Imagine a doctor in a hospital who is about to operate on a patient with a brain aneurism. Before surgery, the doctor needs to gather lots of pieces of information: A scan of the patient’s brain, information about what kind of medications the patient uses, and if they smoke or use drugs, as well as family history. The doctor may also want to have specific people working in the operating room to help save the patient’s life.
But accessing all of the information quickly can be a challenge. Some of it, like the brain scan and records of prescribed medicines, may be in the patient’s electronic health records, accessible only to certain people within the hospital. Other information may come from less secure databases that track, for example, who is on call at any given time. The differing security protocols make it difficult to share crucial information.
This is a common problem for anyone who works with sensitive data, in healthcare, the military or the power industry — anywhere there is a combination of public and restricted data, says Bill Smith, principal engineer and project leader of GE Research’s DARPA Guaranteed Architecture for Physical Security (GAPS) program. With $8.6 million in grant money from DARPA — the Defense Department’s research arm — Smith and his team have partnered with GE Aviation, Dartmouth College and chipmaker Xilinx to find a way to sort out sensitive and public information.
Specifically, they’ll spend the next four and a half years developing MIND, short for monitoring and inspection device. MIND will act as a kind of data gatekeeper, sorting incoming information so that only people with proper clearance can see the most sensitive data. This will allow industries to move information between different systems that have different security classifications and policies, reducing redundancies and simplifying communications.
To start, MIND will use commercial aviation-grade hardware developed by GE Aviation’s Avionics Systems as a testbed for the new platform, which will be a combination of hardware and software. Less than half the size of a shoebox, MIND will sit wherever data is entering or leaving a system, whether that’s through Wi-Fi, Ethernet or USB. It’ll control the information using what’s known as deep packet inspection, combined with detailed knowledge about the information that is supposed to be flowing through the gap.
The MIND box will ensure that, for example, specifications for sensitive military hardware will go only to leaders with top-secret clearance, but performance data (such as fuel levels and wear and tear) about the transport plane can go to the ground crew waiting to service the aircraft when it gets back to base. “This will allow us to combine information systems and preserve security,” Smith says. “This will be new technology that will allow communications to flow between security domains within a network.”
Dartmouth’s computer science department will bring its language-theoretic security expertise to the party to develop specific rules on how to process and interpret the input data. The security policies and communication protocols will be customized depending on who is using MIND: The Department of Defense will require different protocols than a hospital, for example. Xilinx will provide the ability to add these protocols into what is known as a programmable logic device — semiconductor devices that will work inside the box and move the data quickly from one place to another.
In addition to helping move data between secure systems, MIND will also add an extra layer of protection to networks that are trafficking in highly sensitive information. The same protocols that will sort top secret from ordinary data will also be able to stop cyberattacks. The Heartbleed bug, for example, exploited a weakness in the OpenSSL encryption software that protects most of the information on the internet. Hackers exploited the bug to steal private information from the likes of Google, Facebook and Intuit. MIND has the potential to sort information in a way that would better flag potential hacks. Initially at least, MIND will only be available to organizations handling the most sensitive information because of the complexity of customizing protocols.
The DARPA grant will allow the team to build a proof of concept. The project will take place in three phases: The first will focus on demonstrating the basic ability to move communications across two secure servers. Subsequent phases will improve speed and build out security protocols.
“This is about showing a path forward,” Smith says. “We’re looking to ensure security among different networks.”