Sustaining highly maneuverable forces on a rapidly changing,
noncontiguous battlefield requires an agile logistics command
and control system. But can such a system prevent compromise
of its data by a determined adversary?
Ubiquitous information is a cornerstone of many
contemporary visions of future warfare. Programs as diverse
as the Office of the Secretary of Defense’s Force Transformation
program and the Army’s Future Combat Systems program
envision a tight linking of operations, intelligence, and logistics
made possible by extensive, shared, and widely distributed
Military logisticians generally accept the potential advantages
of a future logistics system that is highly networked and that
is able to widely distribute real-time, actionable data on
the battlefield. However, the survivability of such a logistics
information system has not been demonstrated in practice on
the battlefield or tested extensively in the laboratory.
With its UltraLog project, the Defense Advanced Research Projects
Agency (DARPA) has taken up the challenge of building and demonstrating
just such a networked logistics system. Specifically, the UltraLog
project’s goal is to build an extremely survivable, agent-based
logistics planning and execution information system for the
modern battlefield. [An agent, or intelligent agent, is a software
program that can perform many functions for a human computer
user by applying a certain amount of reasoning.] In UltraLog,
intelligent agents can be agents that are embedded in a military
unit to perform the automated logistics function for that unit,
or they can be agents that perform UltraLog system functions
outside of military units. The agent society models combat
and support units, equipment, transportation networks, and
supply chains. [An “agent society” is an information
system composed of networked intelligent agents.]
of a distributed logistics system is based on three primary
components: robustness, scalability, and security.
Robustness is the ability of a system to continue functioning
when one or more of its components are destroyed or impaired.
Scalability is the ability of a system to withstand massive
increases in size and workload, such as might be encountered
in going from peacetime operations to war. Security is the
capacity of a system to maintain integrity and confidentiality,
even when it is under directed information warfare (IW) attacks.
To be successful, future logistics information systems must
be robust, scalable, and secure; in short, they must be survivable
under battlefield conditions.
In an article in the November–December 2004 issue of
Army Logistician, retired Lieutenant General Leo Pigaty and
I examined UltraLog’s robustness and scalability and
detailed the process for assessing the military usefulness
of logistics data produced when UltraLog was attacked along
those two vectors. This article discusses UltraLog’s
security defenses against cyberattack.
Security Threat Environment
Cyberterrorism is a fact of Information Age life. As a form
of asymmetrical warfare, an IW attack may result in potential
damage that is completely disproportionate to the level of
effort the attacker expends to achieve that damage. Attacks
can be launched with few resources, without warning, and without
regard to geography. They can be originated by pranksters,
by adversaries, or by insiders acting either unintentionally
or with malice.
IW attacks are almost as varied as the human imagination. However,
they can be categorized by the attacker’s intent—
• Destroy information system infrastructure or data. Attackers physically
destroy computing centers or communications resources or introduce a virus to
• Intercept sensitive information. Intruders access operational databases
or intercept data moving through the communications pipeline. An adversary, for
example, could exploit compromised logistics data to determine a unit’s
materiel condition, composition, or disposition.
• Corrupt or manipulate logistics information. Logistics transactions and
data files are modified, duplicated, erased, or misdirected, potentially disrupting
the supply chain and reducing user confidence in the supply system.
• Disrupt service. An adversary floods the system with spurious incoming
messages in distributed denial-of-service attacks. Such attacks are designed
to effectively paralyze the system by preventing legitimate users from accessing
and using the system as intended. This could prevent the processing of logistics
transactions and the transmission of requisitions and status information.
UltraLog Security Defenses
Over its 4-year development cycle, UltraLog has evolved a complex matrix of
commercial off-the-shelf and uniquely designed security features that provide
protection against cyberattack. While the developers of this security framework
readily acknowledge the impossibility of knowing or foreseeing the universe
of potential assaults, UltraLog’s defense in depth provides a significant
bulwark against known threats.
UltraLog’s security functionality is guided by two overarching concepts:
agent system segmentation and dynamically reconfigurable, rule-based protective
countermeasures. First, because of its globally distributed nature, UltraLog
security is built on a unique framework of distributed trust that segments
the agent society. Trust obstacles stand as sentinels between the segments
to cordon off compromised segments, thus preventing damage from rolling unchecked
throughout the system. Second, UltraLog incorporates a tight, policy-based
security system. This system comprises a set of rules that is distributed throughout
system. Rules may be flexibly tailored to respond to changes in threat and
are strictly enforced.
Policies and rules govern how UltraLog functions and control much of the interaction
among agents. Policy is set by subject-matter experts, based on doctrine, and
loaded into an UltraLog society. From a logistics perspective, rules might
govern stocking objectives at different levels of the supply chain. On the
side, rules might control how many times a user can try to log on before being
locked out. Part of UltraLog’s strength is large sets of policies and
rules that allow the system to modify the rules that are in effect in response
Other UltraLog security features include—
• User access control service. This feature identifies and authenticates
users and protects UltraLog from undesirable corruption caused by unauthorized
users accessing the system. A unique user name and user-provided password serve
to identify and authenticate individuals seeking to access the system. Access
mediators decide whether to grant or deny the requested access and enforce
access-control policies whenever someone attempts to enter the system. Once a
user is inside
the system, access to specific system features is strictly monitored and controlled.
