UltraLog: Securing Logistics Information on the Battlefield
Lieutenant Colonel James C. Bates, USA (Ret.)
Sustaining highly maneuverable forces on a rapidly changing, noncontiguous battlefield requires an agile logistics command and control system. But can such a system prevent compromise of its data by a determined adversary?
Ubiquitous information is a cornerstone of many contemporary visions of future warfare. Programs as diverse as the Office of the Secretary of Defense's Force Transformation program and the Army's Future Combat Systems program envision a tight linking of operations, intelligence, and logistics made possible by extensive, shared, and widely distributed information.
Military logisticians generally accept the potential advantages of a future logistics system that is highly networked and that is able to widely distribute real-time, actionable data on the battlefield. However, the survivability of such a logistics information system has not been demonstrated in practice on the battlefield or tested extensively in the laboratory.
With its UltraLog project, the Defense Advanced Research Projects Agency (DARPA) has taken up the challenge of building and demonstrating just such a networked logistics system. Specifically, the UltraLog project's goal is to build an extremely survivable, agent-based logistics planning and execution information system for the modern battlefield. [An agent, or intelligent agent, is a software program that can perform many functions for a human computer user by applying a certain amount of reasoning.] In UltraLog, intelligent agents can be agents that are embedded in a military unit to perform the automated logistics function for that unit, or they can be agents that perform UltraLog system functions outside of military units. The agent society models combat and support units, equipment, transportation networks, and supply chains. [An "agent society" is an information system composed of networked intelligent agents.]
The survivability of a distributed logistics system is based on three primary components: robustness, scalability, and security. Robustness is the ability of a system to continue functioning when one or more of its components are destroyed or impaired. Scalability is the ability of a system to withstand massive increases in size and workload, such as might be encountered in going from peacetime operations to war. Security is the capacity of a system to maintain integrity and confidentiality, even when it is under directed information warfare (IW) attacks. To be successful, future logistics information systems must be robust, scalable, and secure; in short, they must be survivable under battlefield conditions.
In an article in the November-December 2004 issue of Army Logistician, retired Lieutenant General Leo Pigaty and I examined UltraLog's robustness and scalability and detailed the process for assessing the military usefulness of logistics data produced when UltraLog was attacked along those two vectors. This article discusses UltraLog's security defenses against cyberattack.
Security Threat Environment
Cyberterrorism is a fact of Information Age life. As a form of asymmetrical warfare, an IW attack may result in potential damage that is completely disproportionate to the level of effort the attacker expends to achieve that damage. Attacks can be launched with few resources, without warning, and without regard to geography. They can be originated by pranksters, by adversaries, or by insiders acting either unintentionally or with malice.
IW attacks are almost as varied as the human imagination. However, they can be categorized by the attacker's intent:
• Destroy information system infrastructure or data. Attackers physically destroy computing centers or communications resources or introduce a virus to destroy data.
• Intercept sensitive information. Intruders access operational databases or intercept data moving through the communications pipeline. An adversary, for example, could exploit compromised logistics data to determine a unit's materiel condition, composition, or disposition.
• Corrupt or manipulate logistics information. Logistics transactions and data files are modified, duplicated, erased, or misdirected, potentially disrupting the supply chain and reducing user confidence in the supply system.
• Disrupt service. An adversary floods the system with spurious incoming messages in distributed denial-of-service attacks. Such attacks are designed to effectively paralyze the system by preventing legitimate users from accessing and using the system as intended. This could prevent the processing of logistics transactions and the transmission of requisitions and status information.
UltraLog Security Defenses
Over its 4-year development cycle, UltraLog has evolved a complex matrix of commercial off-the-shelf and uniquely designed security features that provide substantial protection against cyberattack. While the developers of this security framework readily acknowledge the impossibility of knowing or foreseeing the universe of potential assaults, UltraLog's defense in depth provides a significant bulwark against known threats.
UltraLog's security functionality is guided by two overarching concepts: agent system segmentation and dynamically reconfigurable, rule-based protective countermeasures. First, because of its globally distributed nature, UltraLog security is built on a unique framework of distributed trust that segments the agent society. Trust obstacles stand as sentinels between the segments and act to cordon off compromised segments, thus preventing damage from rolling unchecked throughout the system. Second, UltraLog incorporates a tight, policy-based security system. This system comprises a set of rules that is distributed throughout the system. Rules may be flexibly tailored to respond to changes in threat and are strictly enforced.
Policies and rules govern how UltraLog functions and control much of the interaction among agents. Policy is set by subject-matter experts, based on doctrine, and loaded into an UltraLog society. From a logistics perspective, rules might govern stocking objectives at different levels of the supply chain. On the security side, rules might control how many times a user can try to log on before being locked out. Part of UltraLog's strength is large sets of policies and rules that allow the system to modify the rules that are in effect in response to changing conditions.
Other UltraLog security features include:
• User access control service. This feature identifies and authenticates users and protects UltraLog from undesirable corruption caused by unauthorized users accessing the system. A unique user name and user-provided password serve to identify and authenticate individuals seeking to access the system. Access mediators decide whether to grant or deny the requested access and enforce access-control policies whenever someone attempts to enter the system. Once a user is inside the system, access to specific system features is strictly monitored and controlled.
• Message protection service. This mechanism controls the flow of damaging communications by mediating all outgoing and incoming transmissions. It compares messages against policy, stops all disallowed traffic, reports violations, and, if warranted, isolates the unit transmitting suspect messages.
• Communications security service. Encryption and digital signature of data in the communications pipeline protect data from compromise or unauthorized modification. Encryption ensures confidentiality, and digital signature ensures integrity of data and serves to authenticate the source.
• Monitor and response service. This provides a framework for monitoring the security condition of the logistics information system. It looks for signs of attack, such as denial-of-service flooding, using data collected from a range of sources; analyzes the data; and selects a course of action determined to minimize the security risk. The framework includes UltraLog-developed sensors to monitor such things as unauthorized service requests or denial-of-service probing; analyzers to evaluate sensor input against decision rules; and a policy-management service that provides the ability to manage the security posture of the system. Examples of responses include simply monitoring intruder activities, deactivating portions of the system under attack, updating security policy (strengthening or weakening it as appropriate), and locking out offending users.
UltraLog is a distributed, agent-based software architecture that is inherently survivable even in the most hostile environments. It is a resilient system that can protect and adapt itself under the most harsh and dynamic wartime conditions.
Assessment of Security Defenses
In order to assess the suite of security technologies, an UltraLog society was designed, built, and tested in the computer lab located at DARPA's Technology Integration Center. A battery of over 100 high-speed servers, along with related routers and switches running on a fractional T-3 network connection, were assembled to demonstrate an UltraLog society of over 1,000 military organizations and vehicles.
A scenario was run simulating units of the Army's V Corps fighting a 180-day major regional contingency in Southwest Asia. UltraLog's task was to propagate an operation plan (OPLAN); build an executable transportation plan; plan the sustainment of deploying units; and then, during a simulated execution of the scenario, accept and propagate changes to the OPLAN and revise the transportation and sustainment plans accordingly. All of this was to be accomplished with minimal loss of function while independent assessors attacked the system by such means as cutting or reducing communications, limiting available computer processing and memory, and conducting a variety of IW assaults.
With the testing infrastructure in place, UltraLog security functionality was assessed using a combination of distinct structured experiments and a variety of Red Team hacker attacks. The attacks were designed to probe the ability of UltraLog's multiple security defenses to preserve the confidentiality and integrity of its logistics functions against real-world threats based on the concept of operations scenario. Emphasis was placed on determining if the defense performed as expected and what the likely impact of the success or failure of the defense would be on the resulting logistics plan. A sample of these experiments follows.
Invalid User Log-in
This experiment tested if an unauthorized user could gain entry into the UltraLog system. It involved a nonexistent user with a bad password, a valid user with a bad password, and a valid user with a bad certificate.
UltraLog successfully prevented the breach of this "first-line" security defense. The logistics functionality of the system was protected by successfully deflecting unauthorized users at the log-in screen. This defense is particularly important in a deployed and distributed system, where it may be relatively easy for an unauthorized user to gain access to a processor running an operational UltraLog logistics system.
A trusted user operating as an enemy agent or working with other malicious intentions can be extremely damaging to military operations. Compartmentalizing access to systems and data is a fundamental mechanism for limiting potential damage. An UltraLog user has defined levels of access to various UltraLog services. In an operational context, these levels of access would be used to define the roles of maintenance and supply technicians, logistics planners, and decision and approval authorities at different levels in the chain of command.
The purpose of this experiment was to determine if a user would be allowed access to functions for which permission had not been granted. A valid user with a valid password logged in and attempted to access several unauthorized services. Access to these services was successfully denied in every instance. The runs were repeated with the user attempting to access resources for which use was authorized. In these runs, the user was able to access the authorized services. These experiments were repeated using authenticating certificates, and again the user gained only the appropriate level of access. Messages were generated advising security managers of the attempt to access unauthorized functions. This combination of successful deflection of access and generation of alerts provided a sufficient defense against unauthorized access.
A series of experiments was performed on controlling the transmission of information and instructions between agents. UltraLog agents, whether physical agents such as a combat or support unit or UltraLog functional agents such as the security manager, are required to perform specific tasks with specific communications requirements. Policy establishes with whom an agent may communicate and the nature of that communication. From an operational perspective, this ensures that communications are limited to what is needed and that commands and instructions flow correctly along the military and logistics chains of command. These experiments demonstrated the following successes:
• Agents were prevented from sending messages prohibited by policy. In the experimental runs, UltraLog successfully stopped the message on the sender's node and the message was not delivered to the intended recipient. Security messages were generated documenting the attempted transmission of a message in violation of policy. Operationally, this defense could be used to isolate military units that display suspicious behavior or to compartmentalize the force structure so that the impact of a rogue agent can be limited to a subset of correspondent agents. ["Correspondent agents" are a group of agents with which the bad agent communicates.]
• Agents were prevented from sending disallowed directives. Messages may contain directives that ask or direct that something be done. Policy determines which directives an agent may use and which are prohibited. For example, it might be inappropriate for a signal company to direct that a transportation company move a tank from one location to another. Based on the experimental data, UltraLog's access control service on the send side enforced policies that specify the directives an agent is allowed to send. Operationally, this prohibits a military unit from issuing orders without appropriate authority.
• Receivers rejected disallowed directives. This experiment examined the situation that occurs when a compromised agent successfully sends a message with disallowed directives and determined if the receiving agent detected and rejected the prohibited message. In the experimental runs, the message access control service successfully prevented agents from receiving messages containing disallowed directives.
• Receivers rejected disallowed messages. This experiment examined what happens when a compromised agent successfully sends a disallowed message and determined if the receiving agent detected and rejected the prohibited message. The experiment demonstrated that UltraLog agents detected, rejected, and reported when messages disallowed by policy were received. Operationally, this defense effectively isolated a military unit from a rogue agent trying to transmit damaging instructions or orders.
• Unsigned or improperly signed messages were rejected. Operational decisions rely on the accuracy of information contained in incoming transmissions. In UltraLog, information integrity is ensured in part by the digital signature that accompanies incoming messages. This experiment assessed whether target agents accepted or rejected unsigned messages. Policy was modified by Red Team hackers so that the agents of one unit transmitted messages without signatures. UltraLog agents successfully rejected 731 of 731 unsigned messages. UltraLog successfully defended against agents receiving and accepting messages of questionable origin. From an operational perspective, logistics functions were protected.
Unsigned or Improperly Signed Code Modules
It is essential that code that is introduced into a deployed and functioning information system be from a trusted source. The ability of an adversary to insert malicious code can be extremely damaging; in UltraLog, this ability could completely compromise operational and logistics functionality. Only code that contains the digital signature of someone known and trusted is supposed to be accepted and loaded into UltraLog. This experiment demonstrated that UltraLog was able to prevent the loading of code that was not accompanied by a trusted digital signature.
Adaptable Security Posture
In the event of multiple security violations, UltraLog is designed to sense the increased security threat environment, increase the threat condition level, and modify security defenses appropriately for the new threat environment. A series of experiments was conducted involving multiple attacks against the system. These attacks included multiple invalid log-ins, invalid and unsigned message transmissions, and invalid code insertions. In each case, UltraLog detected and prevented the disallowed activity, generated alert messages, and increased the system's security posture in response to the heightened threat. The policy enforcement infrastructure also rebuffed denial-of-service attacks by limiting the system interfaces available for attack.
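The message-control experiments above (send-side and receive-side policy checks on correspondents and directives, rejection of unsigned or improperly signed messages, alerts to the security manager) and the posture escalation described in this section, as an added illustration that is not UltraLog's own code: the unit names, policy tables, three-level posture scale and escalation threshold are constructed, and HMAC-SHA256 stands in for the digital signature.

```python
import hashlib, hmac
from dataclasses import dataclass, field

# Constructed policy tables with hypothetical unit names (not UltraLog's own policy format):
# which sender/recipient pairs may correspond, and which directives each sender may issue.
COMM_POLICY = {("supply-co", "trans-co"), ("trans-co", "supply-co"), ("signal-co", "supply-co")}
DIRECTIVE_POLICY = {"supply-co": {"REQUEST_MOVE", "REPORT_STATUS"},
                    "trans-co": {"MOVE_ASSET", "REPORT_STATUS"}, "signal-co": {"REPORT_STATUS"}}
# Per-unit keys; HMAC-SHA256 stands in for the digital signature (an assumption of this example).
KEYS = {"supply-co": b"k-supply", "trans-co": b"k-trans", "signal-co": b"k-signal"}
ESCALATE_AFTER = 3  # violations seen by a node before it raises its threat condition (constructed)

@dataclass
class Message:
    sender: str
    recipient: str
    directive: str
    body: str
    signature: bytes = b""

def payload(m):
    return f"{m.sender}|{m.recipient}|{m.directive}|{m.body}".encode()

def sign(m, key):
    m.signature = hmac.new(key, payload(m), hashlib.sha256).digest()
    return m

def verify(m):
    key = KEYS.get(m.sender)
    return bool(key) and hmac.compare_digest(m.signature, hmac.new(key, payload(m), hashlib.sha256).digest())

@dataclass
class Mediator:  # message protection service of one node: mediates outgoing and incoming traffic
    posture: int = 1  # threat condition level, 1 (normal) to 3 (constructed scale)
    violations: int = 0
    alerts: list = field(default_factory=list)
    isolated: set = field(default_factory=set)

    def check(self, m, side):  # side is "send" (originating node) or "recv" (target node)
        if m.sender in self.isolated:
            reason = "sender isolated"
        elif (m.sender, m.recipient) not in COMM_POLICY:
            reason = "correspondent not allowed by policy"
        elif m.directive not in DIRECTIVE_POLICY.get(m.sender, ()):
            reason = "directive not allowed by policy"
        elif side == "recv" and not verify(m):
            reason = "unsigned or improperly signed"
        else:
            return True
        self.violations += 1  # every rejection is reported to the security manager
        self.alerts.append(f"{side} {m.sender}->{m.recipient} {m.directive}: {reason}")
        if self.violations % ESCALATE_AFTER == 0 and self.posture < 3:
            self.posture += 1
        if self.posture == 3:  # at the highest posture the offending unit is cordoned off
            self.isolated.add(m.sender)
        return False

def deliver(sender_node, receiver_node, m):  # send-side check, then receive-side check
    return sender_node.check(m, "send") and receiver_node.check(m, "recv")
```

A disallowed message is stopped on the sender's node and never reaches the receiver's mediator, while an unsigned or altered message passes send-side policy and is rejected only on receipt, matching the two sides the experiments tested separately.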
Final Analysis of UltraLog Security
As a group, the tested UltraLog defenses provided significant protection from cyberattack. For the experiments conducted, all UltraLog defenses were rated "green" (acceptable) for completely or nearly completely defending against the intended attack. The overall security functionality of UltraLog was rated green in recognition that significant portions of the threat envelope had been effectively secured.
Improvements over previous years were noted in the areas of preventing unauthorized access to information, securing interagent communications, preventing malicious code insertion, and preventing unauthorized operations. Other enhancements demonstrated that the security services are scalable to support large distributed systems. Progress was made in controlling unauthorized access to data and processes operating in system memory.
Progress also was made in the system's ability to manage security policy and respond to changes in the threat environment. This included the development of templates that enhance the ability of policy administrators to specify and modify enforceable security policies. Overall, UltraLog's security policy framework and the specific policies tested successfully deflected hacker attacks.
As it nears the end of its development cycle, UltraLog has made significant strides in building a security infrastructure sufficient to protect distributed agent-based applications. Clearly, based on assessment-derived data, the integrity and confidentiality of the highly distributed logistics information systems envisioned for the modern battlefield can be protected, even from a determined adversary.
Commander James C. Workman, USN (Ret.), is employed by Los Alamos Technical Associates, Inc., in Sterling, Virginia. He holds a B.S. degree in financial management from the University of Oregon and an M.S. degree in financial management from the Naval Postgraduate School. Commander Workman served 20 years in the Navy Supply Corps, culminating in joint tours at the Office of the Secretary of Defense and the Defense Logistics Agency.