⟦02438cd82⟧ Wang Wps File
Length: 21033 (0x5229)
Types: Wang Wps File
Notes: SFS/TN/007
Names: »3792A «
Derivation
└─⟦2c1d27607⟧ Bits:30006216 8" Wang WCS floppy, CR 0284A
└─ ⟦this⟧ »3792A «
NATO UNCLASSIFIED
SFS/TN/007 1983-06-06
COST ESTIMATES
TABLE OF CONTENTS

1 GENERAL
  1.1 INTRODUCTION
  1.2 REFERENCES
2 BASELINE COST ESTIMATES
  2.1 SUMMARY OF BASELINES
  2.2 AVAILABILITY
  2.3 HARDWARE COST ESTIMATES
    2.3.1 Development Costs
    2.3.2 Hardware Production Costs
      2.3.2.1 Baseline Configuration I
      2.3.2.2 Baseline Configuration II
      2.3.2.3 Multi-Channel Configuration
  2.4 SOFTWARE COST ESTIMATES
3 MODIFIED CONFIGURATION
  3.1 ISOLATION
    3.1.1 Opto-Switch
    3.1.2 Disconnection
  3.2 ALTERNATIVE CONFIGURATIONS
    3.2.1 Multi-Channel Configuration
    3.2.2 Sharing of Hardware
    3.2.3 Other System Configurations
    3.2.4 Common Versus Dedicated Software
4 COST SENSITIVITY
  4.1 COST/SECURITY SENSITIVITY
  4.2 COST/AVAILABILITY SENSITIVITY
5 VERIFICATION COST
6 COMPARISON WITH ALTERNATIVES
  6.1 ENCRYPTED DATA BASES
  6.2 DEDICATED SYSTEMS
  6.3 MANUAL RELEASE
1 GENERAL

1.1 INTRODUCTION
This report represents the output of work package No.
360, Analysis of Cost Estimates, within the framework
of the Security Filter Study, performed under contract
No. FK 8219 between the Air Material Command of the
RDAF and Christian Rovsing A/S.
The report contains an estimate of the security filter
system as required for the ACBA CCIS interface (excl.
CAMPS), and it discusses the cost impact of various
types of other configurations and modified requirements.
1.2 REFERENCES
This report refers to and is based on the following
documents.
SFS/TN/003 Preliminary Sizing and Costing
SFS/TN/004 Configuration Study
SFS/TN/005 Interface Flexibility
SFS/TN/006 Verification Methods (TRW)
SFS/FS/001 Filter Specification
2 BASELINE COST ESTIMATES

2.1 SUMMARY OF BASELINES
This chapter refers to the baseline configurations
as described in Technical Note No. 4, Configuration
Study, with the following wording:
Baseline Configuration I:
One full duplex channel, fully automated, no manual
validation facility.
Baseline Configuration II:
One full duplex channel with manual validation facility.
Multi-Channel Configuration:
In the example a 4 channel configuration with manual
validation facility is used.
2.2 AVAILABILITY
Availability is defined as the probability of finding
an item (system, module, unit, and part thereof) in
a functioning condition at a given time.
Mean Time Between Failure (MTBF) is defined as the
statistical mean of the functioning time between failures.
(Agreed scheduled preventive maintenance of the equipment
shall not be counted when estimating mean time between
failures).
Mean Time to Repair (MTTR) is defined as the statistical
mean of the distribution of times-to-repair. This
repair time shall include all actions required to detect,
locate, and repair the fault.
A repair is the restoration of an item to the state
in which it can provide its specified functions. When
the item is a replaceable module, the exchange operation
is considered the repair operation.
The estimates used in this availability calculation
are based on comparison with existing modules of similar
complexity.
a) Baseline Configuration I (No manual validation
facility).

Module                    Lambda     MTBF    MTTR
--------------------------------------------------
Multi Purpose Processor       70    14,286   0.5
Gate Keeper                   27    40,000   0.5
2 Line Terminators          2x30    16,666   0.5
*) Tape Recorder             500     2,000   0.25
--------------------------------------------------
System                       655     1,526   0.309

Lambda = number of failures in 10^6 hours.

Based on these estimates the availability of the
security filter system can be calculated as follows:

Availability = 1526 / (1526 + 0.309) = 0.9997975

(Down time: 1 hour 46 min per year)
The MTTRs do not include procedures for personnel
access to the security filter. The presence of
a resident site technician and spare parts is a
prerequisite.
*) An ordinary tape recorder of the cassette deck
type has a very low MTBF (approximately 1,000
hours) based on the fact that the mechanics
are very vulnerable. Since the tape recorder
of the security filter is expected to write
only illegal messages, the activity will be
very low compared with tape recorders of ordinary
systems. Accordingly, the wear must be expected
to be much less, and the MTBF much higher.
We are not in possession of experience with
the MTBF of rarely used tape recorders, but
as an MTBF of 2000 is arbitrarily used here,
we consider our estimates on the conservative
side.
b) Baseline Configuration II (With manual validation
facility).

Module                    Lambda     MTBF    MTTR
--------------------------------------------------
Multi Purpose Processor       70    14,286   0.5
2 Gate Keepers              2x25    20,000   0.5
2 Line Terminators          2x30    16,666   0.5
Terminal                     100    10,000   0.25
Tape Recorder                500     2,000   0.25
--------------------------------------------------
System                       780     1,282   0.308

Availability = 1282 / (1282 + 0.308) = 0.9997598

(Down time: 2 hours 6 min per year)
c) Multi Channel Configuration (with manual validation
facility). In this example 4 channels are used.

Module                    Lambda     MTBF    MTTR
--------------------------------------------------
Multi Purpose Processor       70    14,286   0.5
2 Gate Keepers              2x25    20,000   0.5
8 Line Terminators          8x30     4,166   0.5
Input Control                  5   200,000   0.5
Output Control                 5   200,000   0.5
Terminal                     100    10,000   0.25
Tape Recorder                500     2,000   0.25
--------------------------------------------------
System                       970     1,030   0.345

Availability = 1030 / (1030 + 0.345) = 0.999665

(Down time: 2 hours 56 min per year)
2.3 HARDWARE COST ESTIMATES

2.3.1 Development Costs
Although the development during Phase II of the study
has brought some alterations to the architecture of
the security filter hardware equipment, it has not
changed the development costs very much.
In principle only a few refinements have been added
to the baseline configuration, and they will of course
add some effort to the original estimate.
Since the increased effort cannot be allocated to the
individual tasks other than arbitrarily, we now assess
the total hardware development effort to be 54 man
months.
2.3.2 Hardware Production Costs
The recurring price comprises mainly the production
costs and the delivery tests with test documentation.
The costs as estimated here are based on a delivery
of a series of not less than 10 complete security
filters of one configuration.
2.3.2.1 Baseline Configuration I
For the fully automated full duplex, one channel security
filter, the following price is estimated:
Module                              Qty    Price US$
----------------------------------------------------
a) Multi-Purpose Processor            1        6,000
b) Gate Keeper                        1        5,000
c) Line Terminator                    2        2,750
d) Tape Recorder                      1        2,500
e) Crate, Power Supply, Fan Unit      1        4,000
----------------------------------------------------
Total System                                  23,000
2.3.2.2 Baseline Configuration II
For the full duplex, one channel security filter with
manual validation facility, the following price is
estimated:
Module                              Qty    Price US$
----------------------------------------------------
a) Multi-Purpose Processor            1        6,000
b) Gate Keeper                        2        5,000
c) Line Terminator                    2        2,750
d) Tape Recorder                      1        2,500
e) Crate, Power Supply, Fan Unit      1        4,000
f) Terminal, TEMPEST proof            1        5,500
----------------------------------------------------
Total System                                  33,500
2.3.2.3 Multi-Channel Configuration
For the multi-channel security filter with manual validation
facility the following price is estimated, using as
an example a filter servicing 4 full duplex channels:
Module                              Qty    Price US$
----------------------------------------------------
a) Multi-Purpose Processor            1        6,000
b) Gate Keeper                        2        5,000
c) Line Terminator                    2        2,750
d) Tape Recorder                      1        2,500
e) Crate, Power Supply, Fan Unit      1        4,000
f) Terminal, TEMPEST proof            1        5,500
g) Input Control                      1          500
h) Output Control                     1          500
----------------------------------------------------
Total System                                  51,000
2.4 SOFTWARE COST ESTIMATES
Assessing the software costs is a task connected with
great uncertainty. The software can be broken down into
small modules which are assessed one by one and then
added up to a total, or it can be looked upon as larger
packages which are comparable with previous efforts.
For this estimate the latter way has been used, and
the result of the assessment is:

Line Termination Software         4 man months
Validation Software              18 man months
Exception Handling S/W            6 man months
Additional Filter Tasks          10 man months
Message Description Converter    14 man months
Test Software (TDG, OTA)         18 man months
                                 -------------
Total                            70 man months
This assessment includes firm establishment of requirements,
system specification and definition, coding and module
testing, integration and system test, and documentation,
but not secretarial assistance.
Verification and certification costs are not included
in the assessment.
3 MODIFIED CONFIGURATION

3.1 ISOLATION
Isolation between the two communicating ADP systems
can be achieved either as an isolation while no data
exchange between the systems takes place, e.g. by an
opto-switch, or by the filter never being connected to
both systems at the same time, e.g. by disconnecting
the line terminators.
3.1.1 Opto-Switch
Isolation between the two systems while no data exchange
takes place can be done by using the electro-optical
switch as described in technical note No. 4, Configuration
Study, section 7, and shown on the block diagram of
the line terminator (Opto-Isolator).
The cost impact (incremental) is estimated to:

Development effort        2 man months
+ verification            2 man months
                          ------------
Non-recurring             4 man months

Recurring costs on a per Line Terminator module basis:

Parts and material        US $   500
Assembly and test         US $   200
                          ----------
Total                     US $   700
3.1.2 Disconnection
If the security filter must never be connected to both
systems at the same time, this can be done by isolating
the input as well as the output of the line terminators
with electro-optical isolators and ensuring by combinatorial
(trusted) hardware that the line terminator connected
to system high is always isolated while the line
terminator connected to system low is connected, and
vice versa.
The cost impact is estimated to:

Development effort        2 man months
+ verification            2 man months
                          ------------
Total non-recurring       4 man months

Recurring costs on a per line terminator module basis:

Parts and material        US $ 1,000
Assembly and test         US $   400
                          ----------
Total                     US $ 1,400
3.2 ALTERNATIVE CONFIGURATIONS

3.2.1 Multi-Channel Configuration
Cost impact (incremental)

Development effort:
o Input and output control H/W      4 man months
o Input and output control S/W      2 man months
o Test S/W (built-in)               8 man months
Verification                        6 man months
                                    ------------
Total, non-recurring               20 man months

Recurring costs for the common part of the hardware
(excluding line terminators):

Parts and material        US $   600
Assembly and test         US $   200
                          ----------
Total per system          US $   800

Recurring costs for each channel (2 line terminators):

Parts and material        US $   200
Assembly and test         US $   200
Extra EPROM               US $ 1,000
Integration testing       US $   400
                          ----------
Total per channel         US $ 1,800
3.2.2 Sharing of Hardware
The sharing of hardware between a number of security
filters is limited to the tape recorder and/or the
operator terminal.
The additional cost is given by the cost of the Tape
Recorder Switch and/or the Terminal Switch as described
in technical note No. 4, Configuration Study, section
3.
Cost impact is estimated to:

o Tape Recorder Switch (non-trusted)
  Development                          6 man months
  Recurring for an eight-input unit    US $ 4,000

o Terminal Switch (trusted)
  Development                          6 man months
  Verification                         3 man months
                                       ------------
  Total, non recurring                 9 man months
  Recurring for an eight-input unit    US $ 5,000
3.2.3 Other System Configurations
Installation outside the area of system high will not
affect the cost of the security filter but only the
cost of providing the necessary access control for
the area and the cost of additional crypto units.
The case of an unclassified system low may require
special protection of the input. This will, however,
not have significant impact on the cost (EMP protection
is not considered relevant).
3.2.4 Common Versus Dedicated Software
In order to enable the security filter to accept new
or modified legal messages it is necessary to build
a certain flexibility into the software. Hence,
our approach has been to develop one set of computer
programs, the functions of which are modified by the
validation information customized for each security
filter site.
Our approach is thus one using only common software.
Use of dedicated software will add considerably to
the development costs, since the most complex program
must be developed anyway, and less complex versions
may be derived from that. Subsequently each of the
computer programs must be verified and certified, a
task which must be started from scratch for each set.
Thus, in addition to the rising development costs, the
verification costs will be multiplied by the number of
different, dedicated sets of software.
4 COST SENSITIVITY

4.1 COST/SECURITY SENSITIVITY
The invitation for bid states a requirement for a Probability
for Security Breach (PFSB) of 10^-8. This means that,
caused by hardware and/or software failure, only one
out of 10^8 false messages may be transmitted.
A PFSB that low cannot be verified by any known method,
and it is practically equal to a PFSB of zero. Accordingly,
the development and verification efforts must aim at
a totally fault proof system.
Any deviation from this goal means bringing the PFSB
up into the measurable area. Hence, there are no possibilities
for cost savings on the security side without compromising
the security requirements.
4.2 COST/AVAILABILITY SENSITIVITY
The availability, which is calculated in chapter 2.2,
can be increased in two ways, either using one of them,
or combining them.
Method a) Dualizing of the complete Security Filter
System, introducing a manual switch-over.
If the time used for a switch-over is estimated to
5 minutes, this method will decrease the annual down-time
from 2-3 hours to 30-45 minutes.
The cost will be a doubling of the recurring hardware
costs.
Method b) Higher level quality control
By requiring a higher level of quality control than
described in AQAP-1 it is possible to increase the
MTBF. The higher level of quality control may be requirements
for extremely reliable components and very high standards
of engineering and craftsmanship.
A rough, but not verified, estimate says that a doubling
of the MTBF will add 60 per cent to the hardware costs.
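The series availability model behind the module tables of section 2.2, together with the manual switch-over argument of method a) above, as an added example that is not part of the original technical note. The module figures are those of the Baseline Configuration II and Multi-Channel tables in section 2.2; the Module class, the function names and the minutes-per-year constant are this example's own.

```python
from dataclasses import dataclass

MINUTES_PER_YEAR = 8760 * 60


@dataclass(frozen=True)
class Module:
    name: str
    qty: int
    lam: float   # failures per 10^6 hours for one unit (the tables' Lambda)
    mttr: float  # hours to detect, locate and repair a fault in this module

    @property
    def lam_total(self) -> float:
        return self.qty * self.lam


def system_lambda(modules):
    # Series model: a failure in any single module takes the whole filter down.
    return sum(m.lam_total for m in modules)


def system_mtbf(modules):
    return 1e6 / system_lambda(modules)


def system_mttr(modules):
    # Failure-rate weighted mean; this is how the tables' System MTTR arises.
    return sum(m.lam_total * m.mttr for m in modules) / system_lambda(modules)


def availability(modules, mttr=None):
    mtbf = system_mtbf(modules)
    mttr = system_mttr(modules) if mttr is None else mttr
    return mtbf / (mtbf + mttr)


def annual_downtime_minutes(modules, mttr=None):
    return (1.0 - availability(modules, mttr)) * MINUTES_PER_YEAR


def dualized_downtime_minutes(modules, switch_over_minutes=5.0):
    # Section 4.2 method a): with a duplicated filter and manual switch-over,
    # each failure costs the switch-over time instead of the repair time
    # (failures of the standby are ignored, as in the note's own reasoning).
    return annual_downtime_minutes(modules, mttr=switch_over_minutes / 60.0)


# Module figures copied from the section 2.2 tables (qty, Lambda, MTTR).
BASELINE_II = (
    Module("Multi Purpose Processor", 1, 70, 0.5),
    Module("Gate Keeper", 2, 25, 0.5),
    Module("Line Terminator", 2, 30, 0.5),
    Module("Terminal", 1, 100, 0.25),
    Module("Tape Recorder", 1, 500, 0.25),
)
MULTI_CHANNEL = BASELINE_II[:2] + (
    Module("Line Terminator", 8, 30, 0.5),
    Module("Input Control", 1, 5, 0.5),
    Module("Output Control", 1, 5, 0.5),
) + BASELINE_II[3:]

if __name__ == "__main__":
    for label, cfg in (("Baseline II", BASELINE_II), ("Multi-Channel", MULTI_CHANNEL)):
        print(f"{label}: A={availability(cfg):.7f}, "
              f"down {annual_downtime_minutes(cfg):.0f} min/yr, "
              f"dualized {dualized_downtime_minutes(cfg):.0f} min/yr")
```

Run as a script it reproduces the 2 h 6 min and 2 h 56 min annual down-times of section 2.2 and lands both dualized configurations inside the 30-45 minute range claimed for method a).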
5 VERIFICATION COST
For obvious reasons it will be advantageous to contract
a company or institution independent of the main contractor
to perform the verification tasks.
The efforts, in terms of manpower and automated tools,
necessary to perform all tasks of the verification
are very difficult to estimate beforehand. Hence,
an institution which will contract for the verification
will most likely demand payment for the manpower and
other costs, rather than offering a firm fixed price.
If a firm fixed price is requested it will most probably
be on the safe side.
In previous efforts, verification including model and
requirement validation, design correspondence, and
documentation review, has resulted in a 30-100 per
cent increase in development cost.
6 COMPARISON WITH ALTERNATIVES
The main purpose of the security filter is to ensure
that no information is transmitted to an ADP system
which is not authorised or justified to receive it.
Other means of achieving such assurance have been
mentioned, and the cost/effectiveness of the security
filter compared with those means should be discussed.
Many aspects affecting the costs are unknown to the
study team. In consideration of this ignorance we must
confine ourselves to a mere discussion of the parameters
to take into account, leaving it to better informed people
to fill in the parameters and finish the calculations.
The comparison is made with the following methods:
6.1 ENCRYPTED DATA BASES
Although the use of encrypted data bases will enhance
the security in certain ways it seems to have little
or no effect on the type of security aimed at with
the security filter. Hence, we deem this comparison
not applicable.
6.2 DEDICATED SYSTEMS
A physically separate, dedicated system at "System High"
will give the highest possible security, provided it
is able to send only such messages which the "System
Low" is authorized to receive. However, a theoretical
possibility still exists that a "legal" message can
be sent with illegal contents.
If the "System High" shall make use of dedicated systems
for each communication line (or group of equally classified
and authorized communication lines) a number of computers
will be required instead of one large computer. Whether
a number of smaller computers will be cheaper or more
expensive than one large computer depends on the local
circumstances. Also it must be considered whether the
computers can be accommodated within the facilities
available. Finally, it must be considered that the
computers cannot make use of common data bases, for
which reason any communication between the computers
must be hand carried.
A time-shared, dedicated system will give almost the
same advantages and disadvantages as the physically
dedicated system. However, a time shared system may
use common data bases, provided the problems around
multi-level security have been solved.
6.3 MANUAL RELEASE
Letting a human being perform the filtering tasks is
a very easy and simple way of introducing a security
filter.
It is also - seemingly - a very cheap solution to the
problem, requiring just a terminal and a two-way switch.
The problems around manual release of data are:
- it will (almost) always give a longer delay than
an electronic security filter.
- it will serve as a bottleneck in case of heavy
traffic, unless it is served by several, perhaps
many, operators, each of them in command of a terminal.
- the quality of the filtering process may be decreased
by human errors.
- the operating costs can be high, if a number of
operators must be on duty around the clock.