The certMILS project uses Zenodo as its open research data repository, in order to grant Open Access to scientific publications. Check out our Zenodo community certMILS!



Security certification experience for industrial cyberphysical systems using Common Criteria and IEC 62443 certifications in certMILS, Hohenegger, Andreas; Krummeck, Gerald; Baños, Janie; Ortega, Alvaro; Hager, Michal; Sterba, Jiri; Kertis, Tomaš; Novobilsky, Petr; Prochazka, Jan; Caracuel, Benito; Lourdes Sanz, Ana; Ramos, Francisco; Blasum, Holger; Eschweiler, Dominik; Gries, Caspar; Vögler, Torsten; Neškudla, Jan; Rollo, Jan; Burgstaller, Lisa; Truskaller, Martina; Koch, Klaus-Michael; Hametner, Reinhard; Rauscher, Sandro; Tummeltshammer, Peter; Golatowski, Frank; Schulz, Thorsten

expand[ More ]

Security concerns become increasingly important in safe-ty-critical industrial cyberphysical systems. Different options for security certification exist. We describe a Common Criteria certification for a MILS separation kernel, and IEC 62443 analysis and certifications for the smart grid, railway and subway pilots using the MILS approach in the research project certMILS.


Certification Cycles of Train Cyber Gateway, Prochazka, Jan; Novobilsky, Petr; Prochazkova, Dana; Kertis, Tomas

expand[ More ]

The Critical Infrastructure Protection (CIP) is a classic example of system of systems (SoS) management. We pay special attention to interdependencies among systems within SoS. The article deals with the requirements for the cyber gateway at the train transportation management system. More and more telemetry and remote control through communication systems are used on the track because of the technological development. The train at cyberspace acts as an end network that is connected to the operating center network via an open public network. The gateway must then meet the requirements of the railway infrastructure as well as the cyber infrastructure. We deal with the integration of various requirements for the train gateway into one verification and certification cycle in this paper. The requirement integration is important because, in the first it is necessary to ensure coherence and consistency between different requirements. The second reason is to speed up possible re-certification. A recertification is necessary because gateway adaptation or installation in a new environment. The European project certMILS deals with the issue of re-certification.


Cyber Security of Urban Guided Transport Management according to MILS Principles, Prochazka, Jan; Novobilsky, Petr; Prochazkova, Dana

expand[ More ]

The Urban guided transport management system (UGTMS) as subway, transports from several hundreds of thousands to millions of passengers per day. Size and irreplaceability of subway transport capacity include the subway transport to the critical infrastructures of cities, regions or countries. Modern transport critical infrastructures contain in addition to physical and social parts also the cyber control systems and they are marked as cyber-physical systems (CPS). The CPSs are characterized by safety-critical nature, complexity, connectivity, and open technology. The CPS complexity, openness and dynamics form a large attack surface that may lead to failures and irreparable damage.
Multiple Independent Levels of Security (MILS) can meet the high system security requirements. The MILS is a high-assurance security architecture based on the concepts of separation and controlled information flow. The article discusses the possibilities of using the MILS platform in the data communication subsystem, which connects the individual UGTMS subsystems (Wayside subsystem, On-board subsystem and operation control subsystem). Therefore, the communication system should guarantee transmission parameters and do not affect security level of the respective subsystems.

Integration Approach for Communications-based Train Control Applications in a High Assurance Security ArchitectureIntegration Approach for Communications-based Train Control Applications in a High Assurance Security Architecture, Schulz, Thorsten; Golatowski, Frank; Timmermann, Dirk

expand[ More ]

The secure integration of model-based, safety-critical applications implemented in the programming suite Ansys SCADE is explained with the help of a demonstrator. The interoperability between the embedded devices of the demonstrator is achieved using the new TRDP middleware. Remote connections are secured using the WireGuard secure network channel. The demonstrator security concept addresses the different life cycles of its heterogeneous components by adoption of the robust MILS separation architecture. The goal of this open demonstrator is to show how these essential technologies can be composed to a secure safety-critical system.

