Mission-Based Cybersecurity Test and Evaluation of Weapon Systems in Association with Risk Management Framework

Abstract

With the advancement of information technology (IT), the importance of cyber security is increasing because of the expansion of software utilization in the development of weapon systems. Civilian embedded systems and military weapon systems have cybersecurity-related symmetry that can increase vulnerabilities in the process of advanced information technology. Many countries, including the United States, are exploring ways to improve cybersecurity throughout the lifecycle of a weapon system. The South Korean military is applying the U.S. standard risk management framework (RMF) to some weapon systems to improve cybersecurity, but the need for a model that is more suitable for the South Korean military has been emphasized. This paper presents the results of a mission-based cybersecurity test, along with an evaluation model that can be applied to South Korean military weapon systems in parallel with the RMF. This study first examined the related international research trends, and proposed a test and evaluation method that could be utilized with the RMF throughout the entire life cycle of a weapon system. The weapon system was divided into asset, function, operational task, and mission layers based on the mission, and a mutually complementary model was proposed by linking the RMF and cybersecurity test and evaluation according to the domestic situation. In order to verify the proposed cybersecurity test and evaluation model, a simulation was developed and performed targeting the Close Air Support (CAS) mission support system, which is a virtual weapon system. In this simulation, the nodes performances by layer before and after a cyberattack were calculated, and the vulnerabilities and protection measures identified in the cyber security test and evaluation were quantified. This simulation made it possible to evaluate and derive protection measures in consideration of mission performance. It is believed that the proposed model could be used with some modifications, depending on the circumstances of each country developing weapon systems in the future.

1. Introduction

The development of IT technology is affecting almost all areas of our lives, including computers and smartphones, as well as automobiles, ships, and aircraft. In particular, the proportion of software is significantly increasing. This is also the case in the field of defense weapon systems. The software in a defense weapon system helps to easily implement its complex and precise functions. However, such software also increases potential vulnerabilities. These vulnerabilities can be exploited by cyber threats and cause great damage. In civil embedded systems and military weapon systems, cybersecurity is developing as a more important factor due to the symmetry between advanced technology and vulnerabilities.

North Korea, which is in a security conflict with South Korea, is attempting cyberattacks from various angles by taking advantage of the potential vulnerabilities of our advanced information and communication technology environment. Attacks using the software vulnerabilities of weapon systems are a risk factor that can cause serious damage to the friendly side not only in peacetime, but also in war situations.

In order to respond to such cyberattacks, research to remove security vulnerabilities in software is being conducted in various fields. In particular, there is active security research to identify and remove security vulnerabilities in the software development stage.

The U.S. Department of Defense operates a cybersecurity system to eliminate vulnerabilities and mitigate risks throughout the entire lifecycle of a weapon system. The integrated operation of the risk management framework (RMF) and cybersecurity test and evaluation (T&E) by the U.S. Department of Defense (DoD) is a representative example of how developed countries consider cybersecurity from the software development stage [1,2]. The U.S. DoD requires RMF compliance from allies operating U.S. weapon systems, such as the F-35, including the United Kingdom, Israel, Australia, Japan, and South Korea [3].

For countries with small defense forces, such as Estonia, Georgia, Singapore, and Jamaica, effective countermeasures against existing cyberattacks are of paramount importance. Accordingly, research to apply the RMF as a suitable cybersecurity measure for small-scale defense forces is being actively conducted [4]. In addition, Australia’s Future Submarine Project emphasized the reliability of their most important strategic weapon system by suggesting compliance with the U.S. RMF process, and cybersecurity test and evaluation as a cybersecurity test between acquisitions [5].

In the oil and gas sector, as well as the defense sector, various risk management frameworks have been developed and applied in many countries, such as the United States, Europe, Canada, and the UAE [6]. Thus, there is a changing perception that risk management for cyber threats must be implemented in fields directly related to national security, such as defense, oil, and gas, regardless of whether the country is an ally or not. Therefore, it can be said that research to develop international standards for the cybersecurity systems implemented by individual countries is required.

In this paper, we present a mission-based cybersecurity test and evaluation method to efficiently manage the cybersecurity risks of weapon systems, and propose a method to strengthen cybersecurity by linking with the RMF.

