The Army Aviation Cyber Incident Response Team: What Do We Do After a Cyber Attack?


Cyber attacks are threats that target the combat system’s infrastructure with impacts realized at the mission level. While today’s military aircraft were built to be safe, airworthy, reliable, and survivable, they were not designed with cyber threats in mind. Thus, over the past decade, the U.S. military has spent an inordinate amount of time and treasure attempting to address these cyber threats. Countless dollars have been poured into cybersecurity to achieve Authority to Operate, cyber testing to assess systems for weaknesses, and Defensive Cyber Operations to monitor and protect networks from bad actors. While these efforts have undoubtedly helped improve the cyber posture of legacy systems that were not designed to withstand cyber threats, they haven’t sufficiently answered the question, “What do we do after a cyber attack?” Accordingly, this article discusses the mission, development, and activities of the Army Aviation Cyber Incident Response Team (AA-CIRT), which was established to help address this question.

Focus on Survivability

In the military aviation domain, as with all weapon systems, survivability is paramount. This is why the Joint Requirements Oversight Council mandated inclusion of the System Survivability Key Performance Parameter (SSKPP) into the requirements for all manned systems. While the survivability community has historically focused on kinetic threats, the ability to avoid or withstand nonkinetic threat types, such as cyber and electromagnetic spectrum, has also become increasingly recognized as an important consideration for full-spectrum survivability. This realization led the Joint Staff J6 to develop the Cyber Survivability Endorsement (CSE) to the SSKPP, which broadly aligns cyber survivability with the fundamental tenets of system survivability (as shown in Figure 1). The J6 office published this guidance in the Cyber Survivability Endorsement Implementation Guide (CSEIG) [1]. (For more background/details on the CSE, see Mr. Steve Pitcher’s article in the fall 2022 issue of Aircraft Survivability [2].)

Figure 1. SSKPP Required Endorsements.

Because cyber is assessed as part of the SSKPP, we have adopted the traditional pillars of Prevent, Mitigate, and Recover (as shown in the familiar “survivability onion” in Figure 2). The CSEIG also added a fourth pillar—Adapt—which is particularly relevant to cyber survivability. Currently, as a general rule for aircraft, prevention activities in the cyber domain happen before the mission, mitigation activities happen during the mission, and recovery and adaptation activities happen after the mission. Cybersecurity activities are primarily geared toward preventing cyber attacks. The pilot and crew can attempt to mitigate system-level effects during the mission, if possible. Recovery and adaptation tend to be executed at maintainer level to restore mission readiness.

Figure 2. The Survivability Onion.

The Need for Cyber Incident Response

While aircraft structural/mechanical and safety-related status is routinely monitored and evaluated by maintenance teams to maintain readiness, damage due to hostile acts must be viewed through a different lens. This is where the Joint Combat Assessment Team (JCAT) contributes to aircraft survivability. When combat damage occurs, JCAT assesses this damage to determine the likely chain of events that led to the damage. The team collects significant amounts of data and performs forensic analysis to establish threat parameters, damage to the platform and subsystems, and interactions with countermeasures, if any. The goal is to reconstruct the incident to determine how to adapt the fleet to the operational environment and threat capabilities going forward.

A similar approach is needed when the threat “weapon” is cyber. Cyber attacks can cause system failures or erratic behavior that may affect performance, mission effectiveness, and survivability. As such, we need a mechanism to perform the forensics to understand the event and provide a feedback loop to the system owner in much the same way that JCAT does for other types of damage. And because cyber effects often resemble reliability failures, pilots, crew chiefs, and maintenance technicians need to consider cyber as a potential cause of failures or abnormal behavior. To meet this need for Army aircraft and related systems, the Capability Program Executive (CPE) Aviation established the AA-CIRT.

AA-CIRT Requirement

In 2019–2020, the Headquarters Department of the Army (HQDA) G-3/5/7 and the Assistant Secretary of the Army for Acquisition, Logistics, and Technology worked across the Army to establish the requirements and equities associated with responding to cyber attacks on weapon systems. This work resulted in HQDA Execution Order (EXORD) 251-20, titled Program Mission Assurance Weapon System (CYBER) Incident Response Plan [3], the purpose of which was to establish a standardized response and reporting process and to ensure all stakeholders understand and meet their responsibilities related to cyber incidents on weapon systems. In response to this HQDA EXORD, as well as language in the FY23 National Defense Authorization Act (NDAA) Section 1559 [4], CPE Aviation initiated planning and coordination for AA-CIRT. Under this effort, a draft Concept of Operations (CONOPS) was developed to align CPE Aviation roles and responsibilities with stakeholders throughout the Army. The Joint Aircraft Survivability Program Office (JASPO) then expanded the scope with a requirement to synchronize this approach across the Services.

AA-CIRT Vision

The overall objective of AA-CIRT is to increase aircraft survivability through development of rapid response capabilities for suspected cyber attacks on aircraft and associated ground support equipment. The prospective end state is to field a mature cyber incident response and triage capability for aviation systems that leverages JCAT kinetic threat incident evaluations and provides coordination of platform and cyber subject-matter expertise to mitigate effects and recover operational readiness. As important as it is to respond to specific exploits, the feedback into the operational and acquisition communities is even more so. This is why, much like JCAT, AA-CIRT provides critical data and expertise to enable near- and long-term doctrine, organization, training, materiel, leadership and education, personnel, and facilities solutions.

Development Approach

Rather than initiate a standalone process, AA-CIRT planners chose to closely integrate with existing JCAT, maintainer, and safety teams and processes; cyber assessment and testing capabilities within the CPE Aviation community; and Joint partners in the Air Force and Navy to establish a comprehensive mechanism for responding to malicious cyber activity affecting aircraft operational technologies. Beginning with the Aviation Survivability Development and Tactics (ASDAT) team at Fort Rucker, AL—the Army’s instantiation of JCAT—the first priority was to align with, and adapt where necessary, the procedures laid out in the JCAT Pocket Guide [5]. This included update of the ASDAT Intelink site for incident reporting. Because the ASDAT team is a primary provider of course materials to the U.S. Army Aviation Center of Excellence (USAACE), AA-CIRT materials and aircraft cyber effects in general are being added into the “schoolhouse” curriculum for pilots and maintainers.

We also reached out to our Joint partners at the Naval Air (NAVAIR) Warfare Center Aircraft Division, at Patuxent River, MD, to collaborate with their Cyber Protection and Response Center and Aviation Cyber Forensics Lab. Our counterpart in the Air Force is the Cyber Resiliency Office for Weapon Systems (CROWS), at Wright-Patterson AFB, OH. Both organizations had received a similar requirement for aircraft cyber incident response and have capabilities and CONOPS at various levels of maturity. These collaborations proved to be extremely valuable.

Next, we surveyed weapon system and cyber expertise locally at Redstone Arsenal, AL. CPE Aviation provided leadership and resourcing from across the Office of the Chief Scientist, the Assistant CPE Engineering and Architecture, and the Office of the Chief Information Officer (OCIO). In addition, JASPO provided resourcing, direction, and coordination. The DEVCOM Aviation and Missile Center (AvMC) provided cyber engineering, aviation data bus penetration testing expertise, and cyber threat analysis capabilities. The Redstone Test Center (RTC) supplied aircraft and cyber testing and instrumentation expertise, as well as world-class facilities (via the Aviation Flight Test Directorate), aircraft maintainers, and test pilots. In addition, the Aviation and Missile Command G2 office provided cyber intel analysts, and contractor partners across all these organizations were also instrumental to the work’s success.

Program Phases

CPE Aviation and JASPO also cochaired a monthly AA-CIRT Working Group to maintain an operational tempo and collaboration. Under the group’s auspices, the effort was executed across the following three phases.

Phase 1: Planning, Tool Development, and Lab Testing

The first phase consisted of early planning and coordination among the various stakeholders, development of specialized tools to support forensic investigation, and testing in an aircraft system integration lab (SIL). Early efforts also included decomposing the Army EXORD, establishing roles and responsibilities among the stakeholders and team members, and drafting an initial AA-CIRT CONOPS, which included the basic team structure and external interactions, consistent with the Army EXORD. There were also early interactions with our NAVAIR and CROWS counterparts to benefit from their early lessons learned.

Recognizing the relatively insecure nature of the MIL-STD-1553b data bus (pictured in Figure 3) and the lack of related data collection, the team leveraged its penetration testing and instrumentation expertise to develop several forensic tools for Army aircraft.

Figure 3. Typical MIL-STD-1553b Data Bus Traffic.

The first tool, developed by DEVCOM AvMC, was a plug-in to its Common Bus Assessment Tool (ComBAT) (pictured in Figure 4). ComBAT has been used for aircraft cyber testing for years, but this effort added a device fingerprinting capability to help identify rogue terminals (leave-behind or otherwise compromised) masquerading as valid bus participants. Because each device has unique characteristics, such as waveform and response timing, the AvMC experts automated the capability to measure, capture, and distinguish these features for use in cyber incident response.

Figure 4. Plug-In Signal Captures.

Next, because of the highly consistent nature of the MIL-STD-1553b data bus, the RTC team developed a message visualization tool—Greenlister—to allow an operator to quickly identify unexpected and invalid messages transmitted on a bus. As shown in Figure 5, the Greenlister tool augments the Cybersecurity Vulnerability Assessment Test Environment (CVATE), serving as a quick-look capability to analyze bus behavior to identify where deep-dive forensics may be needed.
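The two detection ideas described above, fingerprinting a terminal by its response timing and "greenlisting" the messages a bus is expected to carry, can be illustrated with a small analyzer over a bus capture. The example below is added here and is not ComBAT, Greenlister, or any other AA-CIRT tool; the message records, the allowlist, and the response times are constructed for illustration (MIL-STD-1553B itself requires a remote terminal to return its status word within a 4 to 12 microsecond window, which is why response timing is a usable device characteristic). A trusted capture from the SIL is used to learn each remote terminal's typical response time, and a later capture is checked against both the learned timing and the allowlist.

```python
"""Greenlist check and response-time fingerprinting over a MIL-STD-1553 capture.

Added example, not code from the article or from the ComBAT/Greenlister tools.
All message records, allowlist entries and timings below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class BusMessage:
    t_us: float         # capture timestamp in microseconds (constructed)
    rt: int             # remote terminal address, 0-31
    tr: str             # "T": RT transmits, "R": RT receives
    subaddr: int        # subaddress field of the command word, 0-31
    word_count: int     # data word count from the command word, 1-32
    response_us: float  # measured gap between command word and RT status word


# Constructed allowlist: the (rt, tr, subaddr, word_count) tuples the bus
# profile says should ever appear. Anything else is "unexpected".
GREENLIST = {
    (1, "T", 2, 16),
    (1, "R", 3, 4),
    (5, "T", 1, 8),
}

# Constructed trusted capture (e.g. recorded in the SIL before any exercise).
BASELINE_CAPTURE = [
    BusMessage(0.0, 1, "T", 2, 16, 5.0),
    BusMessage(1000.0, 1, "R", 3, 4, 5.2),
    BusMessage(2000.0, 5, "T", 1, 8, 7.0),
    BusMessage(3000.0, 1, "T", 2, 16, 4.9),
    BusMessage(4000.0, 5, "T", 1, 8, 7.1),
    BusMessage(5000.0, 1, "R", 3, 4, 5.1),
]

# Constructed suspect capture: one valid-looking message answered far later than
# RT 1 normally does, and one command to a subaddress the profile never uses.
SUSPECT_CAPTURE = [
    BusMessage(0.0, 1, "T", 2, 16, 5.0),
    BusMessage(1000.0, 1, "R", 3, 4, 9.6),
    BusMessage(2000.0, 5, "T", 1, 8, 7.0),
    BusMessage(3000.0, 1, "T", 30, 2, 5.1),
]


def greenlist_check(messages, greenlist=GREENLIST):
    """Return the messages whose command tuple is not on the allowlist."""
    return [m for m in messages
            if (m.rt, m.tr, m.subaddr, m.word_count) not in greenlist]


def build_timing_baseline(messages):
    """Learn (mean, std dev) of status-word response time per remote terminal."""
    samples = defaultdict(list)
    for m in messages:
        samples[m.rt].append(m.response_us)
    return {rt: (mean(v), pstdev(v)) for rt, v in samples.items()}


def timing_outliers(messages, baseline, min_sigma=0.5, k=4.0):
    """Flag messages whose response time is more than k sigma from the RT's baseline.

    min_sigma floors the learned std dev so that a very stable baseline does not
    turn ordinary jitter into an alert. An RT with no baseline is flagged too,
    since a terminal the trusted capture never saw is itself worth a look.
    """
    flagged = []
    for m in messages:
        if m.rt not in baseline:
            flagged.append((m, "no baseline for this RT"))
            continue
        mu, sigma = baseline[m.rt]
        sigma = max(sigma, min_sigma)
        if abs(m.response_us - mu) > k * sigma:
            flagged.append((m, f"response {m.response_us:.1f}us vs baseline {mu:.1f}us"))
    return flagged


def analyze(capture, baseline_capture=BASELINE_CAPTURE):
    """Run both checks; returns the unexpected messages and the timing outliers."""
    baseline = build_timing_baseline(baseline_capture)
    return {
        "unexpected": greenlist_check(capture),
        "timing": timing_outliers(capture, baseline),
    }


if __name__ == "__main__":
    result = analyze(SUSPECT_CAPTURE)
    for m in result["unexpected"]:
        print(f"t={m.t_us:.0f}us RT{m.rt} {m.tr} SA{m.subaddr} WC{m.word_count}: not greenlisted")
    for m, why in result["timing"]:
        print(f"t={m.t_us:.0f}us RT{m.rt} {m.tr} SA{m.subaddr}: {why}")
```

Run on the suspect capture, the allowlist check reports the subaddress 30 command and the timing check reports the RT 1 message answered at 9.6 microseconds against a learned baseline near 5 microseconds. Both findings are quick-look triggers of the kind the text describes, pointing at where deeper forensics (waveform capture, physical inspection of the bus stubs) would start rather than proving an intrusion on their own.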

Figure 5. CVATE Greenlister Bus Traffic Display.

These tools and others were used during the first AA-CIRT Exercise in September 2023 at the CH-47F SIL in the CPE Aviation Enterprise Portfolio Integration and Conformance Center (formerly the Combat Aviation Brigade Architecture Integration Lab). This exercise allowed AA-CIRT stakeholders and technical experts to respond to a limited set of injected MIL-STD-1553b cyber effects alongside platform experts, pilots, crew, and ASDAT representatives. It also demonstrated the AA-CIRT tool set in a realistic system environment and served as the culmination of AA-CIRT Phase 1 activities.

The Phase 1 capabilities and accomplishments were demonstrated at the October 2023 Aviation Cyber Initiative (ACI) Cyber Rodeo at Redstone Arsenal, AL, to more than 160 attendees from across the U.S. Departments of War, Transportation (specifically the Federal Aviation Administration), and Homeland Security, as well as industry and academia. In an attempt to raise awareness of cyber effects on military aircraft and to socialize the Phase 1 capabilities to the broader survivability and operational community, AA-CIRT was also presented at the 2024 Threat Weapons & Effects (TWE) Symposium at Eglin Air Force Base, FL.

Phase 2: CONOPS Development, Validation, and Live Testing

During the recently completed second phase, the AA-CIRT team formalized the CONOPS processes and interactions and coordinated closely with the ASDAT team at Fort Rucker and the U.S. Army Cyber Command (ARCYBER) at Fort Gordon, GA.

As shown in Figure 6, the AA-CIRT CONOPS was updated to include detailed incident resolution and reporting interactions, as well as an end-to-end process sequence among the stakeholders and participants. The focus of this CONOPS is exclusively on Aviation platforms, systems, and associated ground support equipment (i.e., “the aircraft and anything that plugs into the aircraft”). The AA-CIRT team coordinated the codified CONOPS processes, roles, and responsibilities with the ARCYBER Information Warfare Operations Center to maintain consistency with its Crisis Action Team Standard Operating Procedures. The JCAT Pocket Guide [5] was also updated to consider cyber as an option during initial event analysis.

Figure 6. AA-CIRT Interaction Diagram.

The CONOPS established the Cyber Incident Coordination Cell (CICC) to be the “face of AA-CIRT” to the community and the clearinghouse for event management and internal and external reporting. The CICC is also responsible for coordination with system owners and program office(s) and all relevant stakeholders.

For instances where a cyber incident cannot be resolved by preliminary analysis and mitigations, the CONOPS established the Cyber Incident Response Team (Cyber IRT) to perform event triage and categorization, perform detailed forensics to determine root cause, recommend system and process modifications, and support the unit in returning the affected systems to operational status. To staff this team, penetration testers from the AvMC Cyber Threat Assessment Team (CTAT) were tapped due to their detailed knowledge of vulnerability assessments on Army aircraft. To successfully execute this mission, the Cyber IRT must maintain close coordination with ASDAT/JCAT, maintenance and safety teams, and program office subject-matter experts.

The CONOPS also includes multiple appendices with fillable forms for data collection and coordination, helpful lists, frequently asked questions, formats for response plans, and reporting throughout all phases of an incident.

Phase 2 culminated with an exercise on a live CH-47F aircraft in simulated flight at the Aviation System Test and Integration Lab at the Redstone Arsenal Airfield. The purpose of this event was to verify and refine the AA-CIRT CONOPS and to exercise the Cyber IRT on a multifaceted exploit that, while benign in impact, required multiple forensics steps and relied on skillsets across cyber, engineering, hardware, and software domains. This event brought together all CICC stakeholders, Cyber IRT members, program office system engineers and cyber leads, maintenance teams and test pilots, and ASDAT representatives to collectively trace a potential cyber effect from initial pilot reporting, through unsuccessful maintenance attempts, and through multiple onboard and offboard devices and networks. The RTC team developed the novel exploit and built the entire test scenario to be as realistic as possible. The AvMC CTAT team successfully traced the problem “inside out” to find the specific attack surface, attack path, and root cause of the anomaly; removed the offensive software; and returned the affected systems to working order.

Phase 3: Program Documentation, Process Socialization Across the Joint Community, and Coordination With Service Cyber Commands

During the current third phase, the team refined the AA-CIRT CONOPS based on Exercise #2, particularly the appendices, and delivered the Army Aviation Cyber Incident Analysis and Reporting Methodology document to JASPO [6]. The next step for the AA-CIRT CONOPS will be publication through the formal CPE Aviation process.

To socialize the AA-CIRT processes, roles, and responsibilities within CPE Aviation, the team engaged the cyber leads across all aviation program offices to introduce the CONOPS and discuss program accomplishments and the path forward, including an update of all cyber incident response plans to align with AA-CIRT and Army policy. Once this activity is complete, it will supplement Risk Management Framework packages with technical details valuable to Cyber IRT. An example would be Cyber Attack Path Analysis diagrams, which serve as a “cyber roadmap” for our aircraft. There will also be follow-up sessions with the program office engineering teams, as they will be critical to resolving any cyber incident affecting their platforms and systems.

AA-CIRT will continue to maintain coordination and reporting mechanisms with ARCYBER, as well as our Navy and Air Force counterparts and their respective Service cyber commands. The team will also continue to work closely with JASPO and JCAT to develop and implement processes consistent with existing incident response tactics, techniques, and procedures (TTPs). Through the Army ASDAT team, we will provide input to USAACE curricula, including the Fundamentals of Aviation Combat Survivability Course.

In addition, per the age-old Army saying—“you fight the way you train”—we will plan future exercises as testing opportunities present themselves, with the goal of integrating cyber incident response exercises with routine cyber developmental and operational testing (DT/OT), where feasible and approved.

Finally, it will continue to be important to establish feedback mechanisms with the acquisition, operational, and intelligence communities (incident details and recommendations for mitigations and/or requirements and training) to inform the community of threat TTPs and to ensure that our systems are strengthened and protected against future cyber attacks.

Conclusion

While the AA-CIRT mission seems straightforward, cyber incident response for aircraft systems is an area that, until recently, has been largely unaddressed. Only in the past 6–8 years have we begun to see policies requiring cyber incident response for weapon systems and recognized the need for the unique skillsets and collaborations necessary to respond when called. As discussed, the AA-CIRT effort has been a coalition of organizations across the Army Aviation and Joint communities to stand up a new capability to respond to cyber incidents impacting Army aircraft. Inspired by the experts within the JCAT and Safety Center communities—and their “all hands on deck” approach to aircraft incidents—the AA-CIRT team hopes to bring the same level of expertise and professionalism when the root cause of those incidents is cyber in nature. In the end, regardless of the type of threat weapon that caused the failure, the ultimate goal is to return the aircraft to an operational state and to improve survivability for future missions.

About the Author

Mr. Tom Barnett is the Cyber Engineering Lead for the Assistant Capability Portfolio Executive Aviation for Engineering & Architecture, as well as a Cyber Technology Principal Investigator and subject-matter expert for the Combat Capabilities Development Command Aviation and Missile Center, where he established the Cyber Technology Area within the Missile Science and Technology portfolio. With approximately 40 years of systems engineering experience in cyber resiliency, system of systems hardware-in-the-loop and all-digital constructive simulations, radar and infrared sensors, integrated air and missile defense, and short-range air defense, Mr. Barnett also serves as the Technical Director for the Aviation Cyber Initiative (ACI) Cyber Rodeo series and is the Director of the annual ACI Cyber Rodeo-Redstone. He holds a bachelor’s degree in electrical engineering from Christian Brothers University.

References

  1. Joint Staff/J6. Cyber Survivability Endorsement Implementation Guide. Version 3, Deputy Director for Information Warfare Requirements Division, July 2022.
  2. Pitcher, Steve. “DoD Systems Need Cybersecurity and Cyber Resiliency to Achieve Cyber Survivability.” Aircraft Survivability, fall 2022.
  3. Headquarters, Department of the Army. “Program Mission Assurance Weapon System (CYBER) Incident Response Plan.” HQDA Execution Order 251-20, 31 July 2020.
  4. “James M. Inhofe National Defense Authorization Act for Fiscal Year 2023.” Section 1599, 2022.
  5. Joint Combat Assessment Team. JCAT Pocket Guide. 1 January 2025.
  6. U.S. Army Aviation Cyber Incident Response Team. “Army Aviation Cyber Incident Analysis and Reporting Methodology.” To be published.
By: Tom Barnett

Aircraft Survivability Journal