The certMILS project uses Zenodo as its open research data repository, in order to grant Open Access to scientific publications. Check out our Zenodo community certMILS!
Security Certification of Cyber Physical Systems for Critical Infrastructure based on the Compositional MILS Architecture, Hohenegger, Andreas; Krummeck, Gerald; Baños, Janie; Ortega, Alvaro; Hager, Michal; Sterba, Jiri; Kertis, Tomaš; Novobilsky, Petr; Prochazka, Jan; Caracuel, Benito; Lourdes Sanz, Ana; Ramos, Francisco; Blasum, Holger; Eschweiler, Dominik; Gries, Caspar; Vögler, Torsten; Neškudla, Jan; Rollo, Jan; Burgstaller, Lisa; Truskaller, Martina; Koch, Klaus-Michael; Hametner, Reinhard; Rauscher, Sandro; Tummeltshammer, Peter; Golatowski, Frank; Schulz, Thorsten
We describe compositional architectures and certifications in the research project certMILS. Compositional architectures enable re-use of certified COTS (commercial off-the-shelf) components with a well-defined delegation of responsibilities between component developers and system integrators during cyber physical system design and certification. We show how we used a Common Criteria certified MILS (Multiple Independent Levels of Safety / Security) platform for compositional designs and IEC 62443-4-1/62443-4-2 security evaluations and certifications for composed systems from the domains of smart grid, railway, and subway, that are safety- and security-critical.
Security certification experience for industrial cyberphysical systems using Common Criteria and IEC 62443 certifications in certMILS, Hohenegger, Andreas; Krummeck, Gerald; Baños, Janie; Ortega, Alvaro; Hager, Michal; Sterba, Jiri; Kertis, Tomaš; Novobilsky, Petr; Prochazka, Jan; Caracuel, Benito; Lourdes Sanz, Ana; Ramos, Francisco; Blasum, Holger; Eschweiler, Dominik; Gries, Caspar; Vögler, Torsten; Neškudla, Jan; Rollo, Jan; Burgstaller, Lisa; Truskaller, Martina; Koch, Klaus-Michael; Hametner, Reinhard; Rauscher, Sandro; Tummeltshammer, Peter; Golatowski, Frank; Schulz, Thorsten
Security concerns become increasingly important in safety-critical industrial cyberphysical systems. Different options for security certification exist. We describe a Common Criteria certification for a MILS separation kernel, and IEC 62443 analysis and certifications for the smart grid, railway and subway pilots using the MILS approach in the research project certMILS.
Certification Cycles of Train Cyber Gateway, Prochazka, Jan; Novobilsky, Petr; Prochazkova, Dana; Kertis, Tomas
Critical Infrastructure Protection (CIP) is a classic example of system of systems (SoS) management. We pay special attention to interdependencies among systems within an SoS. The article deals with the requirements for the cyber gateway in the train transportation management system. More and more telemetry and remote control through communication systems are used on the track because of technological development. The train in cyberspace acts as an end network that is connected to the operating center network via an open public network. The gateway must then meet the requirements of the railway infrastructure as well as the cyber infrastructure. In this paper we deal with the integration of various requirements for the train gateway into one verification and certification cycle. Requirement integration is important because, first, it is necessary to ensure coherence and consistency between different requirements. The second reason is to speed up possible re-certification. Re-certification is necessary because of gateway adaptation or installation in a new environment. The European project certMILS deals with the issue of re-certification.
Cyber Security of Urban Guided Transport Management according to MILS Principles, Prochazka, Jan; Novobilsky, Petr; Prochazkova, Dana
The urban guided transport management system (UGTMS), such as a subway, transports from several hundreds of thousands to millions of passengers per day. The size and irreplaceability of subway transport capacity place subway transport among the critical infrastructures of cities, regions or countries. Modern critical transport infrastructures contain, in addition to physical and social parts, cyber control systems, and they are referred to as cyber-physical systems (CPS). CPSs are characterized by their safety-critical nature, complexity, connectivity, and open technology. The complexity, openness and dynamics of a CPS form a large attack surface that may lead to failures and irreparable damage.
Multiple Independent Levels of Security (MILS) can meet the high system security requirements. MILS is a high-assurance security architecture based on the concepts of separation and controlled information flow. The article discusses the possibilities of using the MILS platform in the data communication subsystem, which connects the individual UGTMS subsystems (Wayside subsystem, On-board subsystem and operation control subsystem). Therefore, the communication system should guarantee transmission parameters and not affect the security level of the respective subsystems.
Integration Approach for Communications-based Train Control Applications in a High Assurance Security Architecture, Schulz, Thorsten; Golatowski, Frank; Timmermann, Dirk
The secure integration of model-based, safety-critical applications implemented in the programming suite Ansys SCADE is explained with the help of a demonstrator. The interoperability between the embedded devices of the demonstrator is achieved using the new TRDP middleware. Remote connections are secured using the WireGuard secure network channel. The demonstrator security concept addresses the different life cycles of its heterogeneous components by adoption of the robust MILS separation architecture. The goal of this open demonstrator is to show how these essential technologies can be composed to a secure safety-critical system.
