NewsBite

Local firm develops world-first cyber check

An Australian company has developed the world’s first tool for analysing ‘cyber worthiness’ so planners can invest in protection where it is most needed.

KBR employees Tim Carroll, left, and Ben Kirkham work with the Achilles software.

When two Army Blackhawk helicopters crashed in Queensland back in 1996 with the loss of 18 lives, the Australian Defence Force overhauled its air worthiness processes. A decade later the RAN started overhauling its own sea worthiness processes as well.

Now Australia faces a new, ubiquitous “grey zone” threat: cyber attack by malicious players including foreign governments. An Australian company has developed the world’s first tool for analysing “cyber worthiness” so planners can invest in protection where it is most needed.

Achilles is a software package designed to measure the cyber worthiness of a piece of equipment or an entire organisation. It was developed by former soldier James Alexander with support from the CSIRO and is now at version 2.0. Achilles is used by Australian commercialisation partner KBR, part of the US-headquartered engineering firm, to identify the cyber vulnerabilities of a ship, an aircraft or an entire company and then present them graphically in three dimensions.

Krishaan Wright, a former RAAF C-130 Hercules pilot, is KBR’s cyber lead and defines “cyber worthiness” simply. It starts with training people to be “cyber aware”; it embraces the technical defences needed to spot and shut out cyber intruders; and it includes operational defences ensuring an organisation has the policies, processes and procedures in place to close off any identified vulnerabilities. Achilles is designed to detect the hidden vulnerabilities in a system or organisation’s cyber worthiness.

Alexander, who is managing director of Brisbane SME Cognition Analytica, based Achilles on a children’s game featuring the so-called “jenga brick” which sits at the base of a complex structure: when that one brick is removed, it brings down the entire structure.

That’s a perfect analogy for cyber security, Alexander says. Most things or organisations have an unconsidered weakness which can be targeted by the unscrupulous: Achilles creates a 3D model of a subject’s vulnerabilities – including its “jenga bricks” – and therefore shows how it can be protected.

He began developing Achilles in 2019 with support from the CSIRO, which at the time was developing its own 3D visualisation software. In 2020, the first prototype was completed, and Alexander approached KBR in 2021.

“Achilles identified critical vulnerabilities which could bring down an entire system,” Wright says. “Nothing else models vulnerabilities and what we call the cyber ‘kill chain’ in this way.”

KBR invested to quickly turn the prototype into an operational system. Trialling the system with Navy’s Fleet Cyber Unit, KBR used Achilles earlier this year to analyse four separate cyber-vulnerable systems aboard an RAN ship at sea and in dock. The process took just 3½ months and the result was a Software Management Plan for each system that told Navy’s decision-makers where they are potentially vulnerable, and so where to invest.

In consultant-speak KBR delivers “speed to value” and in ADF-speak “Decision Superiority”. If adopted, the Navy would save money by spending less of it more effectively – which is increasingly important as there is now more to protect – and provide a means for the service to think and make good decisions faster than a potential cyber intruder.

The RAAF, Army and Space Command face similar challenges and the beauty of Achilles, Wright says, is that it is “framework agnostic”: it doesn’t matter what technical standards or regulations are used, it can accommodate them all because it doesn’t set out to solve the problems it identifies.

Cyber security has become a ubiquitous requirement for the Defence and national security ecosystem. It is also ubiquitous across the civilian sector, especially where there’s critical infrastructure or significant dollars involved: think electronic banking, the supply of drinking water and online booking sites for airlines. So Achilles has potential applications way beyond the defence sector.

Achilles 2.0 is analytical but also helps put the target ahead of a potential adversary instead of having to react to an attempted cyber breach, Wright says. Unsurprisingly, KBR and Cognition Analytica haven’t shared their world-first with anybody else. Although the system has only been deployed in Australia, it could be used by KBR offices around the world – demonstrations to his overseas colleagues have been warmly received, Wright says.

Meanwhile, Achilles 3.0 is now a twinkle in Alexander’s eye – but he declines to elaborate.

Original URL: https://www.theaustralian.com.au/special-reports/local-firm-develops-worldfirst-cyber-check/news-story/e6e9cd6bac31b719d0584b02cacfe2c5