General Micro Systems (GMS) announced four cross-domain systems (CDS), the culmination of decades of system-level experience with increasingly complex and secure systems. A recognized expert in defense communications, sensor processing, and data recorder systems, GMS brings it all together with these four new systems: an airborne 3-domain CDS, two ground-based CDS systems, and a ¼ ATR OpenVPX-based CDS. Each CDS is based on the X9 distributed computing architecture and delivers mission processing, secure storage and authentication, encryption, networking, and options for SATCOM, AI and data diodes. Each system supports GMS’ new Enhanced SecureDNA cyber suite and will be TEMPEST certified.
“In an era of interconnected systems and sensors, ‘joint’ operations between the services, and increasing cooperation between the US and NATO (and other allies)—data is being slung around the battlefield at gigabit rates,” says Ben Sharfi, CEO and Chief Architect of GMS. “With more and more ‘at the edge’ and embedded processing ‘at the tip of the spear,’ data comes in different colors: red for classified and black for unclassified. Keeping this data correctly categorized while sharing it between machines and allies requires robust cross-domain systems like the four we’re announcing at AUSA. No systems have ever been done like this before.”
Different from multi-domain Red/Black systems, cross-domain systems (CDS) provide the gateway between highly secure, classified systems and insecure—often public—systems and networks. They offer higher levels of security than multi-domain, such as data diodes for rules-based routing, and beefier crypto and sanitization for data-at-rest within storage devices. Generically (and insufficiently) called Red/Black systems, the Department of Defense’s (DoD) SIPR (classified) and NIPR (unclassified) networks co-exist because data must often transit between US allies and disparate networks, and, in an age of “connectedness,” that data often travels across public networks and systems such as Wi-Fi, 5G cellular, SATCOM such as Starlink or Starshield, and other public networks.
The cross-domain system filters the data, makes decisions about what data can pass between the domains, and encrypts/decrypts data on-the-fly and at-rest on storage drives—all in real time. The CDS must also prepare for the eventuality that the vehicle, platform or location comes under enemy control, so it must sanitize and eradicate its data in all kinds of circumstances, often autonomously with no operator ever pushing the big red button.
GMS history in secure systems: A long road with demonstrated results
“In our 45-year history, these GMS cross-domain systems are the pinnacle of everything we’ve learned about secure, rugged, networked, sensor processing and storage systems,” Sharfi says. “Our partnerships with security leaders like General Dynamics Mission Systems and learnings from the Army, Navy and Air Force are rolled into these highly secure, ready-to-deploy cross-domain systems that are unlike anything we’ve seen before.”
No other vendor or prime DoD contractor has systems that fit into such small spaces, weigh so little and are yet so full-featured and powerful while being completely off-the-shelf and ready to deploy. The airborne system, for example, has three domains—two in the Red enclave separated by a GD-MS TACDS for ultra-secure data within SIPRnet. The other three CDS offerings are tailored to different use cases but remain customizable.
Exceptional security in airborne, ground, and ¼ ATR OpenVPX cross-domain systems
The new cross-domain systems being shown at AUSA include:
- Airborne three-enclave (Purple, Red, Black) with user tablet interface
- Large ground-based CDS with storage canister, Ethernet switch and user tablet interface
- Small-sized ground-based called “The Cube”
- A ¼ ATR 3U OpenVPX CDS
All systems are based upon the high-TRL X9 architecture in either Spider small form factor or Venom OpenVPX, and all systems will be TEMPEST certified. The X9 architecture allowed the systems to be created quickly with features such as network ports, including fiber optic 100GigE, legacy I/O including MIL-STD-1553, mission processors and AI, plus removable storage using NSA-encrypted, NIAP-listed FIPS 140-2 SSDs and CSfC offerings. Each Domain IO Controller has two removable drives: one R/W drive for large data sets and one drive programmable as read-only, intended to store the operating system or mission profile(s). Drives are fully sealed when removed, IP67 rated, virtually indestructible, and are smaller than ever before. All internal I/O uses fiber optic connections to minimize EMI, relying on Intel’s Thunderbolt 4-over-fiber connections. Incoming power is isolated and each domain sports its own power supplies, including 3-phase/400 Hz AC options and MIL-STD-1275 DC for vehicle power. All I/O to the outside world is opto-isolated and the domains are shielded Faraday boxes.
All GMS cross-domain offerings include provision for the General Dynamics KG-175N Type 1 encryptor. The airborne system includes the GD-MS TACDS CDS between the “landing zone” (Purple) and Red domains for a rules-based dual simplex data diode configuration to separate ultra-secure from secure data. In this manner, data snooping isn’t possible since data is not on the same link.
Enhanced SecureDNA
For these systems, GMS has also beefed up the company’s SecureDNA cyber suite. As before, all storage can be erased along with the system’s firmware and BIOS via button-press, software call, or external input such as general-purpose input/output (GPIO). Additionally, all SSDs include hardware secure erase and write-protect for a positive transaction, plus drive bay doors have switches that can trigger an intruder alert, which can start SecureDNA. Enhanced SecureDNA adds a Domain IO Controller with CAC (Common Access Card) authentication (SIPR token for the Red domain) for each domain to provide differing enclave security profiles, and a chassis-level System Information Module with a daisy-chained physical connection to all modules, so that any removal or tampering triggers an intruder alert. All inputs are opto-isolated to prevent crosstalk or side-channel data analysis.
Additionally, care was put into defining various cyber sanitization use cases. For example, a new intruder alert connection on all X9 modules and the chassis System Information Module ensures that all elements have a coordinated cyber response to “maskable” and “non-maskable” events. Maskable events include the disconnection of the normally closed daisy-chained intruder line that runs to all X9s, the opening of a drive bay door, system shock detected by the Mission Processor’s accelerometers, and more. Maskable events can be configured to be ignored, depending on use case. Non-maskable events cannot be ignored and include a software command, an external I/O line trigger—such as a pilot’s ejection seat—or the pressing of the Zero button on the chassis or tablet.
Two scenarios can be envisioned: opening a drive bay door can immediately trigger an intruder alarm, which causes SecureDNA to run and sanitize the drives and wipe the BIOS. In another scenario, disconnecting one of the intruder lines to remove an X9 module triggers intruder mode, thus sanitizing the system and foiling a bad actor. Optional internal UPS hold-up power allows Enhanced SecureDNA to run even if the system is off or disconnected from external power.
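The maskable/non-maskable event taxonomy and the two scenarios above can be modelled as a small tamper-response policy. The following is an added illustration written for this article, not GMS firmware or any SecureDNA API: the event names, the `SanitizeController` and `SensorState` classes, the sanitize step names, the accelerometer threshold and the sample module states are all constructed for the example. It shows why a series-wired normally-closed intruder loop opens when any single module is unplugged, why a mask configuration must be rejected if it tries to silence a non-maskable event, and how the response can proceed on UPS hold-up power when external power is gone.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Event(Enum):
    # Maskable events: may be configured to be ignored, depending on use case
    INTRUDER_LOOP_OPEN = auto()    # normally-closed daisy chain broken
    DRIVE_BAY_DOOR_OPEN = auto()   # drive bay door switch tripped
    SHOCK_DETECTED = auto()        # mission processor accelerometer
    # Non-maskable events: can never be ignored
    SOFTWARE_COMMAND = auto()
    EXTERNAL_IO_TRIGGER = auto()   # e.g. an ejection-seat line
    ZERO_BUTTON = auto()


MASKABLE = frozenset({Event.INTRUDER_LOOP_OPEN, Event.DRIVE_BAY_DOOR_OPEN,
                      Event.SHOCK_DETECTED})
NON_MASKABLE = frozenset(Event) - MASKABLE

# Constructed step names for the response (drives first, then BIOS/firmware)
SANITIZE_STEPS = ("secure_erase_rw_drive", "secure_erase_ro_drive",
                  "wipe_bios", "wipe_firmware")


def intruder_loop_closed(module_loops: dict[str, bool]) -> bool:
    """A daisy-chained (series) normally-closed loop is closed only if every
    module's segment is closed; pulling any one module opens the whole loop."""
    return all(module_loops.values())


def mask_is_legal(masked: frozenset) -> bool:
    """A mask configuration is legal only if it touches maskable events alone."""
    return not (masked & NON_MASKABLE)


@dataclass
class SensorState:
    """Snapshot of the chassis sensors (constructed values)."""
    module_loops: dict[str, bool]
    drive_bay_door_open: bool = False
    shock_g: float = 0.0
    shock_threshold_g: float = 40.0   # hypothetical threshold

    def events(self) -> list[Event]:
        found = []
        if not intruder_loop_closed(self.module_loops):
            found.append(Event.INTRUDER_LOOP_OPEN)
        if self.drive_bay_door_open:
            found.append(Event.DRIVE_BAY_DOOR_OPEN)
        if self.shock_g >= self.shock_threshold_g:
            found.append(Event.SHOCK_DETECTED)
        return found


@dataclass
class SanitizeController:
    masked: frozenset = frozenset()
    external_power: bool = True
    ups_holdup: bool = True          # optional internal hold-up power present
    sanitized: bool = False
    log: list = field(default_factory=list)

    def __post_init__(self):
        # Refuse a configuration that tries to mask a non-maskable event
        if not mask_is_legal(self.masked):
            bad = sorted(e.name for e in self.masked & NON_MASKABLE)
            raise ValueError(f"cannot mask non-maskable events: {bad}")

    def handle(self, event: Event) -> tuple:
        """Return the sanitize steps triggered by one event (empty if masked)."""
        if event in self.masked:
            self.log.append(f"{event.name}: masked, no action")
            return ()
        if not self.external_power and not self.ups_holdup:
            self.log.append(f"{event.name}: no power source, cannot sanitize")
            return ()
        source = "external power" if self.external_power else "UPS hold-up"
        self.log.append(f"{event.name}: sanitizing on {source}")
        self.sanitized = True
        return SANITIZE_STEPS


def poll(ctl: SanitizeController, state: SensorState) -> tuple:
    """Feed every detected event to the controller; report the steps triggered
    by the first event that is not masked (empty if all were masked)."""
    for ev in state.events():
        steps = ctl.handle(ev)
        if steps:
            return steps
    return ()


if __name__ == "__main__":
    # Scenario 1: drive bay door opened on a powered system
    ctl = SanitizeController()
    door = SensorState(module_loops={"x9_a": True, "x9_b": True},
                       drive_bay_door_open=True)
    print(poll(ctl, door), ctl.log)
    # Scenario 2: module x9_b pulled while external power is off; UPS carries it
    ctl2 = SanitizeController(external_power=False)
    pulled = SensorState(module_loops={"x9_a": True, "x9_b": False})
    print(poll(ctl2, pulled), ctl2.log)
```

Masking is applied per event rather than per sensor so that a vehicle whose use case tolerates drive-bay access during maintenance can silence that one trigger while the intruder loop and the non-maskable inputs stay live; the constructor, not the event handler, is where an illegal mask is caught, so a bad configuration fails at load time rather than at the moment a Zero button is pressed.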