Webinar

Cybersecure Mission-Critical Systems


The combination of Trenton Systems' ruggedized hardware and Star Lab's cybersecurity software provides customers with durability, data protection at the hardware and software levels, and reliability across all dimensions of the battlefield - on land, in air or space, at sea, and beneath the ocean.

Register now to watch our webinar on securing mission-critical ruggedized systems with virtualization, secure boot, and operating system hardening.

Transcript

Yazz: All right there, everybody. I think we're right at two o'clock Eastern Standard Time. Hello, everybody. Thank you for joining us today as we discuss the importance of cybersecure, hardened, and ruggedized mission-critical systems for the military. My name is Yazz Krdzalic, Director of Marketing and Business Development at Trenton Systems, and I will be discussing the hardware portion during this webinar.

Mike: And hello, everyone. My name is Mike Mehlberg. I'm the VP of Marketing at Star Lab. I am really excited to be here today. Thank you all for joining. I'm excited to be here with Yazz, and I'm excited about what our joint partnership can do for our aerospace and defense customers. So, the first 20 minutes of our webinar will be used to discuss the partnership between Star Lab and Trenton Systems, and we'll talk about the ruggedized hardware built for harsh environments and the hardened, cybersecure software that adds a layer of cybersecurity and how it all comes together to provide the military with a complete, secure, ruggedized, high-performance computing solution. And then, we'll reserve the last 10 minutes or so for questions and answers. So, if you could please use the Q&A button at the bottom of your Zoom window to type your questions at any time, and we'll get those, and we'll address them during the Q&A session. All set to go, Yazz?

Yazz: Oh, yes, sir. Let's jump right in. So, Trenton's hardware is built to serve those that serve. It’s designed for the tactical edge, whether that's command and control, ground stations, airborne or naval platforms, SATCOM, you name it. Trenton Systems engineers spend a lot of time ensuring reliability in the harshest conditions because it matters. It matters greatly when you need to gain a technological or tactical advantage over your adversaries, and it goes without saying our troops depend on it.

Mike: Again, and just as you can't have strong software applications without dependable hardware, you can't have truly secure software without a strong hardware platform on which to build your trust, which is exactly what makes this such a powerful solution for aerospace and defense applications. We can't afford to build systems on hardware that isn't tested and cybersecurity software that isn't fielded, so when you combine the two, when you combine proven virtualization and operating system security solutions with hardware that works out of the box, you can spend time meeting mission requirements instead of fooling around with configurations and worrying about introducing a risky software stack into a complex environment.

Yazz: And these high-performance computers are designed to serve the military across all dimensions of the battlespace, designed to protect your system from physical harm, such as shock, vibe, or temp fluctuations.

Mike: And with the Star Lab cybersecurity and anti-tamper software, sensitive applications and data are secured against digital attacks, and that's what we mean with the term “full-spectrum dominance.”

Yazz: And I'll take this opportunity as a moment to properly introduce Trenton Systems. So, we design, manufacture, assemble, and support USA-made military computers using long-life components. We ruggedize and certify our systems to MIL environmental standards like MIL-STD-810, MIL-STD-461, and the like for reliability and to adhere to various military program requirements that you may have. Trenton Systems builds standard, COTS, configured, and custom computing solutions for the military.

Yazz: So, all our field-proven systems cover a wide array of military applications. So, whether you have standard 19-inch rack mounted servers and workstations for, for example, C4ISR, easily removable SWaP-C-optimized blade servers, perfect for aerospace applications, or nimble yet rugged mini PCs that are portable and small enough to fit into a military vehicle, we design it all. Over the last 30 years, we've been exposed to lots of different requirements from our MIL customers and military primes, and that experience has really taught us to be flexible, and that flexibility is where we shine. Since we design and build the major components ourselves, putting things together and tweaking things to make it just the way you need, it isn't a far stretch.

Yazz: So, every system that we send out into the field is built with the same standard. It covers what we've accumulated over the years as "Tier 1 Must-Haves" for our military customers. So, things like: It has to be cutting-edge, certified to MIL standards, field-proven, ruggedized with a long life cycle, rev-controlled, secured, and made in the USA. In a nutshell, that's really who we are. We're also an Intel IoT Solutions Alliance Partner, and we go by their embedded roadmap, which, for our customers, that translates to long life and availability for years to come. Our engineers also beat the heck out of our systems before sending them to our customers. And the cherry on top, again, we certify to MIL standards. We have these capabilities in-house as well as via third-party test labs.

