Monitoring of Operational Testing and MIL-STD-810

Monitoring of Operational Testing

Monitoring of Operational Tests

Monitoring of operational tests and the recording of all critical performance parameters has become a requirement in MIL-STD-810H.

Operational testing has been a part of MIL-STD-810 since Revision C in 1975.  It refers to testing the item in a manner that represents service use as documented in the mission profile.  Successive revisions have placed more stringent requirements on this mode of testing.  Monitoring of operational tests is one such requirement. 

Requirements  as specified in Revision G change 1 Part 1, paragraph 5.10 reads as follows:

Performance check. Monitoring and recording of test item’s critical performance parameters is required before and after all tests. Monitoring of performance parameters is not required during non-operational tests such as storage and transportation. Monitoring of performance parameters during operational tests is strongly suggested.

Where cost concerns preclude monitoring during an operational test, consideration should be given to the consequences of undetected, intermittent failures.”

Revision H has changed the wording of the last two sentences of that paragraph to:

Monitoring and recording of the critical performance parameters during operational tests is required. If unable to monitor during operational tests, obtain test sponsor approval prior to the start of testing and document rationale in the test report.”

Monitoring of Operational Testing

Development of Monitoring and Simulation Equipment

Environmental testing has the capability of inducing intermittent failures in equipment.  Detection of these failures is critical in Developmental Testing and Evaluation to ensure a product’s capabilities during field testing and deployment.  These increased requirements call for a more diligent approach to the design and planning of monitoring equipment used in operational testing. 

Designing, building, and programming the required (off chamber) equipment requires time and resources.  Monitoring equipment should be capable of detecting recording and capturing intermittent failure conditions.  It should then notify test personnel of failures.  It should record all critical functions and exercise the Unit Under Test (UUT) to simulate in service operation. 

Additionally, it should be able to aid in the performance of functional and operational tests.  These tests are used to verify all modes of operation of the UUT before, during and after environmental tests.

Evolution of MIL-STD-810 Environmental Testing

Many issues have evolved during various revisions of MIL-STD-810.  A study of the history of these issues show a repeated effort by those writing the standard to stress areas where materiel developers have fallen short in developmental test and evaluation.  This has been the case with test parameter tailoring, power requirements, and yes, the methods utilized in operational testing.

There are numerous issues that can cause intermittent issues in electrical and electronic equipment: 

  • Tolerance stacking of components can often lead to intermittent failures during temperature testing. 
  • Humidity can cause intermittent reductions in the electrical isolation of signals. 
  • Dynamic testing, especially where higher frequencies are present, i.e. Pyroshock testing, can cause piezoelectric effects. 

These intermittent failures can lead to unexpected behaviors from equipment that can result in a number of safety related issues especially when the equipment being tested is mission critical.  The increased requirements in MIL-STD-810 no doubt can be traced to issues encountered during operational testing or during service.

In essence, a “green light” on the UUT is no longer a suitable solution, if indeed it ever was.  Properly designed equipment is required monitoring operational tests during tests. It is impossible for a human to monitor a test of long duration or perceive short intermittent failures.

Other Requirements for Monitoring and Simulation Equipment

Such monitoring equipment is also useful in EMI/EMC testing for detecting susceptibility issues.  It can also exercise the equipment under test to provide representative operation necessary for adequate evaluation of equipment emissions.  Operational testing is a requirement for most EMI/EMC testing. 

It is definitely a requirement for MIL-STD-461 testing.  Operation of equipment in standard modes is required for modes of testing in this standard including conducted emissions, radiated emissions, conducted susceptibility, and radiated susceptibility. 

For emissions testing, exercising the Equipment Under Test (EUT) exercises it to create a nominally characteristic level of electromagnetic behavior.  During susceptibility testing however, great care must be taken to monitor the EUT for operational failures caused by the presence of electromagnetic fields and electrostatic discharges.

The same holds true for electrical compatibility testing.  This testing includes standards such as MIL-STD-704, MIL-STD-1275, and MIL-STD-1399-300B parts 1 and 2.

CVG Strategy Product Test and Evaluation Experts

Our experts at CVG Strategy have extensive experience in Environmental and EMI/EMC testing and evaluation.  We have expertise in a number of industries and products, both military and commercial.  CVG Strategy specializes in Independent Developmental Testing and Evaluation including: Development of Life Cycle Environmental Profiles, Test Plans, Test Program Management, and Test Witnessing.

CVG Strategy also offers MIL-STD-810 Webinars that stress methods for employing this important test standard to get the most out of your test and evaluation program.

CVG Strategy is a consultancy offering coaching, mentoring, training and program development focused on areas including Product Test and Evaluation Business Process Improvement, Export Compliance, Cyber Security and Quality Management Systems.