Following the introduction in Section 1, this paper examines the related research in Section 2, and the mission-based cybersecurity test and evaluation method linked to the RMF of a weapon system in Section 3. Section 4 shows how a limited simulation was performed on the CAS mission support system to verify its effectiveness. Finally, Section 5 presents the contributions of this study, along with its limitations and future research directions.

2. Related Work

The mission-based cybersecurity test and evaluation study of weapon systems linked to RMF is a study to more effectively carry out cybersecurity throughout the entire life cycle of a weapon system. In this paper, in connection with RMF, we propose a test and evaluation model suitable for the domestic weapon system acquisition phase procedure. Therefore, the understanding and international application of RMF will be examined, and the characteristics of the U.S. and domestic weapon system test and evaluation frameworks will be examined.

2.1. RMF

The U.S. DoD developed the RMF as a next-generation cybersecurity framework to improve the DoD information assurance certification and accreditation process (DIACAP), which has been applied since 2007 to meet the requirements of the Federal Information Security Management Act (FISMA). It is a U.S. defense standard that has replaced the DIACAP to improve information security and strengthen risk management processes. The RMF is designed to be technology-neutral to perform cybersecurity risk management for all types of information systems. Therefore, it has the advantage of not requiring modifications for specific technologies. The RMF process includes the following six steps [1].

• Step 1. Categorize: Categorizes systems and information that is processed, stored, and transmitted.
• Step 2. Select Controls: Based on the risk assessment, draft security controls for the system are selected and optimized to reduce the risk to an acceptable level.
• Step 3. Implement Controls: Implement security controls and document how they are used in systems and operating environments.
• Step 4. Assess Controls: Evaluate whether the system is implemented correctly, works as intended, and produces the desired results according to the security controls in relation to meeting security and privacy requirements.
• Step 5. Authorize: The use of the system is approved based on the results of the risk assessment.
• Step 6. Monitor Controls: Evaluate the effectiveness of the security control items, record changes to the system and operating environment, conduct risk assessment and impact analysis, and continuously monitor system security, personal information protection, and related security control items.

Although the RMF is a cybersecurity system developed by the United States, ref. [6]

Table 1. Cyber risk management frameworks.

Article	Model/Framework
USA, 2015	“DoD Program Manager’s Guidebook for Integrating the Cybersecurity Risk Management Framework (RMF) into the System Acquisition Lifecycle”
International Standard, 2018	ISO 31000/IEC 31010
EU, 2019	EU Cybersecurity Law (EU/881/2019 Directive)
UAE, 2012	Standard Information Security Policy

shows that there are similar international cyber risk management frameworks that provide international standards for risk management to improve security in countries other than the United States, including the European Union and UAE. They claim that they are developing their own frameworks. As a related study, ref. [7] proposed a new integrated cybersecurity risk management framework that predicts risks by applying machine learning technology. In addition to the existing technical aspects of security, ref. [8] proposed a cybersecurity framework model that considered vulnerabilities due to social disparities.

Recently, the United States has been actively trying to apply the Mission Partner Environment (MPE), which is a new coalition C4I policy, to the theater of the Korean Peninsula. To this end, the U.S. CENTRIXS-K (Combined ENTerprise Regional Information eXchange System-Korea), which is currently in operation, will be converted into a new coalition C4I policy in the future, and the RMF is being applied to strengthen security. The United States is also demanding that the RMF be applied to the Allied Korea Joint Command and Control System (AKJCCS) of the Korean military, which is linked to the CENTRIXS-K of the United States [9]. It can be said that it is urgent to prepare for the application of the RMF in the defense field based on these changes in the environment. In addition, the U.S. National Institute of Standards and Technology (NIST) is expanding the application of the RMF to all areas of IT, and recently presented a draft AI RMF [10]. In South Korea, as the advanced defense industry develops and weapons system R&D is activated, the risk management requirements for cyber threats are expected to continuously increase.

