WRIGHT-PATTERSON AIR FORCE BASE, Ohio – This past fall, the Reliability and Maintainability Information System program office at Wright-Patterson Air Force Base, underwent an intentional hack by certified ethical hackers hired under a contract to conduct an analysis of what would happen if an insider “went rogue.”
The event, known as “white hat” hacking, or “bug bounty,” sought to identify vulnerabilities into the Air Force’s premier maintenance system, REMIS.
The project consisted of representatives from the Air Force’s Logistics Integration Directorate, Synack, a hacking contractor team with support from the Defense Digital Service, the REMIS program office, as well as REMIS prime contractor Northrop Grumman Mission Systems.
The objective was to test REMIS’ vulnerability to users who had “inside access” to the REMIS system (authorized users), and assess what “damage” or “malice” they could accomplish. The hack was not intended to test the external security boundary for accessing REMIS.
Over the course of four weeks, 73 hackers spent more than 1,700 man-hours probing REMIS for vulnerabilities and weaknesses. They identified 12 vulnerabilities with varying severities. The REMIS program office and Northrop Grumman were able to immediately remediate 11 of the vulnerabilities, and are taking steps to mitigate the last vulnerability.
The objective of this exercise was not only to assess the strength of REMIS’ cybersecurity posture, but to learn how to most effectively establish an enterprise level bug-bounty for the entire Logistics-Information Technology portfolio.
Overall, senior leaders were pleased with the results.
This effort lays the foundation for a broader friendly hack that will further the cybersecurity of Air Force logistics systems.