TechnologyToday
H IGHLIGHTING R AYTHEON ’ S T ECHNOLOGY
2007 Issue 2
Raytheon Secure Systems and Networks
Delivering Mission Assurance in a Hostile Cyberspace
A Message From
Dr. Taylor W. Lawrence
Vice President of Engineering, Technology and Mission Assurance
The Information Age is dramatically changing the scope of threats our customers
must be prepared to counter. They need systems that can quickly put actionable
information into the hands of the appropriate personnel who need it, when they
need it, over absolutely secure channels. This requirement is something I regularly
hear from our customers, and something I spent considerable time on while I was
staff director for the U.S. Senate Select Committee on Intelligence.
Access and security … that is quite a balancing act. As you will read in this issue
of Technology Today, Raytheon is a leader in providing secure systems and networks
to deliver Mission Assurance in a hostile cyberspace. The following pages include
feature stories on multi-level security, information assurance and intrusion-tolerant
systems, as well as on the Compartmented High Assurance Information Network
(CHAIN) we are developing and deploying for the Defense Advanced Research
Projects Agency (DARPA).
This issue also launches a new leadership column, which presents thoughtful
comments about strategy and direction from our corporate leads in Engineering,
Technology and Research, Operations, Performance Excellence, and Mission
Assurance. In the inaugural column, Heidi Shyu, vice president of corporate
Technology and Research, discusses her approach to creating an enterprise-wide
technology vision and direction, and the importance of disruptive technologies.
Last but not least, I would like to congratulate our Excellence in Engineering and
Technology Award winners. Seventy-eight outstanding Raytheon engineers and
technologists were recognized in April with the company’s highest technical honor.
As a technology company, Raytheon is determined to stay on the leading edge of
innovation to help us fulfill our mission of ensuring customer success. The efforts
of these award recipients have made a significant contribution to this success, and
to the success of our company. For that, they all deserve our thanks and gratitude.
Until next time …
Dr. Taylor W. Lawrence
2
2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
INSIDE THIS ISSUE
Technology Today is published
quarterly by the Office of Engineering,
Technology and Mission Assurance
Vice President
Dr. Taylor W. Lawrence
Secure Systems and Networks Overview:
Addressing the Challenge of Information Warfare
Ensuring That Our Systems Can Be Trusted
The Benefits of Multi-Level Security
Intrusion-Tolerant Systems
Wireless Honeypots
Raytheon Human Review Manager
Information Assurance and Survivability Research at DARPA
CHAIN: Compartmented High Assurance Information Network
Information Assurance: A Holistic Approach
Leaders Corner: Q&A With Heidi Shyu
Eye on Technology
Architecture and Systems Integration
Processing
EO/Lasers
RF Systems
Materials and Structures
4
5
8
12
14
15
17
18
20
21
23
24
26
27
28
Raytheon Enterprise Process Group Workshop
30
Software Engineering Process Group Conference
31
Excellence in Engineering and Technology Awards
31
CMF Profiles: Driving Innovation Into Everything We Do
32
Getting to Know Your Raytheon Certified Architects
33
Managing Editor
Lee Ann Sousa
IPDS Version 3.2: Delivering a Streamlined Process Foundation 34
Editorial Assistant
John Cacciatore
Raytheon Six Sigma Business Excellence
U.S. and International Patents
Art Director
Debra Graham
EDITOR’S NOTE
Photography
Rob Carlson
Alain Ekmalain
Dan Plumpton
Bob Tures
Publication Coordinator
Carol Danner
Contributors
Sue Booth
Kelly Lei
Matthew Rixon
Larri Rosser
Sharon Stein
Kevin Wynn
36
38
Picture a scenario where the power goes out. Your cell phone is dead, the Internet is
inaccessible. Airports, trains, banks, traffic lights, power grids, telecommunications are
all shut down. You hear that the United States has been attacked — not by conventional weapons, but by cyber attack. This threat is very real. In fact, very recently, Estonia’s
civil and financial infrastructures were crippled by cyber attacks in what some are calling
the first cyber war. It is a threat to our homeland and to the warfighters who defend
our freedom.
This issue highlights Raytheon’s efforts to detect and deter an ever-growing barrage of
cyber threats to our systems and information at home, as well as those mission-critical
systems our warfighters depend on to complete their mission. You’ll get a look at the
Human Review Manager system being developed out of Raytheon’s IIS business, as well
as the wireless honeypot research Raytheon’s NCS business is co-sponsoring with the
University of Florida, to name a few.
You’ll read about urban warfare challenges, gallium nitride technology and metamaterials, as well as the upcoming release of IPDS version 3.2.
We hope you enjoy this issue, whether in hard copy or online at
http://wwwxt.raytheon.com/technology_today/current/index.html.
If you have any ideas or suggestions for future articles, please drop us a note at
techtodayeditor@raytheon.com.
As always, I look forward to your comments. Enjoy!
Lee Ann Sousa
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2
3
Feature
Addressing the Challenge of
Information Warfare
feature overview
I
t is no surprise that information assurance, or information security, is a top
priority concern for Raytheon and our
customers. Information assurance protects
systems and networks from loss of availability, integrity, confidentiality, authenticity
and control or ownership. It includes measures taken to detect and respond to cyber
threats. It is what makes systems and networks secure. This is critical to delivering
Mission Assurance in the age of information warfare. When members of the armed
forces rely on our technology, they depend
on us to do the job right — regardless of
whether they are facing an enemy on the
battlefield or in cyberspace.
Our military customers need secure systems
that also handle multiple levels of security.
Modern security classification practices
have been used since the mid-20th century
to protect sensitive information at various
levels, granting individuals access to information according to their “need to know.”
In today’s world, many military systems
must create, transmit, store and process
dynamically changing information at multiple levels of security and deliver it to the
right users at the right time. Information
must not leak from one security domain to
another, either by accident or by the malicious intent of a user, administrator or an
external attacker. Several articles in this
issue discuss how Raytheon is addressing
4
2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
Our nation needs secure computers and networks that deliver Mission Assurance even
in hostile cyberspace. Information warfare is
a valid strategy for attacking military forces
as well as a nation’s critical infrastructures.
A war could be won in cyberspace without
firing a shot, by successfully compromising
information systems and networks that are
essential to banking, utilities, industry and
our national defense.
different challenges in engineering multilevel secure information systems.
Raytheon has established a dependable and
repeatable process for engineering information assurance into its systems. Our process
incorporates federal standards and guidelines with Raytheon best practices to ensure
that the systems we develop can be trusted.
It covers engineering activities from information assurance requirements development
through system certification and accreditation (C&A). The process addresses many
challenges, such as developing a secure system that contains COTS hardware and software components that were not designed
with information assurance in mind.
Network architectures, links, routers and
protocols must be secure, reliable and
robust, delivering a high quality of service
under attack. Our dependence on networks
will only grow as the military realizes its
vision for the Global Information Grid (GIG)
and its Net-centric Enterprise Services
(NCES). This global network of systems will
manage and deliver information on demand
to warfighters, their leaders and support
teams. Networks will need to be self-healing; they must know their attackers, learn
their goals and adaptively respond.
One of the steps Raytheon is taking toward
that goal is highlighted in the article on a
honeypot for wireless networks. A honey-
pot is an information system that is used to
attract, confuse and observe attackers, and
to identify the threats they pose so that
these threats can be mitigated.
Raytheon is conducting internally funded
research to address anticipated and real
customer needs that no currently available
security technology can meet. An example
discussed in this issue is intrusion tolerance
— the ability of a system to tolerate malicious faults. This enables a system to operate under sustained cyber attacks, including
new and unknown attacks. Coupled with
self-regeneration, the ability to automatically and fully restore all services after an
attack, intrusion tolerance will be a major
step forward in delivering Mission
Assurance in hostile cyberspace. Raytheon
recently participated in DARPA’s SelfRegenerative Systems (SRS) program, and is
now working to transition the results of
SRS and other DARPA programs described
in this issue to make such capabilities realizable in future systems.
Raytheon is also teaming with universities
and small businesses to develop and apply
technologies that address security challenges on many fronts, such as improving
the survivability of wide area networks, and
mitigating the “insider” threat presented
by malicious users. •
Tom Bracewell
bracewell@raytheon.com
Feature
Ensuring That
Our Systems
Can Be Trusted
T
he systems we build must be trustworthy. That is because the information they provide is used to make
decisions on matters of national defense,
national security and public safety. Often,
these decisions directly concern the safety
of the military personnel and public officials
of the United States and our allies.
Therefore, the end users of our systems —
our customers — demand trustworthy
information.
Decommission
System
5
Initiate and plan IA C&A
• Register system with DoD
component IA program
• Assign IA controls
• Assemble DIACAP team
• Review DIACAP intent
• Initiate DIACAP
implementation plan
Decommission
DoD Information Systems
• Disposition of the DIACAP
registration information
and system-related data
4
1
• AIS Applications
• Enclaves
• Platform IT
Interconnections
• Outsourced IT-Based
Processes
2
Maintain authority to operate
and conduct reviews
• Maintain situational awareness
(revalidation of IA controls must
occur at least annually)
• Impact IA posture
3
Implement and validate
assigned IA contracts
Make certification determination
and accreditation decisions
• Execute and update DIACAP
implementation plan
• Conduct validation activities
• Compile validation resuls in
DIACAP scorecard
• Issue certification determination
• Make accreditation decision
Figure 1. DIACAP Activities Summary
All information technology (IT) systems
must be certified and accredited in accordance with national policies, federal standards and agency guidelines — regardless
of the sensitivity of the information
processed on those systems. These standards and guidelines define the certification
and accreditation (C&A) processes1 and
information assurance (IA) requirements2
used to ensure that IT systems can be trusted to protect the confidentiality, availability,
integrity and non-repudiation3 of the information they process.
systems and to implement C&A processes. In
2005, Raytheon integrated the ISSE process
into its common engineering and product
development process.
The C&A processes and Raytheon’s ISSE
process are integrated into system development from the program startup through
deployment. They affect requirements
analysis, system design, development, testing and deployment.
Certification and Accreditation
Proving that our systems are trustworthy is
the focus of our customers’ C&A processes.
The end goal of C&A is to achieve the
approval to operate a system by verifying
that it provides protection at an acceptable
level of residual risk.
The customers’ C&A processes do not tell us
how to successfully turn a system concept
into a secure, certifiable system, and they do
not provide a common, unified process for
achieving C&A. A common process was first
developed by the Information Assurance
Technical Framework Forum (IATFF) and
termed the Information System Security
Engineering (ISSE) process. It provides a standard, dependable way to engineer certifiable
Our customers’ C&A processes are all variations on DoD IA C&A Process Guidance
(DIACAP). DIACAP is derived from the DoD
Information Technology Security
Certification and Accreditation Process
(DITSCAP), an earlier standard that it recently superceded. Different customers have tailored versions of the C&A process, but they
all work largely as DIACAP does today.
The DIACAP process (see Figure 1) consists
of five phases or activities:
1. Initiate and Plan IA C&A (Definition) –
Define and agree on the system
requirement and mission security levels
2. Implement and Validate Assigned IA
Controls (Verification) – Verify that the
design works and provides the right
security
3. Make Certification Determination and
Accreditation Decision (Validation) –
Test the system to ensure it meets all
relevant security requirements and can
operate at an acceptable level of risk
4. Maintain Authority to Operate and
Conduct Reviews (Post Accreditation) –
Ensure that the system maintains its
security configuration and all changes
are properly documented
5. Decommission System
The C&A process and system development
begin with analyzing program objectives,
identifying the specific standards and
guidelines applicable to the program, and
translating these into system level requirements. At this stage, it is important to
forge an agreement with the key stakeholders involved in the system development
and C&A process.
A continuing partnership must be established at the beginning of the program
between the customer program office and
Continued on page 6
1C&A processes are defined by DITSCAP, DIACAP, DoDIIS C&A Guideline, NIACAP, NISCAP and NIST SP 800-37.
2Principal IA requirements documents are DCID 6/3, DoD 8500.2 IA controls and NIST SP 800-53A.
3Non-repudiation is a property achieved through cryptographic methods which prevents an individual or entity from denying having performed a particular action related to data
(such as mechanisms for non-rejection or authority (origin); for proof of obligation, intent, or commitment; or for proof of ownership).
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2
5
Feature
Ensuring That Our Systems Can Be Trusted
Continued from page 5
the various stakeholders involved in the
C&A process. Early involvement keeps the
stakeholder aware of the challenges in
securing the system. The typical stakeholders include the program management
office, systems developers and integrators,
the designated approving authority (DAA),
certification authorities and the user organization. This partnership is often referred to
as a security accreditation working group
(SAWG). It uses a disciplined vetting
process to tackle and resolve security issues
in order to help achieve accreditation.
diagrams, process maps and documents to
support execution of the DIACAP. It offers a
workspace for DIACAP users to develop,
share and post lessons learned, best practices, and IA events and news. It also provides developers with an online tool for
C&A documentation development.
During development, the engineering team
must design a system to be compliant with
applicable security policies and directives.
The C&A engineer works closely with other
engineers to ensure this compliance, and to
ensure that IA operational details are captured
in required IA documentation. The working
relationship between the C&A engineers and
others can make or break the accreditation of
the program’s cost and schedule.
• Type accreditation – Multiple instantiations of similar systems with similar configurations, and similar environments at
various locations. Each instantiation is
under the same Principal Accrediting
Authority (PAA).
All hardware and software components are
analyzed to determine whether they are IA
or IA-enabling products that provide or
support security functionality to protect
sensitive information. These products
include commercial off-the-shelf (COTS) or
government off-the-shelf (GOTS) operating
systems, firewalls, intrusion detection systems (IDS), and virus protection or encryption devices. During system development,
engineers, technicians and managers conduct trade studies to select IA products
from a common criteria–evaluated products
list of approved IA hardware and software.
Products must be evaluated in accordance
with specific standards.
Engineers are supported throughout the
C&A process by a Web-based knowledge
service (KS) provided by the DoD
Information Assurance Certification and
Accreditation Program (DIACAP). This service provides an authoritative source of C&A
information. It contains a library of tools,
6
2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
There are several types and levels of accreditation. The system owner will seek formal
accreditation for one of the following:
• Site-based accreditation – All systems at
a single site are consolidated under a
single set accreditation
• Accreditation of similar systems – Similar
systems are essentially the same based
on need to know and access level. The
Master Systems Security Plan
(SSP)/Systems Security Authorization
Agreement (SSAA) may be used for this
type of system under the same PAA.
An accreditation boundary that contains all
the hardware and software that composes
the operational system defines the scope of
the system to be accredited.
A system must be accredited to operate
at a particular protection level or Mission
Assurance category. These levels and categories determine how much security is
required based on the sensitivity of the information processed, who has access to the
information, and what assurances the system will provide to protect the information.
Accordingly, they affect the level of effort
required for certification and accreditation.
There are a number of critical success factors
in executing the C&A process, including:
• Ensure that program and security managers develop a C&A strategy and get
early buy-in from stakeholders
• Make certain that engineering and
security management collaborate on the
design to ensure that functional and
security requirements are nailed down
• Select hardware and software products
that meet the assurance levels according
to the common criteria
• Keep accreditation boundaries simple
so they are clearly understood by the
accreditation authority
• Use the security accreditation working
group to resolve IA issues;
preserve meeting minutes for records of
activities discussed and agreed upon
during discussions
• Include all C&A activities in the
master schedule
• Pay particular attention to CT&E and
ST&E activities to ensure all relevant test
cases are developed and the results of
those test activities validate the security
features and functions
• Separate security deliverables from functional deliverables; security deliverables
are reviewed and approved by officials
with concerns that are separate from
functional requirements
• Plan adequate time and resources to
fix the findings after the evaluation
is complete
The Raytheon ISSE Process
Raytheon’s Information System Security
Engineering (ISSE) process is a systems
engineering process that addresses the
security needs of the system owners and
users. It is a generic process designed to
meet our diverse customer base. Its purpose is to build trust into the systems we
deliver in a reliably repeatable manner.
The steps in the ISSE process mirror those
in the systems engineering process we use
to define and decompose our customers’
requirements, and develop and deliver their
systems at the consistently high level of
quality they expect. The process is formalized into five process activities. The integration of ISSE steps with each phase of the
various C&A processes is shown in Figure 2.
ISSE
Process
Define
Design
Discover
System
System
Information
Security
Security
Protection
Requirements Architecture
Needs
Develop
Detailed
Security
Design
Step 4: Develop a detailed security design
Accredited
Deployed &
Operational
System
Implement
Systems
Security
Assess information protection effectiveness
Definition
Initiate and plan the IA C&A (Phase 1)
Verification
Retire
System
Implement & validate IA Controls (Phase 2)
DIACAP
(Phase 5)
Certification determination
Validation Post accreditation
(Phase 3)
Definition
(Phase 4)
Development and verification
Validation and testing
DoDIIS
Post accreditation
NIST
Initiative
Certification
Accreditation
Step 5: Implement detailed security design
Mentoring
Figure 2. C&A and ISSE processes
Step 1: Discover customer’s information needs
The first activity in the ISSE process is to
discover the information needs of the customer. This involves gaining a thorough
understanding of the user and the user
environment of the system, as well as the
data on the system and any data movement into or out of the system (i.e., data
flow). Understanding this lets the security
engineer develop a sense of the security
risks associated with the final deployment
of the system. Continued communication
with the customer is critical to fully understanding their view of the necessary security of the system. In these discussions, however, both sides should also agree that
security is not an absolute — building security into the system must be a risk mitigation activity. The focus of the second activity is the acceptable level of residual security
risk that shapes the security requirements.