Community Feedback on the Separation Kernel Protection Profile Draft, Schulz, Thorsten; Hohenegger, Andreas; Ortega, Alvaro; Blasum, Holger
This white paper is reporting on interoperability aspects of the Common Criteria Base Separation Kernel Protection Profile (PP) draft. This white paper captures the results of the collaboration on PP interoperability organised by University of Rostock in Task 9.2. It reports how the PP draft can be applied to the separation kernels of MILS platform providers and how well the PP draft addresses requirements of users such as system integrators. Previously, the WP 2 has created a PP with additional modules. To make the proposed PP most accessible to all potential stakeholders in the MILS domain and the Separation Kernel application domain, WP 9 proposed to gather feedback from the community for integration into the PP draft. The activities being discussed resemble mostly the Common Criteria User Forum presentations and its community involvement. Beyond that, certification bodies and a few known consortium contacts were directly contacted and invited to provide feedback. The questions asked, as well as the accumulated answers are presented. The white paper closes with a discussion on the continued improvement of the PP for proposed acceptance and adoption.
MILS Security Architecture Templates, Tverdyshev, Sergey; Caracuel, Benito; Álvarez, Amelia; Ortega, Alvaro; Rico, Jose Emilio; Hametner, Reinhard; Blasum, Holger; Kertis, Tomáš; Schulz, Thorsten
Abstract: The certMILS project (http://www.certmils.eu/) aims at easing building and certification of complex critical systems by using a certain architecture for structuring these systems into partitions that run on a separation kernel, called MILS (Multiple Independent Levels of Security / Safety). Once a critical system is structured by use of a separation kernel, then this technical structuring should lend itself also to a similarly logically structured security and safety argument in certification.
Analogous to the separation kernel that is to be used for building a MILS system, this white paper provides a security architecture template that is to be used for the certification of that MILS system.
The target audience of this document is:
- Developers of systems, based on a MILS architecture, providing them a template about how to describe their MILS system.
- Security evaluators of a MILS-based system, giving hints about how the developer description can be used to argue for compliance to Common Criteria (CC) and IEC 62443.
The assurance case made by the security architecture template in this document identifies as building blocks the security mechanisms implemented by a MILS separation kernel and a typical application payload in partitions and derives typical security architecture arguments for MILS-based systems.
Strategy for Security Certification of the Development and Product Lifecycle in High Assurance Industrial Cyber-Physical Systems, T. Schulz, C. Gries, F. Golatowski, D. Timmermann, SIES 2018
Abstract: High assurance Cyber-Physical Systems (CPS) are the supporting pillars of the critical infrastructure. They support the power grid, the water supply, transportation systems and many other devices, where failure or undefined behaviour lead to risk for loss of life, danger to the environment and defective operational safety of production. Rigorous testing practices have assured reliable behaviour even for failure scenarios in their predictable environments. However, previously isolated systems have become connected to the Internet and expose an attack surface that is hard to predict. While the safety of high assurance CPS is well tested with a controlled residual risk, security risks will rise throughout the deployment of a system. Hence, this paper describes research for a testing methodology to tackle emerging threats and preserve certified security assurance.
Abstract: This paper presents the concept example of how to integrate safety and security using a platform approach. The TAS Control Platform is a SIL4 vital computing platform for railway applications developed within Thales to support many different safety-critical applications. Using common standards, MILS concepts and building up on a generic safety concept, enables the integration of safety and security with TAS Control Platform, while still providing support for legacy applications. With this platform approach many applications can benefit from the consistent safe and secure basis.
In Search for a Simple Secure Protocol for Safety-Critical High-Assurance Applications, T. Schulz, F. Golatowski, D. Timmermann, MILS 2018 workshop, hosted by DSN 2018 conference
Abstract: Security and cryptography protocols are seen by many as black-magic, largely due to their complex mathematical algorithms and entangled state-machines. This complexity has also led to numerous vulnerabilities in past years. Recent developments have simplified conformance requirements, and also introduced formal proofs to mainstream security protocols. In this work-in-progress publication we discuss, how this evolution has greatly improved the situation for critical systems, and how the architecture of MILS systems can raise the confidence for high-assurance systems.
Abstract: MILS (Multiple Independent Levels of Safety and Security) is also inspired by modular systems such as integrated modular avionics. There are differences though: automotive electronic control units are under much more cost pressure than their avionics counterparts, and Classic AUTOSAR was targeting rather simple systems, with an initial focus on runnables that are compiled together, and we will highlight the difference as well as the evolution of AUTOSAR Adaptive that is much closer to the avionic model. On the other hand, AUTOSAR has a very good standardization momentum, resulting in hundreds of available documents, whereas the smaller MILS community has been less effusive. We map the AUTOSAR standards to MILS, to learn about (1) how well MILS systems can be used for AUTOSAR and vice-versa and (2) what other aspects the communities could mutually learn from.
