Blending Cyber Effects into Live, Virtual and Constructive Simulation - - PDF document

IT2EC 2020 Blending Cyber Effects into Live, Virtual and Constructive Simulation Cyber Training

Blending Cyber Effects into Live, Virtual and Constructive Simulation

Daniel J. Lacks, PhD1, Stephen Lopez-Couto2, Kevin Hofstra3

1 Chief Scientist, Cole Engineering Services, Inc., Orlando, Florida, USA 2 Senior Program Manager, Cole Engineering Services, Inc., Orlando, Florida, USA 3 Chief Technology Officer, By Light Professional Services, Inc., Denver, CO, USA

Abstract — US DoD Multi Domain Operations include cyber operations, yet the same integration of cyber and kinetic forces within military M&S training systems is limited. Problems exist not only representing and integrating cyber effects within current M&S systems, but also with training soldiers using computer models tuned for kinetic

• interactions. This work examines integrating cyber operations into LVC training operations by focusing on cyber

terrain, modeling, and interoperability. We discuss the DIS Standard Information Operations Protocol Data Unit (IO PDU) and the Cyber Kinetic Effects Integrator (CKEI) approach. With the popularization of the Digital Twin concept, digitizing the cyber terrain representation as a realistic simulated battlefield offers a promising and efficient way to integrate capabilities for training and mission rehearsal. M&S tools import commercial software network topology formats to create Digital Twin network topologies. The OASIS TOSCA standard may be a foundation for a future M&S cyber terrain standard.

1 Background

US DoD Multi Domain Operations (MDO) include cyber

• perations, yet the same integration of cyber and kinetic

forces within military Modeling and Simulation (M&S) training systems is limited. Problems exist not only representing and integrating cyber effects within current M&S systems, but also with training soldiers using computer models tuned for kinetic interactions. There is a lack of modelling non-kinetic interactions and their effects

• n kinetic actions and performance [1-12]. Cyber training

using virtualized “ranges” matured significantly in recent years, however they remain mostly segregated from the traditional M&S systems. Cyber training is applicable in different types of LVC training scenarios where digital and network-centric warfare are utilized:

• Command Staff Training whose adversaries use

network-centric digital tactical communications, situational awareness, and planning equipment.

• Using, disseminating, or protecting data that could

compromise your security or combat effectiveness.

• Intelligence collection, fusion and analysis
• Tactical operations that rely on digital systems
• Maintaining

digital

• r

networked/networking equipment.

• Staff that operates with cyber defense and offense

teams in a kinetic environment (CEMA).

• Engaging adversaries with digital or networked

equipment. The goal of this research is to inspire the exercise directors and scenario designers to take LVC training beyond basic cyber hygiene by including the impacts between cyber warfare and kinetic and non-kinetic effects. Within the US DoD, offensive cyber operations and the predominance of defensive cyber operations are conducted at the core or higher echelons; they are not tactical level

• resources. In a kinetic LVC training event, the

preponderance of the training audience operates at the tactical level (the L and V). The US Army’s CEMA concept aims to fill the gap between tactical and

• perational cyber, so LVC based training approaches to

satisfy these emerging operational concepts must be defined, and systems to provide the training must be developed. 1.1 A Definition of Cyber LVC Traditional kinetic training simulations are classified as a part of the Live, Virtual or Constructive domains based primarily on the equipment utilized, how the user interacts with the simulation and how the world is represented.

• Live Simulation: Utilizes operational equipment in a

physical location that is established for training. The terrain is the real world, with modifications to meet specific training objectives.

• Virtual Simulation: Utilizes a physical or virtual

simulator of a real system in a simulated virtual world.

• Constructive Simulation: Utilizes a software model
• f physical equipment in a computer simulated

environment. The level of detail of the software models, realism of

• pposing forces and targets, and other system specific

features can vary, but the terrain and physical interface utilized by the training audience defines the domain. Cyber M&S systems should be classified similarly, to aid event designers in the selection and utilization of tools for specific use cases. For cyber M&S, it is feasible to reduce the simulation domains to just two: Live and Constructive.

