Journal of the Korea Institute of Military Science and Technology (한국군사과학기술학회지)

The Korea Institute of Military Science and Technology (한국군사과학기술학회)
권호 표지
DOI QR코드

DOI QR Code

A Study on Security Requirements of Shipboard Combat System based on Threat Modelling

위협 모델링 기반 함정 전투체계 보안 요구사항에 관한 연구

  • Seong-cheol Yun (Department of Information and Communication Engineering, Ajou University) ;
  • Tae-shik Shon (Department of Cyber Security, Ajou University)
  • 윤성철 (아주대학교 정보통신공학과) ;
  • 손태식 (아주대학교 사이버보안학과)
  • Received : 2023.02.18
  • Accepted : 2023.05.05
  • Published : 2023.06.05
Download PDF
⟨ Previous Next ⟩

Abstract

The shipboard combat system is a key system for naval combat that supports a command and control process cycle consisting of Detect - Control - Engage in real time to ensure ship viability and conduct combat missions. Modern combat systems were developed on the basis of Open Architecture(OA) to maximize acceptance of latest technology and interoperability between systems, and actively introduced the COTS(Commercial-of-the-shelf). However, as a result of that, vulnerabilities inherent in COTS SW and HW also occurred in the combat system. The importance of combat system cybersecurity is being emphasized but cybersecurity research reflecting the characteristics of the combat system is still lacking in Korea. Therefore, in this paper, we systematically identify combat system threats by applying Data Flow Diagram, Microsoft STRIDE threat modelling methodology. The threats were analyzed using the Attack Tree & Misuse case. Finally we derived the applicable security requirements which can be used at stages of planning and designing combat system and verified security requirements through NIST 800-53 security control items.