Yazz: I'll cover our most popular products here that you see on the screen, which is a 19-inch rack mount system utilizing the latest Intel Core and Xeon SP CPUs, decked out with lots of PCIe slots, RAM, storage, high speed I/O, and power. Standard form factors range from 1U to 5U, but also come in various depths, depending on, of course, the application.

Mike: Systems like these are tactical virtualization platforms that I'll talk about in a bit. They really, really shine. These boxes are highly performant.

Yazz: So, some applications, depending on your program, may require lots of CPU power, easy access, and an ultra-rugged design. Our modular blade servers that you see here are the perfect choice for that task. A fun fact here: We put this system to the test by throwing 750 pounds of force against it, and it barely made a dent. It’s a cool video you'll find on our blog. But essentially, a 2U blade server, which you see right here, can host four individual server blades, each with two Xeon SP CPUs. So, that's eight CPUs in a 2U ruggedized server, tool-less removal of each blade, and it’s certified to MIL standards. Honestly, the best way to describe this system is on the slide: high-density computing.

Yazz: Now to one of our newest additions, a rugged mini PC, the ION. It fits in the palm of your hand, but it's rugged enough to play with the big boys. We've already sent these off into aerospace and naval programs and even outside of the military sector. It's perfect for space-constrained requirements, clearly, but the cool thing about the ION is its tough shell and its dense design. You can see it measures about seven by seven inches and is about an inch-and-a-half high, and still packs a punch with two SODIMM slots, M.2 and SATA storage, high-speed I/O, and super-fast Intel Core CPUs. And now the really, really cool thing: a standard five-year warranty and limited lifetime support like the rest of our products at no extra charge. This is actually one of my personal favorites on our product line.

Yazz: Switching gears again. My goal here is to show you the flexibility Team Trenton really has. So, we went from military servers and workstations to removable server blades to embedded mini PCs. And what you see here is a fully integrated server, whether stationary or in the transit case. What comes to mind here, as far as applications or use cases, is, I'm thinking forward operating bases, ground stations, command and control, even data centers. We can build a fully integrated rack system with all the bells and whistles and ship it to your desired location ready for operation.

Yazz: Now, in the next few slides, I want to discuss add-ons to our systems. They enable you to "get more out of your setup.” For example, what you see here is our NVMe storage systems. These JBODs are made to expand your storage capabilities using NVMe drives. Twenty-four individually removable drives or 24 drives split across three magazines holding eight SSDs each. So, the top left photo that you see on the slide, that's our 3MAG JBOD, which was specifically designed for a military customer that needed tool-less removal of the drives at a moment's notice. So, you're able to quickly remove and add eight drives at once without having to take off gloves or bring tools into the mix. Either way you go, these NVMe SSDs get a crazy-fast 27 GB/s throughput, are hot-swappable, and again, come with a tool-less quick replace, a really cool storage array to add to your arsenal.

Yazz: And as with the previous slide, as with the NVMe storage solution, our PCIe expansion system enables you to add more PCIe slots to your setup. You essentially turn one of your PCIe slots into as many as 18 slots. This reminds me, we've actually worked on an application where we daisy-chained a couple of our 18-slot backplanes to enable the customer to get even more PCIe slots. So, in essence, you can get more than 18 slots, as long as your BIOS can support it. And as a side note, we control the BIOS in our systems as well. So, we can make tweaks to that if need be.

Yazz: Our ever-expanding product line is filled with the critical components that allow the military to rely on our systems for various missions, programs, and tasks at hand. Whether in a climate-controlled environment or at the tactical edge, we design to outlast the competition. That's why our average life cycle is well over a decade. This means less requalifying and recertifying, and an extended life cycle means much lower total cost of ownership, plus, when you have one point of contact for your entire system, it makes the point that much easier.

