Digital Cloak of Invisibility Fends Off Intruders
Hackers cannot access devices if they cannot see them.
One way of ensuring that attackers don’t access a network node or break into a device is to render its identification invisible. Cloaking the device’s address gives a hacker nothing to see, and it can be done on systems ranging from government networks to medical electronics implanted inside human beings.
The result goes beyond shielding. Network nodes simply cease to exist for outsiders trying to engage in malicious acts. The same security process also speeds up data transfer among diverse networks sharing similarly cloaked data and devices. And while most of these invisibility configurations are intended for government and military networks that are the target of malicious hackers—many of whom work on behalf of adversarial nation-states—this security approach has other applications, including some that are just emerging.
This approach is used in a software infrastructure known as the Cyberspace Operations Infrastructure (CSOI). Developed by IMPRES Technology Solutions, the CSOI is a fabric-based architecture created to integrate with different levels of security, topology and protocols, says the company’s chief technology officer, Robert Osborne.
He points out that the original Transmission Control Protocol/Internet Protocol (TCP/IP) that defined the Internet was not designed to be secure. It focused on identifying devices and access points by giving each one an address. Today’s IP-based security provides an inherent frailty, he continues. The company’s solution is not to focus on identity protection, encryption or firewalls, but instead to make identities disappear completely.
The CSOI removes IP and media access control addresses from a network, Osborne explains. It overlays existing addresses without changing a network’s physical architecture, and it permits rerouting and reprioritizing traffic on the network. Voice, video and data can move across any open traffic area automatically, he reports. “This overlay doesn’t change anything on a network,” Osborne notes.
It establishes a host identity protocol (HIP), which permits filling in security gaps. “If you can’t see it, you can’t hit it,” he declares.
The software infrastructure was used in the U.S. Air Force’s Thunderstorm cyber warfare engagement, Osborne relates. Throughout the entire week the CSOI was operational, devices using it were never discovered.
Osborne describes how, in another test, he was given a half day to cloak a ship’s systems. When he came off the ship a half-hour after beginning his efforts, the system managers thought Osborne had given up. Instead, he explained, it took him 15 minutes to cloak the ship and another 15 minutes to verify the success of the cloaking efforts. Even though the ship was still passing data inside and outside, the managers could not detect the existence of the ship’s data systems from the dock. Osborne adds that the CSOI installers discovered that 30 percent of the ship’s internal traffic wasn’t even known to the vessel’s actual architecture; the traffic consisted of add-ons installed independently off the blueprints.
Speed of installation and operation is a tenet of the software. Osborne describes how a special operations officer asked for secure connectivity anywhere on the globe, so he could pick up a laptop or a cellphone and connect and securely transmit data across a network. Setting up this capability took less than a minute, and de-provisioning the officer took less than a second.
The officer could send data securely across the open network because the CSOI uses 256-bit Advanced Encryption Standard (AES) encryption. A 128-bit header uses a series of standards built out in the 1990s initially to secure drones. AES 256-bit encryption also is used to cloak energy grids and older military architectures that will not attain IP version 6, Osborne says.
Every device on the CSOI network knew which other devices were white-listed, so the usual identifying chatter was absent. The devices still talk the way they always have, he says. “They don’t do any changes to those devices at all. We just make sure we grab everything from the stack coming out, and we cloak it, so it will only talk to those things that are white-listed,” Osborne states.
The system will forbid anything that is not white-listed from connecting with its devices. It will only respond to a request from a known device. Knowing the original IP address will not help a hacker because the system will ignore it. Osborne notes that hackers have traditionally worked to intercept drones by spoofing their IP addresses to take over the vehicles. But by removing the IP address so that no one outside the system can talk to it, only the manager can control the drone.
The CSOI also permits secure connectivity among different types of networks, which allows multiple cloud applications. Osborne explains that the CSOI would provide secure, encrypted connection data and movement among Microsoft Azure, Amazon Web Services (AWS), Google Cloud and Rackspace, for example. And the customer would not be charged for moving data out of any of those clouds because the CSOI would have added HIP switches throughout each cloud.