SuperMicro Hardware Hack on Server Motherboards

Supermicro Hardware Hack
Supermicro Hardware Hack

Bloomberg reported on February 12, 2021 that a Supermicro hardware hack had been conducted on server motherboards by a Chinese espionage program.  This report follows previous reports by the news agency in 2018 and illustrates the susceptibility of technology manufacturers to supply chain attacks. 

The hack involved embedding a small integrated circuit into the trace on a multilayered printed circuit board.  This malicious hardware was inconspicuous enough to not be detected in quality assurance testing.  Its purpose was to send data from the server to China.  This hack has placed unknown numbers of data centers at risk in the public, private, and defense sectors at risk.

Spy Chips Found in Department of Defense Servers

In the Bloomberg article the United States Department of Defense (DoD) found that large numbers of its servers were sending data to China in 2010.  Previous devices with malicious chips were found in Lenovo laptops used by the U.S. military in Iraq in 2008.  It is not known how much data was compromised by these laptops in Iraq. 

The incident in 2010 involved Supermicro servers on unclassified networks.  While the implanted servers did not send any data regarding military operations, they did provide the Chinese with a partial map of the DoD’s unclassified networks.  Supermicro has stated in response to questions that it had “never been contacted by the U.S. government, or by any of our customers, about these alleged investigations.”

According to Bloomberg sources security experts surmised that the implanted devices could be setting up networks for more extensive hacks or sabotaging entire networks in the event of a conflict between nations.  In 2013 U.S. intelligence agencies including the National Security Agency decided to keep the discovery a secret, install countermeasures, and begin gathering intelligence on China’s motives without alerting it.

Supermicro Hacks Extend Beyond Hardware

Further investigations into the Pentagon breach ascertained that malicious instructions had been embedded in the servers’ BIOS, a set of instructions to the computer configuration that are executed during system start up.  These types of malware are difficult to detect by means available even to users with good security protocols.  These hacks were apparently conducted by Chinese agents early in product development.

Supermicro servers have also been exploited by a security breach generated by firmware updates generated from the company’s site.  These breaches were detected by Intel security executives in 2014.

Hardware Hack and Supply Chain Vulnerabilities

This series of incidents point out the vulnerability to industry supply chains.  Outsourcing manufacture of electronic assemblies to foreign countries is a common practice to reduce costs.  However, business as usual may no longer be an acceptable practice. 

U.S. government officials have in recent years been beating the drum about securing the supply chain, and while this may have immediate ramifications to the public and defense sectors, products destined for the private sector will continue to pose threats for network security and proprietary information. 

Industry has been slow to engage in even basic cyber hygiene practices.  Its willingness to apply stricter controls on its supply chain and manufacturing processes will be interesting to note.  Clearly the Supermicro case along with the SolarWinds hack calls for a serious reassessment of industry protocols and diligence.

Challenges for Information Security Management Systems

Information Security Management Systems (ISMS) are a compilation of policies, procedures, and controls to identify and mitigate risk to data security.  While incident response and asset management are features of these systems, assuring the security of the hardware, firmware, and bios of those assets provides sources of concern beyond the scope of many ISMS currently in place.

The National Security Agency (NSA) Cybersecurity Directorate has released Hardware and Firmware Security Guidance for aiding DoD administrators in the verification of systems currently in use.  This repository is continually updated as new information and guidance become available. 

Although this site is targeted towards the defense sector, it is applicable for organizations in the public sector as well.  A list of hardware and firmware vulnerabilities can also be found in a post on INFOSEC which outlines a number of other vulnerabilities.

CVG Strategy Cybersecurity Solutions

Security of data is essential for any organization.  This includes proprietary data, and the sensitive data of partners and customers.  This latest report on the Supermicro hardware hack underlines the rapidly changing parameters of data security risks. 

CVG Strategy is committed to helping businesses in all sectors, secure their sensitive data.  We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. 

We can provide the training required to understand and engage in a ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more.

The Department of Defense has been undertaking efforts to secure Unclassified Controlled Information (CUI) in its supply chain by the implementation of the Cybersecurity Maturity Model Certification (CMMC) program.  CVG Strategy is helping DoD contractors prepare to for these requirements while meeting interim DFARS 252.204-7012 assessment requirements.

International Trends in Cybercrime 2021

international trends in cybercrime
international trends in cybercrime

International trends in cybercrime show an increasing sophistication by both organized crime and hostile nation states.  These cybercriminals are continuing their efforts against high-value targets that include the industrial, IT, and infrastructure sectors.  This activity is occurring at a time when many organizations are struggling to develop integrated cybersecurity solutions.