Yazz: For a true made-in-USA military computing system, ruggedized, certified, configured, and/or customized by an in-house team of engineers ready to assist at a moment's notice, we're really proud that the military has trusted us for over 30 years to do just that. Now, with the partnership between Trenton Systems and Star Lab, we're adding a thick layer of cybersecurity to your ruggedized military computers.

Mike: This is something we're really excited about because we're able to plug over 15 years of cybersecurity and anti-tamper experience into these embedded systems that just work out of the box. In fact, Star Lab's been around for the past five-plus years, almost six, protecting mission-critical DoD systems from tampering and reverse engineering. And just this year, earlier in January, Wind River, who's a beast in the aerospace and defense industry and well known for their VxWorks platform, acquired us and put some additional resources into helping our customers protect their can't-fail systems.

Mike: So, in a nutshell, we've been doing that by hardening Linux operating systems and virtualization platforms on embedded boards. We protect the confidentiality and integrity of the applications and data on these systems, whether during runtime or at rest and all with extremely minimal performance or development impact.

Mike: So, how we do that is through our main solution that we call the Titanium Security Suite. Titanium Security Suite is composed of three products that cover cybersecurity and anti-tamper through your whole system. Titanium Linux provides file and process protection; it effectively hardens your Linux distribution from tampering and reverse engineering. Titanium Secure Hypervisor is an embedded hypervisor for secure tactical virtualization; it removes the enterprise functionality that complicates an embedded system while also providing hardware separation and isolation for your virtual deployments. And then, finally, Titanium Secure Boot ties your entire environment to the hardware, ensuring that your system starts up without any boot kits, without any malicious modifications, essentially establishing trust in your system from the moment you power it on, all the way up through runtime.

Mike: Now, one big differentiator that makes Titanium Linux stand above any other solution is our approach to security. So, most products attempt to keep the attacker out; they're trying to keep the bad guy from getting root or administrative access. We actually assume that the attacker is already in the system, and we put the right countermeasures in place to ensure that, even with root administrative access, they cannot access your sensitive applications and data. And this is done through mandatory access controls, CSfC-certified data at rest encryption, and attack surface reduction, and so, with a simple one-time configuration tool, shown here, you can define a policy that's important for your system and lock that Linux distribution down.

Mike: Now, on the virtualization side, Titanium Secure Hypervisor is based on the Xen Type 1 hypervisor framework, which many of you may have heard of before, and it has literally billions of hours of operational use. So, we started with the Xen framework by first reducing the attack surface, and what that means is stripping it of all the enterprise functionality that just isn't necessary for a system; it adds complexity, and it adds vulnerabilities to that system while really doing nothing for a tactical embedded system. And from there, we added encryption to protect your critical data. We are enforcing hardware isolation to protect those boundaries between different virtual machines, and we're allowing systems engineers to deploy security service domains, such as VPN domains, cryptographic service domains, security monitoring domains, and encrypted storage domains.

Mike: And finally, Secure Boot. This monitors the environment from the moment that you power on your system, and it ensures that the authenticated software is only decrypted and booted if the boot measurements are correct. If your environment is correct, Titanium Secure Boot demands that the system that you deploy is the system that starts up, preventing the introduction of any sort of malicious code at boot time.

Mike: At the end of the day, and this is where the rubber hits the road, we're helping our customers meet their anti-tamper, cybersecurity, and Commercial Solutions for Classified, or CSfC, data at rest requirements rapidly and affordably. Our products have been deployed on many systems successfully. They've successfully gone through stringent anti-tamper evaluations. They meet 100 percent of the NIST SP 800-53 cyber controls and are approved through multiple Commercial Solutions for Classified protection profiles that are shown here, and all this while meeting performance requirements and with a 100-percent success rate in the field.

Mike: So, what's great is, when you combine this with the Trenton hardware, you end up with some of the most advanced cybersecurity and tamper-resistant ruggedized military technology available today.

Mike: And the way we like to think about it is this, right. Trenton’s high-performance ruggedized hardware boots up, and the environment is measured by Titanium Secure Boot. If everything checks out, then the boot image, the hypervisor, and the OS are decrypted and kicked off, and they’re started, only if everything checks out. Then, Titanium Secure Hypervisor takes over, locking individual virtual machines to specific hardware components and isolating them from each other. So, Titanium Secure Linux is running in one or more of those VMs, and it's protecting the confidentiality and the integrity of the data and the applications running on the system. So, it's full system protection from the hardware all the way through boot to your applications and data, and it's helping you meet those anti-tamper, cybersecurity, cyber RMF, and CSfC data at rest requirements.