Keywords

References

  1. Soon-Ju Koh, "Development and Direction of Development of Combat System for NetworkCentered Warfare," The journal of Korea Institute of Electronics Engineers, Vol. 37, No. 11, pp. 27-38, 2010.
  2. Young-Keun Go, Chum-Su Kim, "Cryptographic Overhead of DDS Security for Naval Combat System Security," The Korean Institute of Information Scientists and Engineers Proceedings, Vol. 2017, No. 6, pp. 1217-1219, 2017.
  3. Su-won Lee, Jae-yeon Lee, Seok-jun Hong, "A Study on the Cyber Security for Naval Combat Management System," Communications of the Korean Institute of Information Scientists and Engineers Proceedings, Vol. 46, No. 2, pp. 865-866, 2019.
  4. Jae-wook Jang, Hee-gab Sun, Jae-ryong Hwang, "A Reinforcement Methods of Warship's Combat System based on Information Assurance," Journal of Defense and Security Vol. 3-2, 2021.
  5. Neculai Grigore, Todd Bonnar, "Naval Operations - Cyber Security Afloat," CJOS COE, 2020.
  6. J. M. Lanouette, "Naval Cyber Warfare Capability Requirement," Canadian Forces College, pp. 1-9, 2016.
  7. J. M. Lanouette, "Naval Cyber Warfare: Are Cyber Operators Needed on Warships to Defend Against Platform Cyber Attacks?," Master of Defence Studies, Canadian Forces College, 2016.
  8. Doo-Hwan Jung, "A Study on Improving Data Integrity using SHA256 Hash Function for Naval Combat System," CICS Proceedings, pp. 278-279, 2015.
  9. Kwang-yong Hwang, "A Study on SE-based Design Methodology for Next-generation Naval Combat System Architecture," Ph. D. Dissertation, Hannam University in Daejeon, Korea, 2017.
  10. Sang-Min Kwon, "Naval Combat System," Korea, Patent No. 10-2073014, 2019.
  11. Soo-young Kang, "A Study on the CIA-Level based Security-by-Design Development Framework," Ph. D. Dissertation, Korea University School of Cybersecurity, Korea, 2021.
  12. Microsoft, "Security Development Lifecycle - SDL Process Guidance Version 5.2," 2012.
  13. Microsoft, Microsoft Threat Modelling Tool 2016, https://www.microsoft.com/en-us/download/details.asp x?id=49168
  14. Adam Shostack, "Threat Modelling: Designing for Security," https://adam.shostack.org/blog/category/threat-modelling/, Jun. 2019.
  15. Adam Shostack, "Experiences Threat Modelling at Microsoft," Microsoft, 2008.
  16. Adam Shostack, "Threat Modelling: Designing for Security," John Wiley & Sons, Feb. 2014.
  17. Microsoft, "Chapter 3. Threat Modelling," [Internet], https://msdn.microsoft.com/en-us/library/ff648644.aspx, July, 2010.
  18. DistriNet Research Group, "LINDDUN : Privacy Threat Modelling," https://linddun.org/, Jun. 2019.
  19. CERT, Software Engineering Institute, Carnegie Mellon University, OCTAVE [Internet], http://www.cert.org/resilience/products-services/octave/
  20. Trike, http://www.octotrike.org/, Jun.2019.
  21. Tony UcedaVelez, "Real World Threat modelling using the PASTA Methodology," Managing 36 Partner, VerSprite, 2012.
  22. Bruce Schneier, "Attack Tree," Dr. Dobb's Journal, Aug. 1999.
  23. Abdullah Sharaf Alghamdi, Tazar Hussain, Gul Faraz Khan, "Enhancing C4I Security using Threat Modelling," International Conference on Computer Modelling and Simulation, 2010.
  24. Michael T. Kurdziel, "Cyber Threat Model for Tactical Radio Networks," The International Society for Optical Engineering, 2014.
  25. Hyun-ju Kim, Dong-su Kang, "A Design of Risk-Based Security Threat Assessment Process for Fighter-Aircraft Airworthiness Security Certification," KIPS Trans. Softw. and Data Eng, Vol. 8, No. 6, pp. 223-234, 2018.
  26. Jong-in Lim, "Future Cyber Threats and Enhancement of Naval Cyber Operations Capabilities," KIMS Periscope, No. 211, 2020.
  27. Su-won Lee, Jae-yeon Lee, Seok-jun Hong, "A Study on the Cyber Security for Naval Combat Management," Communications of the Korean Institute of Information Scientists and Engineers Proceedings, Vol. 46, No. 2, pp. 865-866, 2019.