Step 2: Define specific system
security requirements
Defining specific system security requirements is the goal of the second activity in
the ISSE process. Using the customer
understanding gleaned in activity one, the
security engineer must define system secu-
Once a system architecture has been
defined that meets both sets of requirements, the fourth ISSE process activity can
begin: developing a detailed security
design. In this activity, security engineers
use their knowledge of security products,
security functionality of non-security
products, the interaction of these products
with the custom code being developed
for the system, and the underlying hardware and software standards to create a
build-to design that meets the security
requirements and aligns with the
approved architecture.
rity requirements that will ensure the security needs of the customer are met. This
also includes ensuring that the system will
meet any and all C&A standards levied on
the system. Other than being security-specific, these requirements must adhere to
the common requirement writing guidelines
to which all requirements should adhere. A
well-written set of security requirements
paves the way for activity three.
The final ISSE activity is to implement the
detailed security design. It is here that the
security engineer interacts with other
system implementers to create the system
captured in the system architecture above.
It is also here that shortcomings of the
detailed design or in the system architecture come to light, causing the design and
sometimes even the architecture to be
tweaked. The security engineer must be a
part of all such tweaks to ensure that the
security requirements are eventually met.
All necessary testing to sell off security
requirements and to meet C&A expectations also occurs during activity five.
Step 3: Define a system architecture
The third ISSE activity is to use the requirement set defined above and the understanding of the customer’s needs to define
a system architecture. Here it is critical for
the systems engineer and the security engineer to work together to create a system
architecture that meets all of the functional
and security requirements. Inevitably, this
requires compromise on both sides. As
with functional requirements, meeting
security requirements must be balanced
with the customer’s cost and schedule
needs. On the other hand, the security
requirements of the system often create
the need for the functional requirements to
be met with new approaches.
The ISSE process allows us to assure our
customers that we can reliably address
their security needs. Addressing our customers’ security needs instills trust in the
data our systems process and store. It also
verifies that the data has not been tampered with and that it will be available
when needed to all those (and only those)
who need the data. In turn, this increases
our customers’ trust in us. •
Robert Batie
robert_b_batie@raytheon.com
Jay Coleson
jay_c_coleson@raytheon.com
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2
7
Feature
The Benefits of
Multi-Level Security
M
Col. Roger Shell was
the deputy director of
the National Security
Agency’s (NSA)
National Computer
Security Center (NCSC)
as it was formed in the
early 1980s. Dr. Kenneth
Kung joined NCSC in
1984 as one of the
system evaluators using
the famous Orange
Book. He learned his
information assurance
techniques from
Dr. Shell and other
early pioneers in this
field (e.g., Steve Walker,
David Bell, Marv
Schaefer, Earl Boebert,
etc.). Dr. Kung is the
co-author and
contributor to several
other Rainbow Series of
guidelines, while NSA
remains the premier
organization to learn
the latest information
system and weapon
system protection
techniques.
8
ulti-level security (MLS)
has been a holy grail ever
since the early days of
applying computer systems to meet
the automation needs of military
and intelligence systems. In the
1970s, MITRE published a series of
papers (by Bell and LaPadua) that
describe the issues and rules of
determining access rights of individual users to information, based on
their credentials. In fact, in 1971,
Dr. Roger Schell (then a U.S. Air
Force major) conducted his Ph.D.
research at MIT on the Multics OS
protection rings.
Although multiple initiatives in the
1980s and ‘90s were launched to
tackle the MLS “problem,” the issue
is still with us today. This article
addresses the background of the
issues involved in solving the general MLS problem. It also describes
both the security functionality and
the assurance needs of the
Department of Defense (DoD) community of users and possible solutions to address those needs.
The DoD has a goal of fielding
systems that provide the right information at the right time to the
right person. In many cases, this
goal is difficult to achieve due to
the security classification of
the data. To properly safeguard
information today, many DoD information systems are separated in
domains at the highest classification level of any data in the
domain. They are commonly
referred to as “system high”
domains. If an individual does not
possess a security clearance to
access a domain, they are denied
access to all information within the
domain, even though some of the
information may have originated at
a lower classification and thus
2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
should be accessible to the individual. To ameliorate this problem,
high-speed guards requiring additional hardware and processing
overhead, or labor intensive procedures such as manually reviewing
data, are commonly used when
moving data between domains.
The single-level security domain
paradigm is not compatible with
this time-sensitive collaborative processing environment needed to
support net-centric operations and
the systems of element approach
where information is first published,
then later subscribed. The concept
of using single-level security
domains results in over-clearing personnel, over-classifying data and
creating system inefficiencies and
redundancies. To minimize or eliminate these problems, the concept
of MLS systems was developed.
MLS eliminates the need for these
separate domains. MLS systems
reduce the total cost of ownership
by eliminating hardware and software redundancies. Top secret,
secret, confidential and unclassified
data all can reside in a single MLS
domain. MLS provides the ability to
simultaneously receive, process,
store and disseminate data of multiple classifications within a domain
where not all users have the security clearance to access all the data
within the domain. MLS needs to
permeate into the computing environment (workstations, servers and
operating systems), the network,
the database and the mission applications — all must work together
to maintain trust. MLS systems
must assure that users are granted
access to all the data, systems and
services for which they are authorized, while denying them access if
they are not authorized.
Figure 1 illustrates a traditional
configuration using guards between
security domains on the left and an
MLS enclave on the right.
Multinational
Information Systems
The next major research milestone
is to tackle the issue of multination-
Traditional: one domain per
security classification
Multi-level security (MLS)
Data Store
Unclassified
Domain
Secret
Data Store
Computing
Environment
Switch/Router
Top Secret
Data Store
High Speed Guard
Data Store
Secret
Domain
Computing
Environment
Switch/Router
High Speed Guard
Top
Secret
Domain
Data Store
MLS Domain
with
Unclassified
through
Top Secret
Computing
Environment
Switch/Router
Figure 1. Traditional vs. MLS Enclaves
Switch/Router
Unclassified
Data Store
Computing
Environment
al information systems (MNIS).
MNIS are inherent in battle command to ensure the timely
exchange of information across all
coalition member domains and
government agencies. Raytheon is
doing research with the DoD to
identify the issues and potential
solutions under a study contract.
With the proliferation of coalition
operations and joint operations, the
issue of information separation
becomes even more challenging.
Not only must the information be
separated by clearance levels with
each country’s security policy, but
well-defined information must be
shared across multiple countries,
where agreements to share are on
a bilateral basis. Information
releasable to certain countries is
not releasable to other coalition
partners. This complicated set of
access control rules makes the BellLaPadula hierarchical security model
of “write up, read down” traditionally used in MLS systems look simple. Raytheon is currently working
to solve this demanding challenge
of sharing information in the presence of multiple compartments
within single security levels.
difficulties, customers often prefer
less trustworthy operating systems
such as Windows.
Multiple Independent Levels
of Security
Another approach being developed
to provide MLS capability is called
Multiple Independent Levels of
Security (MILS). Raytheon has been
working with the Air Force Research
Laboratory Information Directorate,
the Cryptographic Modernization
Program and the National Security
Agency for several years on the
foundational components for this
high assurance architecture to support systems with MLS requirements and/or Multiple Single Levels
of Security (MSLS).
The goal of the MILS program is to
establish a viable commercial market for high assurance, standardsbased commercial off-the-shelf
(COTS) products that can be used
to produce NSA-accredited systems.
By leveraging COTS products that
conform to the DO-178B safety
standard, it is anticipated that the
wider customer base for these products will result in a lower cost to
DoD security customers.
Trusted Operating Systems
There are several common
approaches when attempting to
provide MLS capability. One is to
use a trusted operating system that
attaches sensitivity labels to all
objects within the domain. (Sun’s
Trusted SolarisTM is an example of a
trusted operating system.)
Sensitivity labels identify security
classification and handling restrictions of the object. The sensitivity
labels are compared to the user’s
security clearance and privileges to
determine if access to the object is
allowed. These operating systems
are proprietary, tend to be very
difficult to administer, and are at
times extremely cumbersome to
use. Because of their size and complexity, they have typically been
evaluated only to a medium level of
robustness. Due to administrative
MILS have a layered architecture
that enforces an information flow
and data isolation security policy.
At the bottom layer of the architecture is a small but highly trusted
separation kernel. A separation kernel executes on processors such as
Pentiums and PowerPCs to provide
a virtual machine upon which a
variety of COTS operating systems
(e.g., Windows, Lynux, Solaris, etc.)
can be hosted. The separation kernel provides a high robustness reference monitor1 to enable this separation and to control communication between untrusted applications and data objects at various
levels of classification/caveats on a
single processor. It also enables
trusted applications to execute on
the same processor as untrusted
applications, while ensuring that
the trusted applications will not be
compromised or interfered with in
any way by the untrusted applications, (see Figure 2). Security policy
enforcement mediated by the separation kernel is non-bypassable,
always invoked and tamper-proof,
because it is the only software that
runs in privileged mode on the
processor. Thus, systems with applications at different security
levels/caveats require fewer processing resources.
The separation kernel’s security
requirements are specified in the
NSA’s U.S. Government Protection
Profile for Separation Kernels in
Environments Requiring High
Robustness, now in its final draft. A
separation kernel can be evaluated
to a high level of assurance
(Evaluation Assurance Level (EAL
6+), because it is very small — on
the order of 4,000 lines of
C-Language code. Although originally targeted to real-time, embedded systems, the Separation Kernel
Protection Profile (SKPP) has been
generalized to provide the security
requirements for a high assurance
virtual machine on which operating
systems with medium or no assurance, such as Windows, can execute in separate partitions without
degrading the assurance of the
overall system.
The Green Hills Software (GHS)
Integrity Separation Kernel is available commercially and is currently
undergoing evaluation at a high
robustness level by a National
Information Assurance Partnership
(NIAP) accredited Common Criteria
Testing Laboratory. It is targeted for
embedded and server applications
running on PowerPC and Intel®
processors. The Integrity Separation
Kernel is being used in the
Raytheon’s Space and Airborne
Systems NETSecure internal research
Raytheon is fielding a
product called CHAIN
(Compartmented High
Assurance Information
Network). CHAIN
permits the separation
of the information by
compartments (as the
name implies). Until
the true MLS system is
available, Raytheon is
fielding CHAIN in
multiple systems to
separate information
from different
domains using the
compartments
enforcement
mechanism. There are
multiple commercial
operating systems that
allow this enforcement.
To upgrade from
compartments to
multi-level security, the
underlying operating
system must meet the
functionality and trust
discussed in this article.
Continued on page 10
1IAEC 3285, NSA Infosec Design Course,
High Robustness Reference Monitors version 3,
Michael Dransfield, W. Mark Vanfleet.
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2
9
Feature
Continued from page 9
and development effort to develop an
MLS network processor that can be incorporated in legacy platforms such as the F/A-18
and B-2 to enable data fusion, sensor
integration, distributed targeting and
net-centric operations.
Two other COTS operating system vendors,
LynuxWorks and Wind River, have also
developed separation kernels conforming to
the SKPP that are available as Beta versions.
In addition, GHS has demonstrated a high
assurance Windows workstation running
on their Padded CellTM technology, which
is based on their separation kernel.
Separation kernels from the three vendors
have been demonstrated publicly running
a Raytheon application.
Raytheon has also conducted research in
the area of Partitioning Communication
Systems (PCS), which enables trust relationships and data separation to be established
between processors in a MILS enclave. The
PCS is part of the middleware layer of the
MILS architecture. In effect, the PCS functions as a data flow guard by controlling
the information that flows between an
application and the network.
When running in a separate partition on
top of a high assurance separation kernel
(see Figure 2), a PCS provides data separation and controls the flow of information
between processors in a manner that is
non-bypassable, always invoked and tamper-proof. The PCS also provides separation
by encrypting data before it is delivered to
device drivers or the network interface. This
enables the use of COTS network components in secure environments and may also
eliminate the need for some guards in cases
where downgrading is not required.
With Objective Interface Systems (OIS) as a
subcontractor, Raytheon is responsible for
the development of the security requirements documented in the Partitioning
Communications System Protection Profile
(PCSPP). OIS is independently developing
the first PCS, working closely with the three
separation kernel vendors and intends to
have it evaluated at a high robustness level.
10 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
Benefits of Multi-Level Security
Application (User Mode) Partitions
MILS - Multiple Independent
Levels of Security
MSL - Multi Single Level
MLS - Multi Level Secure
SL - Single Level
S
S
S
(SL)
(SL)
(SL)
Trusted Path
Console
Manager
(MSL)
Token
Service
Driver
File
System
Driver
Network
Interface
Unit
PCS
(MSL)
(MSL)
(MSL)
(MLS)
Guest OS/
Guest OS/
Guest OS/
Middleware Middleware Middleware
RTOS Micro Kernal (MILS Separation Kernal)
Supervisor Mode
MMU, Inter Partition Communications Interrupts
Processor
Figure 2. Representative MILS Architecture
The PCS has been demonstrated publicly on
the GHS separation kernel running on Intel
processors. A version of the PCS for
PowerPC is currently under development.
Protection profiles and products for other
MILS middleware components are in various
stages of development. As a subcontractor
to Raytheon under an AFRL CRAD program,
SRI International has started work on a
MILS Network System Protection Profile. A
MILS file system and MILS CORBA protection profile have also been proposed.
Trusted components such as downgraders,
firewalls, virus protection, and intrusion
detection and protection are employed at
the application level in the MILS architecture. These efforts are expected to continue
over the next several years.
Guard Technology
Evaluated MILS products are still years away
from being available in general workstations and servers. In the meantime, there is
a need to provide capabilities to connect
systems composed of various security levels
together, while granting access to only
authorized users of the data. One of the
key technologies that support data sharing
between security domains is the security
guard that sits between different security
domains. Raytheon has developed a product called High Speed Guard to support the
user community’s need for data sharing
between single-level domains.
What Is a Guard, Anyway?
Current security policies require a “trusted”
entity to independently validate data being
moved between top secret, secret and
unclassified networks. These products are
commonly known as “trusted guards,”
“high assurance guards” or just “guards.”
Guards typically function as proxies, providing security separation between the two
systems being connected. There are three
main functions for a guard:
• Network separation
• Mandatory access control
• Data validation
Network Separation
A guard’s high-security (“high”) side network interface has an IP address on the
“high” side network while the guard’s low
side network interface uses an IP address
from the low side network. Thus, the guard
provides network separation and typically
enforces source/destination IP via some
firewall mechanism in the guard.
Mandatory Access Control
Another requirement for guards is to
enforce Mandatory Access Control (MAC).
Per current security policy, a trusted operating system such as Trusted Solaris is
required to meet MAC requirements. In
a trusted operating system, the operating
system carries label information on all
components on the system — memory, file
systems, network interfaces, etc., — and
provides APIs for systems such as guards
to move data between security levels.
PROFILE: KENNETH KUNG
Msg: ABCD
Class: S
Dataset ID: Y
Current: Z
Coordinates:
12345N095432E
Classification X
High Speed Guard
Large File
Data Transfer
Message Transfer
Feed 1
Data
Feed 2
Data
Feed n
Classification Y
Msg: ABCD
Class: S
Dataset ID: Y
Current: Z
Coordinates:
12345N095432E
Figure 3. The Raytheon High Speed Guard provides a high-bandwidth, low-latency crossdomain solution for most intelligence community and DoD data types.
Data Validation
Guards must validate that the data passing
through it is authorized. Guards typically
enforce different checks depending on the
direction the data is flowing.
When data is passed from a high to low, the
main focus of data validation is to ensure
that only data authorized at the lower network’s security level is passed. Several
options exist for performing this check:
• Classification rules to independently
interrogate the data to determine its
classification
• Verify existing labels on data
• Verify upstream system’s digital
signature on data if provided
The correct option depends on a particular
system’s data formats.
The prevention of malicious content is the
primary concern when moving data from a
lower network. For file-based transfers,
virus scanning is the primary mechanism for
meeting this requirement. For streaming
data, virus scanning is problematic so data
validation can be used to verify that the
content of the data is valid and there is
no unknown content.
Raytheon High Speed Guard
Figure 3 illustrates a typical use of the
Raytheon guard.
Raytheon’s High Speed Guard was built
for high bandwidth needs within the
intelligence community. Key features of
our guard:
Performance: Currently achieves
850Mb/sec on 1 Gigabit networks and 4.5
Gb/sec on 10 Gigabit networks.
History: Our guard has been in use since
1998 and has over 144 units operational. It
has been certified by multiple agencies at
Director of Central Intelligence Directive
(DCID) 6/3 Protection Level 4.
Flexibility: The Raytheon guard supports
TCP/IP socket-based transfers, file-based
transfer, and has a Human Review capability
that utilizes digital signature validation. The
guard is also rehostable to various trusted
platforms. Raytheon’s current platform is
Sun using Trusted Solaris 8. Raytheon also
supports Silicon Graphics Incorporated (SGI)
hardware running Trusted Irix, but that OS
is being end-of-life’d in 2012. Raytheon
plans to support SELinux in the next 12–18
months and may also support Solaris 10
with Trusted Extensions.
Ease of Use: The Raytheon guard comes
with complete documentation and training,
enabling end users to maintain it, if desired.
The rules language is straightforward, but
very powerful and includes full XML parsing
capability. •
Carolyn Boettcher, cbboettcher@raytheon.com
Kenneth Kung, kkung@raytheon.com
Jerry Lebowitz, jalebowitz@raytheon.com
Kevin Cariker, kevin_l_cariker@raytheon.com
A principal engineering
fellow for Raytheon’s
Network Centric
Systems (NCS) business,
Kenneth Kung, Ph.D. has
over 26 years of system
and software engineering
experience, including
22 years with Raytheon.
Currently, he is leading
the architecture capability
area for NCS on the
Enterprise Net-centric Integration Capability
(ENIC) initiative, which seeks to change the way
we develop solutions and capabilities for Raytheon
customers. He leads the development of reference
architectures, solution architectures and architecture governance. This effort transforms our
culture by enhancing our speed to market, speed
to demo and ability to cost appropriately.
Kung represents NCS on the Corporate
Architecture Review Board. Some of the board’s
functions include developing a strategy to train
system architects, ensuring the interoperability of
various systems, and recommending Raytheon
architecture directions involving our customers.
He participates in several industry consortia and
standards committees, including the Net Centric
Operations International Consortium, the Open
Group Architecture Forum, the ISO/IEC JT1
Subcommittee 27 on Cyber Security U.S.