• Live Cyber Simulations: Utilize actual OCO and

DCO operational equipment (kit) in a virtual cyber range environment.

IT2EC 2020 Blending Effects Cyber into Live, Virtual and Constructive Simulation Cyber Training

• Constructive

Cyber Simulations: Utilize configurable models of OCO, DCO, user emulation, traffic generation, etc. Figure 2 discusses the interfaces utilized across the LVC domains in kinetic and cyber simulations.

• Fig. 2. Trainee interfaces to simulations across the LVC

domains in kinetic and cyber simulations

In the context of cyber simulations, it is feasible to merge the Live and Virtual domains. The purpose of virtual simulations in the kinetic space is to mitigate the need to utilize expensive, resource limited physical equipment and training ranges. Most operational cyber “equipment” is software, which can be replicated and utilized directly for training. Similarly, a cyber range is a collection of virtual computers and networks, not a physical piece of land. This negates any advantage that a virtual simulation provides over a live simulation in the cyber M&S domain. There are two additional distinctions that further blur the line between the Live and Virtual domains for cyber. A Live kinetic simulation typically operates on real world terrain that has been modified to meet specific training

• bjectives (such as MOUT sites), along with simulated

weapons (and sometimes, targets). A Live cyber simulation does not typically utilize real world terrain (in this case an operational network) since creating a duplicate representation in a virtual range environment offers a nearly identical experience to the trainee as the operational network in a much safer manner. This is not the case in kinetic simulations where there is no true replacement for the physical world. Further, while the use of simulated targets and weapons is typical in kinetic Live simulations, Live cyber simulations offer the ability to train using actual weapons (malware payloads) and target systems.

2 Research

2.1 Cyber Training Solutions applied to federating simulation and Command and Control (C2) systems using the North Atlantic Treaty Organization (NATO) Modeling and Simulation Group (MSG)-170 highlight that cyber training is a combination

• f modeling impacts between cyber actions and their

corresponding kinetic and non-kinetic effects (Fig. 1) [13]. Cyber actions are specific tactics and techniques cyber warriors use to conduct attacks, employ effects, and create

• countermeasures. Kinetic warfare is terminology used to

express lethal effects where as non-kinetic warfare expresses non-lethal or soft effects such as diplomacy and cyber [14]. Systems engineers in the multitude of M&S projects need to define how the interactions between cyber action simulators and kinetic and non-kinetic simulators impact each other as applicable to user requirements.

• Fig. 1. Effective cyber warfare training blends cyber actions

with kinetic and non-kinetic effects for all trainees.

2.2 Cyber Kinetic Effects Integrator (CKEI) Academia explored LVC cyber-kinetic interoperability and demonstrated it starting in 2016. Carnegie Mellon University’s Software Engineering Institute developed CKEI that prototyped interoperating the One Semi- Automated Forces (OneSAF) simulation in a configuration called CyberSAF to link the live Simulation, Training, and Exercise Platform (STEPfwd) cyber simulator and the constructive kinetic simulator. The successful prototype was also used for mission training by integrating STEPfwd with the Virtual Battlespace 3 (VBS3) virtual gaming

• simulator. CKEI allowed effects (like the triggering of an

alarm) to propagate across the two synthetic environments, allowing cyber warriors and warfighters to better understand what their counterparts bring to the fight. The CKEI interface identifies basic states of operations (operational, compromised, and disabled) so the techniques of the live cyber operators are not communicated over LVC protocols. This provides a simple mechanism to transmit cyber effects over a Cross Domain Solution (CDS) without having to expose sensitive information [15]. The lesson learned from CKEI research is that complex cyber, kinetic, and non-kinetic missions can be combined with a simple interoperability approach using only three mission elements in the data model: the system being changed, the cyber state of the system, and the new value

• f the change. For example, a webcam (the system) is

compromised (the state) and is turned off (the value). The exchange of those three data elements enables cyber actions to bidirectionally impact kinetic and non-kinetic warfare between simulators. 2.3 Distributed Interactive Simulation (DIS) Information Operations (IO) Protocol Data Units (PDUs)