Community Feedback on the Separation Kernel Protection Profile Draft, Schulz, Thorsten; Hohenegger, Andreas; Ortega, Alvaro; Blasum, Holger

expand[ More ]

This white paper is reporting on interoperability aspects of the Common Criteria Base Separation Kernel Protection Profile (PP) draft. This white paper captures the results of the collaboration on PP interoperability organised by University of Rostock in Task 9.2. It reports how the PP draft can be applied to the separation kernels of MILS platform providers and how well the PP draft addresses requirements of users such as system integrators. Previously, the WP 2 has created a PP with additional modules. To make the proposed PP most accessible to all potential stakeholders in the MILS domain and the Separation Kernel application domain, WP 9 proposed to gather feedback from the community for integration into the PP draft. The activities being discussed resemble mostly the Common Criteria User Forum presentations and its community involvement. Beyond that, certification bodies and a few known consortium contacts were directly contacted and invited to provide feedback. The questions asked, as well as the accumulated answers are presented. The white paper closes with a discussion on the continued improvement of the PP for proposed acceptance and adoption.


MILS Security Architecture Templates, Tverdyshev, Sergey; Caracuel, Benito; Álvarez, Amelia; Ortaga, Alvaro; Rico, Jose Emilio; Hametner, Reinhard; Blasum, Holger; Kertis, Tomáš; Schulz, Thorsten

expand[ More ]

Abstract: The certMILS project ( aims at easing building and certification of complex critical systems by using a certain architecture for structuring these systems into partitions that run on a separation kernel, called MILS (Multiple Independent Levels of Security / Safety). Once a critical system is structured by use of a separation kernel, then this technical structuring should lend itself also to a similarly logically structured security and safety argument in certification.

Analogous to the separation kernel that is to be used for building a MILS system, this white paper provides a security architecture template that is to be used for the certification of that MILS system.

The target audience of this document is:

  • Developers of systems, based on a MILS architecture, providing them a template about how to describe their MILS system.
  • Security evaluators of a MILS-based system, giving hints about how the developer description can be used to argue for compliance to Common Criteria (CC) and IEC 62443.

The assurance case made by the security architecture template in this document identifies as building blocks the security mechanisms implemented by a MILS separation kernel and a typical application payload in partitions and derives typical security architecture arguments for MILS-based systems.

Strategy for Security Certification of the Development and Product Lifecycle in High Assurance Industrial Cyber-Physical Systems, T.Schulz, C. Gries, F. Golatowski, D. Timmermann, SIES 2018

expand[ More ]

Abstract: High assurance Cyber-Physical Systems (CPS) are the supporting pillars of the critical infrastructure. They support the power grid, the water supply, transportation systems and many other devices, where failure or undefined behaviour lead to risk for loss of life, danger to the environment and defective operational safety of production. Rigorous testing practices have assured reliable behaviour even for failure scenarios in their predictable environments. However, previously isolated systems have become connected to the Internet and expose an attack surface that is hard to predict. While the safety of high assurance CPS is well tested with a controlled residual risk, security risks will rise throughout the deployment of a system. Hence, this paper describes research for a testing methodology to tackle emerging threats and preserve certified security assurance.

A Platform Approach for Fusing Safety and Security on a Solid Foundation, R. Hametner, S. Resch, MILS 2018 workshop, hosted by DSN 2018 conference

expand[ More ]

Abstract: This paper presents the concept example of how to integrate safety and security using a platform approach. The TAS Control Platform is a SIL4 vital computing platform for railway applications developed within Thales to support many different safety-critical applications. Using common standards, MILS concepts and building up on a generic safety concept, enables the integration of safety and security with TAS Control Platform, while still providing support for legacy applications. With this platform approach many applications can benefit from the consistent safe and secure basis.

In Search for a Simple Secure Protocol for Safety-Critical High-Assurance Applications, T. Schulz, F. Golatowski, D. Timmermann, MILS 2018 workshop, hosted by DSN 2018 conference

expand[ More ]

Abstract: Security and cryptography protocols are seen by many as black-magic, largely due to their complex mathematical algorithms and entangled state-machines. This complexity has also led to numerous vulnerabilities in past years. Recent developments have simplified conformance requirements, and also introduced formal proofs to mainstream security protocols. In this work-in-progress publication we discuss, how this evolution has greatly improved the situation for critical systems, and how the architecture of MILS systems can raise the confidence for high-assurance systems.