Yazz: Thanks, Mike. And so, once you pick the system and configure the software to go along with it, you pick and choose how standard, configured, or custom you want your military computer to really be.

Yazz: So, from a systems perspective, and as mentioned before, we can certify to MIL standards, as you see pictured here, and many others, based on the application’s requirements. And we do that in-house or via third-party test labs. When you receive our system, the goal here is to supply you with a turnkey solution, out of the box, ready to go, mission-critical, cybersecured, ruggedized, and ready for battle.

Mike: And more so, we don't just throw this hardware and software over the wall. We really pride ourselves in helping our customers get up and running and walk through the stringent security requirements found on any mission-critical, secure military system. So, we'll stand by our products and you as you bring your system to market.

Yazz: And we believe this partnership matters because it provides the military and the military primes an added layer of security, reliability, and peace of mind knowing that you chose to work with two trusted partners with decades of combined experience in making the hardware and software necessary to complete a mission successfully and securely each and every time.

Mike: So, that's the end of the presentation. Thank you so much for your time. We really hope this gives you a good idea on developing and deploying secure mission-critical systems. And we'll jump over to see what questions came up during the event here. So, stick around for as long as you want. We’ll be here to answer your questions. We've held this Zoom meeting room a little bit longer than the time and will also follow up with an email after the show, sharing this recording, the slides, and our contact information in case you'd like to schedule a more in-depth review demonstration. Do we have any questions, Yazz?

QUESTIONS

Yazz: We do, actually. So, one of the questions here, it says: What does your BSP entail in terms of a fit into the packages you discussed? Is there an extra fee?

Mike: Yeah, so the boards for packages side to, you know, protecting the Linux distribution. It can be the distribution of your choice. As for a Titanium Secure Hypervisor, right, that would sit on your system and it would kick off, you know, the virtual machines, which may include, you know, your version of Linux with Titanium Linux securing that distribution. Those are separate products. And so, we could talk with you about, you know, what the cost of those are. If you get the virtualization option, it comes with Titanium Linux and Titanium Secure Boot. If you just are running a Linux distribution, that comes with Secure Boot, and you can also, you know, procure Titanium Secure Boot independently. In short, all three of those products work together, or they work independently, just depends on what your configuration is.

Yazz: We do have another question here saying: Are your boards really made in the USA? Do you use Supermicro boards?

Yazz: All right, I'll get off my soapbox here. So, yes, we actually design our very own boards for our systems. We have a team of mechanical, electrical, software, and support engineers in-house. So, the design, manufacture, assembly, and support of our boards is done in the USA. If really anything, remember us by this phrase, if you will: We innovate, not just integrate. Part of the reason is that some of our biggest competitors are also our customers. We control so much more than just the integration of the components, but I'll get off my soapbox here and say yes. Yes, those are our boards, we design our boards, and no, we do not integrate Supermicro.

Mike: Yeah, I see a follow-up from James that we can just answer live here. So, what you're saying is, you pick your options, and you load it up and ship?

Mike: Yeah, that's essentially the case. Now, with security, there's an important step that we help you work through, which is to help you define what is important or what is going to help you meet those cybersecurity or anti-tamper or CSfC data at rest requirements. Once you know what those requirements are, then you know you can use these policy editors to basically define what's important in your system, what needs to be protected at rest, what needs to be protected at boot time, and which applications can access which data. And that's very simple to do. We just were able to, you know, with time constraints, show one screenshot. We're happy to show that live in a demonstration, but it's very simple to do through this policy editor, and then, it all integrates into your build environment, so that every time you build your package before it gets distributed, you know the proper things are encrypted, the proper things are protected with the right countermeasures.

Yazz: And I do see that we have another question here. It says: Many systems integrators use boards from around the world. Do you also have total BIOS control?

Yazz: Yes, so we control the whole BIOS. We start at the order code and work our way up from there. So, yes, to answer your question, we do control the BIOS.

