White Paper

Demystifying Hardware Full Disk Encryption Technology for Military Data Storage

Issue link: https://read.uberflip.com/i/1173418


www.mrcy.com WHITE PAPER 6

Case Study: Speed and Security Matter

The following case study is hypothetical and provided for illustrative purposes only.

The Threat

An overseas military operation receives intelligence that a hostile nation state has begun construction of a mining facility in a remote desert to source a specific raw material. The hostile nation state is known to possess the capabilities required to refine this raw material into the components needed for the development of advanced weapons. Reports indicate that the mining facility will become operational in less than one year. Once mining begins, the material must be transported to a processing facility for purification and further processing before it is suitable for deployment in weaponized applications. If the hostile nation state gains access to this raw material in sufficient quantities, it could pose a significant threat to neighboring ally countries.

The Mission Objective

The orders are clear – gather tangible evidence that the raw material is being mined and transported to a purification facility. Then, an appropriate course of action can be determined given the geopolitical environment at the time.

A fleet of new, highly classified extended-range unmanned aerial vehicles (UAVs) is redirected from a prototype evaluation program and assigned to this mission. The operations team must make the fleet of new UAVs deployable in no more than 9 months. The UAV mission computer contains advanced electronic warfare electronics and processing algorithms designed to allow evasion of enemy radar. These UAVs must be retrofitted with advanced sensors and state-of-the-art imaging and night-vision systems as soon as possible.
The UAVs will then continuously survey the area of interest around the clock, capturing both (1) optical images of the types and number of vehicles traveling to and from the mine site and (2) sensor data monitoring the surveillance area for traces of the suspected raw material exiting the mine site. The UAV mission computer and sensor processing subsystems employ highly sophisticated algorithms that have been classified Top Secret by the government.

Mission Vulnerabilities

Moving from a controlled test environment in a highly secure facility to field deployment in unfriendly territory necessitates a robust means of protection for the mission computer's control system as well as the sensor data resident in the data storage platform. The design team first considers an existing storage system implemented as two sequential layers of AES-256 encryption. This approach could potentially shorten time to deployment by a few months. The manufacturer's product literature indicates the system is "compliant" with CSfC; however, the individual components of each layer do not appear on the CSfC approved components list, and the system solution is not NSA registered as a CSfC End User Device (EUD). Ultimately, the team decides that using a non-validated solution for such a mission-critical application incurs too much risk should a UAV be lost in unfriendly territory.

After careful consideration and lengthy discussions with a series of Trusted Integrators, the team decides that a fully validated CSfC 2-layer security implementation using HWFDE and SWFDE components from the CSfC approved component list provides the most robust security implementation. The ideal HWFDE component in the CSfC component list is an SSD in a 2.5" form factor. Unfortunately, this form factor is too large for installation in the existing electronics bay of the UAV. The team needs to find a creative solution.
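The two-layer design the team settles on rests on one property: each layer is an independent encryption of the data under its own key, so that losing one layer (its key, or a flaw in its implementation) still leaves the data as ciphertext under the other. The Go program below is an added illustration of that property and is not code from the white paper, from QDI, or from any CSfC component. It models both layers as AES-256-GCM in host software with independent keys, which is an assumption for illustration only: a real HWFDE layer runs inside the drive controller, and CSfC layering is a matter of validated products on the approved list, not of a particular cipher mode. The record written to the store is a constructed sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Layer models one independent data-at-rest encryption layer as AES-256-GCM
// under its own key (assumption: a real HWFDE layer lives in the drive).
type Layer struct {
	name string
	aead cipher.AEAD
}

// NewLayer builds a layer from a 32-byte (AES-256) key.
func NewLayer(name string, key []byte) (*Layer, error) {
	if len(key) != 32 {
		return nil, errors.New(name + ": key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Layer{name: name, aead: aead}, nil
}

// Seal encrypts and authenticates data, prepending a fresh random nonce.
// The layer name is bound as associated data so one layer's output cannot
// be presented to the other layer as its own.
func (l *Layer) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, l.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return l.aead.Seal(nonce, nonce, plaintext, []byte(l.name)), nil
}

// Open verifies the tag and decrypts data produced by Seal.
func (l *Layer) Open(sealed []byte) ([]byte, error) {
	ns := l.aead.NonceSize()
	if len(sealed) < ns+l.aead.Overhead() {
		return nil, errors.New(l.name + ": sealed data too short")
	}
	return l.aead.Open(nil, sealed[:ns], sealed[ns:], []byte(l.name))
}

// TwoLayerStore chains an inner (software FDE) layer and an outer (hardware
// FDE) layer, mirroring the paper's CSfC two-layer design at the block level.
type TwoLayerStore struct {
	inner *Layer // SWFDE: applied first on write, removed last on read
	outer *Layer // HWFDE: applied last on write, removed first on read
}

// NewTwoLayerStore refuses a shared key: the layers must be independent so
// that losing one key or one implementation exposes no plaintext.
func NewTwoLayerStore(innerKey, outerKey []byte) (*TwoLayerStore, error) {
	if bytes.Equal(innerKey, outerKey) {
		return nil, errors.New("inner and outer layer keys must be independent")
	}
	inner, err := NewLayer("SWFDE", innerKey)
	if err != nil {
		return nil, err
	}
	outer, err := NewLayer("HWFDE", outerKey)
	if err != nil {
		return nil, err
	}
	return &TwoLayerStore{inner: inner, outer: outer}, nil
}

// Write applies the inner layer, then the outer layer.
func (s *TwoLayerStore) Write(plaintext []byte) ([]byte, error) {
	mid, err := s.inner.Seal(plaintext)
	if err != nil {
		return nil, err
	}
	return s.outer.Seal(mid)
}

// Read removes the outer layer, then the inner layer.
func (s *TwoLayerStore) Read(stored []byte) ([]byte, error) {
	mid, err := s.outer.Open(stored)
	if err != nil {
		return nil, err
	}
	return s.inner.Open(mid)
}

// PeelOuterOnly models losing only the drive layer, the case the paper worries
// about for a lost UAV: what remains is still inner-layer ciphertext.
func (s *TwoLayerStore) PeelOuterOnly(stored []byte) ([]byte, error) {
	return s.outer.Open(stored)
}
```

Calling Write and then PeelOuterOnly on the result yields data that is the same length as the inner ciphertext and contains no trace of the record, while Read with both keys returns the record and any single-bit change to the stored bytes is rejected by the outer layer's authentication tag before the inner layer is ever reached. The shared-key refusal in NewTwoLayerStore is the code-level counterpart of the paper's insistence on two separately validated components rather than one product applied twice.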
Effecting the Mission

The UAV team Program Manager contacts the manufacturer of the HWFDE component, Qubit Drives, Inc. (QDI). Following proper security protocols, QDI's cleared engineering team is briefed on the problem at hand. A solution is possible, although it will be challenging to implement in the short time period available. The QDI team suggests taking the Qubit Drives CSfC certified 2.5" SSD and repackaging the design into a small, low-profile BGA form factor. The new BGA device must achieve FIPS 140-2 and Common Criteria certification and then gain inclusion on the HWFDE CSfC approved component list within a 6 month design window.

Fortunately, QDI's SSD engineers had previously begun conversion of their CSfC certified 2.5" SSD product into both BGA and mSATA form factors. Prototype BGA devices were already undergoing design validation testing in a QDI R&D lab. The QDI engineering team reviews notes from the evaluation of their original 2.5" SSD CSfC HWFDE component. QDI's Program Manager maintained a list of lessons learned during the certification process, and this is expected to accelerate the CSfC validation schedule for the BGA device. The BGA device uses the same firmware set as the original 2.5" design, and after an initial evaluation by the external FIPS/CC lab, it is determined that the minor changes between the 2.5" and the BGA will definitely speed the certification process.

The QDI team updates the FIPS Security Policy and CC Administrative Guide documents and submits them to an approved external lab for review. The external lab conducts on-site code reviews, state machine reviews, a schematic review and an entropy assessment, as well as running a thorough suite of tests and debug procedures on the BGA device. The QDI team provides sample BGA devices for destructive physical security testing. The lessons learned from the original 2.5" certification and the similarity between the two designs now pay dividends.
The remaining FIPS and CC tests proceed smoothly. There is essentially no learning curve for the external lab, and in less than 2 months, the lab completes its FIPS and CC evaluations and submits final reports to NIST and NIAP for the FIPS 140-2 and CC certifications. In another 4 months the BGA component is fully certified and appears on the CSfC components list as a new HWFDE component.