IT2EC 2020 Blending Effects Cyber into Live, Virtual and Constructive Simulation Cyber Training The M&S industry develops interoperability solutions that span across LVC systems. A basis for including cyber interactions is included in the Distributed Interactive Simulation (DIS) IEEE 1278.1-2012 standard. This expansion moved the DIS standard (focused on maneuver, engagements, and communications) beyond communications for traditional kinetic modeling by introducing the IO Action and IO Report PDUs. The IO Action PDU expresses an IO effect on simulated communications systems and networks, reports an IO effect phase such as initiation or termination, or provides perceived truth of an IO attack. Data in the IO Action PDU includes identifier information, information about the attacking action, and an enumerated warfare type. Data in the IO Report PDU is similar, but it includes a report type to report on equipment status and the susceptibility to an IO attack. This information is an adequate foundation for an LVC exercise, and extends the CKEI data model, as it combines enumerated and free text values to guide both humans and simulators into modeling the effects of the warfare types, performing battle damage assessment and after action review activities, and specifying ground and perceived truth. 2.4 Cyber Terrain Representation

• Fig. 2. Cyber terrain is divided into planes for representation.

Cyber terrain is an area where the M&S industry currently lacks standardization in LVC systems. Cyber terrain includes elements that define the cyber battlefield such as networks, computers, firewalls, intrusion detection systems, servers, identity access management, etc. These elements may be further categorized into planes for representation (Fig. 2) [16, 17]. Commercial tools such as the EXata network simulation and emulation tool provide the capability to import Visio and Solar Winds network topologies to create Digital Twin replicas for training and mission rehearsal [18, 19]. The OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA) standard elaborates cloud provisioning elements which may assist the M&S industry in forming a standardized cyber terrain representation [20]. TOSCA defines various topology elements in YAML format, examples include:

• Compute power and its attributes (IP addresses,

ports, etc.) and capabilities (CPU, disk, memory,

• perating system, etc.).
• Software installations (host type (database server,

WordPress), versions, usernames, passwords, links to shell scripts (for configuration), etc.).

• Content Deployment (i.e. how to populate a

database).

• Custom software services with properties and

compute requirements.

• Subsystems define details for constructing elements
• f an IT architecture by specifying requirements and

capabilities.

• Vendor and non-vendor specific service components

may be specified (i.e. firewall rules).

• Engaging adversaries with digital or networked

equipment.

• TOSCA defines relationships (WordPress connects

to a specific database).

3 Approach

The LVC approach suggested requires modeling cyber, kinetic, and non-kinetic effects (NKE). Quite often these pillars are not modeled in enough detail within one simulator, thus it is necessary to interoperate between the

• simulators. Modeling may require building or expanding

existing kinetic effects and NKEs in existing simulators and tools. Interoperability, under this approach, is addressed into two ways. Interoperability during pre- exercise activities is achieved by aligning the cyber terrain using the TOSCA standard by defining the topology and mappings between the compute and network elements and their DIS counterparts. It is envisioned that a new cyber terrain capability would be introduced into existing pre- exercise scenario generation activities. The new capability would be developed to map new or existing federations ids to the cyber terrain features. Attributes may be created, for example, to map DIS EntityIDs which may represent a computer system to TOSCA attribute_names for that same

• system. It is anticipated at runtime and after-action review

that the mappings were already completed during pre- exercise activities so the training exercise can occur seamlessly when transitioning between pre-exercise, exercise, and after-action review. This approach is like mapping enumerations and ids between tools. The second aspect to interoperability is to use the DIS IO PDUs during simulation execution runtime. The interactions between simulators using these PDUs will, when desired, enable entity state transitions. For example, disabling a power grid may trigger military forces to clear a building. From the perspective of cyber warfare training, it is anticipated that the trainee learns that including cyber actions in a training scenario act as a force multiplier or skew parametric data due to the kinetic and non-kinetic effects imposed on the opposing force. Data may be collected and presented for after action review.