Ease standard compliance by technical means via MILS, Sven Nordhoff, Holger Blasum, Embedded World Conference 2017
Abstract: You have to develop an embedded system? You need to show its conformance to a safety standard (e.g. IEC 61508, ISO 26262, DO-178) or a security standard (e.g. IEC 62443, Common Criteria)? How does your life get easier by using a MILS design? Using an embedded operating system can help with modularization. Moreover, a *MILS* embedded operating system isolates processes and their resources from each other. Resource management and information flow control enable separation in time and separation in space. In this paper we show standard compliance work units that MILS helps achieving by technical means.
Security by design: Introduction to MILS, Sergey Tverdyshev, Embedded World Conference 2017
Abstract: A "security by design" method achieves robustness against programming errors and malicious attacks. A security by design method must be simple to understand. It must be simple to implement, and also simple to verify. It must enable the developer to create assurance evidence coherent with the design decisions. MILS is a security by design method. In short, application of the MILS approach starts with partitioning the system under design into isolated compartments. System resources, e.g. CPUs, CPU time, memory, IO devices, files, are assigned to compartments. After that the communication channels between compartments are defined with respect to the required API (e.g. POSIX, ARINC, AUTOSAR). Communication and resource sharing between security domains have to be explicit, i.e. everything that is not explicitly allowed is forbidden. In parallel, threat modeling is executed, i.e. defining the system assets to be protected, the threat agents and possible malicious actions, and the system objectives to fight the threats. MILS provides a way to execute mixed-critical applications of different pedigrees on one system. The system as a whole still can be certified to the highest security and safety assurance levels. This makes the approach extremely interesting for modern complex systems, e.g. in a car infotainment system: Android applications can run on the same platform as AUTOSAR applications that communicate with the engine. Until ca. 2000 the MILS concept was mainly used in the US military. Now the commercial interest has picked up. We explain a MILS Architectural Template that simplifies setting up MILS systems. We finish with applications of the MILS concepts across automotive and avionics.
PUBLIC RTD DELIVERABLES
D1.1: Regulative Baseline: Compositional Security Evaluation
The output is a report that summarises the schemes for certification with special respect to the MILS platform and the pilots in the different EU member states where partners have good access to their own certification authorities, and outlines regulatory options, where these exist.
D1.2: List of tools and techniques applicable for high and medium assurance for efficient assurance [M12]
List of tools and requirements from standards and regulations that can be covered by the tool functionalities
D1.3: Compositional security certification methodology [M15]
The output is a report that summarises the choices of the options outlined in D1.1 that certMILS has made.
D2.1: Base MILS Platform Protection Profile
This is a Protection Profile (PP) according to the Common Criteria (CC). The PP serves as “base PP” of the modular PP. Note: The PP is a research output from the certMILS project. That is, it has not undergone Common Criteria certification.
D2.2: List of extensions of base PP [M16]
This is a list of extensions to the base PP that are available as modules in the modular PP. Note: The extensions are a research output from the certMILS project. That is, they have not undergone Common Criteria certification.
D2.3: Security architecture templates [M16]
Analogous to the separation kernel that is to be used for building a MILS system, this deliverable provides a security architecture template that is to be used for the certification of that MILS system. The target audience of this document is: (a) Developers of systems, based on a MILS architecture, providing them a template about how to describe their MILS system, and (b) Security evaluators of a MILS-based system, giving hints about how the developer description can be used to argue for compliance to Common Criteria (CC) and IEC 62443.
D2.4: Guidelines to use and apply PP for all involved stakeholders [M16]
The guidelines to use and apply the PP target system integrators and security evaluators.
D4.1: Security testing framework: strategy and approach [M09]
The approach, strategy, and architecture for the implementation of the security testing framework are described.
D9.2: Report on PP operability [M24]
This deliverable reports on the efforts and results from (Common Criteria) community feedback from different vendors and stakeholders within the separation kernel application domain.
D4.4: Security testing framework [M28]
Final security testing approach for the MILS platform and MILS platform components. This deliverable will contain a public report on the developed security approach, supplemented by a confidential part about its application to SW components.
D6.4: Report on validated security certification methodology with smart grid pilot [M48]
Evaluation – Certification Gap Analysis of the Smart Grid pilot according to the IEC 62443-4-1 and 62443-4-2 standards.
D7.4: Report on validated security certification methodology with railway pilot [M48]
The report summarises how the methodology was applied, essential improvement suggestions, suggestion for integration into existing and emerging certification schemes, illustrating by examples how railway existing safety and regulatory requirements are enhanced by the security certification with focus on identifying and solving obstacles/conflicts between those requirements and security certification.
D8.4: Report on validated security certification methodology with subway pilot [M54]
The report describes how the methodology was applied, improvement suggestions, suggestion for integration into existing and emerging certification schemes, illustrating how subway existing safety and regulatory requirements are enhanced by the security certification with focus on identifying and solving obstacles/conflicts between those requirements and security certification.