Technical Advisory Group, and the Systems
Architecture Forum. From these external boards,
Kung has been able to learn and exchange
lessons with others in the industry.
From 2004–2005, Kung was the Architecture
Technology Area Director at Corporate
Engineering, where he led the initial development of the taxonomy of the reference
architectures and C2 reference architecture.
Before coming to Raytheon, Kung worked
at the Aerospace Corporation, supporting the
National Security Agency on information security product evaluation. He has been lecturing
in colleges for more than 30 years on topics
such as information security and communication networks. He has also served on the
advisory boards of Harvey Mudd College
and California State University, Fullerton.
Kung received his bachelor’s degree in engineering from UCLA. He later received his master’s
and doctorate degrees in computer science also
from UCLA. He is a Certified Raytheon Six
Sigma ExpertTM and Raytheon Certified Architect.
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 11
Feature
Intrusion-Tolerant Systems
A
As a result, Raytheon is currently
working to develop an architecture for intrusion-tolerant systems.
This work leverages the results of
recent DARPA programs that have
developed and demonstrated
intrusion-tolerant technologies
and architectures. Raytheon has
participated in one of these proFigure 1
grams (Self-Regenerative Systems)
and is now working with the
research community to apply technologies
and concepts from these programs.
Current and Future Systems
Intrusion tolerance takes survivability to a
new level. While today’s systems prevent
most intrusions by blocking known attacks,
intrusion-tolerant systems must handle
12 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
unknown attacks. It is not enough just to
detect intrusions; a system needs to decide
on a course of action that will effectively
respond to the attack. Data from multiple
sensors must be correlated in order to better diagnose, isolate and respond to
attacks. Today’s responses usually involve
human diagnosis and interaction, which is
slow and often inaccurate. To handle varying attacks, operating scenarios and prevent
damage, diagnosis and response need to be
automatic, adaptive and at machine speed.
an attack by gracefully degrading its level of
service and its non-critical functions as needed. It will recover its full functionality and
level of service automatically after the attack.
Looking farther into the future, we can
expect systems to reason about attacks,
develop more effective responses to new
attacks, and improve their survivability over
time by identifying and removing vulnerabilities. This idea is illustrated in the “Lifecycle
Survivability” flow in Figure 1. In addition,
networked systems will
share their insights with
Add/Remove Vulnerabilities
one another, so that
(Design, Removal, Blocking,
whole families of similar
System Communities)
systems can rapidly gain
immunity from new
Prevent Intrusions
attacks and remove their
(Access Controls, Cryptography,
common vulnerabilities.
Trusted Computing Base, Multiple Security Levels)
Detect Intrusions, Limit Damage
(Firewalls, Intrusion Detection Systems,
Virtual Private Networks, PKI)
Tolerate Attacks
(Redundancy, Diversity, Graceful Degradation,
Deception, Wrappers, Proof-carrying Code)
Restore System
(Diagnosis, Learning, Reconfiguration,
SW Rejuvenation, Reflection, Cognition)
Conduct Forensics
(Auditing, Pattern Recognition)
In addition to blocking and detecting most
intrusions with mature security technologies,
an intrusion-tolerant system will use new
generations of security technologies to tolerate the intrusions that penetrate these
defenses. This idea is illustrated in the
“Operate Through Attack” flow in Figure 1.
An intrusion-tolerant system will respond to
Operate Through Attack
Today’s systems are not intrusion
tolerant, as security mechanisms
can only prevent or detect some
intrusions. Because of this limitation, a system may fail to perform its mission when an attack is
successful, and it may be unable
to recover quickly, if at all. What’s
more, it may fail to detect an
intrusion that compromises its
confidentiality or integrity. Clearly,
if today’s systems are to deliver
Mission Assurance in the face of
information warfare, they need to
be more secure than they are now.
Lifecycle Survivability
s a nation, we need information
systems that continue to operate in
the presence of a sustained cyber
attack. Our systems cannot afford to lose
their availability, confidentiality or integrity
when an attack becomes an intrusion —
that is, when an attack successfully penetrates a system’s security mechanisms to
form a malicious fault. The need for a system that can tolerate malicious faults,
deemed “intrusion tolerant,” is based on
the reality that some attacks will inevitably
succeed, and therefore must be
tolerated without compromising
system integrity.
Automating vulnerability
diagnosis and removal
will make lifecycle survivability improvement
practical. A system’s survivability naturally tends
to degrade during
deployment, as attackers
discover its vulnerabilities
and new attacks emerge.
Today, vulnerability diagnosis and removal are
complex, manual timeconsuming activities,
creating lengthy vulnerability windows during
which vulnerabilities can
be continually exploited.
This is a common problem
today among systems
connected to the Internet.
Ongoing DARPA research seeks to automate vulnerability diagnosis and removal at
the application level. Its goal is to develop a
software execution infrastructure that monitors and augments application behavior so
that multiple copies of an application
behave as a self-aware community. In turn,
this community would collaboratively
diagnose attacks/bugs/errors; generate
appropriate configuration changes, patches,
filters, etc.; and generate a communityspecific situation awareness gauge that
predicts the likelihood and timing of imminent problems. Eventually, this will lead to
automation at the system level.
Architecture Principles
Intrusion tolerance cannot be achieved by
simply adorning a system with security technologies after it has been designed. A system’s architecture must support intrusion
tolerance as well. A number of architecture
principles apply:
• The architecture should first maximize its
intrusion prevention and detection capabilities using mature security technologies
and techniques.
• The architecture must tolerate Byzantine
failures. This is because malicious faults
can asynchronously occur in any replica
and yield Byzantine failures.
• Static diversity, or implementing a function in multiple ways, should be used to
avoid common vulnerabilities. For example, research has made it practical to
automatically generate diverse executables from the same source code.
• Runtime diversity, which implements a
function differently at different times, will
make it harder for attacks to succeed. For
example, a system could be designed to
automatically change its configuration
from time to time to confuse the attacker.
• Attack isolation and containment will
prevent damage from spreading and bind
the set of elements that a system must
reconstitute after an attack.
• Correlating alerts from multiple intrusion
sensors will allow a system to better
diagnose, isolate and adaptively respond
to each attack.
• Adaptive response will enable a system
to respond appropriately to different
types of attack.
• Graceful degradation will prevent an
abrupt or catastrophic loss of service
during an attack.
• Self-regeneration after an attack will
automatically restore full functionality
and level of service. Automation will
speed the process and make it reliable.
• Architecture should make weak assumptions about the integrity and availability
of its operating environment.
A Common Architecture
The common architecture for survivable
systems applies these principles. It is based
on a prototype architecture that was
demonstrated on DARPA’s OASIS
(Organically Assured and Survivable
Information Systems) program.
A common architecture offers the advantages of repeatable results and economy. The
abstract architecture can be the basis for many
system designs. Its reusable software components can be used across many systems.
The architecture is transparent to mission
applications, making it easier for the architecture to support legacy applications, as
well as new ones. These applications must
be model-able as loosely coupled service
providers and consumers that use pub-subquery transactions. While the architecture
cannot support hard real-time transactions,
real-time systems such as radars can be
included as mission applications within a
larger system that the architecture supports
(such as a C2 system). This protects real-time
systems from attack if they are not directly
accessible from outside the larger system.
The architecture provides concentric layers
of protection to mission applications, system operations and system/security management — placing management functions
in the most highly protected zone. These
zones are replicated in a Byzantine fault
tolerant manner.
A survivable middleware builds security
mechanisms on top of a common multicast
protocol to enhance integrity, access control, resiliency and graceful degradation.
The middleware has redundant protocols
and can change its transport protocols
dynamically. Session keys and cryptographic
credentials are used to manage access con-
trol. Messages, which are checked for valid
size, frequency and signature, are briefly
held in escrow so that if the publisher
appears corrupt, a message is not forwarded. The middleware provides redundant
channels that connect each mission application to the core zones of the architecture. If
all channels to the core fail, the middleware
attempts to attach mission applications
directly to one another. Heartbeats are generated by the middleware to indicate that
each mission application is alive.
Policy-driven protection “domains” help
protect system, process and network
components from attack. Domains are used
to isolate components, limit their privileges,
prevent corrupted processes from accessing
critical resources, defend application-specific
resources and disallow actions that exceed
privileges. Attempts to violate policy
generate alerts.
System/security management monitors
these heartbeats and alerts. Correlated
sensor data helps identify suspicious assets,
and contain and isolate attacks. System/
security management provides adaptive
responses, which are executed by actuators
placed throughout the system. Responses can
be reactive or proactive. For example, if sensors detect a process’s attempt to transition
to root, an actuator might kill the offending
process (a reactive response). However, if
sensors detect file corruption, the system
may decide to check and restore files (a more
proactive response). If the system determines
that a host is compromised it may disconnect
the host and reconfigure the system.
Conclusion
Raytheon is working to take the lead in
making intrusion tolerance a reality in
defense systems, by engaging the research
community and our customers to transition
technologies and concepts into working
systems. This will make it possible for systems to withstand sustained cyber attacks
and achieve Mission Assurance in the face
of information warfare. •
Tom Bracewell
bracewell@raytheon.com
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 13
Feature
Wireless
Honeypots
Innovative software technologies
to identify wireless attacks
and perform risk management
C
omprehensive Mission Assurance
involves the disciplined application
of systems engineering, thorough
risk management, superior quality and
sound management principles to achieve
mission success. In a DoD network-centric
environment, the warfighter is faced with
both wired and wireless network–based
threats. To mitigate wireless threats, innovative software technologies can be applied
to identify wireless attacks and perform risk
management. One such technology is the
wireless honeypot.
A honeypot is an information system
resource whose purpose is to attract attackers, provide them with misinformation,
cause confusion and monitor their actions.
Even more importantly, a honeypot gathers
valuable information to determine if a
threat exists, and then provides details to
help mitigation of these threats. A wireless
version of a honeypot entices its attackers
through a simulated wireless access point.
Raytheon Network Centric Systems in St.
Petersburg, Fla., recently sponsored a wireless honeypot research project at the
University of Florida to help address wireless
threats. The goal of the project, which was
dubbed “The Hive,” was to design, build
and test a simulated environment for a
wireless networked system, or honeypot.
In order to track and log suspicious nodes
and traffic in mobile environments, the Hive
research team developed a wireless honeypot as a live Linux bootable mini-CD. The
Hive Linux is a Live-CD version of Debian
Linux that was scaled down for operating
system security, and contains the tools
needed to run a standalone wireless honeypot with virtual services. It is currently available at the Hive’s project website1.
14 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
Using a Hive Linux CD, any personal computer (including laptops) can easily be
turned into a wireless honeypot. The experimental system operates on the IEEE
802.11g wireless standard and instantiates
a honeypot as a simulated wireless access
point with tracking capabilities.
The Hive honeypot runs Honeyd, a GNU
Public License (GPL) open source honeypot
program. Honeyd is described on its website as “… a small daemon that runs on
both UNIX-like and Windows platforms. It is
used to create multiple virtual honeypots
on a single machine. Entire networks can
be simulated using Honeyd. Honeyd can be
configured to run a range of services like
FTP, HTTP or SMTP. Furthermore, a personality can be configured to simulate a certain
operating system. Honeyd allows a single host
to claim as many as 65536 IP addresses.”2
The Hive lures its attacker by broadcasting a
modifiable service set identifier (SSID) over
the network. As an attacker attempts to
connect to the honeypot, its Dynamic Host
Configuration Protocol (DHCP) assigns the
attacker an Internet Protocol (IP) address so
that the attacker is placed on a simulated
network. For the proof of concept, it was
important to allow the attacker to see and
gain access to the network. (An encrypted
and secured wireless network would make
the establishment of a network connection
far more difficult, but may lure the more
experienced attacker.)
One of the first things that an attacker may
do is to “fingerprint” computers that are
local to their subnet. This can be done by
port-scanning local nodes. In our case, the
attacker port-scans the honeypot’s virtual
services. The system tells the attacker that
ports 22, 23, 80 and 110 are open, while
Honeyd logs the probe. When an attacker
connects to port 22 secure shell (SSH) or
port 23 (Telnet), an authentication script is
executed. The attacker may try a brute
force attack to guess username and password combinations; such an attack can be
done easily with a program named Hydra3,
and all connection attempts can be logged.
Once the attacker gains access, all commands entered are logged. This connection
is similarly made for the virtual services of
port 80 Web and port 110 Post Office
Protocol 3 (POP3).
The honeypot itself is composed of a Linux
operating system running a DHCP server,
HostAP, Honeyd, and Sebek with Syslog.
HostAP is a driver for Prism2-based wireless
client cards that allows them to appear and
act as a wireless access point. Sebek4 is a
data capture tool designed to capture the
attacker’s activities on a honeypot, without
their knowledge. Syslog is the system logger, which is similar to the Event Viewer in
Microsoft® Windows.
The Hive was able to integrate and test the
DCHP server, some scripts, the logging with
Sebek, Honeyd, Syslog and the wireless
access point emulation. This integration cre-
Virtual Services
Attacker
802.11
Honeypot
Simple Wireless Honeypot Diagram
Feature
ated a functional prototype wireless honeypot. Additional work would be necessary to
keep this system from being used as a tool
for an attack. For instance, honeypots have
been used to collect malware5.
Technical challenges are not the only issues
we must address to make wireless honeypots practical. Legal issues also impede the
deployment and use of wireless honeypots.
For instance, federal wiretap laws prohibit
interception of electronic communications,
including traffic monitoring across a network, except for network protection.
However, these laws do not easily apply to
honeypots, because a honeypot is set up
with the intention of being attacked.
Furthermore, legal analysts believe the use
of honeypots does not lead to entrapment,
because entrapment occurs when someone
is enticed to do something they would not
normally do. Therefore, the question that
needs to be asked is, “Do you own all of
the resources and how will you be using
this information?” If your network is isolated
and cannot cause harm to others, it may be
feasible to run a honeypot. The information
gleaned may enable increased security measures in areas that present the highest risk.
The following resources provide further
insight into creating and operating
honeypots:
• The Hive
(http://www.cise.ufl.edu/class/thehive)
• Honeyd (http://www.honeyd.org)
• Honeynet (http://project.honeynet.org)
• Project Honeypot
(http://www.projecthoneypot.org)
• The Distributed Honeynet Project
(http://www.lucidic.net)
• Malware Collection
(http://www.mwcollect.org)
• Wireless Honeypot Trickery
(http://www.securityfocus.com/
infocus/1761) •
Randall Brooks, CISSP, ISSEP
randall_s_brooks@raytheon.com
1http://www.cise.ufl.edu/class/thehive
2http://www.honeyd.org
3http://www.thc.org/thc-hydra
4http://www.honeynet.org/tools/sebek
5http://www.mwcollect.org
6For a discussion of legal issues see
Raytheon
Human Review Manager
T
he ability to effectively share
information among security domains
of differing classification levels,
and with coalition partners, is essential
to the daily operations of our customers.
The challenge with these data transfers
is that they must be carefully scrutinized
to ensure that inappropriate data is not
inadvertently released, and harmful data
is not imported into a domain.
Raytheon has a long history of providing
solutions that meet our customers’ needs
in this area. One of those is Raytheon’s
High Speed Guard, which is designed to
provide data transfers and structured data
reviews in a multi-security level (MSL) environment. However, release of data that is
not well structured (e.g., images, MS
Office files, etc.) usually involves a human
review of the data being released. Human
review has traditionally been performed
largely through an inefficient and unstructured manual release and review process.
In early 2005, Raytheon Intelligence and
Information Systems undertook an effort
to improve this process by creating the
Human Review Manager (HRM) — an
extendable Web-based workflow system
for streamlining and automating (where
possible) the human review of file transfers
from one security domain to another. The
HRM was specifically engineered to complement the Raytheon High-Speed Guard
and support its digitally signed release
format, which allows data that has been
reviewed and signed to seamlessly flow
among interconnected security domains of
differing classification levels. The HRM also
works independent of the Raytheon High
Speed Guard and supports data release by
a number of mechanisms, including file
transfer protocol (FTP), secure shell (SSH)
and CD/DVD media burning. The HRM
can easily be extended to support other
release mechanisms through its “widget”
plug-in framework.
An innovative aspect of the HRM is its
power and flexibility in the data
release/review process. In addition to its
widget architecture, the HRM has a workflow engine (Pending Patent #064747.1150)
that allows the HRM to support complex
release processes, including fully automated non-human processing. The HRM can
also support a similar but complementary
function of importing data through a
structured workflow process.
The HRM is capable of multiple workflows,
allowing it to manage data flows from
multiple destinations and sources simultaneously. These workflows are defined and
managed by a privileged user and are configured through the HRM’s built-in
Workflow Editor.
Under a typical use scenario, the HRM
workflow allows a file owner (publisher) to
submit one or more files for review as part
of a single release request. The HRM
accepts these requests through either the
Web-based GUI Request Manager interface or through the use of a JAVA Request
Client API. Files can also be imported into
the HRM from local file systems or through
FTP/SSH interfaces with appropriate widgets.
As part of the release process, the HRM
allows a publisher to choose the set of
actions to be performed on a particular
data release request through selecting a
workflow. Each of these actions is carried
out by HRM widgets as the workflow is
advanced through the release process. As
the HRM steps through these widgets, it
not only enforces a consistent release and
review process, it can also automate
tedious or time-consuming tasks for the
reviewer, including scanning for imbedded
inappropriate data (e.g., “dirty words” that
cannot be released, unapproved file-types,
or malicious content such as viruses).
Continued on page 16
http://www.securityfocus.com/infocus/1703
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 15
Human Review Manager
Continued from page 15
A workflow is usually comprised of several
steps. A typical Two-Person Review workflow is shown below.
