Cybersecurity Operational Tests And Assessments – US Defence can’t check F-35 data due to insecure systems

Cybersecurity Operational Tests And Assessments conducted by the US Defence are essential to improve overall security … and discover that US Govt can’t check F-35 data due to insecure systems.

It is difficult to understand the importance of concept like information sharing when dealing with daily work, but officers at the Pentagon are learning at their own expense. The Pentagon is currently unable to check in on key maintenance of the F-35 joint strike fighter (JSF) because the data are stored in an insecure database managed by the Giant Lockheed Martin.

The precious information related to F-35 components and air-frame maintenance data is contained in the database that is non-compliant with August US Cyber Command security requirements, for this reason, the Government personnel cannot access the archive from government networks.

According to the “FY 2015 Annual Report for the Office of the Director, Operational Test & Evaluation,” the Government staff cannot access non-compliance systems via government networks for security reasons.

Michael Gilmore, Defense Department operational test and evaluation chief, also discovered a number of security issues affecting the Defence architectures, including misconfigured and unpatched systems, and poorly authentication process.

This is disconcerting is we consider the effort of the Department of Defense (DOD) in the Cybersecurity Operational Tests And Assessments In FY15.

“DOD cyber teams include organizations that provide OPFOR aggressors (Red Teams) as well as penetration testers and teams that perform other cybersecurity assessments (Blue Teams). DOT&E guidance establishes data and reporting requirements for cyber team involvement in both operational tests of acquisition systems and exercise assessments. The demand on DOD-certified Red Teams, which are the core of the cyber OPFOR teams, has increased significantly in the past 3 years.” states a report on cyber security and operational tests “In the same timeframe, the Cyber Mission Force and private sector have hired away members of Red Teams, resulting in staffing shortfalls at a time when demand is likely to continue to increase. This trend must be reversed if the DOD is to retain the ability to effectively train and assess DOD systems and Service members against realistic cyber threats.”

Despite the Defence is largely investing in operational tests, it often limits the red teams full scope to operate as opposing forces (OPFOR) during training because it fears possible effects.

“DOT&E believes the reluctance by Combatant Commands (CCMDs) and Services to permit realistic cyber effects during major exercises is due to the requirement to achieve numerous other training objectives in those exercises. Additionally, exercise authorities have stated they fear that cyber attacks could distract from—and possibly preclude—achieving these objectives. “

This is a totally wrong approach, threat actors would attack Defense and mission-critical systems by using any method and in any moment, it is important to stress systems in an attempt to find flaws before the intruders.

Gilmore explained that Defence red teams, read OPFOR (opposing forces in war games), are deployed in only the most security-savvy organisations.

“In order to attain a high state of mission readiness, CCMDs (Combatant Commands) and supporting defenders should conduct realistic tests and training that include cyber attacks and effects representative of those that advanced nation states would execute,” Gilmore writes.

Training effort and cyber security assessments are crucial to have an architecture resilient to cyber attacks, the US government is aware of this and has already planned cyber security tests in 2016.

Pierluigi Paganini

(Security Affairs – F-35, Defence, hacking)