The military’s network architecture is a patchwork of different systems and solutions that resulted from disparate organizations and branches operating in stovepipes to address their own communications and connectivity requirements. That patchwork extends all the way into space, where the military relies on its own communication satellites and on commercial solutions from a number of different SATCOM companies to extend DoD systems, applications, and capabilities to the tactical edge.
With modern warfighting requiring collaboration across all domains and between allied nations, this lack of integration, interoperability, and a common operating picture is no longer sustainable for the DoD. As a result, there has been a military-wide focus on creating a joint operating environment across all of the DoD’s branches and organizations.
There have also been demands for an integrated satellite architecture that incorporates both military and commercial satellite assets. This would enable the military to seamlessly move workloads from satellite system to satellite system should military satellites be denied by an adversary, or should capacity requirements exceed what’s available via the military’s satellite network.
To make this work, the military needs the ability to communicate with and manage disparate satellite networks that operate with different ground hardware. That is an obstacle that commercial satellite provider SES Government Solutions (SES GS) recently took large steps towards overcoming with the introduction of its new application, Hydra.
According to SES GS, Hydra will give the military the situational awareness and satellite management capabilities it needs to build the integrated commercial and military satellite architecture that it has coveted for half a decade – or more. To learn more about how it accomplishes that, and how a DevSecOps approach to development was key to the platform’s development, we sat down with Amit Katti, a Principal Engineer at SES GS.
Here is what he told us:
GovDevSecOpsHub (GDSOH): What is Hydra? What are some of the application’s capabilities, and some of what it’s responsible for within SES?
Amit Katti: Hydra is a new Common Operational Picture (COP) platform developed entirely in-house by SES GS. It was conceived to give our U.S. government and military customers end-to-end situational awareness (SA) capability for effective decision making, rapid staff actions, and appropriate mission planning.
Hydra’s base system is a modular web-based platform that provides monitoring and control of network endpoints. It enables government and military customers to monitor and manage their commercial satellite assets in multiple orbits, and have an integrated, end-to-end managed network experience.
Hydra was designed utilizing a microservices architecture and incorporates customizable interface modules that are designed to meet specific customer mission plans. The entire system is built on free and open-source software (FOSS) technologies following DoD’s DevSecOps playbook.
Hydra incorporates the latest security and data processing technologies, such as streaming telemetry to proactively maintain continuous information feeds, remote access, and operational support for the network.
GDSOH: Why was Hydra necessary? What new advancements in satellite technology and satellite customer requirements are making this application important today?
Amit Katti: Today, everything the military is doing – and every platform and weapons system that they’re developing – is network-enabled. Connectivity at the tactical edge, the austere environments where the military operates, is no longer “nice to have,” it’s absolutely necessary and mission-critical. In this environment, going without comms, or having comms be lost or denied is simply unacceptable.
Hydra enables SES GS and our government and military customers to proactively address service impairments, instead of reacting to them. The platform makes it easier to identify the problems in the entire network by putting everything – including the terrestrial network, space assets, and individual devices – all on a single pane of glass. This means that problems can be identified with an individual device or system and fixed before they cause a total failure in the network.
By becoming more proactive, we can ensure that essential comms are more assured and available for the warfighter at a time when comms are absolutely necessary for mission success. But there’s another element to Hydra that makes it important to today’s military requirements and objectives.
That same ability to share and visualize management and control data can make it easier for the military to operate a combined satellite architecture that incorporates commercial and military satellite assets. This is something that the military has been talking about and looking to accomplish for the better part of a decade, and that will even further increase comms assurance.
If an adversary denies a satellite – either disables it with a kinetic attack or jams its signal – having the ability to manage and control the network to send traffic around that satellite – either to other available military satellites or commercial satellites – could be the difference between having comms and not having comms. Platforms like Hydra are going to give the military the M&C data that they need to make that dream scenario a reality.
GDSOH: Mission assurance is essential for the DoD. You mentioned that Hydra can increase comms assurance and make the military more proactive in identifying and repairing problems with the network. How does it do that?
Amit Katti: While there is nothing revolutionary in terms of data collection technologies, we developed a tile-based platform that allows our military and government customers to develop custom dashboards that are specific to their unique mission.
In addition to providing basic M&C data, Hydra includes an inventory management system that integrates shared and dedicated devices, circuits, and the space segment into the same contextual environment. This enables the SES GS network operations center (NOC) and our government end-users to track, visualize and monitor all network resources, segments, and elements associated with a mission.
This ability to incorporate and visualize the entire network allows the customer to schedule and monitor the entire end-to-end network in a single, integrated pane of glass, diagnose problems more rapidly, and fix problems before they take applications, services, and capabilities offline.
This also allows them to request, monitor, and orchestrate commercial satellite services within their contract boundaries. And that’s essential in the scenario we discussed previously. If a military communications satellite is taken offline, being able to orchestrate commercial satellite capacity to fill that void is imperative to meeting an operation’s comms requirements without interruption.
GDSOH: Since mission assurance is so important, everything that the government and military is doing with new technology needs to be secure. What steps were taken to ensure that Hydra is a secure solution for government and military users?
Amit Katti: Hydra is built on a cloud-native architecture and is secure by design. The steps that we’ve taken and the security measures that we’ve baked into the application can be broken down or separated by the two aspects of the application – data ingest and user interface.
As it pertains to data ingest, the data collected from network and spectrum endpoints flows through a secure data supply-chain to centralized clusters in secure, double-wrapped IPSec tunnels. Endpoint data is never visible to any users except the SES GS NOC. This data is then processed using dedicated containers and visualized on custom dashboards and panels, allowing the user to view and interact with the processed data.
As it pertains to the user interface, the system uses a centralized authentication system based on OAuth 2.0 that requires a pre-approved account to log in. The system also requires a user to set up a multifactor authentication (MFA) key to access the dashboards. Every customer has their own silo and the ability to customize their respective dashboards. Hydra can also allow for single sign-on (SSO) in specific use cases, if a dedicated tenant is hosted for a customer.
The system is built on a multi-tenant architecture, and if a government user wanted to use this platform hosted in a dedicated silo, SES GS can spin up a dedicated environment, as necessary, to provide the same exact service that is available to regular users.
GDSOH: I understand that Open Source software was utilized in the development of Hydra. Why is Open Source code important for bringing applications like this to market quickly? What security implications can Open Source software have on application development?
Amit Katti: Using Open Source code and software offers portability and security. We do not want government users to feel restricted by how they can use our platform. We also want to make the setup and user experience simple and easy on the end-user. Utilizing Open Source software, code, and best practices enables that.
Spinning up a new instance of our platform takes a few seconds, and configuration and setup takes less than 30 minutes. Once we set up the system, the government users can start using the platform immediately.
The subsystems of Hydra are modular, so if a government user wants to exchange or remove packages – or a piece of code used in a module – that module can be modified in the user environment without impacting the overall system performance. This level of customization is only possible if we use open source software, since we don’t have to worry about protecting licensed assets.
GDSOH: Hydra was built with a DevSecOps approach to application development. Can you define what that means for the SES team? What did your development process look like? How was security shifted left in the SDLC? How did this impact the development process?
Amit Katti: For us, DevSecOps means baking security into every step of the application development process.
We architected the platform in-house and used reverse proxies for all external-facing networks. This inherently added an additional layer of security and resiliency by load-balancing instance clusters, providing TLS encryption, and denying all unintentional access to external traffic.
Any upgrades or bug fixes introduced into the platform have to go through malware scans and run in a secure sandbox before the proxy is pointed to the updated instance. All backend access is only available to selected users and that never changed when we moved the dev environment into production.
Every step of the process – from development through deployment – we are testing for security and verifying the security of the application and its updates. We’re not waiting until the end of the development process to identify and fix vulnerabilities, which not only allows us to move faster, but gives us more confidence in the overall security of the solution.
GDSOH: What tooling and technologies were utilized to help identify and eliminate vulnerabilities in this application? Is the team using static application testing and analysis solutions, interactive code scanning or other security tools to help bake security into new applications like Hydra?
Amit Katti: All traffic coming into the platform is filtered through an IDS/IPS firewall. In addition to this, because the proxy sits in a DMZ, we are able to block any unwanted traffic reaching our secure backend enclave.
Candidly, our expertise lies in network engineering, and not particularly in web or application security – therefore we maximize the use of all Layer 2 and Layer 3 traffic filtering, in addition to using unified threat management systems that equip our environment with antivirus, anti-malware, web filtering, data loss prevention, and intrusion detection and prevention capabilities.
In addition to letting the firewall manage external threats, we also aggregate logs from the proxies and firewalls and index these logs for further analysis in a miniature version of a SIEM system dedicated to Hydra.
Overall, we’re confident that Hydra is a solution that will not only help make comms more assured and available for the military at a time when they’re increasingly essential, but also give them increased visibility into their networks and make network maintenance and repair more proactive – and do so without adding security risks or vulnerabilities into their network.
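The proxy and firewall log aggregation Amit Katti describes, illustrated with an added Python example that is not SES GS code: it normalizes an nginx-style reverse-proxy access log and a netfilter-style firewall log into one event schema and counts denied events per source address across both, the kind of cross-source query a small dedicated SIEM index makes possible. The log formats, hostnames and IP addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines (not real Hydra logs): an nginx-style access log
# from a DMZ reverse proxy and a netfilter-style log from a perimeter firewall.
PROXY_LOG = """\
198.51.100.7 - - [12/May/2021:10:01:02 +0000] "GET /dashboard HTTP/1.1" 200 512
198.51.100.7 - - [12/May/2021:10:01:05 +0000] "GET /api/telemetry HTTP/1.1" 401 0
203.0.113.9 - - [12/May/2021:10:01:07 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.9 - - [12/May/2021:10:01:08 +0000] "POST /login HTTP/1.1" 401 0
203.0.113.9 - - [12/May/2021:10:01:09 +0000] "POST /login HTTP/1.1" 403 0
"""
FW_LOG = """\
May 12 10:01:03 dmz-fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22
May 12 10:01:04 dmz-fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=8080
May 12 10:01:06 dmz-fw kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=443
"""

PROXY_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
FW_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<action>\w+) .*?SRC=(?P<ip>\S+) .*?DPT=(?P<port>\d+)')

def normalize(proxy_text, fw_text):
    """Parse both log sources into one list of events sharing a common schema."""
    events = []
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        status = int(m["status"])
        events.append({"source": "proxy", "ts": m["ts"], "ip": m["ip"],
                       "denied": status in (401, 403), "detail": f'{m["req"]} -> {status}'})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        events.append({"source": "firewall", "ts": m["ts"], "ip": m["ip"],
                       "denied": m["action"] == "DROP", "detail": f'dpt={m["port"]} {m["action"]}'})
    return events

def denied_counts(events):
    """Count denied events per source IP, combining proxy and firewall views."""
    return dict(Counter(e["ip"] for e in events if e["denied"]))

def flag_sources(events, threshold=3):
    """Return IPs whose combined denied events meet the threshold, for NOC review."""
    return sorted(ip for ip, n in denied_counts(events).items() if n >= threshold)
```

Correlating the two sources matters because neither alone crosses the threshold for 203.0.113.9 in the sample: the proxy sees three failed logins and the firewall sees two dropped connections.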