Enable breadcrumbs token at /includes/pageheader.html.twig

Is Your Live Video and Data Safe?

Secure platforms must be built with security in mind.

U.S. Air Force Airmen speak with reporters on the new innovative Advanced Battle Management System (ABMS) Onramp 2 in September at Joint Base Andrews, Maryland. ABMS is the digital infrastructure which allows a level of connectivity and sensor compatibility for military at war. Photo by Senior Airman Daniel Hernandez, 1st Combat Camera Squadron

U.S. Cyber Command members work in the Integrated Cyber Center, Joint Operations Center, at Fort George G. Meade, Maryland in April. Photo by Josef Cole, U.S. Cyber Command

In the current cybersecurity environment, live video and data distributed within physically secure environments, such as a sensitive compartmented information facility (SCIF), command and control centers, situational awareness or secure briefing centers, is no longer safe and secure.

SCIFs and other traditional command and control (C2) systems have historically used matrix routers with uncompressed baseband signals such as serial digital interface or high-definition multimedia interface, and control signals such as a kernel-based virtual machine. However, these video distribution systems were architected decades ago without information security as a priority. Uncompressed baseband signals were designed for easy connectivity and reliable viewing of low-latency, high-resolution video. The benefits of accessibility come at the steep cost of glaring security vulnerabilities.

The baseband standards that guarantee compatibility between devices allow anyone to connect a cable and immediately view, hear or record any of the signals. For missions where data and video confidentiality are paramount to success, the vulnerabilities presented by uncompressed baseband signals are unacceptable.

Matrix routing environments are vulnerable to intentional and accidental exposure of data. A matrix router, also known as a video matrix switch, has been pervasive in broadcast and other video-intensive applications, including C2 environments for routing multiple input sources, such as cameras, computers, satellite receivers and certain audio/video sensors, to one or more destinations, including displays and information walls and computers. Because any source can be routed to any destination, the internal function is driven by crosspoints. When activated, the crosspoint chip passes the input port content to the desired output port.

Matrix routers were never designed for security or networking. The inability to encrypt uncompressed baseband signals is an insurmountable hurdle to overcome. Even matrix router systems that claim security certifications are vulnerable.

Security certifications vary based on what each certification entails and what specifically is tested. Certifications also vary widely in stringency. Some certifications demand achieving specific technical capabilities. Others allow vendors to self-author their own arbitrary security targets and be certified by a third-party lab to determine if they meet their own requirements. This is like a fox defining the security requirements of a hen house.

It also could be considered a doorknob certification. For example, if the security target is self-authored as a doorknob that turns to the right and then the test confirms it opens the door, it passes certification. The doorknob does not add to security; it does not lock against intruders, nor does it prevent unauthorized personnel from turning it. However, it meets the target. Common Criteria (CC) states, “Where a CC certificate claims compliance to Evaluation Assurance Level 3 or higher but does not claim compliance to a collaborative Protection Profile, then for purposes of mutual recognition under the CCRA, the CC certificate should be treated as equivalent to Evaluation Assurance Level 2.”

All self-authored security targets when not compliant to a Protection Profile, independent of their Evaluation Assurance Level (EAL) testing level achieved, cannot be considered above EAL Level 2.

On the other hand, National Information Assurance Partnership Protection Profiles are well-defined and articulated targets that are consistent across products. It is important for a perceptive customer to thoroughly scrutinize the security targets to understand the scope and limitations of what is genuinely being tested.

Often these targets explicitly state that to be secure, the system under test must include both physical security in a closed environment for the entire system and trusted users. Unfortunately, the combination of physical security and trusted users is blind to the severe risk of insider leaking, whether deliberate or accidental, which many experts consider a naive oversight at best and deliberately misleading at worst.

An analogy to this concept is driving an armored truck filled with cash through the city with its back doors wide open, yet the company states the money in the truck is secure since the truck is secure and all of the citizens in the city are trusted. All the bulletproof glass, steel plate pillars and Kevlar-bolstered doors that secure that armored truck are now rendered utterly useless by the open back door. The trouble is people cannot be trusted. These are the insider threats. People can be nefarious, but others are just careless or make unintentional mistakes, leading to leaked data.

TEMPEST, a pre-Internet protocol (IP) network artifact, was concerned with spies exploiting the electromagnetic signals and snooping for information on radio frequency devices. Today, fiber optic IP networks are not emitting radio frequency signals. However, the threat of easily penetrating a matrix routing environment by simply plugging in a video cable for unlimited access to sensitive data is frighteningly real. TEMPEST and other certifications are meaningless without a security target that upholds integrity to protect assets from internal and external threats without requiring the trust of all users. Electronic snooping equipment is likely much less an immediate concern than is an insider threat with the ability to plug in an extender to any port on the matrix router and view the classified content.

