Video Recording, Storage, and Encryption

Network attached storage UAV

Deployed Sensors and Cameras

Modern aircraft are being equipped with an increasing number of sensors. The aircraft range from fixed wing versions like fighters, ISR (intelligence, surveillance, and reconnaissance), transport, and refuelers to rotary wing versions like helicopters. In addition to onboard sensors, many aircraft are also being equipped with external pods that hold additional modular instrumentation under the wing or the fuselage. While many aircraft have an onboard crew, an increasing number are now unmanned.

In addition to radar and other similar sensors, many cameras are now being included in the sensor suite. Whether they're infrared for nighttime operations or traditional daytime cameras, they have higher resolution than ever and continuously stream data (frames). This video is being used by the onboard crew in manned vehicles or by the ground crew in unmanned vehicles. The video is also saved for post-mission analysis.

deployed aircraft, camera, rmc, DTS1, encryption,

Figure 1: Transport of Unclassified RMC

However, cameras and other sensors stream data continuously and at increasing volumes.  Sensor data may be sent directly to single board computers (SBC) or digital signal processors (DSP) for refinement and distribution.  Sensor data may also be stored first in network attached storage (NAS) or direct attached storage (DAS) devices.  Increasingly, network attached storage devices are being used based on Ethernet protocols.  All data on the aircraft are at increasing risk to exploitation.  See the Curtiss Wright whitepaper regarding such threats:  Data-At-Rest Encryption Series: Data Threats and Protection White Paper.

For the stored data on aircraft, known as data at rest (DAR), there are several problems to solve.  Data storage is one problem which can be solved by adding storage capacity (more or larger disks).  Data speed is another problem which can be solved by faster processors, faster disks, and faster networks.  Data security is another problem which is increasing solved with innovative encryption techniques like that used in the network attached storage example in Figure 2.  Data format is another problem for system designers.

This blog focuses on the problem of camera data format but also touches on the capacity, speed, and security. 

Capturing Video Streams

Modern aircraft are now deployed with Ethernet networks, which require a network attached storage device (also called a network file server) to store data. Network clients (including mission computers, sensor management computers, digital signal processors, radars, other sensors, and cameras) can store data on, and retrieve it from, the network attached storage.  Gigabit Ethernet (1GbE) is very commonly used and supported by network attached storage devices like the example in Figure 2.

DTS1, NAS device,

Figure 2: Curtiss-Wright Data Transport System (DTS1) Network Attached Storage Example

The high-resolution cameras stream video using Moving Picture Experts Group Transport Stream (MPEG-TS) packets with H.264-encoded video. MPEG-TS is an industry-standard video format for transmitting and storing audio and video data. MPEG-TS is widely used by the military and by commercial broadcasters. MPEG-TS was originally developed for the motion picture industry. H.264, also known as Advanced Video Coding (AVC) or MPEG-4 Part 10, is a video compression standard which reduces the amount of data required to be transmitted.  There is a wide base of industry support for MPEG-TS and H.264.

The Curtiss-Wright Data Transport System 1 slot (DTS1) product shown in Figure 2 is an example of a modern network attached storage device. The DTS1 is a very small, rugged network attached storage system currently deployed by numerous United States government entities on manned and unmanned aircraft. The DTS1 protects top secret data with two layers of AES256 encryption prior to storage.  Information regarding the DTS1 can be found in Appendix I and at: DTS1 Data Transport System – NIAP Common Criteria certified, NSA CSfC approved.

In addition to supporting numerous standard network storage protocols (NFS, CIFS, FTP, HTTP, iSCSI), the DTS1 simultaneously accepts multiple real-time protocol (RTP) streams with MPEG-TS packets. It supports a variety of video formats, including 720p30 and 1080p30. The RTP streams can be received on either of the two GbE ports while standard protocols are also being used.  

While the standard network protocols use Transmission Control Protocol (TCP), RTP instead uses User Diagram Protocol (UDP).  TCP is more reliable with guaranteed delivery but is slower.  UDP is less reliable but is faster than TCP.  This speed difference is critical for video streaming via Ethernet.   