• Message protection service. This mechanism controls the flow of damaging
communications by mediating all outgoing and incoming transmissions. It compares
messages against policy, stops all disallowed
traffic, reports violations, and, if warranted,
isolates the unit transmitting suspect messages.
• Communications security service. Encryption and digital signature of
data in the communications pipeline protect data from compromise or unauthorized
Encryption ensures confidentiality, and digital signature ensures integrity of
data and serves to authenticate the source.
• Monitor and response service. This provides a framework for monitoring
the security condition of the logistics information system. It looks for signs
of attack, such as denial-of-service flooding, using data collected from a range
of sources; analyzes the data; and selects a course of action determined to minimize
the security risk. The framework includes UltraLog-developed sensors to monitor
such things as unauthorized service requests or denial-of-service probing; analyzers
to evaluate sensor input against decision rules; and a policy-management service
that provides the ability to manage the security posture of the system. Examples
of responses include simply monitoring intruder activities, deactivating portions
of the system under attack, updating security policy (strengthening or weakening
it as appropriate), and locking out offending users.
is a distributed, agent-based software architecture
that is inherently survivable even in the most hostile
environments. It is a resilient system that can protect
and adapt itself under the most harsh and dynamic
Assessment of Security Defenses
In order to assess the suite of security technologies, an UltraLog
society was designed, built, and tested in the computer lab
located at DARPA’s Technology Integration Center. A
battery of over 100 high-speed servers, along with related
routers and switches running on a fractional T–3 network
connection, were assembled to demonstrate an UltraLog society
of over 1,000 military organizations and vehicles.
A scenario was run simulating units of the Army’s V Corps
fighting a 180-day major regional contingency in Southwest
Asia. UltraLog’s task was to propagate an operation plan
(OPLAN); build an executable transportation plan; plan the
sustainment of deploying units; and then, during a simulated
execution of the scenario, accept and propagate changes to
the OPLAN and revise the transportation and sustainment plans
accordingly. All of this was to be accomplished with minimal
loss of function while independent assessors attacked the system
by such means as cutting or reducing communications, limiting
available computer processing and memory, and conducting a
variety of IW assaults.
With the testing infrastructure in place, UltraLog security
functionality was assessed using a combination of distinct
structured experiments and a variety of Red Team hacker attacks.
The attacks were designed to probe the ability of UltraLog’s
multiple security defenses to preserve the confidentiality
and integrity of its logistics functions against real-world
threats based on the concept of operations scenario. Emphasis
was placed on determining if the defense performed as expected
and what the likely impact of the success or failure of the
defense would be on the resulting logistics plan. A sample
of these experiments follows.
Invalid User Log-in
This experiment tested if an unauthorized user could gain entry
into the UltraLog system. It involved a nonexistent user with
a bad password, a valid user with a bad password, and a valid
user with a bad certificate.
UltraLog successfully prevented the breach of this “first-line” security
defense. The logistics functionality of the system was protected
by successfully deflecting unauthorized users at the log-in
screen. This defense is particularly important in a deployed
and distributed system, where it may be relatively easy for
an unauthorized user to gain access to a processor running
an operational UltraLog logistics system.
A trusted user operating as an enemy agent or working with
other malicious intentions can be extremely damaging to military
operations. Compartmentalizing access to systems and data is
a fundamental mechanism for limiting potential damage. An UltraLog
user has defined levels of access to various UltraLog services.
In an operational context, these levels of access would be
used to define the roles of maintenance and supply technicians,
logistics planners, and decision and approval authorities at
different levels in the chain of command.
The purpose of this experiment was to determine if a user would
be allowed access to functions for which permission had not
been granted. A valid user with a valid password logged in
and attempted to access several unauthorized services. Access
to these services was successfully denied in every instance.
The runs were repeated with the user attempting to access resources
for which use was authorized. In these runs, the user was able
to access the authorized services. These experiments were repeated
using authenticating certificates, and again the user gained
only the appropriate level of access. Messages were generated
advising security managers of the attempt to access unauthorized
functions. This combination of successful deflection of access
and generation of alerts provided a sufficient defense against
A series of experiments was performed on controlling the transmission
of information and instructions between agents. UltraLog agents,
whether physical agents such as a combat or support unit or
UltraLog functional agents such as the security manager, are
required to perform specific tasks with specific communications
requirements. Policy establishes with whom an agent may communicate
and the nature of that communication. From an operational perspective,
this ensures that communications are limited to what is needed
and that commands and instructions flow correctly along the
military and logistics chains of command. These experiments
demonstrated the following successes—
• Agents were prevented from sending messages prohibited by policy. In
experimental runs, UltraLog successfully stopped the message on the sender’s
node and the message was not delivered to the intended recipient. Security messages
were generated documenting the attempted transmission of a message in violation
of policy. Operationally, this defense could be used to isolate military units
that display suspicious behavior or to compartmentalize the force structure so
that the impact of a rogue agent can be limited to a subset of correspondent
agents. [“Correspondent agents” are a group of agents with which
the bad agent communicates.]