2.2. Cybersecurity Test and Evaluation

The United States applies cybersecurity testing and evaluation to businesses and systems such as defense business systems, national security systems, weapon systems, and industrial control systems acquired by the U.S. DoD. Cybersecurity testing and evaluation is conducted throughout the entire life cycle from the initial acquisition. The goal of cybersecurity test and evaluation is to identify and mitigate system vulnerabilities that can be attacked that affect the operational resilience of military capabilities prior to system deployment, and include safety, survivability, and security. The early detection of system vulnerabilities can speed remediation and reduce the cost, scheduling, and performance impacts [2]. The cybersecurity test and evaluation process consists of six phases, as follows [2].

• Phase 1. Understand Cybersecurity Requirements: Understand the cybersecurity, cyber-survivability, and operational resilience requirements of a system.
• Phase 2. Characterize the Cyber Attack Surface: Identify vulnerabilities and attack vectors that adversaries can use in cyberattacks to develop an assessment plan.
• Phase 3. Cooperative Vulnerability Identification: Implement an assessment plan in a collaborative environment to identify vulnerabilities and determine necessary mitigation actions.
• Phase 4. Adversarial Cybersecurity DT&E: Assess the cyber viability and operational resilience of systems in hostile environments.
• Phase 5. Cooperative Vulnerability and Penetration Assessment: Use data during operational test and evaluation to evaluate cybersecurity and system resilience from an operational perspective.
• Phase 6. Adversarial Assessment: A certified red team evaluates the protection systems, layered defenses, and defense capabilities for critical missions.

As shown in Figure 1, the U.S. military conducts test and evaluation throughout the entire weapon system acquisition cycle, which is linked to the RMF and mission-based cyber risk assessment [2].

The Australian Department of Defense is pursuing a future submarine acquisition project. One study [5] recommended applying the U.S. cybersecurity test and evaluation guide as a cybersecurity test while applying the RMF process in cybersecurity research related to the project to improve cyber resilience. It was argued that risk understanding and trial evaluation should be prioritized. This can be said to indicate the need for organic cooperation between the RMF and cybersecurity testing and evaluation.

2.3. ROK Weapon System Cybersecurity Framework

The R&D procedure of the ROK military is divided into the preceding research, the search and development stage, the system development stage, and the mass production stage. By stipulating these, the protection measures are reflected in the system development plan [11]. Figure 2 shows the cybersecurity activities of the South Korean military carried out in each phase of weapon system development.

Weapon system protection measures are institutionalized so that they can be implemented in practice by reviewing the protection measures in consultation with the Ministry of National Defense, the Joint Chiefs of Staff, and the required military in case the operational performance or development plan is changed during development in the system development phase.

After the development of the weapon system is completed, it is determined whether it is suitable for combat through testing and evaluation, and the security is measured before deployment [11]. The test evaluation is divided into a development test evaluation and an operational test evaluation. In the development test and evaluation, software reliability is tested, information protection-related test and evaluation items are evaluated, and in-operation test and evaluation only information protection items are evaluated. Information security test and evaluation items consist of information protection level, network information protection, control system establishment, key management system establishment, application system protection, server protection, terminal protection, encryption equipment application, cyber threat response ability, and software vulnerability removal [12].

3. Mission-Based Cybersecurity Test and Evaluation Plan in Connection with RMF

This paper presents a model for performing cybersecurity testing and evaluation while organically sharing information with the RMF in the weapon system acquisition phase. Figure 3 shows the information sharing and collaboration relationship at each step of the RMF and mission-based cybersecurity test and evaluation [2].

The proposed mission-based cybersecurity testing and evaluation consists of a total of four phases: threat modeling, attack surface listing, attack surface-centered vulnerability analysis and evaluation, and simulated penetration based on the rules of engagement. The plan is shared, and the results of a vulnerability analysis and evaluation, as well as simulated penetration, are provided to the RMF to complement its security control items and security plan. In particular, the simulated penetration based on the rules of engagement can verify the effectiveness of the protection measures for the vulnerabilities identified in the attack surface, as well as the implemented security control items. This ensures activities to evaluate and mitigate risks by organically proceeding from the weapon system acquisition phase to the electrification phase.