In the DTS1, the H.264 compressed video data is processed, translated into files, encrypted (by both hardware and software layers), and stored on a removable memory cartridge (RMC). Both encryption layers are approved by the National Security Agency (NSA) for use in deployed solutions. These layers have been designed and tested to meet the requirements of the NSA's Commercial Solutions for Classified (CSfC)3 program. Appendix II provides a few more details regarding CSfC. 

The video files can also be retrieved for playback while being stored using Windows applications like VLC.

The DTS1 has room for one removable memory cartridge. After encryption, the video data is stored on the removable memory cartridge, which has a capacity of up to 8 TB. The removable memory cartridge can then be removed from the DTS1 in the aircraft and transported safely back to a base or ground station for post-mission analysis, as shown in Figure 3.

The removable memory cartridge is considered unclassified after being removed and while unpowered during transport. This is important for deployed vehicles, where classified data must be transported to and from the vehicle, as in Figure 2.

It is important to note that the removable memory cartridge has no encryption mechanisms2 and has no power source other than the DTS1. The two commercial encryption layers reside in the DTS1 only. Two separate layers of AES256-bit encryption have encrypted the data residing on the RMC.

Once the removable memory cartridge is at the ground station, it is plugged into another DTS1. The H.264 video files are then decrypted and become available to network clients for analysis.

Summary

High-definition video streams can now be captured by a rugged Network Attached Storage that is also being used as a standard file server. Critically for deployed applications, the video files are protected with NSA-approved encryption up to and including top-secret level.

With 8 TB of storage capacity in the DTS1, many video files can be stored and safely transported from the deployed aircraft to the base station, where they can be analyzed.

Appendix I: DTS1 Encryption Details

The DTS1 as seen in Figure 2 includes two certified layers of commercial encryption to protect data at rest (DAR). The outer encryption layer is hardware full disk encryption (HWFDE), and the inner layer is software full disk encryption (SWFDE).

After the data is encrypted by two layers of AES256-bit encryption, the data is stored on a solid-state drive housed inside a specially designed removable memory cartridge. The removable memory cartridge comes in various capacities, up to 8 TB. The removable memory cartridge can even be removed while the DTS1 still has power applied. This capability is known as "hot-swapping," which is important so that the deployed vehicle does not have to be powered down. Before removing the removable memory cartridge, the operator opens the latched door and then presses a button on the front of the RMC. This button initiates a shutdown procedure stopping data flow to that removable memory cartridge so that data does not become corrupted. When the LED indicators on the RMC light up in a proper sequence, the removable memory cartridge is ready to be removed for transport. A new, fresh removable memory cartridge may be inserted at that time.

The removable memory cartridge is considered unclassified when removed from the DTS1 and safely transported from the aircraft to the ground station.

Appendix II: CSfC Details

Commercial Solutions for Classified (CSfC)3 is essential for the NSA strategy to deliver secure cybersecurity solutions. The CSfC program leverages commercial encryption technologies and products to provide much-needed cybersecurity solutions quickly. Commercial encryption technologies are employed in many technologies today, such as automobiles, mobile phones, tablets, and home security systems.

To achieve mission objectives, U.S. Government (USG) customers increasingly require immediate use of the market's most modern commercial hardware and software technologies within National Security Systems (NSS). Consequently, the National Security Agency/Central Security Service (NSA/CSS) has developed ways to leverage emerging technologies to deliver more timely cybersecurity solutions for rapidly evolving customer requirements.

The CSfC program was established to protect classified NSS data with commercial products in layered solutions. Solutions handling Top Secret/Sensitive Compartmentalized Information (TS/SCI) have been approved. CSfC provides efficiency and security. Efficiency through the ability to securely communicate based on commercial standards and security through an NSA-managed program that offers a solution that can be fielded in months, not years.

For more details regarding the CSfC program, reference the Curtiss-Wright white paper "DAR Series Part 2: Commercial Solutions for Classified (CSfC)."

1  Choosing the Best Location for Your Data-At-Rest Encryption Technology

2 Commercial Solutions for Classified Program (CSfC)