Cross-domain solutions (CDSs) securely manage and transfer information between different security domains. Part 3 in this blog series explains the need to secure cross-domain solution devices themselves in alignment with NSA Raise-the-Bar (RTB) initiatives.

Designed as an interface between security domains, cross-domain solutions (CDSs) play a critical role in protecting the transfer or sharing of data between classified information networks. But while these devices are protecting our most sensitive data, what is protecting the CDS itself against manipulation or other forms of tampering?

The need for tamper resiliency

Software developers go to great lengths to secure data against unauthorized cyber-based threats. However, there is another effective method to interfere with or gain access to digital data: gaining physical or near-physical access to the hardware.

Most CDSs are located in secure data centers, meaning they are generally secure under normal operations. However, the mere presence of CDS in a data center can make it a target, meaning the technology must be designed to protect against a scenario where an inside or other threat might gain access and perform, for example, any of the following actions:

• Side-channel analysis, or the gathering of system information based on emitted information such as power consumption and patterns and sounds
• Physically plugging in and uploading malicious codes and backdoors into applications and systems
• Theft, physical examination, deconstruction, or photographic or other scanning of system hardware
• Unauthorized retrieval of data or copying onto devices

As data moves to the edge — a term for the military’s deployed area of operations — so do CDSs. This means it may be increasingly likely that such devices could fall into the hands of or be accessed by an adversary.

While dedicated classified rooms are usually required for classified systems and certainly add an additional layer of protection, especially at the edge, they also come with high costs such as the need for physical human security guards and regularly sanitizing the system.

Properly protecting CDS and other hardware solutions from tampering allows them to be deployed without the need for these expensive security measures.

Hardware-based CDS tamper-resilient solutions

CDS devices have several layers of security. However, if someone were able to gain access, they might need to overcome the following physical or hardware protections:

• Identification sensors such as fingerprinting technologies that ensure only authorized users gain access to the system
• Use of volatile built-in board hardware such as Random Access Memory to ensure accessed data is not physically saved on hardware such as hard drives
• Tamper-evident seals that cause physical or chemical changes to the device that can delete data or render it unusable
• Barriers and mechanisms that can damage the device or render it unusable if improperly opened
• Security screws, locks, encapsulation materials and hardened enclosures that make it difficult to access, damage or alter the device
• Sensors that detect the opening of doors, cabinets and enclosures or changes in temperature or movement
• Tightly-packed components that make optical probing using fiber optics more difficult

Another built-in tamper-resilient solution is the use of one-way data diodes that by physical design will not, for example, allow an operator to use an input port to extract data. Hardware-based data diodes contain just two nodes: one that sends data and one that receives the same data.

By physical design, the first, or sending, diode cannot receive data, nor can the second, or receiving, diode send data in reverse. This unidirectional data flow is similar to the check valves used on each end of a water main, allowing water to enter a building while also preventing it from backflowing into the water supply.

These diodes help prevent the accidental or purposeful transferring of data to unauthorized networks or devices, including the moving or copying of data from, for example, a high-level Top Secret network to a Secret or lower-level network.

Using software and firmware to prevent tampering

The same software and firmware that a CDS device relies on to operate and function also protects it against physical or digital manipulation.

For example, the dedicated and monitored interfaces used to manage the transfer of data between networks are separate interfaces from those used for operational traffic and can be set to restrict access to certain IP addresses. Depending on the case, they might only allow physical and not remote access.

Security software also filters and sanitizes data before transfer, ensuring sensitive or unrelated data is not transmitted to unauthorized parties. It can also check the integrity of data via digital signatures and hashing algorithms. Other software- and firmware-based tamper-resistant methods include:

• Runtime protection that protects memory, checks software code integrity and monitors sensors for possible tampering
• Code obfuscation, which renames the functions and variables of code
• Trust extension and attestation, which enables trusted executed environments by verifying software and establishing trust beyond the hardware root of trust
• Cybersecurity measures that protect against the remote or physical installation of malicious code

Protecting information with tamper-resilient cross-domain solutions

It is critical that only people or devices with a need to know can access classified and other sensitive government, industrial and commercial information. Read more about cross-domain solutions[NACC2]  and how they securely manage data [SK3] to help us keep the information advantage.

Designing a cross-domain solution? Our security experts can help you implement advanced security techniques to meet Raise-the-Bar guidelines. Contact us today.

Agile cross-domain solutions ensure Top Secret, Secret and unclassified information can be securely shared between forces, and are critical to the military’s Joint All-Domain Command and Control (JADC2) strategy.