• Agents were prevented from sending disallowed directives. Messages may
contain directives that ask or direct that something be done. Policy determines
which directives an agent may use and which are prohibited. For example, it might
be inappropriate for a signal company to direct that a transportation company
move a tank from one location to another. Based on the experimental data, UltraLog’s
access control service on the send side enforced policies that specify the directives
an agent is allowed to send. Operationally, this prohibits a military unit from
issuing orders without appropriate authority.
• Receivers rejected disallowed directives. This experiment examined the
situation that occurs when a compromised agent successfully sends a message with
disallowed directives and determined if the receiving agent detected and rejected
bited message. In the experimental runs, the message access control service successfully
prevented agents from receiving messages containing disallowed directives.
• Receivers rejected disallowed messages. This experiment examined what
happens when a compromised agent successfully sends a disallowed message and
determined if the receiving agent detected and rejected the prohibited message.
The experiment demonstrated that UltraLog agents detected, rejected, and reported
when messages disallowed by policy were received. Operationally, this defense
effectively isolated a military unit from a rogue agent trying to transmit damaging
• Unsigned or improperly signed messages were rejected. Operational decisions
rely on the accuracy of information contained in incoming transmissions. In UltraLog,
information integrity is ensured in part by the digital signature that accompanies
incoming messages. This experiment assessed whether or not target agents accepted
or rejected unsigned messages. Policy was modified by Red Team hackers so that
the agents of one unit transmitted messages without signatures. UltraLog agents
successfully rejected 731 of 731 unsigned messages. UltraLog successfully defended
against agents receiving and accepting messages of questionable origin. From
an operational perspective, logistics functions were protected.
Unsigned or Improperly Signed Code Modules
It is essential that code that is introduced into a deployed and functioning
information system be from a trusted source. The ability of an adversary to insert
malicious code can be extremely damaging; in UltraLog, this ability could completely
compromise operational and logistics functionality. Only code that contains the
digital signature of someone known and trusted is supposed to be accepted and
loaded into UltraLog. This experiment demonstrated that UltraLog was able to
prevent the loading of code that was not accompanied by a trusted digital signature.
Adaptable Security Posture
In the event of multiple security violations, UltraLog is designed to sense the
increased security threat environment, increase the threat condition level, and
modify security defenses appropriately for the
new threat environment. A series of experiments was conducted involving multiple
attacks against the system. These attacks included multiple invalid log-ins,
invalid and unsigned message transmissions, and invalid code insertions. In each
case, UltraLog detected and prevented the disallowed activity, generated alert
messages, and increased the system’s security posture in response to the
heightened threat. The policy enforcement infrastructure also rebuffed denial-of-service
attacks by limiting the system interfaces available for attack.
Final Analysis of UltraLog Security
As a group, the tested UltraLog defenses provided significant protection from
cyberattack. For the experiments conducted, all UltraLog defenses
were rated “green” (acceptable)
for completely or nearly completely defending against the intended attack.
The overall security functionality of UltraLog was rated green
in recognition that
significant portions of the threat envelope had been effectively secured.
Improvements over previous years were noted in the areas of preventing unauthorized
access to information, securing interagent communications, preventing malicious
code insertion, and preventing unauthorized operations. Other enhancements demonstrated
that the security services are scalable to support large distributed systems.
Progress was made in controlling unauthorized access to data and processes operating
in system memory.
Progress also was made in the system’s ability to manage security policy
and respond to changes in the threat environment. This included the development
of templates that enhance the ability of policy administrators to specify and
modify enforceable security policies. Overall, UltraLog’s security policy
framework and the specific policies tested successfully deflected hacker attacks.
As it nears the end of its development cycle, UltraLog has made significant
strides in building a security infrastructure sufficient to protect distributed
agent-based applications. Clearly, based on assessment-derived
data, the integrity and confidentiality of the highly distributed logistics
information systems envisioned for the modern battlefield can be protected—even
from a determined adversary. ALOG
Commander James C. Workman, USN (Ret.), is
employed by Los Alamos Technical Associates,
Inc., in Sterling, Virginia. He holds a B.S. degree in financial management
from the University of Oregon and an M.S. degree in financial management
Naval Postgraduate School. Commander Workman served 20 years in the Navy
Supply Corps, culminating in joint tours at the Office of the
Secretary of Defense
and the Defense Logistics Agency.