\"Previously isolated physical systems have become connected to the Internet, thus becoming cyber-physical systems. For instance in transportation, for passenger as well as operator comfort, almost all means of transportation (airplanes, trains, cars, and ships) are networked...
\"Previously isolated physical systems have become connected to the Internet, thus becoming cyber-physical systems. For instance in transportation, for passenger as well as operator comfort, almost all means of transportation (airplanes, trains, cars, and ships) are networked. Due to the havoc potential of a malicious attacker, the security of cyber-physical systems has obtained a lot of interest. However, unlike many other IT systems, cyber-physical systems usually have already been heavily scrutinised for safety for decades. While the safety protection against accidental faults does not address security, there are already established safety methods as well as “safety certification stakeholdersâ€. Securing and certifying cyber-physical systems therefore must respect the existing safety certification processes.
certMILS develops a security certification methodology for Cyber-physical systems (CPS). CPS are characterised by safety-critical nature, complexity, connectivity and open technology. certMILS aims to increase the economic efficiency and European competitiveness of CPS development, while demonstrating the effectiveness of safety & security certification of composable systems. The \"\"MILS\"\" in certMILS stands for \"\"Multiple Independent Levels of Safety / Security\"\", which indicates that certMILS uses a special kind of operating systems called \"\"separation kernel\"\". This kind of operating system focuses being highly deterministic and reliable, and puts user functionality into the application layer.
certMILS generates rich interaction between developers, evaluation laboratories and certification authorities in three European countries resulting in:
* Standardised and validated methodology for evaluating and certifying high assurance products, this is a methodology that is modular as well as compositional
* Modular protection profile for reliable operating systems used for CPS (called \"\"separation kernel\"\"), addressing also hardware aspects for Common Criteria for Information Technology Security (CC) standard, and evaluation of an operating system according to this PP
* Guidelines for compositional security for developers and evaluators
* Preservation of certified assurance throughout operational deployment
* The approach is applied to three industrial pilots (smart grids, railway, and subway).
\"
\"certMILS has three technical activity lines and one management activity structured into work packages (WP).
Activity 1: Compositional Methodology for Security Certification
WP1 \"\"Baseline for compositional evaluation\"\": Partners with security and safety backgrounds worked together, summarizing already existing compositional security regulations/interpretations (D1.1), what tools/techniques exist (D1.2), our take at how to do compositional certification for a separation-kernel based product (D1.3).
WP2 \"\"Standardisation of MILS integration methodology\"\": We drafted the Base MILS Protection Profile (D2.1), using the Security Target and evaluated it that it meets CC content requirements. Many (sometimes weekly) discussions were held to identify which potential PP Modules would be needed by the MILS community (D2.2). We edited in parallel the Base PP and PP Modules due to strong interdependency. We created templates for a security architecture (D2.3) and guidance (D2.4), for using a separation kernel to build secure CPS systems.
Activity 2: MILS Platform Certification
WP3 \"\"MILS platform definition\"\" serves for the certification of a separation kernel. It is an instantiation of the more abstract WP2 work we did. We studied how the modular PP of WP2, consisting of a base PP and PP modules, can be used to represent this security target.
In WP4 \"\"MILS platform enhancement\"\" we developed a security testing methodology, considering the relevant standards CC and IEC 62443, and fuzzing to discover hard to find vulnerabilities. We implement a certifiable partitioned network driver on a complex SoC with a comprehensive packet processing and accelerators (work on the driver and the security testing will continue in the second reporting period) and described a certifiable design of secure boot and secure update in a MILS system.
WP5 \"\"MILS platform certification\"\" provides assurance that the MILS separation kernel works as specified in the Security Target (ST). We reviewed documentation, including the ST itself, documentation related to the product life cycle, development and guidance. Following the Common Criteria standard, we produced an evaluation report.
Activity 3: Certification Pilots
WP6 \"\"Pilot: Smart Grid\"\": For medium-assurance, a pilot was based on Industrial and Automation Control System (IACS) of an electrical substation, including Remote Terminal Units (RTU) as main devices. We defined the security scope for the pilot, considering the standards IEC 62443-4-2 and Common Criteria. A master-slave configuration with control, communication and acquisition RTU devices was implemented, ready to carry out the security evaluation. In order to scale the pilot from medium to high assurance, a compositional security design (with WP2 input) was made. We are porting the RTU architecture to PikeOS.
WP7 \"\"Pilot Railway\"\": A presentation of the use case demonstrator (security gateway) took place, description of the use case of the railway pilot is done. Security requirements based on IEC 62443 for the railway pilot are defined.
WP8 \"\"Pilot Subway\"\": We specified the HW platform and operational environment of the demonstrator has been specified, defined SW components, which must be implemented to create application “T-compositionâ€, and defined standards to show the principles and procedures for the implementation, acceptance and subsequent certification.
Activity 4: Management, dissemination and exploitation
We created logo, templates and project colors to make certMILS recognisable in fairs, conferences, workshops and events. certmMILS IT infrastructure has been set up, as well as a website, http://www.certmils.eu, Twitter, LinkedIn and Zenodo account. The consortium has already 2 workshops (http://mils-workshop.mils.community/), 6 published papers and 3 newsletters. Kick-off, technical and advisory board meetings took place, and monthly telcos are held. Risks assessment is continuously performed.
\"
Our approach to use PP modules for certification (D2.1, D2.2) proved a good choice: when we started certMILS, modular PPs only had been proposed (French ANSSI); but since April 2017 modular PPs have been integrated into mainline Common Criteria (CC). For feedback, we have initiated a working group at CC users forum, with already 5 separation kernel producers, 2 separation kernel users, 2 certification authorities, 2 evaluators, and 2 semiconductor vendors.
certMILS also contributes to IEC 62443 via active participation in IECEE.
The certMILS approach to modular design, assurance, and certification, fosters heterogeneous systems, increasing security assurance and decreasing costs. We have formulated an approach how to use Common Criteria assurance for a separation kernel for IEC 62443 (D1.3) and security architecture templates (D2.3) and guidance for composed systems using IEC 62443 and Common Criteria (D2.4). We also have worked on system development processes that consider security throughout the development cycle (D1.3, D4.1). We have validated this work in three demonstrators (smart grid, railway and subway).
More info: http://www.certmils.eu.