Yazz: I think another one just came in.

Mike: Oh, yeah, I see it now. So, somebody asked: You said you meet all NIST SP 800-53 controls. Is this just for tamper resistance and data at rest or all controls?

Mike: So, this is for, this is 100 percent meeting the operational technical controls of the NIST SP 800-53. So, there are thousands of controls. A lot of them have to do with, you know, configuration of your system and whatnot, but when it comes to the operational technical controls, we help you meet 100 percent of those with the products that we discussed.

Yazz: So, we do have one question that says: Are you open to custom solutions with NRE?

Yazz: Yes, we sure are. Actually, the customization of our systems is really where we shine most. I would love to follow up with that. I'd love to get you in touch with our technical team to discuss your requirements in further detail.

Mike: I would say on that question, from a software and cybersecurity, anti-tamper perspective, you know, a lot of times we do work with, you know, your specific version of Linux, your specific distribution, I should say, of Linux, or your particulars for virtualization. And so, we're, you know, I’d have to work an NRE for those to make sure that we're customizing the cybersecurity and the tamper resistance into your particular system.

Mike: I actually can take the next one, too. Another question: Do you support DevSecOps for deployment and/or updates?

Mike: You know, last year, I probably would have said no to that. But actually, since our company, Star Lab, was acquired by Wind River, there's quite a lot of DevSecOps experience in-house, as well as some tools that we're building right now. And so, I'm not an expert in that field, but I can certainly connect you with somebody who is at Wind River to sort of get to the bottom of your question there and answer that in better detail.

Yazz: I do see a question that says: Tell me again about the warranty offered by Trenton Systems.

Yazz: So, our warranty, we have a standard five-year warranty that is on our products. So, single-board computers, embedded motherboards, all warranted to be free from defects in material and workmanship, five years from the date of delivery to the purchaser. It covers various aspects. If you have any specific questions as far as what the warranty covers, I'd be more than happy to get on a call with you and go over our warranty terms if you're interested.

Yazz: We have another question coming in: What is your lead time for products, currently?

Yazz: So, that really varies based on the system that you're choosing, and I hate to give you that answer because I know it's so broad, and I could easily say, you know, between six to eight weeks or eight to 12 weeks, but it really does depend on what system and what components you're looking for. Again, as with everything else, I'd love to jump on a call with you, get our FAEs on the call to discuss what you were thinking about, and we would be able to quickly get you a lead time and whatnot.

Mike: Another question came in: So, how are the Windows technical cyber controls met if I am running a Windows 10 server?

Mike: So, our solution Titanium Linux is specific to a Linux distribution. It can be any Linux distribution, but it does not currently protect Windows 10 or Windows 10 server. The same goes for our virtualization platform. So, we are doing some work to support other operating systems. And I'd have to check with our team on where Windows lies on the roadmap. At the moment, it's very effective at securing those technical cyber controls for Linux distributions, and that's the current support matrix. I would mention, too, in addition to answering that question, our mother company, Wind River, does have a virtualization platform. I believe it supports Windows. However, it's not as focused on cybersecurity as it is on safety-critical deployments. And so, you know, that might be just a discussion that, you know, we could have live if you're interested, about what the possibilities are and supporting, you know, the virtual environment for your Windows 10 deployment.

Yazz: Alright, so I think I'll take the next question here: I heard you mention that Trenton doesn't integrate third-party motherboards. Oftentimes, programs require certain boards. Will this push Trenton out of the opportunity?

Yazz: So, to answer that, we do integrate if there's an absolute must for the program, for the application, and you already have something that you're working with from a components perspective. We can integrate. It's just that, with most of our opportunities, we actually do the boards ourselves, the chassis, the system from a holistic perspective. But yes, we can integrate if that is what your requirement is with your application or program.

Mike: Looks like the next question is sort of targeted at the software. So, what is the average selling price of your software options? What is the tie to the Wind River model? Software can run you 40K to 50K.

