DARPA Project Producing Tool to Help Anticipate Military and Industrial Systems’ Cyber Threats 


The VERDICT tool aims to allow systems engineers to assess cybersecurity even without deep expertise. 

GE Research, General Electric Company’s technology development division, recently revealed that it is developing a cybersecurity tool to examine and subsequently improve the cyber stature and defenses of critical military and industrial systems for a Defense Advanced Research Projects Agency project.

The Verification Evidence and Resilient Design in Anticipation of Cybersecurity Threats—or VERDICT—tool aims to work across a range of computer systems, such as those for smart devices, ships, aircraft, power plants and wind farms. The goal is to provide the systems with comprehensive assessments of cyber threats, recommend how to address vulnerabilities uncovered, and predict the potential of forthcoming attacks.

“We hope the VERDICT tool is a tool that any systems engineer, with or without deep cybersecurity expertise, can pick up and use,” Michael Durling, Kit Siu and Abha Moitra, members of GE Research’s project team, recently told Nextgov via email. “The best case scenario is if we can decrease the time and effort it takes for product security experts to do their job, allowing them to analyze and assess the safety and security of a system with accurate and repeatable results, and have the artifacts that come out of our tool be part of an assurance package used for certification.”

The project is being run through DARPA’s Cyber Assured Systems Engineering, or CASE, program, which addresses cybersecurity from a systems engineering perspective. The GE Research team wants to develop a tool to help systems engineers evaluate cyber resiliency—the ability to withstand attacks—like they would safety or performance features.

They started the project in 2018, but the officials noted that some of the concepts involved are extensions from previous programs. 

“For example, the model-based framework that generates the backend attack-defense tree is an extension from previous work done with NASA Langley Research Center to generate fault trees for a model-based framework for analyzing safety,” they said. “It’s always nice to see prior efforts take new form!”

Currently, the team is embarking on Phase 2 of DARPA’s CASE program, and “putting in as much functionality” as they can before Phase 3 launches in September. At that point, their team, as well as other CASE program performers, will “turn [their] tools over to the platform providers to use on real, live products they are developing.” 

Part of what makes VERDICT special, according to the team, is the fact that it aims to mechanize Mitre’s Common Attack Pattern Enumeration and Classification and the list of Security and Privacy Controls in NIST 800-53. Both of those items take a great deal of time and effort to distill down to what is needed, the team said. 

“Because we included a security practitioner on our development team right from the start, we were always guided by principles of applicability to real world problems and usage,” they said. “At the same time, the tool is backed by rigorous analysis methods, built by formal methods and semantics experts on the development team.” 

Many of these power systems VERDICT aims to improve are operated separately from the cloud to reduce their risks of cyberattacks—but they still face threats. At the same time, the Defense Department and other relevant government entities are adopting more and more commercial-off-the-shelf items, amplifying the need to rigorously check and track cyber vulnerabilities. Further, the researchers added that, recently, attempts to attack these critical systems are becoming “more sophisticated in nature.”

“An example of increased sophistication by attackers is their ability to bridge air gaps,” the GE Research team explained. They noted that for a long time, physical air gaps were thought of as a defensive strategy; that is, having no connection to a public network meant systems were likely protected from attackers. There are confirmed cases of cyber actors “bridging that gap,” and due to the high dependence on interconnectivity in the modern age, not having a system online also essentially means making it nearly inoperable.

“The idea with our tool is to identify possible vulnerabilities by knowing which part of your system communicates outside your trust boundaries,” the team said. “[VERDICT] is also capable of telling users something about their system even in the event of unknown or future attacks. We do this by analyzing attack effects instead of the attacks themselves.”

The research team emphasized that the work is being done in collaboration with the University of Iowa and they said it all stands as a “strong example of the types of innovative tools” that can be built through public-private partnerships.

“A key goal is accelerating the development of new ideas like the VERDICT tool, where industry and government are aligned and after the same objective,” they said. “We hope it will not only be a great solution for protecting military systems, but also be applied to the type of critical infrastructure in the power and transportation sectors that industrial companies like GE are manufacturing.”
