Unmanned systems vulnerable to the enemy, which makes trusted computing a critical cyber design challenge
By David Sheets
ASHBURN, Va. – Trusted computing is a difficult concept to implement, even in the best of scenarios. Implementing adequate cyber security and other protections becomes even more challenging when the system being protected will be deployed into the harsh world without a trusted service member nearby to operate it.
The first challenge when designing a deployable solution for an unmanned platform is the lack of constant supervision from a trained and trusted human operator. While supervision is typically available on manned systems, unmanned systems may only have periodic contact with an operator.
What’s more, an unsupervised system may need to make autonomous decisions based on minimal and potentially untrustworthy sensors. Another important issue is that, compared to manned systems, unmanned systems are more prone to falling into the hands of potential adversaries. One example is the seizing of a U.S. unmanned underwater drone by China at the end of 2016.
The availability of reliable, secure communications becomes much more critical when dealing with unmanned systems. A manned system that loses communication can still operate, because the onboard operators can work to restore communications or complete the mission; for an unmanned system, a communications failure is far more serious. If communications are lost, the unmanned system may need to throttle back, proceeding with much more limited functionality. Loss of communications also means that the unsupervised system won’t be able to quickly respond to changing circumstances.
For all of these reasons, systems designers must ensure that their unmanned systems are well protected. These protections must take into account the possibility of an attacker gaining physical access to the system, and must include adequate cryptographic protection of stored data and appropriate cyber security protections to maintain communication integrity and confidentiality.
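As an added illustration of the two communications points above (integrity protection of the command-and-control link, and throttling back to limited functionality when the link is lost), the following Python sketch is not code from the article, from Curtiss-Wright, or from any CNSS document. It assumes a pre-shared link key and a simple heartbeat frame (counter, timestamp, HMAC-SHA256 tag); the key and timings are constructed values.

```python
import hmac
import hashlib
import struct

# Assumption: a pre-shared key provisioned to both ends of the C2 link (constructed demo value).
KEY = b"constructed-demo-key-not-for-real-use"

def make_heartbeat(key: bytes, counter: int, t_ms: int) -> bytes:
    """Build an operator-side heartbeat: 8-byte counter, 8-byte timestamp, 32-byte HMAC tag."""
    body = struct.pack(">QQ", counter, t_ms)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag

class LinkMonitor:
    """Vehicle-side monitor: accepts only authenticated, non-replayed heartbeats and
    degrades the autonomy mode when no valid heartbeat arrives within the timeout."""

    def __init__(self, key: bytes, timeout_ms: int, degrade_to: str = "limited"):
        self.key = key
        self.timeout_ms = timeout_ms
        self.degrade_to = degrade_to
        self.last_counter = -1      # highest counter accepted so far (replay window)
        self.last_ok_ms = None      # time of the last valid heartbeat
        self.mode = "full"

    def receive(self, frame: bytes, now_ms: int) -> bool:
        """Return True if the frame is a valid heartbeat; reject forged/corrupted or replayed frames."""
        if len(frame) != 16 + 32:
            return False
        body, tag = frame[:16], frame[16:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False            # integrity check failed: tampered or not from the key holder
        counter, _ = struct.unpack(">QQ", body)
        if counter <= self.last_counter:
            return False            # replayed or out-of-order frame
        self.last_counter = counter
        self.last_ok_ms = now_ms
        self.mode = "full"          # a fresh, valid heartbeat restores full functionality
        return True

    def tick(self, now_ms: int) -> str:
        """Called periodically; throttles back to the limited mode once the link is silent too long."""
        if self.last_ok_ms is None or now_ms - self.last_ok_ms > self.timeout_ms:
            self.mode = self.degrade_to
        return self.mode
```

In a real platform the degraded mode would map to a pre-planned behaviour (loiter, return to base, or a safe hold), and the heartbeat would ride inside the encrypted C2 link rather than replace it.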
To help system designers meet the challenge, there are specific documents that provide guidance on how to maintain trusted operation on unmanned systems.
One such document is the Committee on National Security Systems Policy 28 (CNSSP-28), “Cybersecurity of Unmanned National Security Systems.” Much of its guidance references other documents from which to pull information (e.g. CNSSP-7). CNSSP-28 also calls out particular technologies that must be employed (e.g. encryption for all command and control data links) and the processes that must be adhered to, including, for example, the required aspects of the risk-mitigation framework that must be applied to unmanned systems.
When applying the risk-mitigation framework to unmanned systems, designers must take care to ensure that their system has been appropriately analyzed so that all controls have been selected to provide protection across all potentially compromised environments, not just nominal operating environments.
The NIST 800-53 security controls document describes the set of controls that might need to be applied to unmanned systems. Another document, CNSS Instruction 1253, provides guidance on the overlay of controls that are mandated to be applied to national security systems.
This guidance is based on selecting the level of protection required (low, medium, or high) across three protection categories (confidentiality, integrity, and availability). System designers should select the appropriate level of protection for each of these three categories so that their programs neither under-protect nor over-protect their system, based on its unique system-level risks.
Similarly, there are also policies that provide guidance on cryptographic standards for unmanned systems. One example, the “Policy on the Use of Commercial Solutions to Protect National Security Systems” (CNSSP-7), also available on the CNSSP policy page, provides guidance on using Commercial Solutions for Classified (CSfC) for national security systems.
The CSfC Data at Rest (DAR) Capability Package (CP) has gone through multiple revisions; the latest version, v4.8, which is currently in review and accepting comments, provides additional guidance on unattended operation.
In this document, the Unattended Operation use case defines the operational parameters for unattended operation. Requirements at the end of the document allocate from the set of potential CP requirements to the Unattended Operation use case. Since the document is now in the review period, interested programs that may want to use approved CSfC DAR solutions, such as Curtiss-Wright’s DTS-1 Rugged Network Attached File Server, on unmanned systems are advised to review the draft document and provide feedback on the applicability of the requirements to their specific platforms and systems prior to the deadline of December 5, 2019.
Beyond the guidance on protecting unmanned systems that is available from publicly available documents, additional guidance for ensuring complete protection can be obtained from leading, experienced COTS vendors.
Programs can work with their vendors to ensure that the products they plan to integrate into an unmanned system have been engineered to meet stringent security requirements and can provide protection in the face of all potential attack vectors. System designers should verify that their COTS vendors are actively involved in appropriate trusted computing communities to ensure that they maintain awareness of and follow appropriate guidance from current documents across their product lines.
David Sheets is senior principal security architect at Curtiss-Wright Defense Solutions. Contact him by email at [email protected].