
Air-Gapped Networks (Part 2): Moving Information

May 11, 2023
The ability to import, export, transport, and share information is extremely important, even with air-gapped networks.

This article is part of our 2023 Electronic Design Technology Forecast issue and the TechXchange: Cybersecurity.

Members can download this article in PDF format.

What you’ll learn:

  • The three router networks operated by the Department of Defense and Department of State are NIPRNet, SIPRNet, and JWICS.
  • The steps involved in preparing information to be shared from one secure network to another.
  • How to ensure that information can be securely obtained from another secure network.

In Part 1 of this 3-part series (read Part 3 here), we introduced the concept of “air-gapped networks”—secure computer networks that are physically isolated (“air gapped”) from their unsecured counterparts, such as an unsecured local area network (LAN) or the public internet.

In addition to describing how data may be categorized as being Classified, Secret, Top Secret (TS), and Sensitive Compartmented Information (SCI), we also discussed the creation of secure facilities in the form of Sensitive Compartmented Information Facilities (SCIFs) and Special Access Program Facilities (SAPFs).

The counterpoint to securing information is ensuring that information is of use only if it can actually be used, which leads us to ask what happens when there is a legitimate reason to move information into or out of one of these secure facilities. This is the subject of this article.

Who Knows?

Let’s start with the fact that we have a large number of SCIFs and SAPFs located across the U.S. and around the globe. Let’s call these “silos” for short. When it comes to communicating information, three questions need to be addressed:

  • Who do we want to communicate with?
  • What do we wish to communicate?
  • How are we going to communicate this information?

It may be that we wish to communicate information from one silo to another silo. In this case, there are different procedures in place depending on whether the route is lower-to-higher (in terms of the silos’ secrecy rankings), higher-to-lower, or peer-to-peer. Alternatively, it may be that we wish to import information from the outside world into a silo or, more rarely, export information from a silo to the outside world.

One big concern is that when we’re talking about silos containing top secret data, people in one silo who need access to data in another silo may not even know that data exists. Similarly, people with access to data in one silo may have no clue that this data could be of use to people working on a project in another silo.

Things are difficult enough with respect to projects with a standard TS classification. The situation is even more complicated when it comes to black projects—which is the unofficial name for Special Access Programs (SAPs)—because these highly classified, top-secret military or security projects aren’t publicly acknowledged by the government, military personnel, or contractors. In some cases, even members of the U.S. Congress are unaware that such projects exist.

The topics associated with knowing whether data exists are beyond the scope of this article. For the sake of simplicity, let’s assume that someone in one silo wishes to communicate information to someone in another silo and that the originator already knows the intended recipient.

In that scenario, communication and the associated information transfers often are part of a standard operational process. It may be that this is a routine update—perhaps modifications to a design along with the corresponding results from a simulation, for example. All we need now is some way to move that data...

Special Networks

Let’s start by noting that three main router networks are operated by the U.S. Department of Defense (DoD) and Department of State (DoS): the Non-classified Internet Protocol (IP) Router Network (NIPRNet), the Secret Internet Protocol Router Network (SIPRNet), and the Joint Worldwide Intelligence Communications System (JWICS). Each network is separated by the types of information carried on it.

NIPRNet is an IP network used to exchange unclassified information, including information subject to controls on distribution, among the private network’s users. The NIPRNet also provides its users access to the internet.

SIPRNet is a system of interconnected computer networks used by the DoD and DoS to transmit classified information (up to and including information classified Secret) by packet switching over a completely secure environment. It also provides services such as hypertext document access and electronic mail. As such, SIPRNet is the DoD’s classified version of the civilian internet.

JWICS is a secure intranet system utilized by the DoD to house and communicate Top Secret and Sensitive Compartmented Information.

Of course, another question now arises: “What do secure networks like SIPRNet and JWICS have to do with air-gapped silos?” And the answer is...

Migrating Information

Some secure silos have access to wide-area networks (WANs) that allow for communication at higher levels. To put this another way, these silos aren’t always restricted to a completely air-gapped solution, especially for purposes of communication.

This leads to an extremely common scenario of wanting to share information that resides on one of the air-gapped networks through a communication network. It’s sometimes referred to as cross-domain communication.

To do this, the data first needs to be cleaned and thoroughly scanned. Next, it can be migrated via a data diode, or unidirectional network solution, like Forcepoint. Alternatively, the data may be copied to a secure encrypted storage device, on which it will be maintained, inventoried, and safeguarded until it can be uploaded onto a communication network.

These secure encrypted storage devices can be discs in the form of compact discs (CDs), digital video discs (DVDs), or Blu-ray discs (BDs), or removable drives in the form of hard-disk drives (HDDs) or solid-state drives (SSDs). In the case of removable drives, tamper-proofing and tamper protection are required in addition to encryption.

With respect to cleaning the data, specific required software programs must be employed. One program will verify file media types (also known as MIME types) to determine that a file with the PDF extension really is a PDF, for example. Other programs will scan for potentially classified terms, for dark text on black backgrounds (and pale text on white backgrounds), for pictures hidden behind pictures, for text embedded in images… the list goes on. Plus, advanced virus scanning will be performed.
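One way to implement the first two cleaning checks described above, verifying that a file’s content signature agrees with its claimed extension and searching for flagged terms, as an added Python illustration that is not part of the original article or any vendor’s tool; the signature table, the flagged-term list, and the sample inputs are constructed:

```python
import re
from pathlib import Path
from typing import Optional

# Constructed table of file signatures ("magic bytes") and the extensions
# each one legitimately corresponds to.
MAGIC = {
    b"%PDF-": {".pdf"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
}

# Constructed "dirty word" list; a real SOP supplies its own controlled terms.
FLAGGED_TERMS = ("SECRET", "NOFORN", "SCI")


def detect_type(data: bytes) -> Optional[set]:
    """Return the extensions consistent with the leading bytes, or None if unknown."""
    for signature, extensions in MAGIC.items():
        if data.startswith(signature):
            return extensions
    return None


def extension_matches(name: str, data: bytes) -> bool:
    """True only when the claimed extension agrees with the content signature.
    An unknown signature fails closed: the file is not waved through."""
    extensions = detect_type(data)
    return extensions is not None and Path(name).suffix.lower() in extensions


def find_flagged_terms(data: bytes) -> list:
    """Case-insensitive whole-word search over the raw bytes. This sees plain
    text and uncompressed document streams; it does not see text rendered
    inside images, which the article notes needs a separate scanner."""
    text = data.decode("latin-1").upper()
    return [t for t in FLAGGED_TERMS if re.search(rf"\b{re.escape(t)}\b", text)]


def check_file(name: str, data: bytes) -> list:
    """Collect the reasons a file must be held back before the SME review."""
    problems = []
    if not extension_matches(name, data):
        problems.append("extension does not match content signature")
    problems.extend(f"flagged term: {t}" for t in find_flagged_terms(data))
    return problems
```

A renamed Office document (ZIP signature, .pdf extension) is caught by the signature check even though no flagged term is present, and an unrecognised signature is rejected rather than assumed clean.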

After these scans have been performed, a qualified technical subject matter expert (SME) review is required. The SME is a qualified expert within the same field who can attest that none of the information is classified.

Following these steps, the data is encrypted using government-approved encryption standards and the disc is finalized. That means any additional available space on the disc is locked, no other data can be written to it, and it is now non-reusable. The disc and data are encrypted multiple times as well during the transfer process.

These portable classified discs/drives always require two-person integrity (TPI) until stored in a TPI safe (two separate combinations where only one person knows each), or they are destroyed with two witnesses and the destruction is recorded in a database.

Assured File Transfer

The activity of moving data off one network and onto a new network is known as an Assured File Transfer (AFT). Such transfers can be performed only by privileged network users known as Data Transfer Agents (DTAs). With the zero-trust method implemented, the “least privilege” concept requires a DTA to be vetted as well as to use separate credentials for their privileged account.

Due to "separation of duties," each user can hold only one privileged account. Therefore, the DTA shouldn’t be a system administrator or someone from the Cybersecurity or IT departments. The DTA must perform every AFT procedure in accordance with the Standard Operating Procedures (SOPs) defined by the Information Assurance Manager (IAM), a.k.a. Information Systems Security Manager (ISSM).

General guidelines for AFT procedures can be found on the Defense Intelligence Agency (DIA) website. Every IAM/ISSM is answerable to the government’s cyber assessors for ensuring that end-users utilize their network in compliance with the government’s policies and laws. It’s their task to report all violations and incidents to the proper authorities, such as the FBI or the Air Force Office of Special Investigations (AF OSI).

Multiple incidents can lead to removal from programs and revocation of an individual’s clearance. Intentional violations typically lead to immediate removal from the position and potentially jail time.

Sometimes the air-gapped network has no corresponding communication network at the equivalent level, which is when things really start to get interesting. As you can imagine, the number of procedural steps required gets quite sticky because of the logical differences when information is being communicated up, down, or laterally.

Each network also has its own SOPs with respect to its AFT process that must be complied with. And the data needs to be transported physically. If the target network is in the same secure area, this isn’t too big of an issue because the same individual extracting the data can also ordinarily perform the upload.

If the target network is in a different facility, possibly in a different country, then much more drastic procedures are required. For example, only authorized personnel are permitted to transport the data, following the physical security SOPs for the facility in question. Unfortunately, for reasons of security, this is as far as we can go on this subject.

Finally, when bringing data into a new secure facility, that facility’s Special Security Officer (SSO) must be notified ahead of time, and you must ensure you’re in compliance with that location’s Physical Security SOP. This most likely requires assessment of the media and scanning on a demilitarized zone (DMZ) network before it is authorized into the facility.

It’s necessary to ensure compliance with the IAM/ISSM’s SOP, because that person is ultimately responsible for the data now entering the secure facility. Once admittance to the facility is granted, you go straight into the intake process and proceed to the network-specific DTA, under escort throughout the entire process. There’s a lot more to this than I’ve discussed here, but this is as far as I can go with the upload process for security reasons.

Cross-Domain Solutions

In Part 3, we will consider the solutions required to address the need to access isolated pockets of information, or to solve problems involving multiple agencies or teams. The scope of the problem may cross team, agency, or even country borders. Until that time, as always, I welcome your comments and questions.


About the Author

Ben Warner | Director of Applications Engineering, DIGISTOR, a CRU Data Systems company

Throughout his career, Ben Warner honed his cybersecurity expertise working with the United States military. He worked on projects involving the security and protection of networks holding some of the nation’s most sensitive and classified information at Applied Research Solutions at Wright-Patterson Air Force Base. He has also worked with Booz Allen, a leading cyber defense contractor, and GE Aviation, and is a veteran of the U.S. Air Force.