Initiation Phase
Upload
File
File(s)/directory structure(s)
uploaded via Web form, remote file
path or Java Applet
Select
User selects release workflow from
Workflow those they have permission to utilize
Typical Two-Person Review FTP Workflow
Step 1:
Select
Destination
User selects destination(s) from
possible destination defined
in the workflow
Step 2:
User selects appropriate classification
Select
from available classifications
Classification for the destination(s)
Step 3:
Set Remote
File Path
Step 4:
Self Sign
As a release request is processed through a
HRM workflow, the status of the request is
tracked for display on the Request Manager
Web interface, or its status is available for
query by the HRM Request Client. The HRM
also automates e-mail notifications to
reviewers, provides for release packaging
and meta-data generation, and produces a
comprehensive audit trail of the release,
review and transfer process.
The HRM has been deployed on dedicated
Windows-based or Solaris-based machines
and is comprised of two Java Servlet Web
applications with a backend mySQL database running under an Apache Tomcat
Web server. The HRM application provides
the workflow features for release and
review, while a separate Web application
known as the Login Enabler (Pending
Patent #064747.1151) provides a reusable
and extendable single sign-on and user/
group management capability, which has
been integrated into the HRM’s functionality.
User can modify the names of
file(s)/directory structure(s) for the
remote destination system
User reviews previously defined
release information and asserts the
appropriateness of the request by
digitally signing the release package
File(s)
File transfer
request
Status
Application with
Request Manager API
Publisher File(s)
HRM
File
Server
Status
Web
user
Sign
Step 7:
Approve
and Sign
Step 8:
FTP Send
System performs an automated
review of release package for
inappropriate and/or allowed
file types
“Second person” approver reviews
file(s) and the results of the
automated checks before asserting
the appropriateness of the request
by digitally signing the release
package. Release packages can
also be reverted to correct
information if required.
Signed (or unsigned) release
packages are transferred via FTP
to the appropriate destinations
16 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
Write
to DVD
E-mail
notice
Status
Step 6:
File Type
Check
FTP
Server
HRM File
System
File transfer
request
Step 5:
System performs an automated
“Dirty Word” review of release package for
Search
classification-related issues based
on contextual search of the
released file(s)
Firewall
FTP
Feature
Releasing
agent(s)
Approve
and Sign
Web user
Typical HRM Deployment Architecture
Raytheon has fielded HRMs in support
of customers in both the U.S. and U.K.
markets. The HRM meets the Protection
Level 2 (PL2) with configurations up to PL4
possible when combined with appropriate
boundary devices. Within the U.K., the
HRM has been evaluated to the SYS3
level (which approximates to a Common
Criteria 3 evaluation, without all of the
formal paperwork). •
Monty McDougal
monty_d_mcdougal@raytheon.com
P R O F I L E : J AY L A L A
Upon earning
his doctorate
degree in instrumentation from
MIT, Jay Lala,
Ph.D. embarked
on an impressive 25-year
career at Draper
Laboratory,
where he
designed and
developed
fault-tolerant
computers for mission- and safety-critical
applications. These included the swim-by-wire
ship control computer for the SEAWOLF nuclear
attack submarine and the flight-critical computer
to control all on-board functions of the NASA
X-38 crew return vehicle.
In 1999, Lala joined the Defense Advanced
Research Projects Agency (DARPA) as a program
manager where DARPA’s Information Assurance
& Survivability programs provided him with an
opportunity to achieve his vision of integrating
the two previously distinct and parallel disciplines of fault tolerance and computer security.
Working at DARPA enabled Lala to change the
security paradigm from prevention and detection
to intrusion tolerance and self-healing.
“Intrusion tolerance moves from the classical
computer and network security approach of prevention — where you build all types of forts and
moats to keep attackers out — to intrusion tolerance where you design systems that, even when
some parts fail or are successfully attacked, continue to operate and degrade gracefully to perform
all the mission-critical functions correctly,” he
explained. “Self-healing or self-regenerative systems
go beyond that — they diagnose root cause and
remove vulnerability exploited by the attacker.”
At the end of his four years at DARPA, a congressionally mandated term-limit, Lala was awarded
the Office of Secretary of Defense Medal for
exceptional public service for helping improve
the security of our nation’s networks.
Since joining Raytheon in 2003, Lala has been
integral to several key wins. He understands our
customer needs, especially in Mission Assurance,
and has a thorough comprehension of the science and technology landscape that enables him
to provide state-of-the-art solutions. Lala’s background and experiences in fault-tolerant computers, as well as changing a mindset from prevention to intrusion tolerance and self-healing
systems, is closely aligned with Raytheon’s pursuit of Mission Assurance.
Feature
Information Assurance and Survivability Research
at DARPA: 1999–2003
I
n 1999, a group of five program managers,
including myself, arrived at DARPA to
initiate a major new push in countering
the threat of large-scale, coordinated cyber
attacks against the United States by
nation-states, terrorist organizations and
other adversaries.
This new initiative, a suite of programs in
Information Assurance and Survivability (IA&S),
was started by former DARPA director, Dr.
Frank Fernandez, with ample encouragement from Congress. Seven new programs
were created in IA&S, though two did not
survive after the first year. DARPA prides
itself on funding cutting-edge, high-risk
research, and sometimes, the risk manifests
itself as an utter lack of progress. DARPA is also
quick to take action when things go awry.
The program, initially called Intrusion
Tolerant Systems, operated on a simple
premise: Some attacks will penetrate
defenses and successfully evade intrusion
detection mechanisms. Consequently, a
number of basic research questions arose.
How can we design systems to continue to
function correctly in the presence of such
inevitable compromises? How can the system operate through attacks? Can fault-tolerance techniques and principles be used to
defend against cyber attacks? (Before arriving at DARPA, my background was in
designing systems to tolerate accidental
faults, failures and errors.)
When defending against viruses, worms
and denial-of-service attacks, one is dealing
with an intelligent and adaptive adversary:
a human being. It is a greater challenge
than countering randomly occurring hardware faults or even software bugs.
Nevertheless, the research results are
encouraging in that we can, in fact, architect systems that are intrinsically resilient to
cyber mischief. The program resulted in
more than 100 referred publications, of
which 24 seminal papers were edited in a
book by this author, with a preface by current DARPA director, Dr. Tony Tether1.
Numerous prototypes were also built and
subjected to attacks by red teams.
A follow-on program, called OASIS
(Organically Assured and Survivable
Information Systems) Demonstration and
Validation, created, demonstrated and validated an intrusion-tolerant architecture for
the Joint Battlespace Infosphere2, applying
many of the concepts developed under the
earlier program. A prototype system was
subjected to sustained attacks by multiple
red teams, including one from the National
Security Agency.
For a very long time, the principal information and communication security mechanisms focused on keeping the intruder out
of critical systems. Systems were designed
with multiple defense layers, like multiple
walls of a fortress. Various forms of electronic and physical access controls and
cryptographic techniques were employed to
maintain confidentiality. This worked fairly
well until the advent of networked systems.
Cyber attacks accelerated as the Internet
provided a path for information sharing
among networked systems, while simultaneously actualizing an easy attack avenue.
As a result, DARPA started to fund research
in network-based intrusion detection in the
1990s, and MIT Lincoln Laboratory created
a network traffic representation that mixed
real network traffic with attack packets. All
DARPA-funded intrusion detectors were
tested against this ground truth. After a
few years of research, it became apparent
that detection rates had “plateaued” at
much less than 100 percent and could not
be improved without simultaneously
increasing false positive rates. These mechanisms faired especially poorly in detecting
novel attacks and zero-day worms. It was clear
that despite all the preventive approaches,
some attacks would succeed — and some of
those would not be detected. A new approach
was needed to secure information systems.
The Intrusion Tolerance approach can be
thought of as the third generation of information assurance — the first two being
Prevention and Detection. Some of the
many techniques that were researched to
provide intrusion tolerance included redundancy coupled with design and implemen-
tation diversity (to avoid same vulnerabilities in replicas), redundancy management
(intrusion detection, response and reconfiguration), randomness and deception to
confuse attackers, and proof-carrying code
to shift the security burden from consumer
to software vendor.
Intrusion and fault-tolerance can enable
the continued correct operation of a system
in the presence of attacks and faults.
However, as the system ages and components experience failures or are compromised, the system’s capacity to tolerate
additional attacks and faults is depleted. A
correctly designed system would degrade
gracefully and still continue to perform all
the critical functions. But at some point even
this will not be possible, and the system will
eventually fail to perform its mission.
The current approach to dealing with this
situation is to repair and replace failed
components or take the system offline and
purge compromised components of infections. These are mostly manual and tedious
procedures. Furthermore, back-up systems
must be brought online while repairs are
occurring. But what if systems could be
designed to be self-healing? What if they
could automatically regenerate their capabilities? Thus, a new DARPA program —
Self-Regenerative Systems — was born.
The goal of Self-Regenerative Systems is to
design systems that can automatically diagnose root causes of attacks (i.e., vulnerability exploited by an attacker), reflect on past
responses and learn, and improve its performance when similar events are encountered in the future. This fourth generation
of information security technology relies
heavily on principles from human cognition.
Accordingly, it has the potential to deal
successfully with ever-morphing novel
attacks and an intelligent and adaptive
adversary, the human being. •
Jay Lala
jay_lala@raytheon.com
1Foundations of Intrusion Tolerant Systems, Ed. by
Jay Lala, IEEE Computer Society Press, 2003.
2 DPASA Final Report, BBN Technologies, DARPA Contract
No. F30602-02-C-0134, CDRL A011, 15 June 2006.
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 17
Feature
CHAIN: A Compartmented High Assurance
Information Network
O
ne of the biggest challenges the
DoD currently faces is the need for
compartmentalized, multi-level
information sharing. Its current stovepipe
approach to data sharing significantly inhibits
the development of these capabilities. In
stove-piping, information travels freely up
and down within an organization, yet there is
little horizontal sharing among organizations.
Current solutions only address part of the
problem. Traditional multi-level security
operating systems based on information
labeling such as Sun Trusted SolarisTM provide
features that enable cross-domain information sharing, but fail to adequately address
compartmented information processing
requirements within a single domain. In
addition, desktop users familiar with
Windows-based suites such as Microsoft®
Office, are forced to adapt to unfamiliar,
sometimes arcane applications or suffer
endless delays in accessing new capabilities
due to extended certification schedules.
Raytheon has addressed this opportunity by
leveraging its expertise in commercial offthe-shelf systems integration and information assurance. Providing the capabilities
the DoD needs while keeping a high level
of security requires a tailored solution. The
Compartmented High Assurance Information
Network (CHAIN) supports those needs.
CHAIN provides the best of both worlds:
compartmented security and systems most
DoD users are already familiar with.
Raytheon has been awarded multiple contracts by DoD-classified customers over the
last five years for high assurance information management and dissemination solutions. Most recently, in March 2006,
Raytheon was selected by DARPA to implement its CHAIN operational capability for
use within its classified environment with
the express goal of collapsing its independent Special Access Required (SAR) networks
into a single interoperable Director of
Central Intelligence Directive Protection
Level 3 (multi-compartmented) fabric.
The contracts provide for both development
and long-term sustainment of the deployed
18 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
system, including the operation of 24 by 7
Network and Security Operations Center.
The contracts provide for the continuing
introduction of new technologies by
addressing both technical obsolescence and
the availability of evolving technologies.
Raytheon has invested in the development
of CHAIN for more than six years, ensuring
that its solutions are both technologically
sound and inherently secure. By relying on
components readily employed by industry
(e.g., Microsoft XP/2003) in everyday
business settings, rather than relying on
traditional Trusted Operating Systems
(e.g. Trusted Solaris), Raytheon is able to
offer users an information processing environment that requires less training and
customization, and is resistant to obsolescence. Raytheon’s continuing investment
in CHAIN significantly reduces the risk
associated with development, deployment,
sustainment, and most importantly,
accreditation and certification.
The modular approach and architecture of
Raytheon’s solution provides a solution for
any DoD, Intelligence Community, or
Homeland Defense agency concerned with
ensuring the confidentiality and integrity of
information being shared among nations,
organizations and agencies. The Raytheon
solution offers significant operational and
logistical advantages as outlined below:
• Performance/Scalability
– Scalable to a user population
exceeding 10,000
– Support for over 1,000 clearances
and compartments
– Virtually unlimited storage capacity
– Object-oriented storage eliminates
restriction on data types
• Security
– Authentication, authorization and
auditing
– Identity management
– Single sign-on (SSO)
– Digital shredding
– Encrypted communications
– Repository encryption and digital
signatures
– Digital rights management
– Mandatory access control
– Low impact to vehicle signature
– Public key
• Easy Integration
– Support for global, distributed repository and open, standards-based architecture for seamless integration with other
data and content sources
– Supports geographically distributed
environments with a distributed
architecture supporting content
replication and federated management
• Services
– SMTP mail
– Web
– Instant messaging
– White boarding
– Text, voice/video chat
– File sharing
The Chain Solution
Raytheon’s CHAIN architecture is designed
and implemented in accordance with the
latest commercial and military standards.
This ensures CHAIN is able to directly, or
indirectly, support most data models and
operational concepts. By virtue of the components used in the implementation of
CHAIN, standards-based application programming interfaces are readily available to
allow for their integration and interoperability into and with existing systems and applications, respectively. Support is readily available for both machine-to-machine and
man-to-machine data transfers.
CHAIN’s rule-based data processing and dissemination features support reducing the
occurrence of data overload. Inherent within the CHAIN architecture are capabilities
that allow rules to be established that
determine the appropriateness of information exchanges based upon user and
process roles, the context of the information being processed, the time of day, the
priority of the transmission, etc. Rights
determination is made through a complex
process that uses information contained
within various external authoritative
sources. This process, as applied to e-mail,
is depicted in Figure 1.
CHAIN is capable of operating as an independent information network or as an
overlay within an existing network. The
CHAIN security architecture framework also
includes the use of Internet Protocol
Security (IPSEC) VPNs, based upon the
Advanced Encryption Standard (AES) 256bit algorithm. IPSEC VPNs are used in combination with data labeling and digital signatures to allow independent and redundant networks to be collapsed into a single
IP fabric, while insuring with a high degree
of integrity that data leakage is unlikely.
The required cryptographic material is
obtained from a high assurance Public Key
Infrastructure (PKI) Certificate Authority
(CA) internal to the CHAIN architecture.
Figure 1. User CONOPS/E-mail
Figure 2. User CONOPS/Data Sharing
At the application layer, the CHAIN architecture incorporates multiple security safeguards to insure that information is
exchanged among users or processes only
when the sensitivity of the information is
dominated by both the originator of the
information and its intended recipient.
Metadata associated with the data object is
used to determine the appropriateness of
the exchange. Additionally, the information
transmitted is protected both at transit and
at rest through the application of data-level
or storage-level encryption. The integrity of
the data and its associated metadata may
also be protected through the incorporation
of digital signatures. All these features are
critical for the successful integration of data
sharing and collaboration capabilities.
Figures 2 and 3 provide a high-level view of
these capabilities.
CHAIN addresses what traditional stovepipe
solutions could not address: the need for
compartmented shareable data. In addition
to addressing existing conditions, it supports a transformation to a more flexible,
scalable and interoperable system. The
result is higher efficiencies and reduced
training costs. By integrating security into
common office functionality, Raytheon has
created a system that capitalizes on existing
skill sets, while preserving PL3 certification
requirements. •
Ricardo J. Rodriguez
ricardo_j_rodriguez@raytheon.com
Dan Teijido
dan_teijido@raytheon.com
Figure 3. User CONOPS/Collaboration
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 19
Feature
PROFILE: STEVE HAYNES
Information Assurance:
A Holistic
Approach
Post-9/11, it became apparent that creating
a physical “ring of steel” around chosen
environments where security was the cornerstone for safety and security was counterproductive. It did not restore confidence in
our economy, our industries or our citizens.
A realization grew quickly that what was
needed was the ability to authenticate a
person claims, while still maintaining confidentiality. These claims include 1) a person’s
identity, 2) their permission to be at a certain place at a certain time,
and 3) their authorization to
perform certain activities.
This is not necessarily physically bound — it is both
real and virtual.
Information Assurance (IA)
is the “process” by which
we protect and defend our
information and information systems in order to
ensure confidentially,
integrity, availability and
accountability. IA also
extends to restoration,
with protect, detect,
monitoring and reacting capabilities. Even if
you don’t understand
what this means, it is
still changing your
world.
Just as we experience in real life,
accountability closes the loop on any holistic approach to IA. The access control environment must allow an audit loop to be
established with someone responsible for
the activity in the loop. Hence, the holistic
principle of IA becomes confidentiality,
integrity, availability, accountability and
restoration. This means that IA becomes a
people-directed activity, with clear links of
responsibility to the individual through
association by identification.
As the real world becomes more and more
digitized, so does the need for irrefutable
authentication of people involved with
permission to be in that digital environment.
Authentication — or the ability to prove in
20 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
a non-repudiation approach that you are
who you say you are — then became integrated with all other daily processes. At
that point, IA reflected the issues that safeguard daily life. This is an important point
because it means that IA is, in fact, the way
we view digital life, and not a “bolt” in the
way information security, engineering security, or operations security has been in the
past. In fact, IA is an integrated approach
to security, incorporating policy, technology
and security (personal, physical and environmental) components, and must be
“baked” into the “process.”
Accordingly, real-life issues such as privacy
are justifiable ones for IA. Indeed, it will
become the principal issue to overcome:
the ability to prove your identity and that
you are entitled to the list of permissions
associated to you and the information you
access or distribute. This suggests that the IA
world is one of permissions (not rules or law).
As society embraces the net-centric world,
it is becoming overwhelmed with information. We experience the knowledge age
(the application of information) as a society
hungry for information (some productive
and other destructive), so much so that
entire programs have been built around
achieving greater efficiency to access and
process knowledge.
I believe what 9/11 taught us is that people
matter. People must be identified in a nonrepudiatable manner to allow society to
continue to operate in a safe and secure
way. Therefore, IA is not just about technology, information or even infrastructures; it is
about protecting our most valued asset —
our homeland, citizens and way of life.