Some matrix router companies have attempted to bridge the security vulnerability chasm in their products by placing IP gateways to travel between an uncompressed baseband signal into an IP network. While this cobbled composite solution may be effective in scenarios where data and video confidentiality, integrity and availability are not a high priority, the lack of end-to-end encryption and easy exposure to both internal and external threats make this attempted solution unworkable in mission-critical scenarios. There are enormous vulnerabilities, inefficiencies, costs, latency issues, along with end-to-end management and control issues.

Matrix-based companies will sometimes use a FIPS 140-2 encryption module only in a conversion gateway that places baseband signals onto an IP network. However, for Department of Defense Information Network (DODIN) requirements, everything must be FIPS 140-2 compliant, and no exposed video or control information can exist anywhere on the network. The video data must be protected at rest, in transit or in use.

Video that is only encrypted at a gateway is still exposed and vulnerable if the end-to-end transmission is not secure. A matrix installation is not secure by only implementing an encrypted signal across the IP network portion. From a signal security perspective, matrix router-based systems present a significant risk.

The modern solution falls to Ethernet IP primarily because encryption is a viable option for the IP matrix. In addition to all the inherent benefits of IP architectures, including, but not limited to, distributed scalability, interoperability, cost and pervasiveness, IP video distribution capabilities can now provide absolute security against internal and external threats while delivering, if architected properly, zero latency and ultra-high definition (4K) solutions.

But not all IP security is the same. Security must be designed from the ground up within the application to be truly secure. Putting a steel door on a cardboard house does not make it secure. The use of certified encryption, along with advanced use of dynamic rotating keys, tokens and certificates, including mutual authentication, completes a solution that can provide security from source to glass in a Multiple Independent Levels of Security (MILS) environment. The investments in IP and the use of IP globally over the past decades overshadows the modest use and investment in baseband. The innovation in video over IP has made it possible to implement secure, encrypted, reliable, MILS classifications for distributed video solutions. The advances in price/performance combined with current programming techniques and cloud capabilities will see IP systems replace matrix video when security matters. Not in the future, but now.

The pervasiveness of IP technology in society to perform basic functions in medicine, finance, military, commercial and others gave birth to state and nonstate actors’ efforts to steal information and take down networks. The massive investment, billions of dollars, in making IP secure started in the 1980s. While breaches continue to be exposed, it is not because of weakness in technology. It’s due to the breakdown in the proper implementation in securing the technology. Actors with malicious intent are always looking for vulnerabilities. Using current capabilities and processes plus implementing IP properly makes IP MILS Security superior to baseband Multiclass Security.

The objective of the IP video transmission is to ensure the user securely receives and transmits data according to the assigned MILS level and only the intended information. Delivering a secure platform for MILS IP requires the product to be designed from the ground up with this objective. Without an appropriate architecture supported by a clearly articulated and well-defined process, the solution is vulnerable. Taking legacy applications and metaphorically sprinkling security dust on top does not patch the gaping security holes. There are a variety of ingredients that must be properly designed to implement a secure IP MILS classification, multidomain-enabled distributed network.

Security is not generic, details do matter. Buyers must be aware and know the questions to ask to determine if the security delivered meets requirements. Government certifications such as from National Information Assurance Partnership (NIAP) or DODIN are often used to support a level or degree of security. Of course, understanding the claimed certification and its underlying capabilities is very important. The certification may sound impressive but may prove meaningless depending on the environment and how the system is implemented. How keys, certificates, encryption and authentication are implemented and managed vary greatly. Companies state their featured strengths but never their inherent vulnerabilities. It is up to the buyer to find “open back door” security vulnerabilities and assess the integrity of security certification capabilities.

National and corporate cybersecurity is the greatest threat facing the world economy over the next 10 years. The EY (Ernst & Young) CEO Imperative Study revealed that among all the myriad worries faced by global leaders, they placed cybersecurity threats above all other major concerns. While EY focused on external threats, insider threats are just as insidious. The Defense Counterintelligence and Security Agency constantly emphasizes the dangers of “insider threats to the country’s cleared organizations and personnel. Both must be taken extremely seriously. The 2021 Cybersecurity Executive Order has raised the profile and awareness, providing a roadmap toward implementing a zero-trust environment.

If one looks at the big picture, security is not only important but also strategic. This is a strategic decision requiring a strategic, secure platform. The following questions, amongst others, should be asked of any vendor stating they provide “secure communications.” Is security the greatest threat to your operation? What is your weakest link? Is each one of the flows protected with encryption, including video, audio, USB, CAC and Control? Are you using keys, and if so, are they fixed keys versus the more secure dynamic or rotating keys? Where were your keys sourced? Can users, devices, groups and areas all be segmented and defined by the control system? Is the crypto currently FIPS certified and appropriately implemented within the application?

Looking forward 10 years, security solutions must be able to adapt to new threats. The enemy is not standing still but continues to evolve and find new ways of intrusion. Secure platforms must be architected from the ground up with security design at the core.

It’s time to rethink secure video distribution systems. Legacy systems were not designed for the requirements of today.

Howard Sutton is the executive chairman of PESA. A professional engineer by training, followed by MBA and CFA degrees, Sutton’s career spans four decades of working, leading and investing in technology companies.