DRAFT 1-6-20
Blending Cyber Effects into Live, Virtual and Constructive Simulation
April 29, 2020
Presenters: Stephen Lopez, Senior Program Manager; Daniel J. Lacks, PhD, Chief Scientist
With help from
Introduction
• A cursory look at commonly used LVC training simulators and toolkit websites and product brochures surprisingly did not include the word “cyber” [1-12].
• Many of these tools provide some form of cyber features or the ability to train cyber despite not advertising it.
Have we not prioritized cyber training for…
• Command staff training whose adversaries use network-centric digital tactical communications, situational awareness, and planning equipment?
• Using, disseminating, or protecting data that could compromise your security or combat effectiveness?
• Intelligence collection, fusion and analysis?
• Tactical operations that rely on digital systems?
• Maintaining digital or networked/networking equipment?
• Staff that operates with cyber defense and offense teams in a kinetic environment (CEMA)?
• Engaging adversaries using digital or networked equipment?
• Training cyber hygiene is just the beginning; take training to the next level by including kinetic and non-kinetic effects in your LVC exercises.
Why Train Cyber?
• Cyber training is not just how to conduct defensive and offensive cyber operations. It also includes the impacts of stimulating and being affected by cyber actions.
Cyber Actions
• Defensive Cyber Operations
• Offensive Cyber Operations
• Incident Response
• Auditing
• Forensics
• Intelligence
• Planning, Policy, and Leadership
Kinetic and Non-Kinetic Effects
• Delay or Deny C2
• Distract and Deter
• Corrupt and Disrupt
• Fail Equipment
• Cause Fratricide
• Delay Logistics
• Forge Information
• Cause Civil Unrest
• Influence Decisions
• Fail Communications
• Fail Sensor
• Lower Morale
Need to train…
• How to identify
• How to report
• How to react
• How to prevent and defend against impacts
• How to prepare and monitor
• How to find vulnerabilities
• How to cause cyber actions and exploit kinetic effects
• How to prioritize
Echelon-Based Challenges to Cyber Training
• The operational concept for how cyber missions are controlled and executed makes tactical-level LVC interoperability challenging.
TODO: Include a graphic of the echelons where kinetic LVC training focuses, juxtaposed against where operational cyber exists.
Classifying Cyber Training Within an LVC Context
• TODO: Compare and contrast “Kinetic LVC” to “Cyber LC”
Simulation Type: Live
  Kinetic M&S use case: A real tank on a training range. The primary user interface is the actual tank controls.
  Cyber M&S use case: Real OCO or DCO tactical kit (HW and SW) operating within a cyber range. Inclusive of virtualized instances of physical devices.
Simulation Type: Virtual
  Kinetic M&S use case: A tank simulator with a physical or virtual user interface executing in a simulated 3D graphical environment.
  Cyber M&S use case: Emulated OCO or DCO tactical kits operating within a cyber range. *Emulated tactical kits offer no training value over operational equipment, and other similarities make this redundant to the live domain.
Simulation Type: Constructive
  Kinetic M&S use case: A computer generated forces (CGF) simulation of a tank unit operating on a virtual terrain with a desktop-based point and click interface.
  Cyber M&S use case: Software models that represent or enable cyber operations. Includes automated BLUFOR and OPFOR models, user emulation, traffic generation, etc.
Approach to Train Cyber in LVC?
• NATO MSG-170 offers an approach to introduce cyber effects into C2 simulation, including kinetic and non-kinetic effects, through interoperability. This research suggests a similar approach for an LVC environment.
• Model Cyber, Kinetic, and Non-Kinetic Effects (NKE)
  • Build kinetic and NKE effects into existing tools
• Interoperate
  • Interoperate with cyber action tools to stimulate the kinetic effects and impact the cyber actions
• Implement Cyber Terrain
  • The systems, devices, protocols, data, software, processes, cyber personas, and other networked entities that comprise, supervise, and control cyberspace
  • Identify advantages for either side
  • Link to mission objectives
  • Bounded by time
• Figure out the fidelity needed; interoperate to address gaps
Cyber Kinetic Effects Integration (CKEI)
• CKEI is a 2016 example of effectively integrating CERT’s STEPfwd cyber simulator with the VBS3 and CyberSAF/OneSAF kinetic simulators.
• CKEI shows the outcome of modeling complex cyber and kinetic operations using a simple interoperability approach with only three elements in the data model to conduct a variety of missions:
  • The system being changed
  • The cyber state of the system
  • The new value of the change
• Hostage rescue scenario trains assessing cyber terrain, accessing physical facilities, cyber attacking infrastructure and modeling the impacts in the kinetic world, avoiding detection at enemy checkpoints, defending friendly networks and intel assets, defending communications systems, and more.
• The training objectives include improved communications between kinetic and cyber forces, realizing the impacts of SCADA attacks, advantages to capturing video feeds, and improving combat power and effectiveness with cyber operations.
• A gap exists for negotiating cyber terrain pre-exercise.
[Figure: CKEI integration diagram. Labels: Kinetics modeled in VBS3; CyberSAF/OneSAF; SCADA systems modeled in STEPfwd; data model elements System, State, Value; Video Feeds; SQL Injection]
Distributed Interactive Simulation (DIS)
• An industry standard LVC data model exists to interoperate cyber using DIS IEEE Std 1278.1-2012 PDUs:
  • Information Operations Action
  • Information Operations Report
• Influence, disrupt, corrupt, or otherwise affect enemy information and decision making while protecting friendly information operations
• The specification includes approaches to defining the interoperability business logic for IO attackers and targets
• Compared to CKEI:
  • Includes all CKEI elements plus more IO actions
  • Reports ground and perceived truth
  • The same gap exists for negotiating cyber terrain pre-exercise
• Information Operations (IO) include these Warfare Type Enumerations:
  • Electronic Warfare (EW)
  • Computer Network Operations (CNO)
  • Psychological Operations (PSYOPS)
  • Military Deception (MILDEC)
  • Operations Security (OPSEC)
  • Physical Attack
  • No Attack
• IO Action Type to identify if attacking data or computers
• Temporal parameters to define when the attack profile and effects start and end
• IO Effects indicate states such as denial, degraded, disrupted
Example DIS Cyber IO Action Interactions
(Two-column sequence from the slide: kinetic simulator events and cyber action simulator events in the order shown; “IO Action - …” marks the DIS IO Action PDU exchanged between the two simulators.)
Kinetic Simulator
• Special Forces maneuver to Landing Zone
• Special Forces launch UAV
• UAV captures video of enemy patrol
• Special Forces plan route to hostage
• Street lights disabled, Special Forces move
• Updated SA, Special Forces change course
• Special Forces arrive, stay on alert
• Special Forces don night vision goggles
• Special Forces enter building, engage enemy
• Network closet collaterally damaged
• Special Forces kill enemies, rescue hostage
Cyber Action Simulator
• Doxxing operation exposes PII
• PII used to crack password
• Access gained to power plant network
• Controls compromised, power disabled
• IO Action - MILDEC (RED Attack, BLUE Defend): UAV feed
• Access gained to warehouse network
• IO Action - CNO: Warehouse camera feed extracted
• IO Action - MILDEC / IO Action - CNO: Building layout and hostage location shown; SCADA compromised
• IO Action - MILDEC: Warehouse lights out
• Monitor camera feeds, provide SA
• IO Action - MILDEC / IO Action - MILDEC: Camera feeds denied to RED and BLUE
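The following is an added worked example, not code from CKEI, DIS or this presentation. It bridges the CKEI data model (system, cyber state, new value) and the DIS IO Action ideas on the previous slides (warfare type enumeration, start/end temporal parameters, ground versus perceived truth) with the kind of sequence shown above: a cyber action simulator serializes an IO action, the kinetic simulator decodes it and derives the state of its systems at a given time. The byte layout, the `IOAction`/`KineticWorld` names, the numeric enumeration values and the rule that a MILDEC effect is invisible to the side it targets are assumptions of this example, not the IEEE 1278.1-2012 PDU layout or its business logic; the scenario in `demo()` is constructed loosely after the slide.

```python
from dataclasses import dataclass
from enum import IntEnum
import struct


class WarfareType(IntEnum):
    # Names follow the slide's DIS warfare type list; numeric values are assumed.
    NO_ATTACK = 0
    EW = 1
    CNO = 2
    PSYOPS = 3
    MILDEC = 4
    OPSEC = 5
    PHYSICAL_ATTACK = 6


class Effect(IntEnum):
    # IO effect states named on the slide, ordered from least to most severe.
    NOMINAL = 0
    DEGRADED = 1
    DISRUPTED = 2
    DENIED = 3


SIDES = ("BLUE", "RED")

# Assumed wire layout for this example only (network byte order):
# site u16, application u16, entity u16, attacker u8, warfare u8, effect u8,
# start u32, end u32, then a u8 length prefix and the UTF-8 system name.
_FIXED = struct.Struct("!HHHBBBII")


@dataclass(frozen=True)
class IOAction:
    entity: tuple          # DIS-style (site, application, entity) triple
    system: str            # CKEI element 1: the system being changed
    attacker: str          # side that launched the action: "RED" or "BLUE"
    warfare: WarfareType   # DIS warfare type enumeration
    effect: Effect         # CKEI elements 2/3: the new cyber state of the system
    start: int             # temporal parameters: effect is active in [start, end)
    end: int

    def encode(self) -> bytes:
        name = self.system.encode("utf-8")
        if len(name) > 255:
            raise ValueError("system name too long for the u8 length prefix")
        fixed = _FIXED.pack(*self.entity, SIDES.index(self.attacker),
                            self.warfare, self.effect, self.start, self.end)
        return fixed + bytes([len(name)]) + name

    @classmethod
    def decode(cls, buf: bytes) -> "IOAction":
        # Reject short or inconsistent messages instead of applying a partial effect.
        if len(buf) < _FIXED.size + 1:
            raise ValueError("truncated header")
        site, app, ent, side, wt, eff, start, end = _FIXED.unpack_from(buf)
        n = buf[_FIXED.size]
        name = buf[_FIXED.size + 1:_FIXED.size + 1 + n]
        if len(name) != n:
            raise ValueError("truncated system name")
        if side >= len(SIDES):
            raise ValueError("unknown side")
        if end < start:
            raise ValueError("effect ends before it starts")
        return cls((site, app, ent), name.decode("utf-8"), SIDES[side],
                   WarfareType(wt), Effect(eff), start, end)


class KineticWorld:
    """Kinetic-simulator side: turns received IO actions into system states."""

    def __init__(self):
        self.actions = []

    def submit(self, raw: bytes) -> IOAction:
        action = IOAction.decode(raw)   # the cyber simulator sends bytes
        self.actions.append(action)
        return action

    def _active(self, now: int):
        return [a for a in self.actions if a.start <= now < a.end]

    def ground_truth(self, now: int) -> dict:
        """Worst active effect per system at time `now` (what really happened)."""
        state = {}
        for a in self._active(now):
            state[a.system] = max(state.get(a.system, Effect.NOMINAL), a.effect)
        return state

    def perceived_truth(self, side: str, now: int) -> dict:
        """What `side` believes. Example rule: a MILDEC effect launched by the
        other side is not perceived by its target; every other effect is observed."""
        state = {}
        for a in self._active(now):
            if a.warfare is WarfareType.MILDEC and a.attacker != side:
                continue
            state[a.system] = max(state.get(a.system, Effect.NOMINAL), a.effect)
        return state


def demo() -> KineticWorld:
    """Constructed sequence: RED disables the street lights (CNO), RED deceives
    the warehouse camera feed (MILDEC), then physical damage to the network
    closet denies the feed to everyone (PHYSICAL_ATTACK)."""
    world = KineticWorld()
    sent = [
        IOAction((1, 1, 7), "street_lights", "RED", WarfareType.CNO, Effect.DENIED, 0, 60),
        IOAction((1, 1, 9), "camera_feed", "RED", WarfareType.MILDEC, Effect.DEGRADED, 10, 40),
        IOAction((1, 1, 9), "camera_feed", "BLUE", WarfareType.PHYSICAL_ATTACK, Effect.DENIED, 40, 100),
    ]
    for action in sent:
        world.submit(action.encode())   # round-trips through the wire format
    return world


if __name__ == "__main__":
    w = demo()
    print("ground truth @20:", w.ground_truth(20))
    print("BLUE perceives @20:", w.perceived_truth("BLUE", 20))
```

The point of keeping `ground_truth` and `perceived_truth` separate is the DIS distinction on the previous slide: an after-action review compares what each side believed against what the cyber simulator actually did, and the temporal window is what lets a kinetic simulator expire an effect without a second message.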
Mapping Cyber Terrain
• DIS and CKEI have procedural gaps mapping cyber terrain a priori to simulating
• One possible approach to solve this is to reuse the OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA) language
• TOSCA defines the syntax for a “YAML Ain’t Markup Language” (YAML) file that cyber action simulators and cyber training ranges can use to create cyber terrain for L, V, or C simulation
• TOSCA defines various topology elements in YAML format; examples include:
  • Compute power and its attributes (IP addresses, ports, etc.) and capabilities (CPU, disk, memory, operating system, etc.)
  • Software installations (host type (database server, WordPress), versions, usernames, passwords, links to shell scripts (for configuration), etc.)
  • Content deployment (i.e. how to populate a database)
  • Custom software services with properties and compute requirements
  • Subsystems define details for constructing elements of an IT architecture by specifying requirements and capabilities
  • Vendor and non-vendor specific service components may be specified (i.e. firewall rules)
• TOSCA defines relationships (WordPress connects to a specific database)
• Attributes may be created, for example, to map DIS EntityIDs to attribute_names
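As an added example (not OASIS, DIS or this project's code), the block below shows how a TOSCA-style topology could carry the DIS EntityID mapping the slide proposes and how a kinetic simulator would use it. `TERRAIN` mirrors the keys of a TOSCA Simple Profile service template (`tosca_definitions_version`, `node_types`, `topology_template`/`node_templates` with `type`, `properties`, `capabilities`, `requirements` and `attributes`) but is written as a Python literal so it runs without a YAML library; the node names, addresses, credentials, the custom `terrain.nodes.Compute` type with its `dis_entity_id` attribute and the helper functions are all constructed for this example. The functions answer the question a kinetic-cyber bridge needs answered: which software is hosted on a given DIS entity, and what loses service (through `host` and `ConnectsTo` requirements) when that entity is destroyed.

```python
# Constructed cyber terrain in the shape of a TOSCA Simple Profile template.
TERRAIN = {
    "tosca_definitions_version": "tosca_simple_yaml_1_3",
    "node_types": {
        # Custom type: a TOSCA Compute node that also carries a DIS EntityID (assumption).
        "terrain.nodes.Compute": {
            "derived_from": "tosca.nodes.Compute",
            "attributes": {"dis_entity_id": {"type": "string"}},
        },
    },
    "topology_template": {
        "node_templates": {
            "warehouse_server": {
                "type": "terrain.nodes.Compute",
                "attributes": {"dis_entity_id": "1.1.9", "private_address": "10.20.0.5"},
                "capabilities": {
                    "host": {"properties": {"num_cpus": 2, "mem_size": "4 GB"}},
                    "os": {"properties": {"type": "linux", "distribution": "ubuntu"}},
                },
            },
            "portal_server": {
                "type": "terrain.nodes.Compute",
                "attributes": {"dis_entity_id": "1.1.12", "private_address": "10.20.0.8"},
            },
            "camera_dbms": {
                "type": "tosca.nodes.DBMS",
                "properties": {"port": 5432},
                "requirements": [{"host": "warehouse_server"}],
            },
            "camera_db": {
                "type": "tosca.nodes.Database",
                "properties": {"name": "cameras", "user": "cam_ro", "password": "example-only"},
                "requirements": [{"host": "camera_dbms"}],
            },
            "web_server": {
                "type": "tosca.nodes.WebServer",
                "requirements": [{"host": "portal_server"}],
            },
            "camera_portal": {
                "type": "tosca.nodes.WebApplication",
                "requirements": [
                    {"host": "web_server"},
                    # TOSCA long form: relationship WordPress-style "connects to a database"
                    {"database_endpoint": {"node": "camera_db",
                                           "relationship": "tosca.relationships.ConnectsTo"}},
                ],
            },
        },
    },
}


def _requirements(template):
    """Yield (requirement_name, target_node) from a TOSCA requirements list,
    accepting both the short form `- host: x` and the long form with `node:`."""
    for req in template.get("requirements", []):
        for name, target in req.items():
            yield name, (target["node"] if isinstance(target, dict) else target)


def derives_from(type_name, base, node_types):
    """True if `type_name` is `base` or is derived from it via node_types."""
    while type_name is not None:
        if type_name == base:
            return True
        type_name = node_types.get(type_name, {}).get("derived_from")
    return False


def host_compute(name, terrain):
    """Follow `host` requirements down to the Compute node that runs `name`."""
    templates = terrain["topology_template"]["node_templates"]
    node_types = terrain.get("node_types", {})
    seen = set()
    while name not in seen:              # guard against a cyclic host chain
        seen.add(name)
        if derives_from(templates[name]["type"], "tosca.nodes.Compute", node_types):
            return name
        hosts = [t for r, t in _requirements(templates[name]) if r == "host"]
        if not hosts:
            return None
        name = hosts[0]
    return None


def entity_map(terrain):
    """Map each dis_entity_id attribute to the template nodes hosted on that entity."""
    templates = terrain["topology_template"]["node_templates"]
    result = {}
    for name in templates:
        compute = host_compute(name, terrain)
        if compute is None:
            continue
        eid = templates[compute].get("attributes", {}).get("dis_entity_id")
        if eid is not None:
            result.setdefault(eid, []).append(name)
    return {eid: sorted(nodes) for eid, nodes in result.items()}


def affected_by_entity(terrain, entity_id):
    """Nodes that lose service when the kinetic entity is destroyed: everything
    hosted on it plus anything that transitively requires one of those nodes."""
    templates = terrain["topology_template"]["node_templates"]
    affected = set(entity_map(terrain).get(entity_id, []))
    changed = True
    while changed:
        changed = False
        for name, tmpl in templates.items():
            if name not in affected and any(t in affected for _, t in _requirements(tmpl)):
                affected.add(name)
                changed = True
    return sorted(affected)


if __name__ == "__main__":
    print(entity_map(TERRAIN))
    print("destroying 1.1.9 affects:", affected_by_entity(TERRAIN, "1.1.9"))
```

Running the terrain through `affected_by_entity` before the exercise is one way to close the "negotiating cyber terrain pre-exercise" gap noted on the CKEI and DIS slides: both simulators can agree from the same template which EntityIDs map to which services, and which cyber effects a kinetic event should trigger.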
Recommend
More recommend