The proposed model makes it possible to develop and deploy a safe weapon system by linking, rather than separately implementing, the RMF and cybersecurity test and evaluation targeting weapon systems. This model is also believed to be effective in reducing the costs of vulnerability measures. The details of each phase of the proposed mission-based cybersecurity test and evaluation are as follows.

3.1. Threat Modeling

Phase 1, threat modeling, is performed in conjunction with the RMF from the beginning of weapon system acquisition. The RMF performs system classification as a first step and the selection of security control items as a second step. In this case, threat modeling divides the weapon system hierarchy into assets, functions, operational tasks, and missions; identifies threats from the attacker’s point of view by hierarchy; and provides high probability derived expected threat scenarios. At this time, it receives the security classification results for the weapon system from the RMF and provides threat information.

3.2. Attack Surface Listing

Phase 2, inventorying of attack surfaces, is carried out in the discovery and development phase and system development phase of weapon system acquisition, and is performed in conjunction with the selection of the RMF’s security control items in Step 2 and their implementation in Step 3. At this time, the threat modeling performed in Step 1 is supplemented, and the attack surfaces are listed. The identified attack surface is referred to when selecting the RMF security control item, and the security plan for the identified attack surface can be confirmed through the security control item selection result. The attack surface becomes the entry point of an attacker who approaches the main system of the weapon system from the outside, and the connection relationship is identified by classifying the weapon system’s assets in the order of function, operational task, and mission. At this time, the asset with the identified attack surface becomes the main starting point for the cyberattack.

The identified attack surface can be represented as shown in Figure 4, by identifying the mission of the weapon system, along with the operational tasks, functions, and assets. This will show which assets are associated with which functions, operational tasks, and missions associated with the attack surface.

3.3. Attack Surface-Centered Vulnerability Analysis and Evaluation

Phase 3, attack surface vulnerability analysis and evaluation, is performed in the development test and evaluation phase of acquiring a weapon system, and is performed in conjunction with the RMF’s security control item evaluation in Step 3. It supplements the prepared threat modeling and performs a vulnerability analysis and evaluation using the identified attack surface. When the vulnerability analysis and evaluation of the attack surface is performed, the vulnerable assets are identified in the asset layer, and related functions and operational tasks are identified. Based on this, cyber-dependent missions can be identified.

The vulnerability information on the attack surface can be reflected in the RMF’s Step 4 evaluation. Thus, the implementation of security control items can be practically evaluated, and used to supplement the follow-up action plan.

Figure 5 shows the identification of vulnerable assets, functions, operational tasks, and cyber-dependent missions from the vulnerable attack surface through the vulnerability analysis and evaluation of the attack surface.

If a threat scenario is created at the vulnerability level, it can be said that “a cyber threat that exploits vulnerability V1 of asset A2 through attack surface AS1 is possible for an attacker”. In order to support decision-making from the perspective of the project manager, it is necessary to develop it at the mission level. It can be expressed as follows: “The attacker used the V1 vulnerability of asset A2 through attack surface AS1 to reduce the reliability of function F2 and operational task T2, and the performance of mission M1 is restricted”. Based on the cyber threat scenario specified in this way, the project manager can mitigate the risk by evaluating it and taking protective measures for the identified vulnerabilities.

Figure 6 shows how protection measure PM1, to mitigate vulnerability V1 for vulnerable asset A2, is taken.

By implementing protection measure PM1 for asset A2 with the identified vulnerabilities, cyber-dependent mission M1 will be able to mitigate the risk. Based on these measures, risk assessment can be performed in connection with Step 4 of the RMF, security control assessment, and the result is reported to the decision-making organization and used for quick decision-making, making the weapon system acquisition process effective. In particular, if it takes a long time to acquire a weapon system, it is realistically difficult to completely eliminate all the cyber threats that occur in various ways within a limited project period and budget. Therefore, risk management that mitigates risks through this process is required.

The possible cyberthreat scenarios for all identified attack surfaces can be set as the rules of engagement for a simulated penetration, and become the standard for weapon system cybersecurity testing and evaluation to verify the effectiveness of protection measures for each asset.