Osborne notes that a hybrid cloud, in particular, can benefit from this approach. Placing this capability at the edge of the cloud environment enables it to extend into the cloud itself. Much of the CSOI software allows the network within whatever cloud a user chooses to resemble the exact physical network outside the cloud. By cloaking the network completely and between different clouds, the type of cloud is irrelevant—the network will appear in its original format.
The software also improves transmission efficiency. Government satellite links often experience packet losses of between 10 and 30 percent, according to Osborne. The compression software inherent in the CSOI virtually eliminates packet losses, he says. This was an unintended but welcome effect, Osborne adds. And data files move much faster. A standard 4-gigabyte file might take more than two hours to move across three state lines, but the same file could move in 18 seconds with the CSOI and no hardware changes.
Artificial intelligence (AI) plays a role in the software’s ability to protect and defend the network. Osborne explains that it automatically reconfigures a network based on needs and reliability levels, mapping out potential routing methods. It also automatically spreads data through different routes to avoid congestion.
With its built-in AI, the CSOI-equipped network is effectively a mesh network, Osborne states. Every device can have multiple point-to-point connections that provide microsegmentation. A device will not know it is talking to another device on the other side. If one device is breached, then the CSOI network can automatically drop it offline, and every other device in the network will know to shun it as an invalid point.
Many nontraditional uses beckon. For one, the CSOI could make wireless connectivity more secure. Osborne points out that many people are reluctant to use wireless technology because of security concerns. This is a growing issue with medical electronics technology such as pacemakers and insulin pumps, and the biomechanical nanoelectronic systems entering the field of medicine pose an even more complicated threat (SIGNAL Magazine, August 2018, page 18, “Hacking the Human ...”).
Using the CSOI allows network managers to effectively take biomedical electronic devices offline. By cloaking their IP addresses, the software renders them invisible to hackers. Even if malevolent computer experts know people with pacemakers, insulin pumps or internal nanoelectronics, the hackers would be unable to detect their presence in cyberspace. Adding the CSOI software eliminates the need to remove a piece of internal medical electronics to seal off vulnerabilities, Osborne allows.
He explains that pacemakers have been especially open to hacking through their IP addresses. Osborne recounts one case in which an intruder could see the username, administrator password, IP address, and server names and addresses on a database at a corporate headquarters. These represent security vulnerabilities that can—and must—be sealed off.
And if a person who has an internal biomedical device is a military or government official, then the threat is extended beyond that individual. “When you talk about hacking the human body, as more of these [biomedical] things become prevalent, if there is no ability to tie this stuff down, then anybody who has any type of device can go near a government individual … [who] becomes a hackable asset to be used against the government at that point,” Osborne says. “If I can hack you in a matter of seconds, then you’re useless to the people that you’re there to defend.”
One government customer has been testing the CSOI for about a year, Osborne relates. Several others, some with antiquated systems that would benefit from the IP-cloaking approach, are in the process of implementing it. The software handles serial connections, Wi-Fi, cellular, standard Ethernet and other legacy technologies, in addition to the latest hybrid cloud constructs. Osborne notes that, in some cases, it need not be implemented on every network device. A network can be cloaked just at the edge. It all depends on the level of sophistication and security required.
For future iterations, designers are focusing on improving integration capabilities. Osborne allows that many customers want to “tie down every gauge inside a vehicle, ship or aircraft.” Engineers also are testing integration directly with existing switches instead of putting a switch in front of the network. He expects to soon be able to integrate the CSOI directly into existing network switches.
A recently added capability allows a device to run its own Wi-Fi, which shows only a cloaked connection. This will tie into anyone’s laptop that has the right software, Osborne says. The company also is targeting vendors that manufacture hospital equipment, especially where it could secure gauges, he adds.