IT2EC 2020 Blending Effects Cyber into Live, Virtual and Constructive Simulation Cyber Training

• Fig. 3. An example hostage rescue scenario speculating

bidirectional impacts between cyber and kinetic simulators.

• Fig. 3 shows how an example hostage rescue scenario

may execute when interoperated between a cyber simulator and a kinetic simulator. The cyber action mission thread can be run independent of the kinetic simulator, and vice versa, at which point the interactions could be “magiced” or Master Scenario Event Listed (“MSELed”) in to achieve the simulated effect. However, a core feature of interoperable LVC training includes providing disparate teams the opportunity to train together in an MDO operation under the pressure of the real time

• clock. Time alignment of specific aspects of the mission

across domains is an objective of the training. Since most OCO and DCO activities require extended periods of time for activities such as recon, gaining and maintaining access, intrusion detection, etc., creative approaches to scenario generation must be utilized to enable operational alignment during actual event execution. Pertinent cyber events, such as extracting a webcam feed, provide intelligence to Special Forces units that leads to identification of enemy and hostage locations. This ultimately saves time and reduces the risk of the operation. In this scenario, the networking equipment is inadvertently destroyed by the enemy which disables situational awareness to the blue force cyber operators. Fortunately, this happens at about the same time the hostage is rescued, so the impact is minimal to the operation. In fact, it may ironically degrade the opposing force’s ability to react. This approach is compatible, and perhaps may be viewed as an initial step towards complying with NATO MSG-170. NATO MSG-170 offers approaches to interface simulations with C2 systems using standards such as Coalition-Battle Management Language (C- BML). MSG-170 offers a Cyber Reference Data Exchange Model (CyRDEM) which is compatible with High Level Architecture (HLA) and DIS IO PDUs. This research offers an approach to be compatible with DIS IO PDUs, is indifferent to using C-BML to interoperate with C2 systems and suggests using the TOSCA standard to define cyber terrain. Bespoke solutions to cyber-kinetic interoperability such as CyberBOSS should be considered to fully explore what this will add to traditional LVC simulation [13].

4 Conclusion

The CKEI project shows that effective kinetic and cyber interoperability does not have to be complicated. NATO MSG-170 is a standard that enables modeling cyber effects, attacks, and countermeasures between simulation and C2 systems. In seeking a parallel LVC standard, an industry standardized data model exists to link cyber effects with kinetic and NKE actions using DIS IO Action and report SA using IO Report PDUs. The MSG-170 data model is compatible with DIS IO PDUs and HLA [13]. The M&S industry needs to step up to implement kinetic and non-kinetic effects within its simulators/tools and interoperate with cyber action simulators. M&S simulators will be viable and critical when used in cyber training ranges to expand the scope of cyber training to practical operations. Industry still needs to solve the gap for aligning cyber terrain pre-exercise; the TOSCA standard may provide a viable approach. Solving these problems will help industry expand from training to experimentation, wargaming, and other use cases.

Acknowledgements

?

References

[1] VR-Forces Capabilities, VT-MAK, accessed Jan 3, 2020. https://www.mak.com/product- capabilities/830-vr-forces-4-7-capabilities/file [2] One Semi-Automated Forces (ONESAF), PEO- STRI, accessed Jan 3, 2020. https://www.peostri.army.mil/onesaf [3] VBS4 Virtual Training Force Multiplier, Bohemia Interactive Simulations, accessed Jan 3, 2020. https://www.bisimulations.com/sites/default/files/da ta_sheets/bisim_product_flyers_nov2019_vbs4_2.p df [4] MASA SWORD, Our Constructive Simulation with AI Controlled Units, Masa Group, accessed Jan 3, 2020. https://masasimulation.files.wordpress.com/2019/09 /sword-uk-recto-2019.pdf [5] FLAMES Simulation Framework, Ternion Corporation, accessed Jan 3, 2020. http://www.ternion.com/print/FLAMES- Constructive-Simulation-Framework-Brochure.pdf [6] Open and Urban Live Training Solutions, Thales, accessed Jan 3, 2020. https://www.thalesgroup.com/sites/default/files/data base/d7/asset/document/thales_tts_live_eng_hd.pdf? _ga=2.83483414.109533420.1578067397- 382242140.1578067397 [7] Command Staff Trainer Operational Readiness and Mission Rehearsal, Thales, Jan 3, 2020. https://www.thalesgroup.com/sites/default/files/data base/d7/asset/document/thales_tts_cst_eng_hd.pdf? _ga=2.83483414.109533420.1578067397- 382242140.1578067397 [8] Saggittarius Evolution Mobile System – Small Arms Training, Thales, accessed Jan 3, 2020. https://www.thalesgroup.com/sites/default/files/data base/d7/asset/document/thales_tts_sagittarius_eng_