3.4. Simulated Penetration Based on Rules of Engagement

Phase 4, rules of engagement based on simulated penetration, is carried out in the operation test and evaluation phase of acquiring the weapon system, and is linked with Step 4 of the RMF, assessment of security control. The simulated penetration is performed using the previously identified threat scenario for each attack surface as the rules of engagement.

The threat scenario is to use vulnerability V1 of asset A2 through attack surface AS1 to perform a simulated infiltration and cyberattack to prevent mission M1 from being performed. Therefore, the simulated penetration path becomes AS1 → A2 (V1, PM1) → F2 → T2 → M1. Through this, using the vulnerability of the initially identified attack surface, a simulated penetration is performed following the threat scenario to verify the effectiveness of the devised protection measures.

This verifies the risk mitigation status of assets, functions, operational tasks, and missions through simulated penetration based on the rules of engagement. Then, based on the results, it performs a mission-based risk assessment in connection with Step 4 of the RMF. In this case, if vulnerabilities are continuously identified, protection measures are supplemented and re-verified through retesting to ensure a safe state before electrification.

4. Simulation of Virtual “CAS Mission Support System”

This section shows how the concept of CAS combat is applied in the developed simulation, in which an airborne aircraft bombards friendly ground units and adjacent targets [13]. A mission-based cybersecurity test and evaluation is conducted that targets the “CAS mission support system”, which is a virtual weapon system, and simulates a damage evaluation in a limited manner. The first phase threat modeling derives a threat scenario in connection with the RMF security classification and security control items, and the second stage attack surface cataloging diagrams the relationship between the nodes by layer. The third phase attack surface vulnerability analysis and evaluation is simulated using the performance calculation formula for each layer in [14]. We quantify the vulnerabilities and protection measures by calculating changes in mission performance caused by cyberattacks. The attack path using the vulnerability of the attack surface is presented as four steps for the rules of engagement, and it shows a way to verify the protection measures through the simulated penetration.

The CAS mission support system can be used by the ground/naval combat commander to request close air support according to the battlefield situation. The Tactical Air Control Party (TACP) coordinates the targets and requests a CAS to the Air Support Operation Center (ASOC). The ASOC communicates with ground headquarters and assigns CAS aircraft to issue sortie orders [15].

The following is the step-by-step execution of the mission-based cybersecurity test and evaluation for the CAS mission support system.

4.1. Threat Modeling

In Phase 1, the threat modeling identifies threats by asset, function, operational task, and mission hierarchy, focusing on the wartime and peacetime missions of the CAS mission support system [15].

At this time, in the first step of the RMF, “CAS request information” is classified in consideration of the weapon system power operation characteristics of the CAS mission support system. As a result, confidentiality is judged as “high”, with a “high” integrity and “medium” availability. In addition, the security classification of the CAS mission support system is classified as “high” [16]. In Step 2 of the RMF, security control items are selected based on the information classification. At least 169 security control items can be selected according to the baseline for each of the 17 fields, including access control [17]. The information obtained in Steps 1 and 2 of the RMF is developed in connection with threat modeling.

Table 2. Classification of CAS mission support system by hierarchy.

Division		Content	Threat
Mission	M1	Emergency CAS dispatch order
Operational Task	T1	Request CAS to TACC
	T2	Division CAS Request Review and Request
	T3	Legion CAS Request Review and Request
Function	F1	Operational environment analysis
	F2	Target identification
	F3	CAS decision	A
	F4	Fill out the CAS request form	A
	F5	Request a CAS Request Form	A
Asset	A1	Regiment server
	A2	Regimental commander pc	B
	A3	Division server
	A4	Ally information (interlocking)
	A5	Enemy information (interlocking)
	A6	Target information (interlocking)
	A7	CAS operator PC	B

A: Data Tampering. B: Hacking mail, malware.

lists the threats identified by layer in the CAS mission support system through threat modeling.

The cyber threat scenarios derived through the threat modeling of the CAS mission support system are as follows: “Attackers distribute hacking emails, including malicious code that modifies CAS target information in emails. The PC that reads the circulated e-mail and executes the attached file is infected with malicious code, and the infected PC further infects the PC that can send CAS requests with the security system disabled. When a CAS request is sent from an infected PC, the malicious code automatically modifies the data, and as a result, it interferes with the firepower operation of the emergency CAS”. The threat modeling results created in this way are referred to when selecting and adjusting the second-level security control items of the RMF.