Classic and Adaptive AUTOSAR in MILS, H. Blasum, S. Tverdyshev, MILS 2018 workshop, hosted by DSN 2018 conference

expand[ More ]

Abstract: MILS (Multiple Independent Levels of Safety and Security) also is also inspired from modular systems such as integrated modular avionics. There are differences though: automotive electronic control units are under much more cost pressure than their avionics counterparts, and Classic AUTOSAR was targeting rather simple systems, with an initial focus on runnables that are compiled together, and we will highlight the difference as well as the evolution of AUTOSAR Adaptive that is much closer to the avionic model. On the other hand, AUTOSAR has a very good standardization momentum, resulting in hundreds of available documents, whereas the smaller MILS community has been less effusive. We map the AUTOSAR standards to MILS, to learn about (1) how well MILS systems can be used for AUTOSAR and vice-versa and (2) what other aspects the communities could mutually learn from.


Ease standard compliance by technical means via MILS, Sven Nordhoff, Holger Blasum, Embedded World Conference 2017

expand[ More ]

Abstract: You have to develop an embedded system? You need to show its conformance to a safety standard (e.g. IEC 61508, ISO 26262, DO-178) or a security standard (e.g. IEC 62443, Common Criteria)? How does your life get easier by using a MILS design? Using an embedded operating system can help with modularization. Moreover, a *MILS* embedded operating system isolates processes and their resources from each other. Resource management and information flow control enable separation in time and separation in space. In this paper we show standard compliance work units that MILS helps achieving by technical means.

Security by design: Introduction to MILS, Sergey Tverdyshev, Embedded World Conference 2017

expand[ More ]

Abstract: Abstract: A "security by design" method achieves robustness against programming errors and malicious attacks. A security by design method must be simple to understand. It must be simple to implement, and also to simple to verify. It must enable the developer to create assurance evidence coherent with the design decisions. MILS is a security by design method. In short, application of the MILS approach starts with partitioning the system under design into isolated compartments. System resources, e.g. CPUs, CPU time, memory, IO devices, files, are assigned to compartments. After that the communication channels between compartments are defined with respect to the required API (e.g. POSIX, ARINC, AUTOSAR). Communication and resource sharing between security domains have to be explicit, i.e. everything is forbidden what is not explicitly allowed. In parallel threat modeling is executed, i.e. define system assets to be protected, threat agents and possible malicious actions, system objectives to fight the threats. MILS provides a way to execute mixed-critical applications of different pedigrees on one system. The system as a whole still can be certified to the highest security and safety assurance levels. This makes the approach extremely interesting for modern complex systems, e.g. in a car infotainment system: Android applications can run on the same platform as AUTOSAR applications that communicate with the engine. Until ca. 2000 the MILS concept was mainly used in the US military. Now the commercial interest has picked up. We explain a MILS Architectural Template that simplifies to set up MILS systems. We finish with applications of the MILS concepts across automotive and avionics.


Period 1

D1.1 Regulative Baseline: Compositional Security Evaluation:
The output is a report that summarises the schemes for certification with special respect to the MILS platform and the pilots in the different EU member states where partners have good access to their own certification authorities, and outlines regulatory options, where these exist.

D1.2 : List of tools and techniques applicable for high and medium assurance for efficient assurance [M12]
List of tools and requirements from standards and regulations that can be covered by the tool functionalities

D1.3 : Compositional security certification methodology [M15]
The output is a report that summarises the choices of the options outlined in D1.1 that certMILS has made.

Base MILS Platform Protection Profile:
This is a Protection Profile (PP) according to the Common Criteria (CC). The PP serves as “base PP” of the modular PP. Note: The PP is a research output from the certMILS project. That is, it has not undergone Common Criteria certification.

D2.2 : List of extensions of base PP [M16]
This is a list of extensions to the base PP that are available as modules in the modular PP. Note: The extensions are a research output from the certMILS project. That is, they have not undergone Common Criteria certification.

D2.3 : Security architecture templates [M16]
The security architecture templates are editable documents that can be instantiated by the pilots. SYSGO as third party will be the lead beneficiary of D2.3.

D2.4 : Guidelines to use and apply PP for all involved stakeholders [M16]
The guidelines to use and apply the PP target system integrators and security evaluators.

D4.1 : Security testing framework: strategy and approach [M09]
Approach, strategy, and architecture for the implementation of security testing framework is described.


Background Image

We use cookies on our website. Some of them are essential for the operation of the site, while others help us to improve this site and the user experience (tracking cookies). You can decide for yourself whether you want to allow cookies or not. Please note that if you reject them, you may not be able to use all the functionalities of the site.