IT2EC 2020 Blending Effects Cyber into Live, Virtual and Constructive Simulation Cyber Training hd.pdf?_ga=2.83483414.109533420.1578067397- 382242140.1578067397 [9] HMI and Virtual Maintenance Training, DiSTI, accessed Jan 3, 2020. https://disti.com/ [10] Virtual Maintenance Training Home, DiSTI, accessed Jan 3, 2020. https://vestudio.disti.com/ [11] HMI and UI Software Design, DiSTI, accessed Jan 3,

• 2020. https://glstudio.disti.com/

[12] Capabilities, Cole Engineering Services, Inc., accessed Jan 3, 2020. https://coleengineering.com/capabilities [13] Dr. B. Boltjes, Dr. M. Pullen, Dr. K. L. Morse, Introducing Cyber Effects in C2 Simulation, ITEC (2018). https://www.itec.co.uk/__media/libraries/human- factors-and-performance-in-a-connected-age/4--- Bert-Boltjes-Slides.pdf [14] Kinetic Military Action, Wikipedia, access Jan 3, 2020. https://en.wikipedia.org/wiki/Kinetic_military_actio n [15] R. Guttman, Combined Arms Cyber-Kinetic Operator Training, SEI Blog (2017). https://insights.sei.cmu.edu/sei_blog/2017/03/combi ned-arms-cyber-kinetic-operator-training.html [16] G. Bertoli, S. Raio, Journal of Cyber Sec. and IS 6, 2 (2018). https://www.csiac.org/journal-article/the- elusive-nature-of-key-cyber-terrain/ [17] D. Raymond, T. Cross, G. Conti, M. Nowatkowski, Comp. Sci. 6, (2014). https://www.semanticscholar.org/paper/Key-terrain- in-cyberspace%3A-Seeking-the-high-ground- Raymond- Cross/78833726bc86f3b0e0dc7f933e2830b7acbb31 c9/figure/2 [18] L. Wihl, Training for the Combined Cyber/Kinetic Battlefield, MODSIM World (2015). http://www.modsimworld.org/papers/2015/Training _for_the_Combined_Cyber_Kinetic_Battlefield.pdf [19] Network Topology Conversion, Scalable Network Technologies website, accessed Jan 3, 2020. https://www.scalable-networks.com/network- topology-conversion [20] P. Lipton, C. Lauwers, TOSCA Simple Profile in YAML Version 1.3, Candidate OASIS Standard 01 (2019). http://docs.oasis-open.org/tosca/TOSCA- Simple-Profile-YAML/v1.3/cos01/TOSCA-Simple- Profile-YAML-v1.3-cos01.html

Author/Speaker Biographies

• Dr. Daniel Lacks is the Chief Scientist at CESI. He

received Computer Engineering a PhD degree in 2007 from the University of Central Florida. Dr. Lacks has spent the last 19 years as a software and systems engineer in the DoD M&S industry on numerous LVC programs. Stephen Lopez is a senior program manager for Cole Engineering Services, running cyber training programs. He formerly led the development of multiple Virtual and Constructive simulation systems for the US Army. He holds MS and BS degrees in Computer Engineering from the University of Central Florida. NEED WRITE-UP FROM KEVIN