4.2. Attack Surface Listing

In Phase 2, the attack surface is identified based on the threat modeling of the CAS mission support system, and the relationship by asset, function, operational task, and mission hierarchy is expressed as shown in Figure 7 [14].

4.3. Attack Surface-Centered Vulnerability Analysis and Evaluation (Simulation)

In Phase 3, the vulnerability analysis and evaluation of the attack surface of the CAS mission support system identifies vulnerabilities and performs a simulation to calculate the performance by layer. Performance refers to the impact a node has on a task, and asset performance is calculated by multiplying the number of assets used for a function by the expert evaluation score and dividing it by the asset vulnerability factor. The vulnerability value increases (V value > 1) when a vulnerability occurs based on normal (V value = 1), and decreases by offsetting the effect when protection measures are taken. Functional performance is the sum of the product of asset performance and asset impact as the extent to which a function is used for a task. The operational task performance is calculated as the sum of the product of functional performance and functional impact to the extent that operational tasks are used for missions. The task performance is the ability to perform the task, and the task performance value is calculated as the sum of the task performance [14].

Table 3. Performance calculation formula for each tier.

Division	Performance Calculation Formula
Mission	${\displaystyle \sum }(\mathrm{Operational}\mathrm{task}\mathrm{performances})$ Sum of operational task performance
Operational Task	$\mathrm{Functional}\mathrm{performance}\mathrm{X}\mathrm{Functional}\mathrm{influence}$ Product of functional performance and functional influence Function influence: Product of function execution time influence and accuracy influence (Initial value of accuracy influence is 1)
Function	${\displaystyle {\displaystyle \sum }_{\mathrm{n}=1}^{\mathrm{Function}\mathrm{weight}}}{\mathrm{Asset}}_{\mathrm{n}}{\mathrm{Perform}\mathrm{X}\mathrm{Asset}}_{\mathrm{n}}\mathrm{impactor}$ Function weight: Number of branches connected to a function Asset perform: The number of assets linked to the function Asset impactor: Number of branches attached to the functional layer
Asset	$\mathrm{A}=\frac{\mathrm{F}·\mathrm{a}}{\mathrm{V}}$ Divide the product of the number of times the asset is used in a function (F) and the expert evaluation score (a) by the asset vulnerability value Vulnerability value increases when vulnerability (V) is identified and is offset when protection measures (PM) are taken

shows the performance calculation formula for each layer.

Table 4. CAS mission support system hierarchical attributes.

Division		Evaluation Weight	Connect
Mission	M1
Operational Task	T1		{T1, T2, T3}
	T2		{M1}, {F1, F2, F3, F4}
	T3		{M1}, {F4, F5}
Function	F1	$\overrightarrow{\mathrm{F}1\mathrm{T}1}=\frac{1}{4}$	{T1}, {A1, A4, A5, A6}
	F2	$\overrightarrow{\mathrm{F}2\mathrm{T}1}=\frac{1}{4}$	{T1}, {A1, A5, A6}
	F3	$\overrightarrow{\mathrm{F}1\mathrm{T}1}=\frac{1}{6}$	{T1}, {A1, A2, A4, A6}
	F4	$\overrightarrow{\mathrm{F}4\mathrm{T}1}=\frac{1}{3}, \overrightarrow{\mathrm{F}4\mathrm{T}2}=\frac{2}{3}, \overrightarrow{\mathrm{F}4\mathrm{T}3}=\frac{1}{2}$	{T1, T2, T3}, {A1, A2, A5, A6, A7}
	F5	$\overrightarrow{\mathrm{F}5\mathrm{T}2}=\frac{1}{3}, \overrightarrow{\mathrm{F}5\mathrm{T}3}=\frac{1}{2}$	{T2, T3}, {A1, A3, A4, A5, A7}
Asset	A1	$\frac{16}{5}$	{F1, F2, F3, F4, F5}
	A2	$\frac{3}{2}$	{F3, F4}
	A3	5	{F5}
	A4	$\frac{4.5}{5}$	{F1, F3, F5}
	A5	1	{F1, F2, F4, F5}
	A6	1	{F1, F2, F3, F4}
	A7	$\frac{3.3}{2}$	{F4, F5}

lists the evaluation weights and connections for each layer of the CAS mission support system.