Raytheon is and has always been a customer-focused organization. While everyone else rushed to the IA “gold mine,”
Raytheon has been more vigilant, waiting
for others to catch up and really understand what the issues are — truly adding
value to our clients’ mission-critical requirements. So whether it is our clients’ highly
classified operating environment, a commercial business, protecting our employees
at home and work, or our own business
operations, we practice what we preach.
We take pride in our holistic information
assurance program, and we enjoy a privilege
that we do not take for granted: being considered your partners in transformation. •
Stephen R. Haynes
stephen_r_haynes@raytheon.com
Steve Haynes
is an entrepreneurial, broadbased thought
leader specializing in
Information
Assurance, an
integrated
approach to
security. Haynes
has extensive
hands-on
experience in
the strategic and tactical implementation of
e-commerce, e-government and e-business related
products and services. “With security, it’s no
longer about assessing or even managing the
risk,” said Haynes, “it’s about governing the risk.”
His 15 years of exemplary service in the security
field, coupled with 20 years in the credit card
industry, has earned him the respect of his
industry. “I take pride and pleasure in serving
my clients and focusing on their enterprisewide mission critical needs.”
Noted for his visionary leadership and proactive
problem-solving approach, Haynes’s holistic
focus is on the process of protecting and defending information and information systems. “My
goal is to make clients successful by providing
what we have learned and help them become
thought leaders in the Information Assurance
industry. This will enable them to meet their
mission-critical goals and objectives. That’s what
will keep them coming back again and again.”
An Information Assurance instructor at the
National Defense University, Haynes is periodically asked to assist the U.S. government by
engaging in strategic joint agency tasks/initiatives. He is also on retainer to the Executive
Office of the President and has been an advisor
to three presidential administrations and
numerous senior levels of management on a
regular basis. He is called upon to define overall corporate strategic positioning and tactical
implementation to enhance corporate level
value and provide business advantage. A leader
by example, Haynes empowers resources to act
with speed, simplicity and self-confidence.
“My great grandfather used to say, ‘It’s not
enough to do things right, it’s as important to
do the right thing.’ And at Raytheon, we strive
to serve our clients with holistic solutions that
work — the first time, every time.”
LEADERS CORNER
Heidi Shyu
Vice President, Corporate
Technology and Research
R
ecently Technology Today talked with
Heidi Shyu about technology and
innovation, and her new role as vice
president of Corporate Technology and
Research. Shyu discusses her approach to
creating an enterprise-wide technology
vision and direction, the importance of
disruptive technologies and radical innovation, and her penchant for taking on —
and reaching — “unachievable” goals.
TT: Throughout your career, you’ve held
many senior leadership positions. Can you
share with us some of the attributes you
believe are essential to effective leadership? And how do those attributes influence your new role as vice president of
Corporate Technology and Research?
HS: First, I always try to look at the big
picture, and figure out how all the pieces
of the puzzle fit together. Even from the
early stages of my career, when I was
given one task that was part of a huge
effort, I always tried to understand,
“Here’s my little piece of the puzzle, now,
how does it fit into the big picture? What
is the right thing to do for our customer?”
Second, you need to communicate your
vision and your plan. You can never communicate enough. People fail because
they don’t communicate clearly. Therefore,
your ability to articulate and communicate
is very essential.
One other thing that has always helped
me is I have always had a passion to do
whatever task I am given. I just dive right
in; whatever the challenge is. That
becomes infectious. When troops see that
you really care about what they are doing
and the goal that you have set, they then
realize we are really trying to aim for the
same goals. Namely, we are trying to do
the best thing for the company, the best
thing for the customer and to beat our
competition, not each other.
TT: How has your past experience
prepared you for this role?
HS: I think that as I grew in my career, I
faced many things that I have tried to figure
out how to orchestrate. One of the early
tasks I was given was developing modeling and simulation, and I tried to figure
out, “How does my piece fit into that big
picture?” I then took the initiative to lay out
the entire simulation, and show my little
piece in the overall big picture. I am always
trying to figure out “How does this work?”
I know my project manager was delighted
that I took the initiative to do that.
Another key: Never stop learning. Each
step, wherever I am in my career, I look a
couple of ladders above me and I observe
the people there. What are things that
they know, that I don’t know? Those are
things I need to learn. What attributes do
they have, that I currently don’t have, and
I can learn? Find out your own shortfalls.
It’s good to get independent assessments of
yourself, and figure out how you need to
grow as a person throughout your career.
TT: What people or programs influenced
your career?
HS: When Dr. Peter Pao asked me in 1997
to lead the Joint Strike Fighter Active
Electronically Scanned Array development,
it seemed insurmountable at the time
because we had an incredibly short period
of time to develop something that seemed
unachievable — weight reduction, reliability improvement, reducing the observability, improving the survivability, reducing
cost … and do it in record time. Most
people told me I was crazy to take that
job, but I never came to that conclusion.
The way I approached it was, “OK, truly
here’s an opportunity to do something
that’s incredibly important for the company.”
So you have to not be afraid of challenges.
Then you have to methodically figure out
how to do it. You can’t eat the whole elephant in one bite, so what is your path?
What is your plan? How do you put your
arms around this incredibly difficult problem? I think a lot of the “thinking
through” early on and planning the steps
that you have to take is so important.
TT: In your new role, you’re responsible
for the development and execution of an
integrated enterprise-wide technology and
research vision and strategy. How do you
go about formulating a vision that encompasses Raytheon’s breadth of technologies,
programs and priorities?
HS: Again, the approach I take from the
beginning is to figure out the big picture.
I read the Quadrennial Defense Review —
the 20-year vision of the capability we
would like to have. I then think about the
capability we would like to achieve. What
are the threats out there that we are facing today? What are our capability shortfalls that we have relative to the threats in
the environment we are facing? Then you
take a systems approach to decomposing
the problem. What are the opportunities
out there for us? What are the enablers
that can help you achieve this capability to
fill the gap that we have, and what are
the technology options that we have to
close this capability gap?
Then, from the technology options we
have, how well are we doing in this particular technology relative to our competition? Are we ahead of the pack? Nose to
nose? Or are we lagging? Then consider
are there other companies out there that
we can team with to help us bridge this
gap? Then you flow down: Are there
CRAD (Contract Research and
Development) opportunities? Are there
IRAD (Internal Research and Development)
opportunities we should be pursuing?
What is our road map for getting there in
the near-term, in the mid-term and in the
long-term?
Continued on page 22
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 21
Q&A With Heidi Shyu
LEADERS CORNER
Continued from page 21
TT: One of your major areas of focus —
influencing enterprise-wide research collaboration and technology opportunities —
requires a substantial commitment to crossbusiness engagement and knowledge sharing. How do you facilitate this dynamic in a
company like Raytheon?
HS: This year, I’m having a week-long IRAD
meeting with all the businesses, where
we’ll talk with all the technical directors to
understand what capabilities their customers want, then figure out how that ties
into the technology road map. With all the
technical directors from the company there
at the same time, what you often find is
that you are trying to solve the same problem from a slightly different angle. This
way, we can put our resources together
and figure out the different ways of solving
the same problem. So the joint IRAD week
is something new this year.
What I am also trying to do is give each technical area director a much broader breadth, a
broader perspective of the company’s work
at this IRAD review. At the same time, we
have technology networks — RF technology
network, EO technology network, materials
and structures technology network, etc. I am
going to invite them along to all these crosscompany IRAD reviews so they too can see a
much bigger picture and understand the
breadth of our capabilities and the problems we are trying to solve. You also want
to nourish the bottom up, so I am trying to
take the technology leaders and make
them understand the breadth of the problems we’re trying to tackle, so they can go
to the next layer and help out.
TT: This year Raytheon has redefined our
core markets and is looking to grow in our
Strategic Business Areas. Tell us about your
organization’s role in this process, and which
areas you believe Corporate Technology
and Research can influence most.
HS: We need to expand from a single phenomenology focus to multiple phenomenologies in order to increase the information content that we can get on a target.
For example, one of the Technology
Challenge areas that I have set up this year
is “Assured ID and Continuous Persistent
Track.” There are many ways to get ID: One
can use synthetic array radar (SAR) map, or
22 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
EO imagery, IR imagery, vibrometry, hyperspectral imaging, hyper-temporal, 3D ladar,
taggant, SIGINT, HRR, etc. Any one of the
phenomenologies will have strengths and
weaknesses. This combination will produce
additional information on the target.
The technical area directors have taken the
initiative to work with the EC leads on
Multi-INT, the ET leads on ATR, prior
warfighters and users of our products, as
well as the tech directors from each business. We just had a Technology Innovation
Workshop in June and the tech directors
from each business are identifying a crossdiscipline list of innovators from their businesses to participate. So Corporate
Technology and Research can help to be
the catalyst in expanding our core markets.
TT: There is a new emphasis on emerging
disruptive technologies and radical innovation. Tell us more about these concepts
and how they can influence Raytheon’s
future success.
HS: When the Wright brothers helped to
develop the first airplane, that was pretty
disruptive because you were no longer
stuck in a two-dimensional world on the
ground. That is very disruptive in terms of
how it changed our lives. So think of “disruptive” as something that enables you to
have a capability you simply don’t have
today. It is not incremental change; it is a
quantum jump in capability.
What we are looking for are nuggets that
can provide us a revolutionary increase in
terms of capability across our customer base.
This year, I focused this disruptive technology
effort into two tough technology challenge
areas: Assured ID and Continuous Persistent
Track of targets and Novel Effects.
TT: In what ways can a large, super-structured company like Raytheon nurture a
culture of radical innovation?
HS: One of the things we need to do is not
squash ideas. Sometimes we have a tendency to say “it doesn’t work,” and that
statement can squash a younger engineer’s
ideas so they stop attempting to come up
with something innovative, because they
don’t want to feel stupid. You become risk
adverse, and one of the key things to do is
create an environment in which it’s OK to
throw out ideas, to think outside the box.
My other hat is the Air Force Scientific
Advisory Board chair. One of the things that
I’m always so impressed with is that young
AF officers are incredibly creative in trying
to figure out how to solve the problem,
because they’re not restrained by the past.
This younger generation is coming up with a
fresh perspective in attacking the problem
from a very different angle. I think we need
to create that culture within our company.
TT: The diversity of Raytheon’s workforce
continues to grow, and with it, opportunities
to broaden the company’s scope of expertise
in many areas. How do you build productive,
diverse teams and why is it important?
HS: We each have certain experience,
knowledge and education, so diverse teams
are important. There are so many different
ways of looking at the problem and it is the
exact same thing with skill sets. That’s one
of the reasons why the Air Force Scientific
Advisory Board looks across 25 different
disciplines and finds people from across very
broad, diverse backgrounds. The problems
that are brought to us are very difficult,
and I’d rather have a room full of people
with very diverse backgrounds thinking very
differently to try to come up with solutions.
TT: Can you share an experience that
helped provide you inspiration or guidance?
HS: I have always tried to have a mentor in
my career, and talk to somebody who is
probably two levels up, because I like to
have somebody that has a broader perspective. We’ll periodically chat about career
prospects, what you’re doing and whether
you ought to do something else.
TT: What are the ways we as professionals
can help youngsters get excited about
math and science?
HS: I think you have to make the problem
interesting. I applaud DARPA for having a
Grand Challenge competition, in which
participants design an unmanned robotic
vehicle to travel a course. So what you
have to do is create challenges and incite
their curiosity. Kids are very curious about
things and incredibly creative. If you make
the problem interesting enough, you will
gain their interest. You have to capture
them at an early age. Bottom line: Help the
kids get interested in a little problem.
Challenge them and make it fun. •
on
ARCHITECTURE & SYSTEMS INTEGRATION
Technology
Warfighter Challenges
in Urban Environments
T
oday’s warfighter faces many challenges
in the urban environment. Usually, these
challenges stem from having to relearn lessons from bygone events and yet accommodate the influx of innovations in technology
and emergent social context.
The relearning comes about primarily from
the transition of traditional force-on-force
encounters — which still must be executed
and effectively managed — into the much
publicized re-emergent asymmetric interactions. Historically, our warfighters have intimately known asymmetric warfare and its
derivatives. During the Revolutionary War,
the Minutemen displayed the power of
asymmetric warfare against the British.
During World War II, as the allies advanced
across Europe, the warfare devolved into
the house-by-house urban conflicts resembling today’s engagements.
But much is different as well. New locations
with new cultures provide challenges that
previously have not been encountered, or
have little commonality in social structures
and norms. In short, the evolution of technology across the globe has developed
other new challenges — both as capabilities
for, and obstacles to, the warfighter.
One of the most significant recent operational challenges is the integration and transition of the operational environment into a
continuum, with the open-field foreign
force projection of traditional warfare on
one end, and the civil support aspects of
homeland defense and homeland security
domains at the other. This merged environment isn’t the familiar force-on-force scenario complete with neutral parties and
bystanders; rather it’s a complex environment of socially ambiguous people groups
and multifaceted structures and subterranean areas. Phrases like PMESII (political,
military, economic, social, information,
infrastructure), DIME (diplomatic, informa-
Foreign Ops
Homeland Defense Ops
3 Block War
Force on Force
Homeland Security Ops
Stabilization
Asymmetric
Operations
Civil Ops
Disaster Response
Military Operations
Other Than War
The problem space being addressed by the warfighter has expanded significantly.
tion, military, economic) and MIDLIFE (military, information, diplomatic, law enforcement, information warfare, financial, economic) are used to illustrate the complexity
of the problem sets being addressed across
strategic, operational and tactical levels.
The modern-day warfighter is further challenged with increasing shifts in technology
and operational tempo. On one side, technology migration favorably impacts capabilities available to the warfighter. However,
these technologies often have deployment
processes and availability time cycles that
become problematic in the face of evolving
operational tempos and the asymmetric
enemy’s adaptability. These detrimental
deployment-driven effects on the warfighter
are exacerbated by trends to increase the
efficiency of our troops. In other words, the
expectation is to accomplish more with less by
engaging fewer people (but with more skills
individually), less equipment, less organizational structure and lower cost of execution.
One particularly ubiquitous technology need
is in the area of communications and the
related field of interoperability.
Communications needs are escalating —
Y E S T E R D AY … T O D AY … T O M O R R O W
more bits are needed by more users who
are working in a more net-centric environment. This communication capability is also
needed in very harsh, communication-dense
urban terrains with complex building structures to be traversed. In this environment,
there is very little tolerance to latency, data
loss, and information and presence compromise. On the other hand, these communications and information-sharing networks
need to interoperate with, and quickly
adapt to, more systems, groups and
domains than ever before. Additionally, policies that enable these technologies for
deployment are slow to change, because
demonstrated improvement is required
before lives are put on the line.
Although today’s evolving landscape is challenging for the warfighter to navigate, there
are mechanisms, born from technology, that
are available to help. One mechanism is
truly a recent addition to the world’s arsenal: net-centric capabilities. Not only does
this general approach — brought about by
unprecedented levels of information connectivity — provide operational advantages
to the warfighter operating in command
Continued on page 24
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 23
on
Continued from page 23
and control echelon levels, but it also provides significant opportunities to the individual on the front line. Furthermore, net
centricity provides unprecedented capabilities to validate the operational utility of
these same technologies and emergent
methodologies prior to deployment. Thus,
it validates Mission Assurance and the
effectiveness of solutions, from the frontline warfighters’ environment through all
levels of upper command operations.
The recent Cooperative Research and
Development Agreement (CRADA) between
JFCOM and Raytheon is oriented toward
establishing the framework and supporting
mechanisms to allow just such a RDT&E
capability for urban environments. This
CRADA, titled Networked Urban Operations
Test Bed (NUOTB), is establishing an open
access framework to capitalize on existing
sites through the exploitation of networks.
By networking training environments,
acquisition authorities, and technology
providers into a cohesive environment and
process, complex system solutions can be
quickly evaluated, operationally validated
and readied for deployment to the by the
using customer throughout the RDT&E evolution. By embedding technology testing,
evaluation and product evolution as part of
the existing training skills development of
the end user community, the operational
utility is aligned with the evolution of the
conflict area. And by embedding the
acquisition process up front in the other
areas, the customers DOTMLPF (Doctrine,
Organization, Training, Materiel,
Leadership, Personnel, Facilities) concerns
are addressed early, and therefore the
“Need” to “Deployed Solution” cycle can
be shortened significantly. Furthermore,
solutions in this environment can be scrutinized not only for tactical effectiveness, but
for operations and strategic levels of effectiveness as well.
Although challenges still exist and continue
to evolve, our nation is developing solutions
to meet these challenges at the technology
level, the employment level, the effect level
and the timeliness level. The real challenge
is expending enough effort to bring these
solutions to bear. •
Timothy R. Morris
timothy_r_morris@raytheon.com
24 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
Technology
PROCESSING
After Solid Success
Raytheon Presses Forward With MDA
M
odel-driven architecture (MDA®) is an
established software development methodology put into practice across Raytheon’s
businesses. Raytheon Missile Systems (MS)
has been using MDA for more than 10
years; Integrated Defense Systems (IDS) has
a half-dozen projects where contractually
delivered software has been developed
from MDA (each at a greater productivity
level than traditional software methods);
and Network Centric Systems (NCS) has an
initiative to have MDA deployed at each of
their sites across the country.
As such, Raytheon engineers and other
experts have authored a number of papers
and presentations touting the benefits of
MDA. These benefits include:
• An increase in productivity
• A decrease in defects
• Better communication between systems
and software engineering
• Better communication with our customers
• An increase in reuse and product line
development
• Portability
For these reasons, the adoption of MDA
may be inevitable. The most compelling
argument for its adoption, though, might
be that our customers are beginning to
demand it.
As the value and maturity of MDA is
increasingly recognized, the larger question
becomes: “Should the government make
the delivery of compilable models a contractual requirement?” Based on Raytheon’s
MDA briefings to Pentagon representatives
and the Office of Naval Research, the message is now clear. The acquisition offices of
the DoD are seriously considering the productivity improvement, the software quality
Finance
Manufacturing
Space
E-Commerce
Model-Driven
Architecture
Transportation
Telecom
Health Care
More
and the potential for reuse that represent
the promise of MDA.