  28. Cheol-Gyu Yi, Young-Gab Kim, "A Study on Software Security Test of Naval Ship Combat System," The Journal of the Korean Institute of Communications and Information Sciences, Vol. 45, No. 3, pp. 628-637, 2020. https://doi.org/10.7840/kics.2020.45.3.628
  29. Cheol-Gyu Yi, Young-Gab Kim, "Security Testing for Naval Ship Combat System Software," IEEE Vol. 9, pp. 66839-66851, 2021.
  30. Jae-wook Jang, Hee-gab Sun, Jae-ryong Hwang, "A Reinforcement Methods of Warship's Combat System based on Information Assurance," Journal of Defense and Security Vol. 3, No. 2, pp. 147-172, Nov. 2021.
  31. Kyu-baeg Kim, Hong-keu Jo, Dong-seong Kim, "Design and Implementation of Adaptive Naval Gun Fire Simulator on a Naval Combat System," Journal of the KIMST, Vol. 21, No. 5, pp. 630-639, 2018. 
  32. Ki-Tae Kwon, Ki-Pyo Kim, Hwan-Jun Choi, "Design of the Scalable Naval Combat System Software using Abstraction and Design Pattern," Journal of The Korea Society of Computer and Information, Vol. 24, No. 7, pp. 101-108, 2019.
  33. Gang-Soo Park, Byeong-Chun Yoo, Kyeong-taek Kim, Bong-Wan Choi, "A Methodology for the Ship System Integration with Open Architecture : Focusing on the Total Ship Computing Environment based Architecture Building and Validation," J. Soc. Korea Ind. Syst. Eng, Vol. 43, No. 3, pp. 68-76, 2020. https://doi.org/10.11627/jkise.2020.43.3.068
  34. Kun-Chul Hwang, "Anti Air Warfare Analysis & Design of the Patrol Killer Experiment Combat System by the Model-Based-Simulation," JKSS, Vol. 16, No. 4, pp. 23-31, 2007.
  35. Ho-jeong You, Byeong-gon Choi, "Message Analysis and Development Situation on the Tactical Data Link of Combat Management System in Naval," Journal of Satellite Information and Communications, Vol. 12, No. 2, pp. 21-27, 2017.
  36. Young-ran Jung, Woong-gie Han, Cheol-ho Kim, Jae-ick Kim, "On the Development of the Generic CFCS for Engineering Level Simulation of the Surface Ship", Journal of the KIMST, Vol. 14, No. 3, pp. 380-387, 2011. https://doi.org/10.9766/KIMST.2011.14.3.380
  37. Young-il Song, "A Study on the Effectiveness Measures of Ship Combat Systems in the Composite Warfare," JNDS, Vol. 53, No. 1, pp. 163-192, 2010.
  38. Kwang-yong Hwang, Kyoung-chan Ok, Young-jin Kim, Bong-wan Choi, Hyun-seung Oh, Kwan-Seon Choi, "A Study on Development direction of NextGeneration Naval Combat System Architecture," Journal of the KIMST, Vol. 19, No. 1, pp. 105-118, 2016. https://doi.org/10.9766/KIMST.2016.19.1.105
  39. Dong-Seong Kim, Sung-Kil Huh, "Distributed Control Network Technology for Trap Combat Systems," The Magazine of KIICE, Vol. 13, No. 2, pp. 47-53, 2012.
  40. Su-Hoon Lee, Jin-Su Ahn, "A Study on the Three-Dimensional Display of Onboard Training for Naval Combat System," Proceedings of the Korean Institute of Information and Commucation Sciences Conference, pp. 62-65, 2022.
  41. Jae-Geun Lee, "A Study on the Standard Architecture of Weapon Control Software on Naval Combat System," Journal of The Korea Society of Computer and Information, Vol. 26, No. 11, pp. 101-110, 2021.
  42. Hun-Yong Shin, Joo-Yong Kim, "Research of OSD Standardization in Naval Combat System," The Proceedings of KIEE, Vol. 61, No. 9, pp. 354-355, 2012.
  43. Dong-Hee Lee, "A Study on the Establishment and Development of a New Concept of Naval Combat System," Master's Thesis, Hannam University, Korea, 2005.
  44. Jin-soo Ahn, Jeom-soo Kim, Kyu-baek Kim, "Combat Management System using Virtualization Function and Its Operation Method," Korea, Patent No. 10-1744689, 2017.
  45. Y S Kwon, Bang-Pyo Kong, "Development of the Operational Architecture of Korean Navy Fighting Ships with CEC System," Journal of KOSSE, Vol. 2, No. 1, pp. 5-10, 2006.