The above calculation formula and properties are used to simulate the performance of each layer node according to the cyberattack, as shown in

Table 5. Assessing weapon system vulnerabilities and damage caused by cyberattacks.

Division		Performance
		Normal	Cyber Attacked	Damage
Mission	M1	3852.2	1856.2	51%
Operational Task	T1	1715.2	1007.2	41%
	T2	1074.4	348.4	67%
	T3	1068.6	500.6	53%
Function	F1	438	438	0
	F2	288	288	0
	F3	398	382	4%
	F4	543	493	9%
	F5	525.5	477.8	9%
Asset	A1	16	16	-
	A2	3	1	66%
	A3	5	5	0
	A4	4.5	4.5	0
	A5	4	4	0
	A6	4	4	0
	A7	3.3	0.3	91%

[14].

Because of vulnerability V1, the PC, asset A2, was infected with malicious code, and the performance was reduced to 1. In addition, the performance of asset A7 was decreased to 0.3 due to a cyberattack. The data was damaged by tampering, and the performances of functions F3, F4, and F5 were sequentially decreased. As a result, damage occurred to the major operational tasks and missions, and the mission performance value decreased from the normal value of 3852.2 to 1856.2 during a cyberattack, resulting in a reduction in mission performance of approximately 51%.

Therefore, the project manager devised protection measures PM1 and PM2 for assets A2 and A7, where vulnerabilities V1 and V2 were identified. This strengthened the countermeasures against malicious code infection and supplemented the PC protection measures. Complementary protection measures PM1 and PM2 could restore the ability by offsetting the asset vulnerability value.

Table 6. Vulnerability and protection measures (example).

Division	Content		Value
Vulnerability	V1	- PC malware infection and spread	3
	V2	- PC malware infection and information protection system neutralization	11
Protection Measure	PM1	- Block PC malware execution	2
	PM2	- Monitoring of PC abnormal behavior (external URL access attempts, etc.), monitoring of information protection system operation status, and blocking of malicious code execution	7

lists examples of vulnerabilities and protection measures and their effectiveness as values.

The values of vulnerabilities V1 and V2 increased from the normal value of 1 to 3 and 11, respectively, as a result of the cyberattack. To mitigate this, the value of the vulnerability is offset by quantifying the protection measures. The effectiveness of the protection measures is verified in the next step, a simulated penetration based on the rules of engagement.

4.4. Simulated Penetration Based on Rules of Engagement

In Phase 4, the cyberattack path using the attack surface (AS1) and vulnerabilities (V1, V2) identified through the simulation becomes the rules of engagement for the simulated penetration during the test and evaluation of the operation of the weapon system. The effectiveness of the protection measures (PM1, PM2) can be verified using a simulated penetration based on the rules of engagement. For vulnerabilities (V1, V2) that affect missions, the effectiveness is verified through an operational test and evaluation during the weapon system acquisition process. In this case, if the mission is continuously restricted as a result of a cyberattack that exploits the previously identified vulnerabilities (V1, V2), the protection measures are supplemented and re-verified through retesting.

In the weapon system acquisition phase, a mission-based cybersecurity test and evaluation in connection with the RMF is performed, enabling management through mission-based risk assessment according to the cyberattack in the RMF 6-step monitoring process, even after deployment.

4.5. Summary of Simulation Results

Section 4 showed how a mission-based cybersecurity test and evaluation model linked to the RMF could be simulated for a virtual “CAS mission support system”. The first phase threat modeling materialized the threat scenario by linking it with the RMF security categorization and selection of security control items. In the second phase of attack surface cataloging, the relationship for each layer was identified and diagrammed, and in the third phase of attack surface vulnerability analysis and evaluation, the performances before and after a cyberattack on nodes by layer were calculated through a simulation, and the vulnerabilities and protection measures were calculated. The calculated vulnerabilities can be specifically reflected in the RMF security control item evaluation results and authorization. The simulated infiltration based on the fourth phase rules of engagement showed that the previously identified attack path was presented as the rules of engagement of the simulated infiltration to verify the effectiveness of the protection measures.

