9 June 2017

Army relying on ‘situational understanding’ to secure legacy devices

by Mark Pomerleau

The Army, which continues to field a variety of legacy equipment, knows it is going to get hacked. The solution: provide commanders with information to understand what these compromises will mean to their mission.

The Army is grappling with how to retrofit and make legacy equipment relevant in a 21st century environment, as it’s not going to purchase an entire new arsenal of radios or other legacy equipment it operates.

Acknowledging a common adage, Mike Monteleone, acting deputy director of Space and Terrestrial Communications Directorate (S&TCD) at the Communications-Electronics Research, Development and Engineering Center, or CERDEC, told FifthDomain during an interview at their headquarters at Aberdeen Proving Ground that cybersecurity was never baked into programs. So, with programs or equipment with inherent vulnerabilities that have been out for 20 or 30 years, “There’s nothing you can do, you’re not going to open a radio system and change certain things,” despite the vulnerabilities, “because there are hundreds of thousands of them in the Army’s inventory.”

At the lab level, the Army is testing out several situational awareness and situational understanding tools to help provide commanders more actionable information to be able to discern what a potential intrusion might mean to their mission.

For example, CERDEC is working on the State Change Anomalous Behavior Analysis for Radio Network Defense, or SCABARD, which essentially is an external add-on for tactical radios in the field allowing commanders at a central location to not only be able to see where each radio is located, but which ones might be infected with malware.

The solution observes the behaviors as opposed to the signatures on the radios to see if any anomalous behavior – be it malicious or benign – is occurring as they feed back to the tactical operations center. The solution can see what a particular radio was doing at a particular point in time.

One of the key drivers for the solution, Brian Dempsey, chief of tactical network protection within CERDEC’s S&TCD and Cyber Security and Information Assurance Division, told FifthDomain, was reports from recent Network Integration Evaluations that there were known concerns at the lower edge of the network.

The Army recognizes it can touch radios from a network perspective, Monteleone explained. Soldiers should be on the lookout for inherent vulnerabilities, specifically in commercial protocols that everyone uses, and ask what they should be looking for in the spectrum environments – what does normal look like, what does contested look like?

The SCABARD interface shows all the radios deployed to a particular area with green icons denoting all radios and red icons denoting bad routes or anomalous behavior on that particular radio.
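The behavior-based monitoring described above can be illustrated with a small worked example. The following is an added example, not SCABARD code or any CERDEC artifact: it learns a per-radio baseline of transmit volume and routing next hops from a known-good window of telemetry, flags later samples that deviate (an unexpected next hop, i.e. a "bad route", or a transmit volume far outside the baseline), colors each radio green or red for an operator view, and lets an analyst ask what a given radio was doing at a given time. The radio names, telemetry fields and the anomaly thresholds are all constructed assumptions.

```python
"""Behavior-based anomaly monitor for a small radio net (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    t: int            # seconds since mission start
    radio: str        # radio identifier (constructed)
    tx_bytes: int     # bytes transmitted during the reporting interval
    next_hops: tuple  # next-hop radios currently in the routing table


# Constructed telemetry. R1 and R2 behave consistently throughout; from
# t=180 radio R3 starts routing through an unknown hop "X9" and its
# transmit volume jumps by an order of magnitude.
TELEMETRY = [
    Sample(0,   "R1", 1200, ("R2",)), Sample(0,   "R2", 1100, ("R1", "R3")), Sample(0,   "R3", 1300, ("R2",)),
    Sample(60,  "R1", 1250, ("R2",)), Sample(60,  "R2", 1050, ("R1", "R3")), Sample(60,  "R3", 1280, ("R2",)),
    Sample(120, "R1", 1180, ("R2",)), Sample(120, "R2", 1120, ("R1", "R3")), Sample(120, "R3", 1320, ("R2",)),
    Sample(180, "R1", 1220, ("R2",)), Sample(180, "R2", 1080, ("R1", "R3")), Sample(180, "R3", 9800, ("R2", "X9")),
    Sample(240, "R1", 1230, ("R2",)), Sample(240, "R2", 1090, ("R1", "R3")), Sample(240, "R3", 9500, ("X9",)),
]


def build_baseline(samples, window_end):
    """Learn what 'normal' looks like per radio from samples taken before window_end."""
    by_radio = {}
    for s in samples:
        if s.t < window_end:
            by_radio.setdefault(s.radio, []).append(s)
    baseline = {}
    for radio, recs in by_radio.items():
        volumes = [r.tx_bytes for r in recs]
        hops = set()
        for r in recs:
            hops.update(r.next_hops)
        baseline[radio] = {"mean": mean(volumes), "stdev": pstdev(volumes), "hops": hops}
    return baseline


def classify(sample, baseline, z_threshold=3.0):
    """Return the reasons a sample deviates from its radio's baseline (empty = normal)."""
    b = baseline.get(sample.radio)
    if b is None:
        return ["no baseline for this radio"]
    reasons = []
    unknown = set(sample.next_hops) - b["hops"]
    if unknown:
        reasons.append(f"unexpected next hop(s) {sorted(unknown)}")
    spread = b["stdev"] or 1.0  # guard against a perfectly flat baseline
    z = (sample.tx_bytes - b["mean"]) / spread
    if abs(z) > z_threshold:
        reasons.append(f"tx volume z-score {z:.1f}")
    return reasons


def radio_status(samples, baseline, window_end):
    """Green/red per radio. A radio stays red from its first anomaly onward,
    so a compromised radio is not silently accepted back as 'normal' later."""
    status = {r: {"status": "green", "first_anomaly": None, "reasons": []} for r in baseline}
    for s in sorted(samples, key=lambda x: x.t):
        if s.t < window_end:
            continue  # inside the learning window
        reasons = classify(s, baseline)
        if reasons:
            entry = status.setdefault(s.radio, {"status": "green", "first_anomaly": None, "reasons": []})
            entry["status"] = "red"
            if entry["first_anomaly"] is None:
                entry["first_anomaly"] = s.t
            entry["reasons"].extend(f"t={s.t}: {r}" for r in reasons)
    return status


def state_at(samples, radio, t):
    """Most recent sample for `radio` at or before time t (None if nothing yet)."""
    candidates = [s for s in samples if s.radio == radio and s.t <= t]
    return max(candidates, key=lambda s: s.t) if candidates else None


if __name__ == "__main__":
    base = build_baseline(TELEMETRY, window_end=180)
    for radio, info in radio_status(TELEMETRY, base, window_end=180).items():
        print(radio, info["status"], info["reasons"])
    print(state_at(TELEMETRY, "R3", 200))
```

The sticky red flag mirrors the goal of keeping a radio that misbehaved in the field from being reconnected as if nothing happened; clearing it would be an explicit operator action, not something the monitor does on its own.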

The solution serves from the squad level all the way up to the company level. Its goals could be twofold: preventing radios that were infected with malware while out in the field from being plugged back into the network, and providing commanders with greater understanding of their situation.

For example, armed with the information that a particular set of radios is infected, a commander might be able to tell that bad guys are around the squad and that their forces might have to change frequencies, or they might have to make a calculation whether or not to continue the mission with infected comms or shut them off entirely.

SCABARD serves the purpose and adage that every soldier is a sensor in the field as it acts as a passive collector of information, specifically electromagnetic spectrum information. While intelligence gathering and analysis of information collected is not a primary goal of SCABARD currently, officials said this was thought of and will be explored in the next phase. The labs look to evolve technology solutions and then transition them to program offices once matured.

SCABARD would feed into something called CEMA Situational Awareness Tactical Analytic Framework, or C-STAF, another tool the CERDEC labs are working on.

C-STAF, similar to SCABARD, aims to provide analysts and commanders with answers to critical questions to provide context to information for better decision making. Oftentimes, in today’s world of data overload, analysts, warfighters and commanders are inundated with information, especially during times of crisis or attack.

Officials explained to FifthDomain that a few focus areas of C-STAF are what data are important/what can commanders or warfighters ignore and what questions drive soldiers’ needs? During a cyberattack, for example, what information is absolutely essential at that time and what can they disregard to be most effective?

To that end, one of the roles C-STAF will play is mission mapping. This works both in pre-mission planning as well as during operations to help answer tough questions analysts might have. The machine sifts through the data and provides a clear set of options to the human.

The program will look at questions such as if a unit is attacked, what impact, if any, will it have on the outcome of the mission? For example, it might help to calculate a risk analysis. If the mission is to assault a hill, what happens if radios or communications are infected? Will that impact the overall mission? The commander might make the call to shut down comms and tell soldiers they’re going to be out of comms for three minutes, be careful. Or they might determine that the breach is not critical enough and the mission can continue.
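The mission-mapping idea in the two paragraphs above, answering "if these components are compromised, which parts of the mission are affected and how badly?", can be shown as a dependency-graph computation. The following is an added example and not C-STAF code: it encodes a constructed mission as a graph of tasks and the networks and systems they depend on, propagates a set of compromised components (for instance the radios a monitor has flagged red) up through that graph, and summarizes which tasks are hit and whether any of them is mission-critical. All node names, the criticality ratings and the "any compromised dependency impacts the dependent" rule are assumptions made for illustration; a real tool would need a richer model of redundancy and partial degradation.

```python
"""Mission-dependency impact analysis for a constructed mission (added example)."""
from collections import deque

# Constructed dependency map: each node lists the things it depends on.
# Node names are hypothetical and chosen to mirror the "assault a hill" scenario.
DEPENDS_ON = {
    "mission:assault_hill": ["task:coordinate_fires", "task:maneuver", "task:medevac"],
    "task:coordinate_fires": ["net:squad_radio", "sys:fires_terminal"],
    "task:maneuver": ["sys:gps"],
    "task:medevac": ["net:squad_radio", "net:satcom"],
    "net:squad_radio": ["radio:R1", "radio:R2", "radio:R3"],
    "sys:fires_terminal": [],
    "sys:gps": [],
    "net:satcom": [],
    "radio:R1": [], "radio:R2": [], "radio:R3": [],
}

# How much the mission depends on each task (constructed ratings).
CRITICALITY = {
    "task:coordinate_fires": "critical",
    "task:maneuver": "critical",
    "task:medevac": "high",
}


def reverse_graph(depends_on):
    """Invert the map so we can walk from a component to everything that relies on it."""
    rev = {}
    for node, deps in depends_on.items():
        for d in deps:
            rev.setdefault(d, []).append(node)
    return rev


def impacted_nodes(compromised, depends_on=DEPENDS_ON):
    """All nodes that transitively depend on any compromised node (conservative rule:
    one compromised dependency is enough to mark a dependent as impacted)."""
    rev = reverse_graph(depends_on)
    seen = set(compromised)
    queue = deque(compromised)
    while queue:
        node = queue.popleft()
        for dependent in rev.get(node, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def mission_impact(compromised, depends_on=DEPENDS_ON, criticality=CRITICALITY):
    """Summarize which tasks are affected and give an overall verdict the commander can act on."""
    hit = impacted_nodes(compromised, depends_on)
    tasks = {t: c for t, c in criticality.items() if t in hit}
    if any(c == "critical" for c in tasks.values()):
        verdict = "at_risk"      # a mission-critical task depends on something compromised
    elif tasks:
        verdict = "degraded"     # only non-critical tasks are affected
    else:
        verdict = "nominal"
    return {"compromised": sorted(compromised), "impacted_tasks": tasks, "verdict": verdict}


if __name__ == "__main__":
    # A monitor flagging radio R3 would hand its id in here.
    print(mission_impact({"radio:R3"}))
    print(mission_impact({"net:satcom"}))
```

With `{"radio:R3"}` compromised the squad radio net, fires coordination and medevac are all marked impacted and the verdict is `at_risk`, which is the point at which the commander weighs the options the article describes (continue with compromised comms, change frequencies, or go silent for a few minutes). A SATCOM-only compromise leaves the critical tasks intact and comes back as `degraded`.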

In terms of next steps, SCABARD will be going to the Cyber Blitz, an exercise that tests cyber capabilities within command posts, for evaluation prior to potential larger integration. Officials explained they are looking to transition C-STAF to the program office side in fiscal 2018.

Putting information in context

The Army is trying to help lessen the cognitive load of its soldiers. No soldier can make sense of the data coming from multiple sources because there’s just too much, Monteleone said. “How can I take care of my business and keep that fight going when I may be compromised or I don’t know if I’m compromised or I don’t know if my higher echelons are compromised? How do I assure to the best of my ability that I can continue forth on that mission?”

Monteleone explained that one of the takeaways the Army has is the understanding part – not just of data but of systems, understanding the components that make up the missions, those dependencies, the interdependencies between our systems and our networks and our capabilities.