Cybercrime Exploitation of Uncertainty

Cybercrime trends show continued use of familiar methodologies, such as Distributed Denial of Service (DDoS), phishing attacks, and ransomware attacks.  They have however, been quick to adapt strategies to tailor their cyber attacks to exploit opportunities presented by issues of the day.  The Microsoft Digital Defense Report released in September 2020 showed a large number of COVOID-19 themed attacks that started in February 2020 that trailed off in April 2020. 

Similar findings were found in EUROPOL’s Internet Organised Crime Threat Assessment.  This bringss additional challenges to law enforcement agencies involved in cybercrime investigations as they must continually respond to a changing cyber threats profile.

Industry Slow to Achieve Cybersecurity Maturity

Many industrial sectors have been reluctant to adopt systematic approaches to cyber hygiene.  Effective cybersecurity for organizations must include an Information Security Management System (ISMS).  An  ISMS is a collection of policies, procedures, controls, and incident responses that systematically address information security in an organization.  It is a framework based on risk assessment and risk management.

This has been the case with numerous businesses in the United States contracting with the Department of Defense (DoD).  In 2020, the interim ruling, DFARS 252.204-7012, placed cybersecurity requirements on Department of Defense (DoD) supply chain contractors vendors to complete security compliance with NIST SP 800-171 DoD assessment methodology.  

This has left many smaller businesses scrambling to meet SPRS Cybersecurity Assessment Requirements.  Once this challenge has been met they must move towards future Cybersecurity Maturity Model Certification (CMMC) to protect Controlled Unclassified Information (CUI) in the defense industry supply chain.

Industry, Infrastructure, Internet of Things Devices, and Industrial Control Systems

Many manufacturers and public infrastructure providers have implemented Internet of Things (IoT) devices to increase efficiency and productivity.  Billions of these devices are currently in use worldwide.  These devices are used in smart home products, wearable technology, health monitoring devices, alarm systems, and transportation equipment.  They can also be found in industrial controls technology, agriculture, military, and infrastructure applications. 

Most manufacturers implement such devices to control processes and gather critical data.  Unless these devices are correctly selected and properly implemented they present vulnerabilities for data breach of personal data, proprietary data, and industrial process control.  For example, in February of 2021 a hacker was able to access controls of a city water treatment facility, increasing levels of lye to dangerous levels.

Managed Service Providers Cybercrime Vulnerabilities

Managed Service Providers (MSP) allow businesses to outsource functions such as human resources, IT, and payroll.  These companies provide tempting targets for cyber crime.  In 2020 there were numerous high profile incidents involving MSPs. 

Once the MSP has been compromised the attack can be spread throughout its clients’ information with the same administrative rights as the service provider.  The attack can then result in stolen data and/or a ransomware attack to the client.

Understanding the Players

Cybercriminals control a vast underground economy worth trillions of dollars a year.  Hacking enterprises offer their services for hire and sell their stolen private and proprietary data online.  These players specialize in specific methods to meet their clients needs.  Beyond the hackers, dealers of stolen data create wealth to fund other activities including human trafficking.

Hostile nation states are key players in cyberattacks.  While countries like China are openly engaged in stealing proprietary information to further its economic gains, others like North Korea have funded their missile development programs through cybercrime.  A United Nations panel reported that North Korea is conducting operations against financial institutions and virtual currency exchanges. 

According to the Microsoft threat report, nation state targets include IT organizations, commercial facilities, critical manufacturing, financial services, and the defense industrial base.  The goals of these attacks is to acquire proprietary and confidential information and disrupt infrastructure facilities.

Responding to the Threats with ISMS

Responding effectively to international trends in cybercrime requires an integration of technological and management measures in an Information Security Management System framework.  This framework should acknowledge that a majority of industry peers have experienced a data breach and create viable incident responses that can detect, respond, and recover.

An ISMS should maintain accurate asset inventory, identify data flows and remote accesses so that an organization can conduct risk assessments and institute effective controls, policies, and procedures. Risk management should also identify the gap between an organization’s current current state of control practices and its desired state and create gap remediation.

These controls must then be integrated with appropriate security management technology.  Such technologies include physical security, multiple layer firewalls, and breach detection.  These tools provide methods to secure, defend, contain, and monitor data.

CVG Strategy Information Security Management System Consultants

International trends in cybercrime present challenges to organizations of all sizes.  We can help you meet your information security management system goals.  CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors.  We can provide the training required to understand and engage in a ISMS and make it meet desired objectives.

New Chinese Export Control Law Released

chinese export control law
chinese export control law

The release of the new Chinese Export Control Law (ECL) were approved by the National People’s Congress on October 17, 2020 and became effective December 1, 2020.  These laws will effect the export of military, dual-use items, nuclear items, and items related to the national security interests if the Chinese government.  While a basic framework for has been now established for a unified export control regime, many details await finalization.