From a business perspective, an argument
can be made that the industry transition
from current software development
practices to MDA is similar in nature to
the adoption of the Capability Maturity
Model (CMM®).
When the CMM was first released in the
early 1990s by the Software Engineering
Institute (SEI) at Carnegie-Mellon University,
acceptance ranged from total buy-in to outright hostility. The norm may have been
somewhere in the middle, between cautious optimism and mindful skepticism. All
arguments were settled when various government factions required CMM certification as part of the acquisition process.
As the customer community explores the
possibility of requiring MDA products as
deliverables, Raytheon will continue to
expand the use of this technology.
Our continued success with model-driven
architecture is based on a practical strategy.
After pathfinding the new technology on
several internal research and development
projects in IDS, MS and NCS, we started
Y E S T E R D AY … T O D AY … T O M O R R O W
• The Real-Time Model-Driven Computing
Technology Interest Group has met
monthly for three years; it also sponsors
a well-attended track of presentations at
two Raytheon symposia each year.
Short-term Benefits
Faster Code Development (>2x)
Lower Defect Rate (up to 90%)
Automated Documentation
Tactical
Earlier Testing (before HW is available)
Automated Testing
• A Raytheon intranet website on MDA
provides links to internal and external
MDA sources and experts.
Raytheon IDS funds travel to customer
sites, the Pentagon and Raytheon
Technology Days events to present our
experiences to interested customers.
Long-term Benefits
Portability
Reusability
Maintainability
Strategic
Production Quality Software
Raytheon realizes strategic and tactical benefits by leveraging separation of concerns
delivered by MDA.
applying MDA selectively to customer-funded programs and delivering software developed with MDA. We have successfully integrated new MDA components with legacyreused components, COTS and GOTS into
deliverable systems. As we continue down
this path, we are building an ever-larger
team of MDA experts at Raytheon, and
applying it to larger and larger problems.
To facilitate the transition, we have:
• Developed detailed deployment guides in
both NCS and IDS, specific to the
toolsets being used
• Updated process documents to include
the use of MDA and created sample
process documentation
• Established a Raytheon-wide repository
of MDA-related data
• Held a Raytheon-wide MDA workshop in
2006 to share information and tackle
issues like process and tool standardization
Raytheon has a diverse development community serving different customers, providing a range of software capabilities. To help
propagate our MDA successes and lessons
learned across our development organizations, we have implemented a multipronged communications strategy:
• Raytheon has developed overview training targeted to Integrated Product Team
(IPT) leads, department managers and
technical leads.
What does all this mean to our customers?
It means that we are tremendously encouraged by our successes to date, and we plan
to grow those successes by making higher
quality software — while still reducing the
cost to our customers. If the customer community requires a transition to MDA, then
Raytheon is ready. Regardless of mandates,
we are prepared to champion the implementation of this proven technology.
For more information, visit the IDS Software
Engineering Directorate MDA website at
http://sweng.ids.ray.com/technology/Model
DrivenArchitecture.html or the Real-Time
Model-Driven Computing TIG website at
http://home.ray.com/rayeng/technetworks/
pstn/runtime.htm. Also visit the Object
Management Group™ MDA standard at
http://www.omg.org/mda. •
Ken Neidorf
kenneth_a_neidorf@raytheon.com
Terri Potts
terri_potts@raytheon.com
• Established a Raytheon-wide working
group to produce a pamphlet that is
tool-agnostic and will standardize the
use of MDA across Raytheon
• Developed training courses
• Standardized the metrics to be collected
and shared for MDA programs
• Conducted ongoing work with vendors
to guide tool development
• Conducted ongoing work with the
Object Management Group to guide
standards development
Y E S T E R D AY … T O D AY … T O M O R R O W
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 25
on
E O / L A S E R S
Technology
Fiber Communication Technology
Benefits Eye-Safe Laser Development
O
ver the past couple of decades, an
enormous amount of effort and investment
has been made in the area of fiber optic
communications technology and equipment. This area is now providing a great
deal of benefit toward the development of
the next generation of highly efficient and
compact eye-safe laser sources.
Existing Eye-Safe Tactical Laser
Technology
Most existing eye-safe tactical laser systems
start out with a non-eye-safe Nd:YAG laser
source that transmits at 1.064 micron. The
non-eye-safe wavelength is then converted
to an eye-safe wavelength using a Raman
cell (1.54 micron) or an Optical Parametric
Oscillator (OPO) that emits at 1.57 micron.
These conversion techniques are effective but
are inefficient, add weight and consume
additional space. Wall plug efficiency of a
system like this is generally around 8 percent.
Adapting Fiber Communication
Hardware for Tactical Eye-safe Lasers
Erbium-doped fiber amplifiers (EDFA) have
become a main component of the telecommunications industry. A typical EDFA in
telecommunications is used to amplify a
signal to be transmitted over extended
distances. Telecom uses erbium-doped
silica fibers that transmit in the Near
Infrared (NIR), because they have less
attenuation and dispersion than visible.
Also EDFAs intrinsically transmit in this
same NIR region.
Signal
Source
Amplified
Output
• 1538 nm, C-Band
• 1617 nm, L-Band
Diode Pump Source
• 1480 nm
• 980nm
Figure 1. Simple Er-doped fiber amplifier
26 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
Corner Cube
Pump Resonator
Output Coupler
Er:YAG Laser Rod
1.617 Microm Output
Q-Switch
Assembly
Pump Diodes
1480 nm
1.617 um Energy
Figure 2. Direct eye-safe 1.617 um laser resonator
The laser diode pump sources with output
wavelengths of either 1480 or 980
nanometers are used to optically pump the
erbium-doped fiber and provide a significant (30 dB) signal gain out of the overall
amplifier at 1538 or 1617 nanometers. Both
of these diode sources are widely available
today because of the investments made by
the telecommunications industry. The 1538
nanometer output is within the C-Band or
conventional band (C-Band: 1530-1570 nm)
of operation. The 1617 nm output is within
the L-Band, or long band (L-Band: 15701620 nm) of operation.
980 Nanometer GaAs vs. 1480
Nanometer InP Pump Diodes
The erbium-doped silica fibers have an
extremely long absorption length enabling
practical 980 nm pumping with the higher
maturity GaAs-based diode sources.
Although the quantum efficiency of 980 nm
pumped EDFAs is only ~65 percent, the
overall efficiency of the 980 nm pumped
EDFA is still respectable due to the 100 percent pump absorption within the long fiber
gain length and high wall-plug efficiencies
(>50 percent) of the 980 nm diodes.
In a bulk Er-doped crystal (e.g. YAG), 980
nm pumping is not practical unless a high
co-doping of Yb is utilized. In crystal hosts,
however, the Yb-Er energy transfer is poor,
therefore rendering this type of pump
implementation impractical for efficient
pumping of bulk lasers. Er-doped crystals
are preferentially pumped at the resonant
state near 1500 nm (1480nm) where the
absorption is much stronger and broader
than at 980 nm. This enables efficient pump
absorption and, therefore, the overall high
efficiency operation of short bulk Er:crystal
gain geometries. Pumping an Er:YAG 1617
nm laser with a 1480 nm source correlates
to a very high 92 percent quantum efficiency. The high quantum efficiency and broad
absorption range of erbium at 1480 nm
makes these diodes an ideal choice for
pumping bulk solid state laser sources for
tactical laser sensor applications.
Although less mature as compared to the
GaAs-based 980nm diodes, the 1480 nm
InP–based diodes are gaining in wall-plug
efficiency and power levels that rival the
980 nm devices. Kilowatt class multi-bar
stack diode arrays are currently available
from a number of suppliers. These larger
packages can be incorporated into solid
state laser transmitters that utilize a much
larger laser gain medium than an erbiumdoped silica fiber. Gain medium such as a
rod or slab made of Er:YAG are ideal for
these applications. Figure 2 shows a simplified block diagram of a direct eye-safe
1.617 micron laser. Wall plug efficiency of a
system like this is 35 percent or greater.
Recent development work in this area has
yielded impressive results. An experiment
using a 30 mm long Er:YAG laser rod and
1480 nm pump sources demonstrated 7
watts of average output power at three different pulse rates (3 kHz, 4 kHz and 5 kHz).
Utilizing this technology, eye-safe laser systems can be created with significant pulsed
output energies and a variety of pulse formats that are capable of filling numerous
current and future sensor needs. •
Douglas A. Anderson
daanderson@raytheon.com
Kalin Spariosu
kalin_spariosu@raytheon.com
Y E S T E R D AY … T O D AY … T O M O R R O W
on
RF SYSTEMS
Technology
The Benefits of
Gallium Nitride Technology
I
n recent years, gallium nitride (GaN)
technology has created quite a stir in the
microwave electronics community, as well
as the press. Here are what industry insiders
are saying about this exciting technology.
“The GaN ‘revolution’ will have an
enormous impact on future military
radar and communication systems.”
– Mark Rosker, DARPA program manager,
CompoundSemiconductor.net, April 2005
“This [GaN] is the leap ahead in
technology, the building blocks for the
next generation of radar.”
– Mark Russell, Raytheon IDS VP of
Engineering, Boston Globe, April 25, 2005
efficiency) of an equivalently sized GaAs
MMIC typically operating at less than 10 volts.
So-called high voltage GaAs pHEMT MMICs
can be engineered to operate at higher
voltage (10 to 20 volts) but at the expense
of operating current, limiting power density
to 1.5 to 2 times that of a typical GaAs
pHEMT. Amplifiers of equivalent total power
can be made more compactly using GaN
because of the higher GaN power density.
In addition, the higher voltage of GaN
results in higher matching impedance,
which enables broader bandwidth design
than GaAs. Table 1 compares GaAs and
GaN device properties.
Table 1. GaN vs. GaAs comparison
“From broadband wireless to compact
radars, countless future scenarios depend
on the high power and high frequencies
that only gallium nitride can deliver.”
– Lester F. Eastman and Umesh K. Mishra,
IEEE Spectrum, May 2002
What exactly is GaN and why is everyone so
excited about its potential? Like silicon and
gallium arsenide (GaAs), gallium nitride is a
semiconductor transistor technology. GaN
transistors, however, have a high frequency
power handling capability well beyond silicon, GaAs or any other semiconductor yet
fabricated. This capability will make it the
technology of choice for the monolithic
microwave integrated circuits (MMICs) that
are the building blocks of the RF portions of
next-generation defense systems. Use of
GaN MMICs will lead to weight, range, sensitivity, prime power, cooling and cost
advantages at the system level.
GaN’s material properties allow it to support
device operation at much higher voltages
than the GaAs that dominates today’s
defense systems. GaN MMICs easily operate
at 28 volts, have ~2 times the maximum
channel current and can produce five to 10
times the power (with comparable gain and
Parameter
Output
power
density
GaAs
GaN
0.5 – 1.5 W/mm 3 – 6 W/mm
Operating
5 – 20 V
28 – 48 Voltage
Breakdown
voltage
20 – 40V
> 100V
Maximum
current
~ 0.5 A/mm
~1 A/mm
47
390(z)/490 (SiC)
Thermal
conductivity
(W/m-K)
system sensitivity at no increase in cost
(THAAD). Now, RRFC is leading the development of GaN MMIC technology to
enable the next generation of military radar,
communications, electronic warfare and
missile systems.
Raytheon is one of three prime contractors
awarded the DARPA Wide Bandgap
Semiconductor Phase 2 program. On this
program, Raytheon is teamed with Cree to
demonstrate state-of-the-art X-band GaN
transistor and MMIC performance. The
aggressive program goals include the demonstration of a reliable, 1.25 mm periphery unit
cell transistor operating at 40V with 6.4W/mm
of output power, 60 percent power added
efficiency (PAE) and 12 dB of gain at 10 GHz.
The Raytheon team is already well on its way
to achieving these goals, having already
passed the program’s interim goals of
demonstrating 1.25 mm periphery unit cell
transistors operating at 28V with greater
than 5W/mm of output power, 55 percent
PAE, and 10 dB of gain at 10 GHz.
Raytheon’s Leadership Position
Raytheon RF Components (RRFC) center has
a long history of providing enabling
microwave and millimeter wave semiconductor technology. GaAs MESFET (metal
semiconductor field effect transistor) MMICs
developed at Raytheon enabled the first
MMIC-based solid state radar, the Ground
Based Radar (awarded to Raytheon in
1991). But even at the time of this award,
RRFC was developing an improved technology known as GaAs pseudomorphic high
electron mobility transistors (pHEMTs),
which allowed Raytheon to offer its Army
customer a substantial improvement in
Y E S T E R D AY … T O D AY … T O M O R R O W
Figure 1. Fixtured GaN MMIC
In terms of reliability, Raytheon’s GaN is
state-of-the-art. As announced in a January
2007 press release, more than 8,000 hours of
successful RF operational testing on 28V fixtured GaN MMICs (see Figure 1) have been
Continued on page 28
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 27
RF SYSTEMS
on
Continued from page 27
completed, affirming Raytheon’s leadership
position in the development of this technology. This testing was done at elevated temperatures and operating conditions to simulate performance over a much longer period
of time. Three temperature DC Arrhenius
tests of Raytheon’s 28V GaN have also been
completed, and the results predict a mean
time to failure (MTTF) of greater than 1 million hours at a standard transistor channel
temperature of 150 Celsius. These test
results have given Raytheon customers confidence in the use of Raytheon’s GaN for
future defense systems.
To support these efforts, RRFC is presently
transitioning the fabrication of GaN MMICs
into its high-volume 100 mm diameter wafer
production fabrication facility (see Figure 2).
This transition will make GaN available with
the quality (RF performance, reliability and
yield), quantity and affordability necessary
to support systems requirements.
Technology
Metamaterials:
Materials That Perform the Impossible
I
magine if you could create a
“cloaking” device by surrounding an
object with a new and special material.
How would you design an optical
system if the lenses could be any
shape and size you desired?
How could you utilize an antenna
that conforms to the shape of
an airframe?
Would a material that converts waste
heat into THz energy (with no
moving parts) be of interest to you?
Metamaterials are materials that gain their
properties from their periodic structure,
rather than from their composition —
particularly when the resulting properties
are not found in naturally formed substances. For example, index of refraction,
a property used to describe how light is
bent as it passes through an interface
between two materials, is traditionally a
positive number between 1.0 and 4.0.
Metamaterials can effectively create
negative indices of refraction (so-called
“left-handed” materials). Since the index
of refraction is also directly related to
permittivity (dielectric constant) and magnetic permeability, these same unusual
behaviors open up entirely new possibilities in materials and structures exposed to
any form of electromagnetic energy.
These are just a few of the advanced
concepts made possible by a new technology field that merges physics and materials science. This wide-ranging field, called
“metamaterials,” bases macroscopic
behaviors on nano-scale building blocks.
The metamaterials field is now being studied worldwide at universities and
companies including Raytheon.
Investigators have found, for example, that
creating controlled patterns of defects in
materials — where the defects are of the
same scale as the wavelengths of the
energy they wish to control — can be
used to channel energy much as waveguides are used. Similarly, split-ring
formations etched on printed wiring
Figure 2. A 100 mm diameter GaN wafer
produced at RRFC
GaN is a disruptive high-power semiconductor
technology that will enable a new class of
microwave and millimeter wave RF systems
envisioned for the near future. Raytheon is at
the forefront of GaN development, having
demonstrated outstanding microwave performance and industry-leading reliability.
This performance gives Raytheon a strategic
advantage in the development of nextgeneration defense systems.
Nick Kolias
nicholas_j_kolias@raytheon.com
28 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
The effects of a the typical refraction of an object in a positive index of refraction material
(left) compared with the effect of a negative index of refraction material. (Courtesy of W.
Padilla, Boston College and D. Smith, Duke University)
Y E S T E R D AY … T O D AY … T O M O R R O W
M AT E R I A L S & S T R U C T U R E S
µ, ε Space
µ
Waves in Media:
∇ 2 E = εµ
n = εµ
ε
No propagation
k = ω εµ
∂ 2E
∂t 2
Upcoming Engineering and
Technology External Events
No propagation
The behavior of electromagnetic waves with effective negative permeability (ε) and permittivity
(µ). Waves will propagate in regions when both values are positive or both negative. (Portions
borrowed from V.G. Veselago, Sov. Phys. USPEKHI 10, 509 (1968))
American Institute of
Aeronautics and Astronautics
(AIAA) Space 2007 Conference
and Exposition
Sept. 18–20, 2007
Long Beach, California
http://www.aiaa.org/space2007
substrates on a scale matching the wavelengths of RF energy can create strong
responses in specific frequencies, causing
them to act as antennas.
This past March, a group of Raytheon engineers converged in Dallas to participate in
a metamaterials workshop. The engineers
listened to academia and industry experts
discuss the current state-of-the-art technologies, as well as potential applications
for Raytheon products. Representatives
from across Raytheon also described ongoing or planned efforts in metamaterials in
their respective businesses.
New developments and ideas are continually being announced in the metamaterials
field. Fortunately, Raytheon’s expertise
in sensor and RF circuit design and
fabrication is an ideal fit for this exciting
new technology.
A photograph of an early split ring oscillator
array usable in creating antennas with
nearly flat profiles. (Courtesy of D.R. Smith,
W. J. Padilla, D.C. Vier, S. C. Nemat-Nasser,
S. Schultz, Phys. Rev. Lett. 84, 4184, (2000))
For more information, contact Bill Owens at
520.545.9528 or wrowens@raytheon.com.
Steve Tunick
satunick@raytheon.com
Y E S T E R D AY … T O D AY … T O M O R R O W
CMMI® Technology Conference
and User Group
Nov. 12–15, 2007
Hyatt Regency Tech Center
Denver, Colorado
http://www.ndia.org/Template.cfm?
Section=8110&Template=/ContentM
anagement/ContentDisplay.cfm&Co
ntentID=15079
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 29
Events
Raytheon Enterprise Process Group Workshop:
The Good, the Bad and the Ugly
The Enterprise Process Group (EPG) actively
supports, facilitates and executes the
Integrated Product Development Process
(IPDS) development, management and
improvement activities. It is organized to
facilitate the employment and institutionalization of process goals, objectives, directives
and activities across our company.
