Blending Cyber Effects into Live, Virtual and Constructive Simulation
April 29, 2020
Presenters
Daniel J. Lacks, PhD, Chief Scientist
Stephen Lopez, Senior Program Manager
DRAFT 1-6-20
Introduction
• A cursory look at the websites and product brochures of commonly used LVC training simulators and toolkits surprisingly did not turn up the word “cyber” [1-12].
• Many of these tools provide some form of cyber features or the ability to train cyber despite not advertising it. Have we not prioritized cyber training for…
• Command Staff Training whose adversaries use network-centric digital tactical communications, situational awareness, and planning equipment?
• Using, disseminating, or protecting data that could compromise your security or combat effectiveness?
• Intelligence collection, fusion and analysis?
• Tactical operations that rely on digital systems?
• Maintaining digital or networked/networking equipment?
• Staff that operates with cyber defense and offense teams in a kinetic environment (CEMA)?
• Engaging adversaries using digital or networked equipment?
• Training cyber hygiene is just the beginning; take training to the next level by including kinetic and non-kinetic effects in your LVC exercises
Why Train Cyber?
• Cyber training is not just how to conduct defensive and offensive cyber operations. It also includes the impacts of stimulating and being affected by cyber actions.
• Need to train…
• How to identify
• How to report
• How to react
• How to prevent and defend
• How to prepare and monitor
• How to find vulnerabilities
• How to cause cyber actions and exploit kinetic effects
• How to prioritize
Cyber Actions
• Defensive Cyber Operations
• Offensive Cyber Operations
• Incident Response
• Auditing
• Forensics
• Intelligence
• Planning, Policy, and Leadership
Kinetic and Non-Kinetic Effects
• Delay or Deny C2
• Distract and Deter
• Corrupt and Disrupt
• Fail Equipment
• Cause Fratricide
• Delay Logistics
• Forge Information
• Cause Civil Unrest
• Influence Decisions
• Fail Communications
• Fail Sensor
• Lower Morale
Echelon Based Challenges to Cyber Training
• The operational concept for how cyber missions are controlled and executed makes tactical level LVC interoperability challenging
TODO Include a graphic of echelons where kinetic LVC training focuses juxtaposed against where operational
Classifying Cyber Training Within an LVC Context
• TODO Compare and contrast “Kinetic LVC” to “Cyber LC”
| Simulation Type | Kinetic M&S Use Case | Cyber M&S Use Case |
|---|---|---|
| Live | A real tank on a training range. Primary user interface is the actual tank controls | Real OCO or DCO tactical kit (HW and SW) operating within a cyber range. Inclusive of virtualized instances of physical devices |
| Virtual | A tank simulator with physical or virtual user interface executing in simulated 3D graphical environment | Emulated OCO or DCO tactical kits operating within a cyber range* |
| Constructive | A computer generated forces (CGF) simulation of a tank unit operating on a virtual terrain with a desktop based point and click interface | Software models that represent or enable cyber operations. Includes automated BLUFOR and OPFOR models, user emulation, traffic generation, etc. |

*Emulated tactical kits offer no training value over operational equipment, and other similarities make this redundant to the live domain
Approach to Train Cyber in LVC?
• NATO MSG-170 offers an approach to introduce cyber effects into C2 simulation including kinetic and non-kinetic effects through interoperability. This research suggests a similar approach for an LVC environment.
• Model Cyber, Kinetic, and Non-Kinetic Effects (NKE)
• Build kinetic and NKE effects into existing tools
• Interoperate
• Interoperate with cyber action tools to stimulate the kinetic effects and impact the cyber actions
• Implement Cyber Terrain
• The systems, devices, protocols, data, software, processes, cyber personas, and other networked entities that comprise, supervise, and control cyberspace
• Identify advantages for either side
• Link to mission objectives
• Bounded by time
• Figure out the fidelity needed, interoperate to address gaps
Cyber Kinetic Effects Integration (CKEI)
• CKEI is a 2016 example of effectively integrating CERT’s STEPfwd cyber simulator with the VBS3 and CyberSAF/OneSAF kinetic simulators
• CKEI shows the outcome of modeling complex cyber and kinetic operations using a simple interoperability approach whose data model needs only three elements to conduct a variety of missions:
• The system being changed
• The cyber state of the system
• The new value of the change
• Hostage rescue scenario trains assessing cyber terrain, accessing physical facilities, cyber attacking infrastructure and modeling the impacts in the kinetic world, avoiding detection at enemy checkpoints, defending friendly networks and intel assets, defending communications systems, and more.
• The training objectives include improved communications between kinetic and cyber forces, realizing the impacts of SCADA attacks, the advantages of capturing video feeds, and improving combat power and effectiveness with cyber operations
• Gap exists for negotiating cyber terrain pre-exercise
[Figure: SCADA systems modeled in STEPfwd; kinetics modeled in VBS3 and CyberSAF/OneSAF. Labels: System, State, Value; SQL Injection; Video Feeds]
Distributed Interactive Simulation (DIS)
• An industry standard LVC data model exists to interoperate cyber using DIS IEEE Std 1278.1-2012 PDUs
• Information Operations Action
• Information Operations Report
• Influence, disrupt, corrupt, or otherwise affect enemy information and decision making while protecting friendly information operations
• The specification includes approaches to defining the interoperability business logic for IO attackers and targets
• Compared to CKEI:
• Includes all CKEI elements plus more IO actions
• Reports ground and perceived truth
• The same gap exists for negotiating cyber terrain pre-exercise
• Information Operations (IO) include these Warfare Type Enumerations:
• Electronic Warfare (EW)
• Computer Network Operations (CNO)
• Psychological Operations (PSYOPS)
• Military Deception (MILDEC)
• Operations Security (OPSEC)
• Physical Attack
• No Attack
• IO Action Type to identify if attacking data or computers
• Temporal parameters to define when the attack profile and effects start and end
• IO Effects indicate states such as denial, degraded, disrupted
Example DIS Cyber IO Action Interactions
[Figure: sequence diagram with two columns, Cyber Action Simulator and Kinetic Simulator, connected by arrows labeled “IO Action - MILDEC” and “IO Action - CNO”. Step labels, in the order they were extracted:]
• Doxxing operation exposes PII
• PII used to crack password
• Access gained to power plant network
• Controls compromised, power disabled
• Special Forces maneuver to Landing Zone
• Special Forces launch UAV
• UAV captures video of enemy patrol
• Special Forces plans route to hostage
• Street lights disabled, Special Forces move
• RED Attack, BLUE Defend UAV feed
• Updated SA, Special Forces change course
• Access gained to warehouse network
• Warehouse camera feed extracted
• Special Forces arrive, stay on alert
• Building layout and hostage location shown
• Special Forces don night vision goggles
• SCADA compromised
• Warehouse lights out
• Special Forces enter building, engage enemy
• Monitor camera feeds, provide SA
• Network closet collaterally damaged
• Special Forces kill enemies, rescue hostage
Mapping Cyber Terrain
• DIS and CKEI have procedural gaps in mapping cyber terrain before the simulation starts
• One possible approach to solve this is to reuse the OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA) Language
• TOSCA defines the syntax for a “YAML Ain’t Markup Language” (YAML) file that cyber action simulators and cyber training ranges can use to create cyber terrain for L, V, or C simulation
• TOSCA defines various topology elements in YAML format, examples include:
• Compute power and its attributes (IP addresses, ports, etc.) and capabilities (CPU, disk, memory, operating system, etc.)
• Software installations (host type (database server, WordPress), versions, usernames, passwords, links to shell scripts (for configuration), etc.)
• Content Deployment (i.e. how to populate a database)
• Custom software services with properties and compute requirements
• Subsystems define details for constructing elements of an IT architecture by specifying requirements and capabilities
• Vendor and non-vendor specific service components may be specified (i.e. firewall rules)
• TOSCA defines relationships (WordPress connects to a specific database)
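A minimal cyber terrain description using the topology elements listed above, as an added example that is not from the original presentation. Node type names come from the OASIS TOSCA Simple Profile in YAML (the WordPress type is one of its non-normative examples); template names, sizes, versions and the script path are constructed for illustration.

```yaml
tosca_definitions_version: tosca_simple_yaml_1_3
description: Constructed cyber terrain for one WordPress site and its database on a single server.

topology_template:
  inputs:                      # credentials are supplied at deploy time, not stored here
    db_user: { type: string }
    db_pwd: { type: string }
    db_root_pwd: { type: string }

  node_templates:
    server:                    # compute power and its capabilities
      type: tosca.nodes.Compute
      capabilities:
        host:
          properties: { num_cpus: 2, disk_size: 20 GB, mem_size: 4 GB }
        os:
          properties: { architecture: x86_64, type: linux, distribution: ubuntu, version: 18.04 }

    webserver:                 # software installations hosted on the server
      type: tosca.nodes.WebServer
      requirements:
        - host: server

    dbms:
      type: tosca.nodes.DBMS
      properties: { root_password: { get_input: db_root_pwd }, port: 3306 }
      requirements:
        - host: server

    site_db:
      type: tosca.nodes.Database
      properties:
        name: site_content
        user: { get_input: db_user }
        password: { get_input: db_pwd }
        port: 3306
      requirements:
        - host: dbms
      interfaces:
        Standard:
          configure: scripts/populate_site_db.sh   # content deployment (hypothetical script)

    wordpress:
      type: tosca.nodes.WebApplication.WordPress  # non-normative type from the spec's examples
      requirements:
        - host: webserver
        - database_endpoint: site_db              # relationship: WordPress connects to this database

  outputs:
    server_ip: { value: { get_attribute: [ server, private_address ] } }
```

Because the same file can be handed to a cyber range orchestrator and to a simulator, both sides start the exercise with the same list of systems, which is the pre-exercise alignment the CKEI and DIS slides identify as a gap.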
Takeaways
• CKEI shows that effective kinetic and cyber interoperability does not have to be complicated
• NATO MSG-170 is a standard to enable modeling cyber effects, attacks, and countermeasures between simulation and C2 systems. In seeking a parallel LVC standard, an industry standardized data model exists to link cyber effects with kinetic and NKE actions using DIS IO Action and report SA using IO Report PDUs.
• The MSG-170 data model is compatible with DIS IO PDUs. High Level Architecture (HLA) and other interoperability approaches are also possible.
• The M&S industry needs to step up to implement kinetic and non-kinetic effects within its simulators/tools and interoperate with cyber action simulators
• M&S simulators will be viable and critical when used in cyber training ranges to expand the scope of cyber training to practical operations
• Industry still needs to solve the gap for aligning cyber terrain pre-exercise
• OASIS TOSCA may provide a viable approach to create cyber terrain in simulators and ranges