  46. Ji-seop Lee, Soo-young Kang, Seung-joo Kim, "Study on the AI Speaker Security Evaluations and Countermeasure," Journal of The Korea Institute of Information Security & Cryptology, Vol. 28, No. 6, Dec. 2018.
  47. Jae-Hyeon Park, Soo-young Kang, Seung-joo Kim, "Study of Security Requirement of Smart Home Hub through Threat modelling Analysis and Common Criteria," Journal of The Korea Institute of Information Security & Cryptology, Vol. 28, No. 2, Apr. 2018.
  48. Soo-young Kang, Seung-joo Kim, "Analysis of Security Requirements for Secure Update of IVI(In-Vehicle-Infotainment) Using Threat modelling and Common Criteria," Journal of The Korea Institute of Information Security & Cryptology, Vol. 29, No. 3, Jun. 2019.
  49. Paul Hong, Ye-jun Kim, Kwang-soo Cho, Seung-joo Kim, "A Study on Security Requirements for 5G Base Station," Journal of The Korea Institute of Information Security & Cryptology, Vol. 31, No. 5, Oct. 2021.
  50. Hussain Ahmad, Isuru Dharmadasa, Faheem Ullah, M. Ali Babar, "A Review on C3I Systems' Security: Vulnerabilities, Attacks, and Countermeasures," ACM Computing Surveys, 2022.
  51. Federico Maggi, et al., "A Security Analysis of the Data Distribution Service(DDS) Protocol," Trend Micro Research, Inc. Japan, pp. 15-20, 2022.
  52. INTERTANKO, "Jamming and Spoofing of Global Navigation Satellite Systems(GNSS)," pp. 4-9, 2019.
  53. Yong-hyun Jo, Oong-jae Choi, Ji-woon You, Young-kyun Cha, Dong-hoon Lee, "Cyberattack Models for Ship Equipment Based on the MITRE ATT&CK Framework," MDPI Sensors, Vol. 22, No. 5, 2022.
  54. Frank Akpan, Gueltoum Bendiab, Stavros Shiaeles, Stavros Karamperidis, Michalis Michaloliakos, "Cybersecurity Challenges in the Maritime Sector," MDPI Network, Vol. 2, No. 1, pp. 123-138, 2022. https://doi.org/10.3390/network2010009
  55. Hyo-hyun Son, Kwang-jun Kim, Man-hee Lee, "Analysis of U.S. Supply Chain Security Management System," Journal of The Korea Institute of Information Security & Cryptology, Vol. 29, No. 5, pp. 1089-1097, 2019.
  56. Dae-won Kim, et al., "Trends in Supply-Chain Security Technologies," ETRI Electronics and Telecommunications Trends, Vol. 34, No. 4, pp. 149-157, 2020.
  57. Yong-Joon Lee, "Defense ICT Supply Chain Security Threat Response Plan," KOCOSA, Vol. 20, No. 4, pp. 125-134, 2020. https://doi.org/10.33778/kcsa.2020.20.4.125
  58. Eung-kyu Lee, Jung-duk Kim, "A Case Study on ICT Supply Chain Attacks," Journal of Information Technology and Architecture, Vol. 16, No. 4, pp. 383-396, 2019.
  59. KrCERT/CC, "Security Agency_Supply Chain Attack Case Analysis and Response Plan," KISA, pp. 3-31, 2022.
  60. "The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies," Bloomberg Businessweek, Oct. 2018, https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies
  61. "Guide to Industrial Control Systems(ICS) Security," NIST SP 800-82 Rev.2, May, 2015.
  62. Industrial Control Systems Cyber Emergency Response Team, "Recommended Practice: Improving Industrial Control System Cybersecurity with Defense-in-Depth Strategies," Department of Homeland Security(DHS), pp. 11-42, 2016.
  63. G. S. Andreas and A. L. Opdahl, "Templates for Misuse Case Description," in Proceedings of the 7 th International Workshop on Requirements Engineering, Foundation for Software Quality, pp. 4-5, 2001.
  64. I. Alexander, "Misuse Cases: Use Cases with Hostile Intent," IEEE Software, Vol. 20, No. 1, pp. 58-66, 2003. https://doi.org/10.1109/MS.2003.1159030
  65. Kim Wults, Riccardo Scandariato, and Wouter Joosen, "LINDDUN Privacy Threat Tree Catalog," CW675, Department of Computer Science, KU Leuven, Sep. 2014.
  66. Asoke K. Talukder; Manish Chaitanya(17 December 2008). Architecting Secure Software Systems. CRC Press. p. 50. ISBN 978-1-4200-8784-0. Retrieved 5 October 2016.
  67. "Security and Privacy Controls for Information Systems and Organizations," NIST SP 800-53 Rev. 5, Dec, 2020.