The EPG at Missile Systems (MS) is an enterprise-wide group that is responsible for all
the processes associated with IPDS. They are
responsible for supporting the maintenance,
sustainment and improvement of those
processes. More importantly, they do it by listening to the customer base — namely, the
program managers, chief engineers and
other key personnel. By making constant
improvements, they help keep infrastructure
fresh and value-added for the business.
This year, MS sponsored the 6th annual
Raytheon EPG Workshop in Tucson, Ariz.,
April 17–18, which was attended by 134 participants. The event’s theme, “The Good, The
Bad and The Ugly,” was a light-hearted nod
to Raytheon’s current process behavior. One
of the event’s highlights was an entertaining
seven-act drama called “The Initiative,” which
was performed by conference committee members throughout the two days.
According to Michael Scott, the workshop
sponsor, EPG is really a collaboration of all
the process professionals at Raytheon striving
toward common process improvement.
“That’s why we put on these kinds of events:
to give us some opportunity to get together
and share our lessons learned,” said Scott.
“The workshops are greatly beneficial.
What’s mostly valuable, I think, is establishing
those people-to-people networks, learning
about other people, meeting other people
and then engaging with them after the
workshop.”
The event’s keynote speaker was Raytheon’s
Don McMonagle, a former astronaut at
NASA who flew as a mission specialist on the
space shuttle Discovery, piloted the shuttle
Endeavor and commanded the shuttle
Atlantis. “Its all about anticipating problems
30 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
and communicating knowledgeably with the
effective communication of people,” said
McMonagle. He went on to stress the need
to focus on strategically marketing IPDS and
process-driven behavior and adoption.
Ron Carsten, chief engineer at MS, delivered
a presentation called “The Challenge of a
Knowledge-Based Process.” In it, he indicated that one of the problems we face with
process-driven behavior is forcing the process
people to be in more of a push mode, rather
than having the programs in a pull mode.
Like McMonagle, Carsten contends that we
do not market our product effectively.
“There’s no activity that I can see, for marketing our tools.”
Active marketing is really about understanding customer needs and then helping them
with a solution. Providing a champion to
meet with the customers will instill ownership, as well as provide them the assurance
that they are speaking with someone who
actually understands and can help bring
resolution to their problems.
Eric Ziegler, Raytheon’s process project manager and presenter of “IPDS v3.x: Law &
Order in the Wild West,” had this to say
about IPDS v3: “We’re definitely striving to
get the top layer of IPDS to be more streamlined, so that it’s more representative of what
happens on a generic program.”
An EPG council, consisting of enterprise
process leaders from across Raytheon, is in
the initial stages of being formed. With its
varied resources, the council will address several key issues now facing Raytheon, including
CMMI®, Mission Assurance and AS9100.
To access the presentations from the 2007
EPG Workshop, visit:
http://docushare1.app.ray.com/docushare/ds
web/View/Collection-174043.
To view additional EPG information, visit the
Technology & Process Library Web page at
http://home.ray.com/rayeng/technetworks/tab
5/tab5.htm. •
Marcilene Pribonic
marcilene_pribonic@raytheon.com
Excellence in
Engineering and
Technology Awards
2006
2007 SEPG
Conference
C
ontinuing its longstanding relationship
with Carnegie Mellon University’s Software
Engineering Institute (SEI), Raytheon made
a strong showing at the SEI-sponsored
Software Engineering Process Group (SEPG)
Conference in Austin, Texas, on March 26.
The conference, now in its 20th year, is
dedicated to highlighting the latest trends,
techniques and technologies in systems and
software process improvement.
More than 1,500 government and industry
experts from around the world participated
in the conference’s 170 lectures, presentations, panel events and exhibits. Attendees
arrived at the SEPG Conference in search of
innovative methods of transforming software
and systems performance in industry and
government. They left as agents of change,
armed with new ideas, skills and contacts.
T
he Smithsonian Institution’s National Air
and Space Museum in Washington, D.C.,
was the setting for the Raytheon Excellence
in Engineering and Technology Awards ceremony. Seventy-eight people were recognized for their outstanding technical
achievements at the April 11, 2007 event,
which attracted the Raytheon leadership
team, customers, colleagues and guests.
The awards are Raytheon’s highest technical honors, and the 2006 winners comprise
15 team and six individual examples of
excellence. They hail from across the company including two “One Company” teams
with members from multiple businesses, a
team from Raytheon Systems Limited and a
team representing Information Technology.
Presenters included Mary Balboni, who
discussed the use of agile techniques to
improve systems engineering processes,
and Kathryn Kirby, who addressed representative sampling for enterprise CMMI®
appraisals. Both speakers were from
Raytheon’s Intelligence and Information
Systems business.
The SEI operates at the leading edge of
technical innovation. They have advanced
software engineering principles and practices and have served as a national resource
in software engineering, computer security
and process improvement. The SEI works
closely with defense and government
organizations, industry and academia to
continually improve software-intensive systems through research, pilot programs,
knowledge sharing and best practices. •
During the evening program’s opening
remarks, Taylor W. Lawrence, vice president
of Engineering, Technology and Mission
Assurance, celebrated the anniversary of
his first day on the job — the 2005 awards
ceremony. He recounted the incredible
accomplishments the award winners
achieved in just one year, and what
Raytheon, as a company, achieved in the
last year. He noted how we are driving
change, and how we are driven by it,
requiring us to continue to excel and innovate for the success of our company and
our customers.
The evening’s keynote was delivered by
Raytheon Chairman and CEO Bill Swanson,
who spoke about his childhood fascination
with the way things work — a major factor
in his decision to pursue an engineering
career. This inquisitiveness, he said, is a cornerstone of the way engineers turn ideas
into functioning technology and solutions.
He also noted that making new connections is an important part of innovation. To
illustrate this point, Swanson juxtaposed a
series of images from the Hubble telescope
with similar unnamed images here on Earth.
Raytheon congratulates and applauds this
year’s winners for helping keep Raytheon on
the leading edge of innovation. To view the
complete list of winners, visit the Raytheon
Excellence in Engineering and Technology
Awards intranet spotlight feature at
http://home.ray.com/feature/rtn07_eiet07. •
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 31
People
ET&MA
Professionals
Exemplify
Raytheon’s
CFM Strategy
CHAIN High Assurance APIs for MS Office
and Web Publishing Environments Team
Driving Innovation Into Everything We Do
Highlighted below are three of the 15 teams who captured awards at Raytheon’s Excellence in
Engineering and Technology Awards, held April 11, 2007. The award is Raytheon’s highest honor for
technical achievement that contributes to the company’s success and continued growth.
Each winning team is responsible for keeping the company on the leading edge of innovation so we can
meet our customers’ evolving needs. Moreover, their outstanding performance challenges the entire company to meet and exceed the new standard of excellence they have set.
Project JFires Team
Global Information Grid (GIG) Appliance
Demonstrator Team
Russell A. Hendrickson, Robert C. Moehl, Thomas
Farley, Frank L. Prioleau Jr., Tyson D. Vooge
Michael J. Townsend, Danion T. Dugger, Mark A.
Phelps, Brian L. Bultemeier, Charles S. Kuehl
This team was honored for developing the
Compartmented High Assurance Information
Network (CHAIN), resulting in Raytheon winning the
$56 million DARPA Classified IT services contract.
These five dedicated engineers were acknowledged for developing the Global Information Grid
(GIG) Appliance Demonstrator — a secure, COTSbased publish-and-subscribe mechanism that
enhances situational awareness and supports the
migration of legacy avionics systems to ServiceOriented Architecture, Internet Protocol networks.
CHAIN provides breakthrough sharing abilities to
users operating at high classification levels across
compartments. The team integrated security services with Microsoft applications and created a
life-cycle Web-publishing environment offering
commercial IT quality collaboration services with
Protection Level 3+ accreditation. The unprecedented combination of strong security, familiar
office capabilities and maintainability was the key
to winning the $56 million DARPA contract.
“Working on IRADS can be both exhilarating, as
new concepts are explored, and challenging,
since a diverse team with different skills must
come together to solve customer challenges,”
said team member Robert Moehl.
CHAIN was selected as the worldwide collaboration environment for Coalition Warfighter
Interoperability Demonstration 2007, a forum for
new and emerging technologies to be used and
evaluated by operators from all armed services,
DoD agencies and coalition members. CHAIN
establishes Raytheon as a provider of leadingedge information assurance solutions validated to
meet compartmented and multilevel secure
requirements.
“For the CHAIN team, our most critical challenges
were the availability of skilled subject matter
experts and training on new technologies and
products,” said Moehl. “The CHAIN IRAD team
has and continues to be in high demand on programs like DARPA, Firewalker and Starburst, as
well as supporting proposal efforts.”
32 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
Kenneth L. Pratte, Philip M. Green, Christopher
Dow, Dennis E. Woods, F. Allen Bouressa
The Project JFires team received their award for
designing a prototype Department of Defense
(DoD) Protection Level 3 system capable of interconnecting multiservice networks and demonstrating joint interoperable functionality.
The Project JFires team successfully partnered
with Raytheon Integrated Defense Systems
Security, the Defense Security Service and local
Raytheon site security offices to achieve
Raytheon’s goal: establishing an infrastructure to
prototype, evaluate and demonstrate joint interoperable functionality to improve and extend
warfighter capability.
“With JFires, everything is new, often never done
before, and a big challenge — but with a potential huge payoff for our customers and warfighters,” said Robert Wilcox, JFires Integration of
Labs (IOL) IPT lead. “That’s what it’s all about.
We have to consistently run at faster than Ramp
Speed; we call it JFires Speed, and we love it! As
is often said in the Navy, a ship underway makes
a wake. And believe me, JFires knows how to
make a wake!”
The GIG Appliance Demonstrator serves as a
presentation layer for warfighters to connect to
the GIG to share or receive sensor information
needed to enhance situational awareness. The
GIG Appliance Demonstrator team designed it to
support legacy avionics system migration to
Service-Oriented Architecture, Internet Protocol
networks, and to provide systems that upgrade
easily, adapt to evolving commercial technology
and resist short-term obsolescence.
The COTS-based GIG Appliance can affordably
morph into any required form factor, level of enduser network capability, and command/control
human interface under a multilayer of security.
“The greatest obstacle our team faced in developing our COTS demonstrator for the AF Airborne
CRADA Capstone Flight Test event,” said Charles
Kuehl, the team’s principal systems architect and
systems engineer, “was establishing our system’s
networking value to airborne RF communications,
using the OSD NetCentric Checklist guidance to
support our SOA telecommunications development approach.
“After an exhaustive team-coordinated approach in
defining what OSD’s GIG publishing and consuming
really encompasses, a ‘Customer Vision of GIG
Deployment’ conops document was developed for
IPDS Gate 6 to provide our team some NetCentric
Checklist (Data & Transport Tenets) requirements
clarity on how the customer is envisioning GIG
‘Edge’ Interoperability for the warfighter.”
Getting to Know Your Raytheon Certified Architects
The Raytheon Certified Architect Program (RCAP) is the culmination of Raytheon’s systems architecting
learning curriculum. RCAP focuses on providing our customers with the expertise needed to support their
long-term transformational goals. In recognition of their certification, we continue to highlight our
Raytheon certified architects.
Edwin Lee
Senior Principal
Engineer, Space and
Airborne Systems –
Years with Raytheon: 20
Q: Can you tell us about
your current program?
A: My current program
is called the Raytheon
Reference Architecture Enterprise Campaign,
Hard Real-Time. It just started this year. Before
that, I worked on the Raytheon St. George
Enterprise Campaign for two years. Enterprise
campaigns are corporate-level programs with
participation from all Raytheon businesses.
Q: In terms of the three pillars of Customer
Focused Marketing (CFM) — Performance,
Relationships and Solutions — what’s been
lacking in your current role, and what has
worked well?
A: In my current role as IPT lead, my customers include stakeholders in the Corporate
and Local Technology, Business Development,
and Engineering areas. Trying to satisfy the
needs of all these areas and promoting the
use of our product (Reference Architecture)
has been challenging due to its exploratory
and “disruptive” nature. On the other hand,
by using a combination of remote collaboration (using tools such as teleconference and
Sametime), face-to-face meetings, workshops
and awareness seminars, we are producing
good results.
place will be open to more competition, and
customer expectations will continue to increase
in terms of fast turnaround time and costeffective solutions.
Q: What about your job keeps you up at night?
A: There are indeed moments when my job
keeps me up at night. Luckily, they’re mostly
good moments when I found a solution to a
problem or have a creative idea for expressing a
concept. I like those moments! However, there
are also moments when I feel like pulling my
hair out searching for an answer.
Q: How would you describe your job
parameters?
A: My job has no requirements in the traditional sense. Only very high level guidelines
and objectives are given. That leaves lots of
room to explore, investigate and create, along
with opportunities for problem solving. I think
“degree of challenge” could be a good job
parameter; the other one may be “opportunity
of innovation.”
Mike Stemig
Program Chief
Engineer, Space and
Airborne Systems –
Years with Raytheon: 23
Q: How would you improve Raytheon’s
Performance, Relationships and Solutions?
A: Get out of the comfort zone, think out of the
box, reach out to peers and other experts across
the company, and participate in community
activities inside and outside of the company.
Most of all, share, collaborate and leverage
with each other to create a “force multiplier.”
Q: How long have you
been working with your
current program?
A: My current program
is Silverthorn, and I’ve been working on it
from the proposal stage in January 2005
through the present time. Our Period of
Performance lasts through 2012, so it’s a fairly
long program. Since early this year, I’ve taken
on the role of being a program chief engineer.
It’s a relatively new role within SAS, and I’m
excited about being on the frontier, both technically and organizationally.
Q: How do you see CFM affecting the future?
A: CFM will still be a key measure of customer
satisfaction. In fact, I believe it will become
more critical in the future because the market-
Q: Why do you think you have excelled in
your career?
A: Early in my career, I benefited from identifying role models for myself, people who were
at higher levels of the business and who exhibited traits I admired. They would be my measuring sticks, and although I may never fully
measure up to the gold standard, I knew that
every step I made toward it would help me.
On the technology side, the two people I tried
to measure myself against were Joel Mellema
and Mike Wong. Both gentlemen are awesome
technically, wonderful communicators, and
always enable a positive teaming experience by
treating everyone at all levels of the organization with respect. Organizationally, my measuring sticks are Debbie Ybarra and Steve
Jackson. From them, I’ve learned enterprise
perspective, collaborative leadership, and organizational excellence. All four have the ability
to see the forest … and the trees.
Q: What advice would you offer to enhance
Performance, Relationships and Solutions?
A: Find ways to fill the white space — and
architects are ideally suited to filling the white
space. As engineers, people want to draw a
clean boundary around their components and
make sure they have everything covered.
Everyone’s components may work great on
their own, but when it comes together into a
higher level product or system, it may not
work at all. The architect’s role is to make sure
that doesn’t happen. Organizationally, the
same thing can happen, and someone has to be
willing to fill the white space. You can learn a
lot by filling the white space, and the teams
you participate in or lead will be more successful because of that.
Q: What about your job excites you? What
concerns you?
A: Interestingly enough, the same things both
excite me and concern me. System Integrity
Programs has experienced amazing growth
over the last four years. We’re a world-class
leader in a key domain that’s in high demand.
So every day, there’s interesting work waiting
for me when I walk through the door. Every
night, when I go home, I’m afraid there will
be even more interesting work the next day.
I’m usually right!
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 33
Resources
New IPDS Version
Delivers a Streamlined Process Foundation
IPDS — we love it, we hate it.
We follow its precepts (usually)
and get the desired, predictable
results that our customers expect
from our products and services.
But how rewarding (or painful)
was the journey through that
process? Or more importantly,
was the process rigorous and
process. This can be achieved by implementing the following:
• A common, tailorable process across
all businesses describing what is required
to capture, execute and support any
program
• A focus on clarity of direction vs. verbose
narrative process descriptions
sacrificing agility and speed?
The Need for Change
There’s a fine line between maintaining
process discipline and allowing freedom to
operate unencumbered — a line that must
be held tight to achieve real business success. On one hand, when discipline is not
maintained, processes are loosely followed
or not documented, which in turn results in
cost overruns, poor performance history,
diminished customer confidence and
reduced profit margin. On the other hand,
when the process becomes too unwieldy
and restrictive, the results can be just as
detrimental, including:
• A process that is open to many
interpretations
• Sub-processes that are not easily
understood or followed
• A process that’s difficult to navigate and
find what you need
• A more useful set of results of IPDP
tailoring for program planning
Additionally, the Process Asset Library (PAL)
will promote more commonality while
acknowledging business preferences. The
PAL consists of common and businessunique assets describing how IPDP tasks are
executed within programs. All assets share
a common framework and are associated
with the tasks they intend to help execute.
The Benefits
So how will version 3.2 make a difference?
The improvements will be evident in a more
streamlined, user-friendly IPDS that performs these functions:
IPDP Content
Team
Stage/Key
Function
Representation
Full
Representation
Council CCBs
Engineering
Business Development
Supply Chain Management
Operations
•
•
•
• Makes it easier for users to see what
needs to be done and how it fits into the
flow of a program
• Facilitates building an Integrated Master
Schedule and identifies the enablers that
implement tasks
• Allows programs to see an integrated
flow of tasks as the program progresses
• Eliminates redundancy, speeds tailoring
and supports key work products
• Redundant task descriptors that
often overlap
• Makes related processes available
without cluttering the IPDP layer with
redundant content
A New Approach
Governance
With the release of IPDS version 3.2, a
major focus has been to transform the
Integrated Product Development Process
(IPDP) into a concise, integrated common
One of the most significant changes to
complement IPDS version 3.2 is the implementation of a new governance model. The
need for a new model was underscored by
34 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
Key Functional
Non-Engineering
Representation
• A focus on integrating essential “whats”
from sub-processes
flexible enough to achieve performance excellence without
IPDS Governance Model as of IPDS v3.2
some specific inadequacies in the current
process. A few of these inadequacies
included lack of sufficient stakeholder
involvement on process changes, confused
responsibilities for shared content, difficulties with maintaining configuration control,
and difficulties committing and retaining
development resources.