Previous export laws in China had fallen under a variety of regulations including Customs Law, Criminal Law and Foreign Trade Law.  This new centralized Export Control Law should streamline the states ability to place restrictions on export and trade.  The new ECL are similar in structure, at first glance, to many systems in effect internationally, including the United States and Canada.  It remains to be seen exactly how similar as many details await finalization.

The Role of ECL in Chinese Foreign Policy

While citing national security for its implementation of the ECL, the law is seen by many as a response to recent sanctions of the United States against Chinese companies such as Huawei Technologies.  Many importers of goods from China remain hopeful that decisions made by the government apply the laws in a consistent and transparent manner.  It is also important to note that this action occurs at a time when China is seeking to broaden its international economic influence.

State Export Control Administrative Departments

The ECL will be administered and enforced by the State Export Control Administrative Agency to control the export of goods, technologies, or services.  They will apply especially to items for military and nuclear uses and dual-uses.  They will also extend to any items related to China’s international obligations (i.e. non-proliferation treaties and any goods used for terrorist purposes. 

The State Export Control Administrative Agency will be comprised of the State Export Control Administrative Departments (SECADs).  The SECAD shall have the authority to create the Export Control Item List of controlled goods and impose temporary prohibitions for a length of two years on any items seen as a threat to the national security of China.

ECL Framework

To engage in the export of controlled items or transfers of controlled items, applications for licensing are required.  Transport of these items shall be performed by an approved enterprise. As with U.S. export law, the ECL extends to the transfer of technologies and information.  Under the U.S. International Trade in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) such transfers are referred to as deemed exports. 

While the ECL framework is at present is sparse, containing only 49 Articles, 11 of those articles deal directly with the enforcement of the laws.  To be certain, exporters in China, and those engaged in re-exports, transfers, or import of goods from China should treat these provisions with respect.  Furthermore businesses that rely on imported goods or services from China should appraise their supply chain vulnerabilities.

Viewing the ECL in the Larger Picture

The new Chinese Export Control Law is but one development in the country’s agenda.  During the last several years, China has been become a more hostile force to be reckoned with. 

Increased Hostile Rhetoric Towards Taiwan

On January 29, 2021 the Global Times, an English language newspaper operated by the Chinese government, reported that Wu Qian, spokesperson of China’s Ministry of National Defense, said that “Taiwan independence” means war.  He went further to state that, should Taiwan choose to collide with the mainland’s will that they “they will be like a moth to a flame”.

China Island Building in South Seas

The islands, which have been under construction since 2013, have been condemned by the United States and nations in the South China Seas.  The U.S took further action by adding Chinese companies involved in the construction to the Entity List.

The islands allow for the military control of some of the busiest shipping lanes in the world.  The World Court ruled that the building of islands violated the sovereign rights of the Philippines.  This ruling has been supported by Japan, Vietnam, and Australia who also contest China’s assertion of claims to the waters.

Actions in Hong Kong

For decades, the Hong Kong Special Administrative Region (HKSAR) has served as a major conduit for global finance and trade.  The Chinese Communist Party imposed severe security measures under the National Security Law on the area in 2020.  In addition to raising concerns about human rights, these actions are seen to undermine the autonomous status of Hong Kong.  As such, it is now impossible to ensure that exports are not diverted to China’s People’s Liberation Army or Ministry of State Security.

As a result the United States Department of Commerce suspended Hong Kong’s special status for the export of sensitive technologies.  The United Kingdom, has voiced concerns for human rights and trade in Hong Kong and has undertaken an effort to allow citizens of Hong Kong to move to the U.K. and eventually apply for citizenship. 

The European Union (EU) has stated its concerns about the conformity of the National Security Law with Hong Kong’s Basic Law and with China’s international commitments.  The European Union considers it essential that the existing rights and freedoms of Hong Kong residents are fully protected.  How the rest of the world reacts to this crisis will very likely change the dynamics of trade in the region.  It will be important therefore, to continue monitoring this situation.

CVG Strategy Export Compliance Consultants

Given the degree of volatility in the international arena, it is more important than ever that businesses remain aware of developments in trade laws.  The new Chinese Export Control Laws are just one example of a development that could greatly effect a company’s business operations.  CVG Strategy, LLC is recognized the world over as the premier provider of export compliance consultation. 

We can help you develop customized export compliance programs that address your organizations requirements.  We specialize in integrating compliance programs into quality management systems to ensure essential documentation, control, and assessment.  This includes ITAR and  Export Administration Regulations (EAR).  We also can provide assistance with the Canadian Goods Program.

Our ITAR compliance consultants work with businesses of all sizes.  We can provide training for your organization at all levels to keep your team up to date.  We even serve as an outsourced Export Compliance Officer for some clients, who don’t have the bandwidth to dedicate to the function but need it done on a part-time basis.