Raise the Bar: Demanding Cybersecurity Excellence for Cross Domain Solutions in the Battlespace

109
Raise the Bar

To enable multi-domain operations across a connected battlespace, it is critical that security it built into the foundation of the solution, meeting Raise the Bar (RTB) standards. The battlespace is under attack at many levels and persistent cyber threats continue to rise. In an effort to thwart advanced and emerging cyber threats, the National Cross Domain Strategy Management Office (NCDSMO), now under the purview of the National Security Agency (NSA), is calling for industry to implement cybersecurity standards for all cross-domain solutions to ensure that they are at the low risk of failing, even when under attack.

Raise the Bar standards were published in late 2018 based on emerging guidance and went beyond the National Institute of Standards and Technology’s (NIST) Risk Management framework controls that many government agencies implement. The standards continue to evolve as cybersecurity threats become more sophisticated and as systems become more interoperable. The next iteration of the guidelines requires more controls to enforce data flow on high-risk networks.

As industry seeks to develop advanced, rugged systems that work in the most extreme environment to enable warfighters to complete missions, cybersecurity controls must be built-in from the start. Sensitive, classified information that flows across systems during military training and real-time scenarios needs to be protected from adversaries trying to access military intelligence.

“As technology evolves, needs arise, attack vectors change, and vulnerabilities are discovered,” Jim Marek, CISSP, Technical Fellow for Mission Systems at Collins Aerospace, explained in a recent interview. “RTB will continue to be updated to reflect the appropriate set of requirements and industry will need to continue to work with NCDSMO to certify the information flow policy of classified data.”

For the past two decades, Collins Aerospace has engaged with NSA and NCDSMO on developing Cross Domain Solutions (CDS) and policies, Marek told us. “We’ve been a leader in developing high assurance solutions for the Intelligence community and the DoD.”

Marek noted that as the military seeks a multi-domain operational environment, where warfighters need to leverage the most advanced technologies to pace the threat, they need data at their fingertips to make real-time decisions. “To that end, Collins is developing next generation CDS that will radically increase speeds and support high assurance information flow policy enforcement from the command centers out to the people and platforms at the tactical edge.”

One example of this is the small form-factor, high-performance, rugged tactical CDS that is being deployed on the U.S. Navy’s Tactical Combat Training System Increment II (TCTS II) program and is targeted for the U.S Air Force’s P6 Combat Training Systems (P6CTS). Those programs leverage technology that securely connects the aircraft to the other elements in the training space including other aircraft, ground, sensors etc., to improve training realism and effectiveness.

Securely controlling the flow of information from the various elements utilizes Multiple Independent Levels of Security (MILS). By leveraging a security hardened operating system, like the one offered by Green Hills Software, the CDS allows for greater access control which enables data isolation between applications, resource sanitation, and fault isolation on a multicore processor. 

“The INTEGRITY-178 real-time operating system has a unique pedigree of meeting the strictest security assurance requirements and has been fielded on numerous multi-level security (MLS) and CDS programs,” said Patrick Huyck, Senior Systems Certification Manager at Green Hills Software. Even before the creation of the RTB standards, Green Hills Software led the way to meeting CDS requirements for an operating system by getting INTEGRITY-178 certified to the NSA-defined Separation Kernel Protection Profile (SKPP) in 2009. The SKPP is the highest assurance set of requirements ever created for an operating system, and INTEGRITY-178 was certified to Common Criteria EAL6+ and “High Robustness.” High Robustness means the OS was determined to be resistant to an extremely sophisticated adversary with abundant resources, such as a persistent threat from a nation-state.

Collins Aerospace recently announced that the U.S. Navy completed the successful first flight of the TCTS II Air Combat Training program on an operational F/A-18E/F Hornet. The platform developed and built by Collins Aerospace and their strategic partner DRS “enables highly secure air combat training between Department of the Navy and Air Force aircraft, both 4th and 5th generation platforms.” Marek pointed out that the integration of Green Hill Software’s INTEGRITY-178 TuMP made this Raise the Bar CDS certification approval possible, by “uniquely meeting the functionality requirements of the Navy’s TCTS II CDS and security assurance requirements of RTB.” It is the first training system on a military aircraft that will achieve the Raise the Bar certification.

“We have worked with the NCDSMO over the past couple years to both enhance RTB policy and develop a compliant solution that will enable training to achieve a whole new level,” Marek said. “Our solution supports the future needs for MILS solutions that are required to achieve the DoD vision to train like you fight and fight like you train which includes full support for all aspects of Live, Virtual, and Constructive training.”

Yet, it’s not only in the training realm where the Raise the Bar cybersecurity standards are applicable, Marek told us. “It applies across the board from training to fight, to battle readiness, to winning today’s fight. We continue to develop solutions for multiple CDS platforms that meet these requirements and enable the military to win today and into the future.”