A Cost Effective High Assurance Layered Solution for MLS Test Training and LVC

2014 Layered Assurance Workshop, 8-Dec, 2014

James Marek

© 2014 Rockwell Collins. All rights reserved.

Introduction

• Solution space to address modern test and training and LVC interoperability issues is an ideal application of layered assurance
  – Significant security-related scope as well as safety issues
  – High assurance/robustness is critical to address these issues

• Cost and schedule viability are a serious consideration

• This presentation describes a solution which is based on the principles of layered assurance and composability at multiple levels in the architecture

• All of the elements described herein have completed their individual certification efforts (e.g. NSA Type 1, Common Criteria, etc.)

• The system-level solution is rapidly maturing and is in the process of completing accreditation as part of its fielding

Overview of Problem Space

• Testing
  – Modern military ranges testing platforms that can each host and share information at a wide range of classification / caveat / compartment levels

• Training
  – 3rd, 4th, and 5th gen platforms & UAS, Weapon/Threat sims with different security levels and requirements for exchange
  – Coalition partners
  – Current environment results in reduced training effectiveness

• Common Problem
  – Need for security enforcing MLS information exchange solution
  – Enables effective/efficient testing and training to be performed
  – Affordably control the flow of timely information exchange
  – Low impact scalable solution that supports
    • System-high (at a single-level) through certified MLS operation

Presentation Notes

Testing:
  – e.g. 5th gen platforms (e.g. F-35) and 4th gen platforms (e.g. F-18) have communications links, weapons, and sensors that are processing data at different levels of security
  – Clearance limits on Staff working with and in these platforms
  – Multiple simultaneous test missions at a range

Training:
  – Weapons and threats being simulated with range of classification levels
  – Platform datalinks and sensors have a variety of performance parameters and capabilities which span a number of class levels

Elements of the solution

• Modular building blocks for layered solution

• Composability at the component and system levels

• Mobile/Airborne based elements
  – MLS Participant Interface Module (PIM)
  – Multi-Channel MLS NSA Type 1 End Cryptographic Unit (ECU)
  – High-Throughput Data-Link (HT-DL)
  – High Accuracy Time Space Position Information (HA-TSPI)
  – User Interface (UI) with high capacity Data Recorder Device (UI-DRD)

• Ground based elements
  – Multi-Channel MLS Mission/Debriefing Room Cross Domain Guard (MMMDR-CDG)
  – Multi-Channel MLS NSA Type 1 End Cryptographic Unit (ECU)
  – Data Link Controller (DLC)
  – System Controller Workstation (SCW)
  – Mission/Debrief Room Workstation (MDRW)
  – Portable Test Set (PTS)
  – Remote Ground System (RGS)
  – Range Gateways

MLS Participant Interface Module (PIM)

• Multi-Level MILS processing environment
  – Configurable at boot time

• Works synergistically with ECU & MMMDR-CDG

• Configurable interfaces
  – Fibre Channel, 1553, Ethernet, Serial

• CC EAL6+ MILS RTOS
  – Hosts Multiple SL enclaves & CDG
  – TS-U info processing, MAC, & flow control
  – System-high (single or multiple channels) & MLS operation

• Modular NSA-evaluated CDG
  – Flexible user generated rules
  – e.g. C2, BIT, Status, RTKN

• NSA-evaluated Labeler (“L”)
  – Bind & check packet labels

• Composed security policy
  – SK + FE + Labeler

• 1.5” x 3.5” x 6.4” package for easy embedment
  – Demonstrating that MLS can be packaged in a constrained pkg

Multi-Channel MLS NSA Type 1 End Cryptographic Unit (ECU)

• MILS-based multi-channel MLS ECU
  – 4 red traffic channels (TS-U), 1 Ctl (U)
  – 3 black traffic channels (U)

• MILS SK hosts KM & control

• IP/Ethernet I/O abstracts encryption from red & black sides
  – Datalink-agnostic encryption

• Data-In-Transit encryption for off board communication

• Data-At-Rest encryption for on board storage of mission data

• Classification level packet label checking on each channel

• Classification levels configurable based on boot load

• Key and Algorithm agility per channel

• Leverages NSA Type 1 certified Janus cryptographic engine

• 1.5” x 3.5” x 6.4” package

Multi-Channel MLS Mission/Debriefing Room Cross Domain Guard (MMMDR-CDG)

• Based on PIM processor
  – Significant SW reuse

• Scalable, rack mounted version of the PIM
  – Cfg’d to filter for mission & exercise debriefing
  – Currently on class level / caveat and mission #

• Open/Modularity supports direct connection of PIM and MMMDR-CDG
  – Ease system integration, testing, and debug
  – Isolation from ECU’s, datalinks, infrastructure

• Note: ECU’s can also be directly connected
  – Isolation from the datalinks, infrastructure

Participant Sub-System

Ground Control System

[Figure: Ground Control System diagram. Labels: ECU, Guard, DataLink, UI-DRD, Mission/Debrief Room(s), SCW]