Mike: We usually get an NDA in place with our customers, or I should say, we always get an NDA in place with our customers before discussing pricing and options. But I could talk a little bit about the model on this with this open audience. So, there are two models. One of them is, you know, the subscription model, in which you acquire the software. And so long as you are under that subscription contract, you receive support and maintenance and the ability to develop and distribute. Any distributions would also have a runtime license component to it, and that, like any runtime license with any other software company, will scale up or down depending on how much volume you have. The second model is a perpetual model, or it's just a one-time buy upfront. It's tied to your particular program. And programs do mean different things to different people. In this case, I'm talking about a government program; we've heard people refer to it as a project as well, maybe, if they're a, you know, a box manufacturer or something like that that's going to go into multiple programs. But there's a perpetual license upfront, and then, that same runtime license applies, again depending on the volume, right. More volume means less per-unit cost, and we could share all of that with you, you know, if we had a one-on-one discussion and put an NDA in place.

Yazz: Alright, I think I'll take the next question. It says: What about more rugged, small, mini ION systems?

Yazz: So, yes, we are in the works on a couple of products on the smaller-form-factor embedded PC, more rugged than what you see on the ION. So, yes, we have them on our roadmap. That's as much as I can share right now. But yes, our focus is to also start building out our SFF product line.

Mike: James, good question. So, in the Wind River world, they would have corporate license agreements so that primes like Lockheed Martin, Boeing, etc., could have that. Will you look at following that path?

Mike: Yeah, I certainly can talk to some of the folks at Wind River about what's in place already and how we do that. I'm sorry I'm not versed on that right now, but I can certainly bring that up, you know, at an internal meeting and discuss it. So, thanks for bringing that to my attention.

Yazz: So, interesting question: What differentiates you from Crystal? I believe that was the question.

Yazz: So, for one, we're truly made in the USA. We also design our own boards. So, we don't integrate unless it is an absolute requirement by the customer. We do design our own boards from the board up all the way to the chassis and system integration. We have an in-house support team. So, that, I would say, is the biggest differentiator for us between Crystal and our competitors, and as I've stated before, because of that differentiator, it's also the big reason why a lot of our competitors do buy our boards to integrate into their systems to further strengthen their made-in-USA story. So, hopefully, I've answered that for you in enough detail, but if you want to know more about Trenton Systems and our differentiators again, I'd be more than happy to jump on a call with you.

Mike: And, you know, just to add to that, it's really important that, you know, the customers that we support with cybersecurity and anti-tamper do have that US backing, and so, for example, I don't know if I mentioned it during the webinar, but 100 percent of our staff is US citizens with clearances. So, we just work in that environment, and that's why, you know, we were able to partner with Trenton, and that's why, you know, this joint partnership and the solution is differentiated against other vendors out there.

Yazz: And US citizens at Trenton as well. Yes, likewise. We're an ITAR facility, and the employees here are US citizens as well.

Mike: Oh, good one. The curveball here at the end. What preparations, if any, are you making for quantum-safe cybersecurity?

Mike: So, we certainly have people, you know, cryptographer types, mathematician types, that know about quantum safe. With security, people don't just put security on their system because they feel like it or because they want to be secure. They need to meet requirements. And so, we're monitoring those quantum requirements closely as they sort of trickle throughout, you know, the system, and they go into some of the certifications. None of them are there yet, but we are keeping an eye on it. So, the preparations that we're making aren't technical in nature. They're just sort of monitoring the field of certifications that are going to be required for cybersecurity and tamper-resistant systems, for that matter. And so, as those start to bubble up to the top, and they become more real, then we're going to get the brains behind it to, you know, make modifications to our crypto suites, to make sure that we meet those specific requirements. But as far as we can tell, you know, those are a little ways out, and we have the, you know, the knowledge to make those changes in fairly short order. So, we're just going to keep an eye on it, and once the government starts publishing those standards or getting ready to post those standards, then, you know, we'll start migrating our products to support those so that our customers that have those quantum-safe requirements, in fact, can meet them.

Yazz: Alright, everybody, I think that concludes our webinar. Thank you to everybody who participated, who attended. Thank you for all the wonderful questions. If you have any questions for me or Mike, Trenton Systems, or Star Lab about the partnership, please feel free to reach out. We’ll be emailing all the attendees a copy of this webinar along with our contact information, so if you do think of anything outside of this timeframe, we’ll be more than happy to address it. And again, thank you so much for joining.