Cybersecurity in the UTM context has an expansive scope since it touches cyber-physical systems and covers different domains. The threat modelling template conceptualised by the Secure and Resilient UTM Task Force introduces a way of thinking to address the issues of cyber-security of UTM systems to build a secure-by-default UTM system. In the context of the drone ecosystem, UTM is just one component of the stack, and there are others, e.g. the vehicle itself, the command and control link, the identity and authorization of the flights, etc.
During the work of the Secure and Resilient UTM Task Force, a number of GUTMA task force members presented a short summary showcasing their work and technology that covers the broader offering in the context of cyber-secure systems. In this article, we share this “survey of practices” that will familiarize the reader with the broader work and efforts of task force members.
This second article will focus on the contribution of ANGOKA.
Introduction
ANGOKA specializes in the cybersecurity of IoT devices, with a focus on lightweight but high-grade security for different levels of autonomous systems, including UAS. ANGOKA is a world-leading company in the development of UAS and UTM cybersecurity solutions.
In developing its Ranger product, ANGOKA has been conducting extensive risk analysis to prove the effectiveness of Ranger as a wide-ranging cybersecurity control. This has so far led to the identification of 156 discrete attack paths based on examining the following architecture:
Figure 1: UAS Architecture in the scope of ANGOKA cybersecurity risk assessment
From this architecture, we can make several observations:
- There is clearly a link between physical safety and cybersecurity risks – the takeover of a drone can become a physical attack vector that could cause severe injury or death.
- There is a disconnect between operational safety and cybersecurity – safety cases appear to lack any regard for cybersecurity and there is a misunderstanding that operations away from people may be safe within an operating perimeter with respect to a cyber attack.
- Conventional security technologies are not fit for purpose – there is a misunderstanding that encryption can protect against all types of C2 or C3 attacks. However, there are attacks such as ‘man-in-the-middle’ or ‘replay’ attacks that can be deployed against even encrypted communications. Indeed, ‘cyber-takeover’ is an emerging Counter UAS (CUAS) approach and can be deployed against encrypted C2.
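The replay point in the last observation, as an added example that is not ANGOKA's or Ranger's code: a receiver that only verifies a frame cryptographically accepts a captured frame a second time, while one that also checks freshness drops it. The frame layout, key and command strings are assumptions constructed for illustration; the frame is authenticated with HMAC rather than encrypted, and the same holds for an encrypted frame because the replayed bytes are unmodified.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes

def seal(counter: int, command: bytes, key: bytes = KEY) -> bytes:
    """Sender side: frame = 8-byte counter || command || HMAC tag."""
    body = struct.pack(">Q", counter) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_frame(frame: bytes, key: bytes = KEY):
    """Verify the tag; return (counter, command) or None if forged/corrupt."""
    if len(frame) < 8 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">Q", body[:8])[0], body[8:]

class NaiveReceiver:
    """Checks integrity only: any validly sealed frame is accepted."""
    def accept(self, frame: bytes) -> bool:
        return open_frame(frame) is not None

class FreshnessReceiver:
    """Also requires a strictly increasing counter, so old frames are dropped."""
    def __init__(self):
        self.last_counter = -1

    def accept(self, frame: bytes) -> bool:
        opened = open_frame(frame)
        if opened is None or opened[0] <= self.last_counter:
            return False
        self.last_counter = opened[0]
        return True

def demo():
    # Constructed traffic: two legitimate commands, then frame 1 seen again.
    f1, f2 = seal(1, b"SET_WAYPOINT 3"), seal(2, b"HOLD")
    traffic = [f1, f2, f1]
    naive, fresh = NaiveReceiver(), FreshnessReceiver()
    return [naive.accept(f) for f in traffic], [fresh.accept(f) for f in traffic]

if __name__ == "__main__":
    print(demo())
```

A strictly increasing counter also rejects legitimate frames that arrive out of order; protocols for lossy links such as IPsec and DTLS use a sliding anti-replay window instead.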
Methodology
The security risk assessment methodology deployed by ANGOKA comprises three components:
- STRIDE
- MITRE ATT&CK
- Qualitative Risk Analysis (Probability/Impact/Safety)
STRIDE is a core component of Microsoft’s Security Development Lifecycle, and the abbreviation is a mnemonic for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. STRIDE was originally developed for software development but can be used more widely as done by ANGOKA. In STRIDE, threats are mapped to security properties and the controls needed. For example, spoofing (pretending to be someone or something else) can lead to a loss of CIA properties and a range of impacts with different harms. Spoofing can be mitigated by strong authentication controls such as multi-factor authentication.
The ‘MITRE ATT&CK Framework’ is an open resource providing information on adversary groups and their Tactics, Techniques and Procedures (TTPs). The model uses the Lockheed Martin ‘Cyber Kill Chain’ to describe the various stages of a cyber attack and the methods used by attackers (e.g. ‘reconnaissance’ to ‘command and control’).
Qualitative Risk Analysis has been used by ANGOKA as a simple first pass of risks. The approach is to use a lookup table of impact and likelihood to calculate risk and further define impact with a safety impact classification.
These methods and more are described in an overview in ‘Cybersecurity in Transport Systems’[1] published by the IET.
To consider the threat vectors for cyber attacks, the following figure sets out the five main connections within the context of U-Space.
Figure 2: Main connections within the U-Space context
Corresponding to these connections are six communication nodes.
Figure 3: Communication nodes
Drawing on the preceding high-level architecture and threat vectors, ANGOKA has analyzed the UAS / U-Space system and identified 156 threats which impact safety critical systems and data flows. To classify the threats, they have been grouped according to the following Safety Priorities:
A: Physical and Cyber operation Hazard
B: Physical operation disruption and Cyber Hazard
C: Cyber operation disruption
Examining the threat landscape for communication in the following figure, we see a variety of threats between the different nodes.
Figure 4: Communication threats between different nodes
Many of these threats are countered by ANGOKA’s Ranger product, but not all. In particular, jamming has proven to be a key issue for both drone communications and GPS navigation systems (GPS may also be spoofed). The point is that the myriad cyber security threats can only be defined through a thorough process of risk analysis, assessment and management and that multiple controls will be needed to defend against cybersecurity attacks.
A second view of threat vectors is those to different nodes, as in the following figure. For example, threats to the UTM node include spoofing, denial of service, data tampering, and backdoor malware, among other things.
Figure 5: Threat vectors to different nodes
Conclusions
ANGOKA’s approach to cyber security is a whole-system approach that considers not only the security of the command, control and communications link that ANGOKA produces, but also the wider system context. Combining STRIDE and the MITRE ATT&CK Framework (including the Lockheed Martin ‘Cyber Kill Chain’) enables a broad view of potential threats and attackers. Through research over the last two years, ANGOKA has built up a catalogue of 156 attack vectors that it uses to support Threat and Risk Assessments (TARA) in the AAM industry. The aim is to identify a range of controls, ideally during development, as part of a DevSecOps approach (built-in security at every step of the system development life cycle).
If you want to read the full Secure and Resilient Task Force report, click here and download the document.
[1] https://shop.theiet.org/cybersecurity-in-transport-systems