Typical Application

[Figure: Typical Application diagram. Labels: Const, Virt1, Virt2]

Summary

• Presented solution for modern test/training/LVC MLS needs

• Applies layering and abstraction

• Focus on modularity and composability

• MILS building blocks to reduce C&A cost, schedule, and risk

• Enables cost effective implementation for range of applications

• Supports several modes of operation as needed by users (e.g. system-high, MSL, MLS)

• Not simply a proposed concept but is
  – Founded on Technology Readiness Level (TRL) 6+ certified products and technologies
  – Currently finishing accreditation through deployment for both domestic and international applications to solve MLS test, training, and LVC challenges

Backup

These elements are included in the paper and have a limited role in the layered assurance. However, due to time constraints they are not covered in the main brief.

Participant Elements

High-Throughput Data-Link (HT-DL)

• Employs uplink, downlink, and peer-peer crosslink services with packet rates roughly 4 to 5 times greater than legacy pod-based range instrumentation

• Relay routes are self-forming, out to 4 hops

• Manual routing can be managed between user-selected nodes
  – Datalink range for a single-hop route is 100 nmi air-air, and 130 nmi air-ground.

• At 6.6 lbs., miniaturized to roughly half the weight of existing equipment

• Partitioned into a Transceiver Modem (TRM) module (6.6”) and a Power Amplifier (PA) module (11”), each having a 3.5” x 1.4” cross section

• Selectable to use built-in Type 3 encryption

• Type 1 encryption is provided external to the datalink to enable more modularity and support alternate datalinks (easy datalink upgrade without NSA recertification)

High Accuracy Time Space Position Information (HA-TSPI)

• Critical element of any test/training system

• Feeds testing exercises as well as on-board weapon and threat simulations

• Enhanced system modularity and composability due to independent isolated TSPI function

• Leverages the Rockwell Collins high accuracy miniature Selective Availability Anti-Spoofing Module (SAASM) GPS

• Includes state-of-the-art Inertial Measurement Unit (IMU) technology

• Tightly coupled together to provide:
  – Real-Time Horizontal (x, y) and Vertical (z) position accuracy of 0.5 meters RMS
  – Real-Time Horizontal (x, y) and Vertical (z) velocity accuracy of 0.03 m/sec RMS
  – Real-Time Attitude accuracy of 0.1 degrees RMS

User Interface (UI) with high capacity Data Recorder Device (UI-DRD)

• Modular User Interface to support:

• Remote key loading and zeroization for encryption and GPS

• Hosts user removable solid state storage media for mission data recording
  – Storage media is also able to store configuration data and files
  – Supports over-the-air configuration/loading option

Ground Elements

Data Link Controller (DLC)

• Commercial computing platform

• Hosting management software for
  – Ground-based and participant package datalink modules
  – Datalink network
  – Information flow to and from ground and airborne nodes

• Hosts an EAL4 certified OS and conforms to DISA STIG guidelines for cyber security

System Controller Workstation (SCW)

• Commercial computing platform

• Hosting mission and participant management software

• Supports configuration for ground and airborne elements, as well as key distribution

• Hosts an EAL4 certified OS and conforms to DISA STIG guidelines for cyber security

• Allocated a port on the MMMDR-CDG which filters range traffic to and from the SCW

• Operates in a “blind administration” mode
  – Not typically accessing range participant traffic, but primarily focused on command and control functions that manage the range assets participating in exercises

• Plays a part in the layered security architecture
  – Managing encryption keys
  – Cfg and control functions for airborne/mobile/ground elements

Mission/Debrief Room Workstation (MDRW)

• Commercial computing platform

• Hosting mission management and debrief application software

• Hosts an EAL4 certified OS and conforms to DISA STIG guidelines for cyber security

• Allocated a port on the MMMDR-CDG which filters range traffic (live, recorded playback or a hybrid)

• Functionality reuse from the SCW

• Uses isolation and independent configuration & management with respect to the other elements of the system for added layer of security

Portable Test Set (PTS)

• Man-portable miniature ground sub-system

• Capable of being carried around the range to support wired remote operations

• Also supports configuration, test, and debug of airborne equipment spread across the range locale

• Each PTS includes a ruggedized laptop computer that hosts an EAL4 certified OS and conforms to DISA STIG guidelines for cyber security

• Leverages some common software from the SCW and MDRW

Remote Ground System (RGS)

• Includes
  – Datalink
  – Optional weather sensor
  – Ability to remotely power manage the RGS elements

• One or more RGS datalinks are used to provide area coverage (diversity) for the ground-based DLC (Data Link Controller)

• They can also support extended range for airborne platforms through relay functionality

• The weather sensor augments accuracy when operating an RGS in a GPS-denied mode

Range Gateways

• A variety of flexible computing and networking equipment and associated protocol translation and formatting software & firmware are also key elements of the range system to enable inter/intra-range operability and bridging to legacy systems