A similar case study [7], predicted the risk types and evaluated the effectiveness of existing controls using machine learning techniques, while [8] proposed a socio-technological security framework that measured the cybersecurity functions within an organization at the operational stage. On the other hand, in this paper, we propose a mission-based cybersecurity test and evaluation model linked with the RMF from the development stage based on the weapon system acquisition cycle, and calculate a change in performance by layer according to cyberattacks to quantify the vulnerabilities and protection measures. This is a concrete way to manage cybersecurity risks at an appropriate level throughout the entire life cycle of a weapon system.

Table 7. Analysis of characteristics and strengths of similar studies.

Division	Key Features by Model	Strength
[7]	Predict risk types and evaluate the effectiveness of existing controls through machine learning techniques	Suitable for engineering systems, supporting stakeholders with asset materiality assessment
[8]	Measuring an organization’s socio-technical cybersecurity capabilities	Derivation of social vulnerabilities in addition to technical vulnerabilities
Proposal	Linking RMF and cybersecurity test and evaluation to derive vulnerabilities and protection measures, and verify through simulated penetration	Appropriate for testing and evaluation of weapon systems, providing simulation penetration standards

compares the characteristics of similar studies and the proposed model.

The performance comparison between similar studies and the proposed model is shown in

Table 8. Comparison between similar studies and proposed model.

Division	[7]	[8]	Proposal
Risk Prediction	O	X	O
Asset Materiality Assessment	O	X	O
Assess the effectiveness of controls	O	O	O
Deduction of social vulnerabilities	X	O	O

. The proposed model can predict risk in threat modeling; the effectiveness of control is verified through simulated penetration; and social vulnerabilities are derived through attack surface identification.

5. Conclusions

This paper proposed a mission-based cybersecurity test and evaluation model for RMF-linked weapon systems. Cybersecurity was improved in consideration of the symmetry between technologies and vulnerabilities inherent in the advancement of civil embedded systems and military weapon systems. This is consistently utilized in the pre-acquisition phase, providing key information to key decision-making organizations in a timely manner to support decision-making, and to devise and verify protection measures for vulnerabilities identified in terms of cybersecurity. It can facilitate communication between related organizations throughout the acquisition phase, and has the advantage of supplementing vulnerabilities through information sharing, verifying its effectiveness, and institutionalizing it so that retesting is possible in the case of inadequacy.

The effectiveness of the proposed test and evaluation method was partially verified by classifying the weapon system hierarchy of the virtual weapon system, the CAS mission support system, and conducting a simulation by applying the performance calculation formula for each hierarchy. The simulation showed the process of specifying the threat scenario in connection with the RMF in the first step, while the second step determined the relationships between all the nodes by weapon system layer. Based on this, the change in performance of each node before and after a cyberattack was measured in the third phase of the simulation, and the vulnerabilities and protection measures were quantified. In Phase 4, the identified attack path was presented as a rule of engagement to show it could verify the effectiveness of the protection measures.

Therefore, this cybersecurity test and evaluation method is applicable to domestic weapon systems, considering the continuing efforts to strengthen cybersecurity activities and manage risks throughout the entire life cycle of a weapon system in advanced countries, such as the United States. It will contribute to the development of a methodology.

The U.S. RMF is designed to be performed independently of any technology or system. For this reason, this paper also presents a model that is performed in conjunction with RMF. Therefore, the proposed model can be applied to various missions. Although weapon systems have various missions, cyberspace formed by computers and networks has common cybersecurity characteristics that must ensure confidentiality, integrity, and availability. Therefore, the proposed cybersecurity test and evaluation is judged to be applicable to various missions.

The model proposed in this paper improves weapon system cybersecurity by incorporating practical measures, such as simulated penetration, while the importance of development security is increasing in the weapon system acquisition stage.

Future research should focus on detailed methodologies for mission-based risk assessment. Cyber security can be further developed by applying the civilian threat hunting method in the weapon system operation stage.