The new model addresses existing concerns
by keeping the IPDP and the PAL process
materials under the control of the IPDS
Engineering & Technology Council
Business Process Leads
IPDS Steering Committee
Business Representation
Vision/Direction
Architecture/Style Guidance
Approved Changes
IPDS CCBs
Control
Implement
Tasks
Review
Activities
Control
Engineering Common Assets
Users
Change Requests
Approved Changes
Integrated Product Development Process
Review
Architecture Use
Cases Designs
IPDS Reqs &
Arch Team
Implement
IPDS System
Team
Endorse
Process Asset Library
Business Development Common Assets
Supply Chain Common Assets
Operations Common Assets
•
•
•
IDS Assets
IIS Assets
MS Assets
NCS Assets
RTSC Assets
SAS Assets
Business CCBs
Control
Endorse
IDS
IIS
MS
NCS
RTSC
SAS
Integrated Product Development System
Configuration Control Board (CCB), corporate-level council CCBs, or business CCBs.
Endorsement of the IPDP will be given by
consensus of the business CCBs. Likewise,
PAL common content endorsement will
come from business CCBs on an asset-byasset basis.
The real value of the new governance
model comes from allowing business
endorsements to provide insight into the
ROI of “common assets,” which will help
direct our council process activities. It also
lets us identify and cull uncontrolled
assets, while still allowing users to submit
potential council or business assets for
inclusion in the PAL. Finally, this model will
drive more efficient implementation of
approved changes.
Moving Forward
Each of our Raytheon businesses is making
plans for the implementation of IPDS version 3.2 as a part of its overall process
definition and deployment over the next
few months. In parallel, key roles will be
filled by subject matter experts across the
businesses for the improvement and governance of the IPDP and the IPDS/PAL system
as a whole. These are critical steps on our
path to deploy a potent combination of
common and business-specific processes
for the benefit of Raytheon programs
and customers. •
Eric Ziegler
ejziegler@raytheon.com
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 35
Resources
R6σ Business Excellence:
Providing Capabilities to Enable Success
T
he evolution of Raytheon Six Sigma™ to
a new business-centric operating model has
already made an impact on how businesses
are using it to support strategic priorities.
According to Rusty Patterson, vice president
of Raytheon Six Sigma Business Excellence,
this is only part of a larger transformation
targeted to fuel continuous improvement at
Raytheon.
In a synergistic organizational move, R6σ®
Business Excellence was established to provide a broader spectrum of expertise, capabilities, tools and processes to enable others
(internal and external partners) to reach the
goals they’ve set for themselves — goals
that are in line with those of the company.
“We align with the strategies of the organization we’re working with, and provide the
capability to do it,” said Patterson. “In the
process, we’re setting the stage to enable
Raytheon to meets its goals as well.”
“Part of this process is
helping others see their
own vision. This ties into
our goals as individuals
and Raytheon’s goals
as a company: to nurture
an innovative,
inclusive culture.”
- Rusty Patterson, Vice President,
Raytheon Six Sigma Business Excellence
The business excellence arm of the organization fortifies its ability to take on a range
of more complex challenges, like financial
performance, operational efficiency and
innovative thinking.
36 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
Aligned to Achieve Mission Assurance
R6s Business Excellence operates within the
Engineering, Technology and Mission
Assurance (ETM&A) organization, established under the direction of Dr. Taylor W.
Lawrence in 2006. This relationship, as well
as representation on the ET&MA Joint
Council, ensures top-level connectivity with
other “enabling functions” that together,
guide the research, design and development of Raytheon’s growing portfolio of
products and programs, and drive innovation and meaningful diversity. It also aligns
R6σ Business Excellence with other organizations (like Performance Excellence,
Engineering, Technology and Research, and
Operations) on the frontlines of enabling
the delivery of Mission Assurance.
“In order to have Mission Assurance,” said
Patterson, “you need the tools, techniques
and capabilities to enable efficiency
improvements in a structured way; to perform transformation activities in a knowledge-based way. ET&MA Joint Council
member organizations have a great deal of
overlap, and because of that, we’re able to
close any gap between functions and concentrate on a shared mission.”
Same Focus, Expanded View
“Our focus will always be improving
Raytheon and its programs,” said Patterson.
“But now that the businesses are using R6σ
in areas where it makes the most sense to
them, we’ve opened our aperture to apply
this knowledge and expertise to other areas
that impact our company’s value and performance, both internally and externally.”
These areas will expand R6σ’s reach to the
extended enterprise, and allow the company to maintain its industry-leading edge in
the development and use of innovative
resources (subject matter experts, tools,
techniques, etc.), while providing the learning required to understand and take full
advantage of them. They include:
• Rapid Deployment Teams of highly skilled
resources to help the extended enterprise
resolve challenges that require targeted
expertise and quick turnaround.
• Consulting Groups to assist businesses in
applying R6σ to areas of strategic importance and provide external assistance
where it makes sense for the businesses
and the company.
• Curriculum Management & Development
that meets the needs of Raytheon businesses and provides better learning
options for employees.
• Raytheon Accelerated Collaborative
Environment™ (RACE) for complex enterprise-scale improvement and integration.
RACE is the new, trademarked change
vehicle that combines expertise, processes and technology to enable decision
acceleration, rapid prototyping and
resource alignment. The RACE process,
available to internal and external partners, can be implemented on any site or
conducted at the new RACE
Collaboration Center in Garland, Texas.
A Self-Fueling Engine for
Creating Improvement
Some of these areas involve active participation by firms outside Raytheon. “By working with external firms with varied expertise,” said Patterson, “we’re able to grow
our knowledge and capabilities, and bring
those back into the company. This way, our
knowledge base will continue to be
refreshed, we’ll gain new insight into how
issues can be solved, and build our inventory of tools and techniques in the process.”
One example is in the area of innovation.
“Since innovation is at the heart of our
company, we have someone working with
an external partner that is renown in the
creative industry,” continued Patterson.
“This is one way we will develop avenues to
improve the innovative processes.
Businesses have said what they wanted,
and we’re supplying the tools and techniques to help people make that leap.” •
Supporting Math and Science Education
When you help a student master the Pythagorean theorem, you could be supporting a future
engineer who will master nanotechnology. That’s why Raytheon created MathMovesUTM, a national
initiative designed to show middle school students that they can master math, and that it will take them to lots
of cool places. Raytheon is also proud to support MATHCOUNTS®, which motivates more than 500,000 middle
school students to sharpen their math skills each year. By working to improve our children’s proficiency in math
and science today, we’re giving them what they need to improve our world tomorrow.
www.MathMovesU.com
© 2007 Raytheon Company. All rights reserved.
“Customer Success Is Our Mission” is a registered trademark of Raytheon Company.
MathMovesU is a trademark of Raytheon Company.
MATHCOUNTS is a registered trademark of the MATHCOUNTS Foundation.
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 37
U.S. Patents
Issued to
Raytheon
At Raytheon, we encourage people
to work on technological challenges
that keep America strong and develop
innovative commercial products. Part
of that process is identifying and
protecting our intellectual property.
Once again, the U.S. Patent Office
has recognized our engineers and
technologists for their contributions
in their fields of interest. We
compliment our inventors who
were awarded patents from
January through April 2007.
JOHN R. STALEY
7171776 Weapon sight having analog
on-target indicators
DAVID J. KNAPP
7174835 Covert tracer round
WILLIAM E. COLEMAN JR
FONZIE K. SANDERS
CHRISTOPHER T. YATES II
7176774 Differential mode inductor with
a center tap
MICHAEL J. HOFFMAN
THOMAS R. KURK
THOMAS D. MINNING
H.J. WOOD
7177601 Method and apparatus for
transceiving data using a bimodal power
data link transceiver device
JEFF S. WOLSKE
7180067 Infrared imaging system with
ellipsoid reflective warm baffle and method
FERNANDO BELTRAN
JOSEPH P. BIONDI
RONNI J. CAVENER
ROBERT V. CUMMINGS
JAMES M. MCGUINNIS
THOMAS V. SIKINA
KEITH D. TROTT
ERDEN A. YURTERI
7180457 Precision wideband phased
array radiator
JEFF G. CAPARA
JUSTIN C. JENIA
LAWRENCE D. SOBEL
7178345 Stacked-plate gas-expansion cooler
assembly, fabrication method and use
KIUCHUL HWANG
7183592 Field effect transistor
38 2007 ISSUE 2 RAYTHEON TECHNOLOGY TODAY
KWANG M. CHO
7183965 Efficient stripmap SAR processing for
the implementation of autofocus and missing
pulse restoration
DANIEL P. ROMAN
STEVEN L. STERNBERG
7201582 Microstrip interconnector for
solderless connection
WESLEY T. DULL
JEROME H. POZGAY
7183969 System and technique for calibrating
radar arrays
MICHAEL G. ADLERSTEIN
7202673 Tuned MMIC probe pads
CAROLINE BREGLIA
MICHAEL J. DELCHECCOLO
THOMAS W. FRENCH
JOSEPH S. PLEVA
MARK E. RUSSELL
HBARTELD B. VANREES
WALTER G. WOODINGTON
7183995 Antenna configuration for reduced
radar complexity (automotive)
ELIZABETH R. MAYERSKI
WILLIAM B. NOBLE
HIEP T. VU
7185066 Secure data sharing system
BARBARA E. PAUPLIS
7199753 Calibration method for receive only
phased array radar antenna
MARK L. BOUCHARD
RUDY A. EISENTRAUT
PURNACHANDRA R. GOGINENI
KEVIN R. GREENWOOD
JUAN A. PEREZ
7185847 Winged vehicle with variable-sweep
cantilevered wing mounted on a translating
wing-support body
DARYL B. ELAM
7185851 Inflatable aerodynamic wing and method
GABOR DEVENYI
KEVIN WAGNER
7191674 Stepper mechanical drive system
ALEXANDER A. BETIN
NATHAN P. DAVIS
JOSEPH J. ICHKHAN
7193772 Conductively cooled liquid thermal nonlinearity cell for phase conjugation and method
KHIEM V. CAI
SAMUEL D. KENT III
LLOYD F. LINDER
7187735 Mixed technology MEMS/SIGE BICMOS
digitizing analog front end with direct RF sampling
JIM L. HAWS
RONALD RICHARDSON
7195177 Method and apparatus for humidity
control within a housing
DAVID D. HESTON
JON MOONEY
7199016 Integrated circuit resistor
BARBARA E. PAUPLIS
7199753 Calibration method for receive only
phased array radar antenna
SCOTT T. JOHNSON
DAVID T. WINSLOW
7201217 Cold plate assembly
LOUIS LUH
KEH-CHUNG WANG
7202708 Comparator with resonant
tunneling diodes
LOUIS LUH
7202762 Q enhancement circuit and method
KAPRIEL V. KRIKORIAN
ROBERT A. ROSEN
7202812 Technique for compensation of transmit
leakage in radar receiver
KAPRIEL V. KRIKORIAN
DWIGHT J. MELLEMA
MICHAEL Y. PINES
7205927 Technique for low grazing angle 3D
SAR target recognition
GORDON R. CHALMERS
SHU K. HO
7205930 Instantaneous 3D target location
resolution utilizing only bistatic range
measurement in a multistatic system
KAPRIEL V. KRIKORIAN
ROBERT A. ROSEN
7205948 Variable inclination array antenna
JAMES F. ASBROCK
GEORGE W. DIETRICH
LLOYD F. LINDER
7206062 Readout integrated circuit for laser
detection and ranging system and method for
using same
JOHN D. BRITIGAN
HANS L. HABEREDER
THOMAS L. MC KENDREE
7207517 Munition with integrity gated
go-no-go decision
DAVID D. CROUCH
WILLIAM E. DOLASH
MICHAEL J. SOTELO
7205948 Multiple-port patch antenna
G. V. ANDREWS
7209937 Method and apparatus for generation
of arbitrary mono-cycle waveforms
Raytheon’s Intellectual Property is
valuable. If you become aware of any
entity that may be using any of
Raytheon’s patented inventions or
would like to license our patented
inventions, please contact your
Raytheon IP counsel:
Leonard A. Alkov (SAS)
Horace St. Julian (MS & RTSC)
Robin R. Loporchio (NCS)
Edward S. Roman (IDS)
John J. Snyder (IIS)
International
Patents Issued
to Raytheon
Congratulations to Raytheon technologists from all over the world. We would
like to acknowledge international patents
issued from January through mid-April
2007. These inventors are responsible for
keeping the company on the cutting
edge, and we salute their innovation
and contributions.
Titles are those on the U.S.-filed patents;
actual titles on foreign counterparts are
sometimes modified and not recorded.
While we strive to list current international patents, many foreign patents
issue much later than the corresponding
U.S. patents and may not yet be reflected.
AUSTRALIA
KAPRIEL V. KRIKORIAN
ROBERT A. ROSEN
2003234414 All weather precision guidance of
distributed projectiles
AUSTRIA, FRANCE, GERMANY,
GREAT BRITAIN, ITALY, SPAIN
DOUGLAS M. KAVNER
1354306 System and method for reading
license plates
CANADA
MILES E. GOFF
2292077 Temperature compensated amplifier
and operating method
ROY P. MCMAHON
2435461 Electrical cable having an organized
signal placement and its preparation
CHUNGTE W. CHEN
RONALD G. HEGG
WILLIAM B. KING
2407790 Light-weight head-mounted display
CANADA, JAPAN
LAWRENCE P. DUNLEAVY
STEVEN M. LARDIZABAL
ROBERT S. ROEDER
MATTHEW C. SMITH
2285643 Variable microwave cold/warm
noise source
FRANCE, GERMANY, GREAT BRITAIN,
ITALY
JEROME M. DECKER
1335176 Compact FLIR optical configuration
FRANCE, GERMANY, GREAT BRITAIN
JIM L. HAWS
BYRON E. SHORT JR
1218965 Method and apparatus for cooling
with a phase change material and heat pipes
MAURICE J. HALMOS
1397697 Synthetic aperture ladar system
using incoherent laser pulses
JAMES FLORENCE
PAUL KLOCEK
1275026 Method and apparatus for switching
optical signals with a photon band gap device
ROBERT T. FRANKOT
1019746 Averaging-area-constrained adaptive
interferometric filter that optimizes combined
coherent and noncoherent averaging
FRANCE, GREAT BRITAIN, SPAIN
GARY A. FRAZIER
1266427 Digital phased array architecture and
associated method
FRANCE, GERMANY, GREAT BRITAIN,
ITALY, SPAIN
MARTIN L. COHEN
NAMIR W. HABBOOSH
1623500 Digital switching power amplifier
FRANCE, GERMANY, GREAT BRITAIN,
ITALY, JAPAN, SPAIN, TURKEY
STEPHEN E. BENNETT
CHRIS E. GESWENDER
KEVIN R. GREENWOOD
1495281 Boot mechanism for complex projectile
base survival
GERMANY. GREAT BRITAIN, ITALY,
SPAIN
KAPRIEL V. KRIKORIAN
ROBERT A. ROSEN
0998684 Processing method using an
advanced waveform for unlocked coherent and
wideband bistatic radar operations
ISRAEL
WESLEY T. DULL
LAWRENCE A. DURFEE
JEROME H. POZGAY
144486 Off-axis indicator algorithm for
electrically large antennas
RUSSIA
DAVID A. FAULKNER
RALPH H. KLESTADT
ARTHUR J. SCHNEIDER
2295102 Precision-guided hypersonic
projectile weapon system
SOUTH KOREA
JOHN L. VAMPOLA
RICHARD H. WYLES
669307 Analog load driver
ROBERT C. ALLISON
BRIAN M. PIERCE
SAMUEL D. TONOMURA
677793 Highly adaptable heterogeneous
power amplifier IC micro-systems using flip
chip and microelectromechanical technologies
on low loss substrates
MEL V. HUYNH
PHILIP G. MAGALLANES
CARL W. TOWNSEND
680082 Corrosion resistant waveguide systems
and method
JAMES FLORENCE
CLAY E. TOWERY
681784 Electronic firearm sight and
method of operating
DOUGLAS W. ANDERSON
JOSEPH F. BORCHARD
WILLIAM H. WELLMAN
697170 Optical system for a wide field of
view staring infrared sensor having improved
optical symmetry
TAIWAN
DELMAR L. BARKER
DENNIS C. BRAUNREITER
DAVID J. KNAPP
ALPHONSO A. SAMUEL
HARRY A. SCHMITT
STEPHEN M. SCHULTZ
1269876 Far field emulator for antenna
calibration
JOHN K. COOLIDGE
JOSEPH P. SMITH
STANLEY G. TURNER
1270653 Launcher platform
SHANNON V. DAVIDSON
ANTHONY N. RICHOUX
1272502 System and method for
topology-aware job scheduling and backfilling
in an HPC environment
MAURICE J. HALMOS
150373 Multi-mode vibration sensor laser
RAYTHEON TECHNOLOGY TODAY 2007 ISSUE 2 39
Do you have a great idea for an article?
We are always looking for ways to connect with you — our engineering, technology and
Mission Assurance professionals. If you have an article or an idea for an article regarding
technical achievements, customer solutions, relationships, Mission Assurance, etc., send it
along. If your topic aligns with a future issue of Technology Today or is appropriate for an online
article, we will be happy to consider it and will contact you for more information. Send your
article ideas to techtodayeditor@raytheon.com. We’re waiting to hear from you!
Copyright © 2007 Raytheon Company. All rights reserved.
Approved for public release. Printed in the USA.
Customer Success Is Our Mission is a trademark of Raytheon Company.
Capability Maturity Model,CMM and CMMI are registered in the U.S.
Patent and Trademark Office by Carnegie Mellon University.