DRAFT 1-6-20 Blending Cyber Effects into Live, Virtual and Constructive Simulation - PowerPoint PPT Presentation

SLIDE 1

Blending Cyber Effects into Live, Virtual and Constructive Simulation

April 29, 2020

Presenters

Daniel J. Lacks, PhD, Chief Scientist
Stephen Lopez, Senior Program Manager

DRAFT 1-6-20

With help from

SLIDE 2

Introduction

  • A cursory look at the websites and product brochures of commonly used LVC training simulators and toolkits surprisingly did not find the word “cyber” [1-12].
  • Many of these tools provide some form of cyber features or the ability to train cyber despite not advertising it. Have we not prioritized cyber training for…
      • Command Staff Training whose adversaries use network-centric digital tactical communications, situational awareness, and planning equipment?
      • Using, disseminating, or protecting data that could compromise your security or combat effectiveness?
      • Intelligence collection, fusion and analysis?
      • Tactical operations that rely on digital systems?
      • Maintaining digital or networked/networking equipment?
      • Staff that operates with cyber defense and offense teams in a kinetic environment (CEMA)?
      • Engaging adversaries using digital or networked equipment?
  • Training cyber hygiene is just the beginning; take training to the next level by including kinetic and non-kinetic effects in your LVC exercises.

SLIDE 3

Why Train Cyber?

  • Cyber training is not just how to conduct defensive and offensive cyber operations. It also includes the impacts of stimulating and being affected by cyber actions.
  • Need to train…
      • How to identify
      • How to report
      • How to react
      • How to prevent and defend
      • How to prepare and monitor
      • How to find vulnerabilities
      • How to cause cyber actions and exploit kinetic effects
      • How to prioritize

Cyber Actions

  • Defensive Cyber Operations
  • Offensive Cyber Operations
  • Incident Response
  • Auditing
  • Forensics
  • Intelligence
  • Planning, Policy, and Leadership

Kinetic and Non-Kinetic Effects

  • Delay or Deny C2
  • Distract and Deter
  • Corrupt and Disrupt
  • Fail Equipment
  • Cause Fratricide
  • Delay Logistics
  • Forge Information
  • Cause Civil Unrest
  • Influence Decisions
  • Fail Communications
  • Fail Sensor
  • Lower Morale

Impacts

SLIDE 4

Echelon Based Challenges to Cyber Training

  • The operational concept for how cyber missions are controlled and executed makes tactical level LVC interoperability challenging

TODO Include a graphic of echelons where kinetic LVC training focuses juxtaposed against where operational cyber exists

SLIDE 5

Classifying Cyber Training Within an LVC Context

  • TODO Compare and contrast “Kinetic LVC” to “Cyber LC”

| Simulation Type | Kinetic M&S Use Case | Cyber M&S Use Case |
|---|---|---|
| Live | A real tank on a training range. Primary user interface is the actual tank controls | Real OCO or DCO tactical kit (HW and SW) operating within a cyber range. Inclusive of virtualized instances of physical devices |
| Virtual | A tank simulator with physical or virtual user interface executing in simulated 3D graphical environment | Emulated OCO or DCO tactical kits operating within a cyber range |
| Constructive | A computer generated forces (CGF) simulation of a tank unit operating on a virtual terrain with a desktop based point and click interface | Software models that represent or enable cyber operations. Includes automated BLUFOR and OPFOR models, user emulation, traffic generation, etc. |

*Emulated tactical kits offer no training value over operational equipment, and other similarities make this redundant to the live domain

SLIDE 6

Approach to Train Cyber in LVC?

  • NATO MSG-170 offers an approach to introduce cyber effects into C2 simulation including kinetic and non-kinetic effects through interoperability. This research suggests a similar approach for an LVC environment.
  • Model Cyber, Kinetic, and Non-Kinetic Effects (NKE)
      • Build kinetic and NKE effects into existing tools
  • Interoperate
      • Interoperate with cyber action tools to stimulate the kinetic effects and impact the cyber actions
  • Implement Cyber Terrain
      • The systems, devices, protocols, data, software, processes, cyber personas, and other networked entities that comprise, supervise, and control cyberspace
      • Identify advantages for either side
      • Link to mission objectives
      • Bounded by time
  • Figure out the fidelity needed, interoperate to address gaps

SLIDE 7

Cyber Kinetic Effects Integration (CKEI)

  • CKEI is a 2016 example of effectively integrating CERT’s STEPfwd cyber simulator with the VBS3 and CyberSAF/OneSAF kinetic simulators.
  • CKEI shows the outcome of modeling complex cyber and kinetic operations using a simple interoperability approach whose data model needs only three elements to conduct a variety of missions:
      • The system being changed
      • The cyber state of the system
      • The new value of the change
  • The hostage rescue scenario trains assessing cyber terrain, accessing physical facilities, cyber attacking infrastructure and modeling the impacts in the kinetic world, avoiding detection at enemy checkpoints, defending friendly networks and intel assets, defending communications systems, and more.
  • The training objectives include improved communications between kinetic and cyber forces, realizing the impacts of SCADA attacks, advantages to capturing video feeds, and improving combat power and effectiveness with cyber operations.
  • A gap exists for negotiating cyber terrain pre-exercise.

[Figure labels: Kinetics modeled in VBS3 and CyberSAF/OneSAF; SCADA systems modeled in STEPfwd; System, State, Value; SQL Injection; Video Feeds]

SLIDE 8

Distributed Interactive Simulation (DIS)

  • An industry standard LVC data model exists to interoperate cyber using DIS IEEE Std 1278.1-2012 PDUs
      • Information Operations Action
      • Information Operations Report
  • Influence, disrupt, corrupt, or otherwise affect enemy information and decision making while protecting friendly information operations
  • The specification includes approaches to defining the interoperability business logic for IO attackers and targets
  • Compared to CKEI:
      • Includes all CKEI elements plus more IO actions
      • Reports ground and perceived truth
      • The same gap exists for negotiating cyber terrain pre-exercise
  • Information Operations (IO) include these Warfare Type Enumerations:
      • Electronic Warfare (EW)
      • Computer Network Operations (CNO)
      • Psychological Operations (PSYOPS)
      • Military Deception (MILDEC)
      • Operations Security (OPSEC)
      • Physical Attack
      • No Attack
  • IO Action Type to identify if attacking data or computers
  • Temporal parameters to define when the attack profile and effects start and end
  • IO Effects indicate states such as denial, degraded, disrupted

SLIDE 9

Example DIS Cyber IO Action Interactions

[Diagram: interactions between the Cyber Action Simulator and the Kinetic Simulator. Labels as extracted:]

  • IO Action - MILDEC
  • Doxxing operation exposes PII
  • PII used to crack password
  • Access gained to power plant network
  • Controls compromised, power disabled
  • Special Forces maneuver to Landing Zone
  • Special Forces launch UAV
  • UAV captures video of enemy patrol
  • Special Forces plans route to hostage
  • Street lights disabled, Special Forces move
  • RED Attack, BLUE Defend UAV feed
  • Updated SA, Special Forces change course
  • Access gained to warehouse network
  • Warehouse camera feed extracted
  • Special Forces arrive, stay on alert
  • IO Action - MILDEC
  • Building layout and hostage location shown
  • Special Forces don night vision goggles
  • SCADA compromised
  • IO Action - MILDEC
  • Warehouse lights out
  • Special Forces enter building, engage enemy
  • Monitor camera feeds, provide SA
  • IO Action - CNO
  • IO Action - CNO
  • IO Action - MILDEC
  • Network closet collaterally damaged
  • Special Forces kill enemies, rescues hostage
  • IO Action - MILDEC
  • Camera feeds denied to RED and BLUE

SLIDE 10

Mapping Cyber Terrain

  • DIS and CKEI have procedural gaps in mapping cyber terrain prior to simulation
  • One possible approach to solve this is to reuse the OASIS Topology and Orchestration Specification for Cloud Applications (TOSCA) Language
      • TOSCA defines the syntax for a “YAML Ain’t Markup Language” (YAML) file that cyber action simulators and cyber training ranges can use to create cyber terrain for L, V, or C simulation
  • TOSCA defines various topology elements in YAML format, examples include:
      • Compute power and its attributes (IP addresses, ports, etc.) and capabilities (CPU, disk, memory, operating system, etc.)
      • Software installations (host type (database server, WordPress), versions, usernames, passwords, links to shell scripts (for configuration), etc.)
      • Content Deployment (i.e. how to populate a database)
      • Custom software services with properties and compute requirements
      • Subsystems define details for constructing elements of an IT architecture by specifying requirements and capabilities
      • Vendor and non-vendor specific service components may be specified (i.e. firewall rules)
  • TOSCA defines relationships (WordPress connects to a specific database)
  • Attributes may be created, for example, to map DIS EntityIDs to attribute_names
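
An added example (not from the presentation and not CKEI or TOSCA code) of the three-element effect message from the CKEI slide, checked against a pre-agreed cyber terrain keyed by DIS EntityID as this slide suggests. The class names, entity IDs and state names are constructed, and reading "state" as a named variable of the system is an assumption.

```python
from dataclasses import dataclass

# Constructed cyber terrain, agreed before the exercise. Keys are DIS
# EntityIDs as (site, application, entity); values name the system and the
# state variables the cyber side may change. Assumed to have been loaded
# from attributes in a TOSCA topology file.
TERRAIN = {
    (1, 2, 101): ("power_plant_scada", {"street_lights"}),
    (1, 2, 102): ("warehouse_cctv", {"camera_feed", "lights"}),
}

@dataclass(frozen=True)
class CyberEffect:
    system: tuple  # the system being changed
    state: str     # the cyber state of the system (assumed: a named variable)
    value: str     # the new value of the change

class KineticSim:
    """Hypothetical receiver on the kinetic side of the interface."""
    def __init__(self, terrain):
        self.terrain = terrain
        self.world = {eid: {} for eid in terrain}
        self.rejected = []  # (effect, reason) pairs for the exercise log

    def apply(self, effect):
        entry = self.terrain.get(effect.system)
        if entry is None:
            reason = "system not in agreed terrain"
        elif effect.state not in entry[1]:
            reason = "state not declared for " + entry[0]
        else:
            self.world[effect.system][effect.state] = effect.value
            return True
        self.rejected.append((effect, reason))
        return False

def run_scenario():
    sim = KineticSim(TERRAIN)
    effects = [  # constructed, loosely following the hostage-rescue slides
        CyberEffect((1, 2, 101), "street_lights", "off"),
        CyberEffect((1, 2, 102), "camera_feed", "extracted"),
        CyberEffect((1, 2, 102), "lights", "off"),
        CyberEffect((1, 2, 102), "door_locks", "open"),  # never negotiated
        CyberEffect((1, 2, 999), "power", "off"),        # unmapped system
    ]
    accepted = [sim.apply(e) for e in effects]
    return sim, accepted

if __name__ == "__main__":
    sim, accepted = run_scenario()
    print(accepted, sim.world, [r for _, r in sim.rejected])
```

The two rejected effects are the pre-exercise gap in miniature: the cyber side produced changes the kinetic side had no terrain entry for, so they are logged instead of silently dropped.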

SLIDE 11

Takeaways

  • CKEI shows that effective kinetic and cyber interoperability does not have to be complicated
  • NATO MSG-170 is a standard to enable modeling cyber effects, attacks, and countermeasures between simulation and C2 systems. In seeking a parallel LVC standard, an industry standardized data model exists to link cyber effects with kinetic and NKE actions using DIS IO Action and report SA using IO Report PDUs.
      • The MSG-170 data model is compatible with DIS IO PDUs. High Level Architecture (HLA) and other interoperability approaches are also possible.
  • The M&S industry needs to step up to implement kinetic and non-kinetic effects within its simulators/tools and interoperate with cyber action simulators
      • M&S simulators will be viable and critical when used in cyber training ranges to expand the scope of cyber training to practical operations
  • Industry still needs to solve the gap for aligning cyber terrain pre-exercise
      • OASIS TOSCA may provide a viable approach to create cyber terrain in simulators and ranges
  • Solving these problems will help industry expand from training to experimentation, wargaming, and other use cases

SLIDE 12

Thank You

Daniel J. Lacks, PhD, Chief Scientist, Daniel.Lacks@cesicorp.com, +1-407-674-8326
Stephen Lopez, Senior Program Manager, Stephen.Lopez@cesicorp.com, +1-407-384-3926
Kevin Hofstra, Chief Technology Officer, Kevin.Hofstra@metova.com, +1-618-207-3799