DARPA Project Producing Tool to Help Anticipate Military and Industrial Systems’ Cyber Threats 

General Electric Company’s technological development division GE Research recently unveiled it’s developing a cybersecurity tool to examine and subsequently improve critical military and industrial systems’ cyber stature and defenses for a Defense Advanced Research Project Agency project.

The Verification Evidence and Resilient Design in Anticipation of Cybersecurity Threats—or VERDICT—tool aims to work across a range of computer systems, such as those for smart devices, ships, aircraft, power plants and wind farms. The goal is to provide the systems with comprehensive assessments of cyber threats, recommend how to address vulnerabilities uncovered, and predict the potential of forthcoming attacks.

“We hope the VERDICT tool is a tool that any systems engineer, with or without deep cybersecurity expertise, can pick up and use,” Michael Durling, Kit Siu and Abha Moitra, members of GE Research’s project team, recently told Nextgov via email. “The best case scenario is if we can decrease the time and effort it takes for product security experts to do their job, allowing them to analyze and assess the safety and security of a system with accurate and repeatable results, and have the artifacts that come out of our tool be part of an assurance package used for certification.”

The project is being run through DARPA’s Cyber Assured Systems Engineering, or CASE program, which addresses cybersecurity from a systems engineering perspective. The GE Research team wants to develop a tool to help systems engineers evaluate cyber resiliency—the ability to withstand attacks—like they would safety or performance features.

They started the project in 2018, but the officials noted that some of the concepts involved are extensions from previous programs. 

“For example, the model-based framework that generates the backend attack-defense tree is an extension from previous work done with NASA Langley Research Center to generate fault trees for a model-based framework for analyzing safety,” they said. “It’s always nice to see prior efforts take new form!”

Currently, the team is embarking on Phase 2 of DARPA’s CASE program, and “putting in as much functionality” as they can before Phase 3 launches in September. At that point, their team, as well as other CASE program performers, will “turn [their] tools over to the platform providers to use on real, live products they are developing.” 

Part of what makes VERDICT special, according to the team, is the fact that it aims to mechanize Mitre’s Common Attack Pattern Enumeration and Classification and the list of Security and Privacy Controls in NIST 800-53. Both of those items take a great deal of time and effort to distill down to what is needed, the team said. 

“Because we included a security practitioner on our development team right from the start, we were always guided by principles of applicability to real world problems and usage,” they said. “At the same time, the tool is backed by rigorous analysis methods, built by formal methods and semantics experts on the development team.” 

Many of these power systems VERDICT aims to improve are operated separately from the cloud to reduce their risks of cyberattacks—but they still face threats. At the same time, the Defense Department and other relevant government entities are adopting more and more commercial-off-the-shelf items, amplifying the need to rigorously check and track cyber vulnerabilities. Further, the researchers added that, recently, attempts to attack these critical systems are becoming “more sophisticated in nature.”

“An example of increased sophistication by attackers is their ability to bridge air gaps,” the GE Research team explained. They noted that for a long time, physical air gaps were thought of as a defensive strategy, that is, having no connection to a public network meant systems were likely protected from attackers. There are confirmed cases of cyber actors “bridging that gap” and due to high dependence on interconnectivity in the modern age, not having a system online also essentially means making it nearly inoperable.

“The idea with our tool is to identify possible vulnerabilities by knowing which part of your system communicates outside your trust boundaries,” the team said. “[VERDICT] is also capable of telling users something about their system even in the event of unknown or future attacks. We do this by analyzing attack effects instead of the attacks themselves.”

The research team emphasized that the work is being done in collaboration with the University of Iowa and they said it all stands as a “strong example of the types of innovative tools” that can be built through public-private partnerships.

“A key goal is accelerating the development of new ideas like the VERDICT tool, where industry and government are aligned and after the same objective,” they said. “We hope it will not only be a great solution for protecting military systems, but also be applied to the type of critical infrastructure in the power and transportation sectors that industrial companies like GE are manufacturing.”