalent to the U.S. National Security Agency, said efforts like Decision Zone’s dzAudit represent a paradigm shift away from perimeter security and toward technologies which embed applications directly into a message bus.

Keeping systems separate through perimeter security as more and more data moves to the cloud no longer works, he explained.

“It goes back to trying to solve cyber security by actually trying to deal with the data in the application as opposed to trying to add a lot of infrastructure into the network,” Kline said.

Keeping data separate within the cloud through network segmentation can be useful, Kline explained. It is less efficient but can increase security.

“Instead of building walls around systems, they (Decision Zone) are embedding the applications right into the middleware and doing it in a way that you do not have to change the applications,” Kline said.