We describe compositional architectures and certifications in the research project certMILS. Compositional architectures enable re-use of certified COTS (commercial off-the-shelf) components with a well-defined delegation of responsibilities between component developers and system integrators during cyber physical system design and certification. We show how we used a Common Criteria certified MILS (Multiple Independent Levels of Safety / Security) platform for compositional designs and IEC 62443-4-1/62443-4-2 security evaluations and certifications for composed systems from the domains of smart grid, railway, and subway, that are safety- and security-critical.

Security concerns become increasingly important in safe-ty-critical industrial cyberphysical systems. Different options for security certification exist. We describe a Common Criteria certification for a MILS separation kernel, and IEC 62443 analysis and certifications for the smart grid, railway and subway pilots using the MILS approach in the research project certMILS.

The Critical Infrastructure Protection (CIP) is a classic example of system of systems (SoS) management. We pay special attention to interdependencies among systems within SoS. The article deals with the requirements for the cyber gateway at the train transportation management system. More and more telemetry and remote control through communication systems are used on the track because of the technological development. The train at cyberspace acts as an end network that is connected to the operating center network via an open public network. The gateway must then meet the requirements of the railway infrastructure as well as the cyber infrastructure. We deal with the integration of various requirements for the train gateway into one verification and certification cycle in this paper. The requirement integration is important because, in the first it is necessary to ensure coherence and consistency between different requirements. The second reason is to speed up possible re-certification. A recertification is necessary because gateway adaptation or installation in a new environment. The European project certMILS deals with the issue of re-certification.

The Urban guided transport management system (UGTMS) as subway, transports from several hundreds of thousands to millions of passengers per day. Size and irreplaceability of subway transport capacity include the subway transport to the critical infrastructures of cities, regions or countries. Modern transport critical infrastructures contain in addition to physical and social parts also the cyber control systems and they are marked as cyber-physical systems (CPS). The CPSs are characterized by safety-critical nature, complexity, connectivity, and open technology. The CPS complexity, openness and dynamics form a large attack surface that may lead to failures and irreparable damage.
Multiple Independent Levels of Security (MILS) can meet the high system security requirements. The MILS is a high-assurance security architecture based on the concepts of separation and controlled information flow. The article discusses the possibilities of using the MILS platform in the data communication subsystem, which connects the individual UGTMS subsystems (Wayside subsystem, On-board subsystem and operation control subsystem). Therefore, the communication system should guarantee transmission parameters and do not affect security level of the respective subsystems.

The secure integration of model-based, safety-critical applications implemented in the programming suite Ansys SCADE is explained with the help of a demonstrator. The interoperability between the embedded devices of the demonstrator is achieved using the new TRDP middleware. Remote connections are secured using the WireGuard secure network channel. The demonstrator security concept addresses the different life cycles of its heterogeneous components by adoption of the robust MILS separation architecture. The goal of this open demonstrator is to show how these essential technologies can be composed to a secure safety-critical system.

This white paper is reporting on interoperability aspects of the Common Criteria Base Separation Kernel Protection Profile (PP) draft. This white paper captures the results of the collaboration on PP interoperability organised by University of Rostock in Task 9.2. It reports how the PP draft can be applied to the separation kernels of MILS platform providers and how well the PP draft addresses requirements of users such as system integrators. Previously, the WP 2 has created a PP with additional modules. To make the proposed PP most accessible to all potential stakeholders in the MILS domain and the Separation Kernel application domain, WP 9 proposed to gather feedback from the community for integration into the PP draft. The activities being discussed resemble mostly the Common Criteria User Forum presentations and its community involvement. Beyond that, certification bodies and a few known consortium contacts were directly contacted and invited to provide feedback. The questions asked, as well as the accumulated answers are presented. The white paper closes with a discussion on the continued improvement of the PP for proposed acceptance and adoption.

Abstract: The certMILS project (http://www.certmils.eu/) aims at easing building and certification of complex critical systems by using a certain architecture for structuring these systems into partitions that run on a separation kernel, called MILS (Multiple Independent Levels of Security / Safety). Once a critical system is structured by use of a separation kernel, then this technical structuring should lend itself also to a similarly logically structured security and safety argument in certification.

Analogous to the separation kernel that is to be used for building a MILS system, this white paper provides a security architecture template that is to be used for the certification of that MILS system.

The target audience of this document is:

• Developers of systems, based on a MILS architecture, providing them a template about how to describe their MILS system.
• Security evaluators of a MILS-based system, giving hints about how the developer description can be used to argue for compliance to Common Criteria (CC) and IEC 62443.

The assurance case made by the security architecture template in this document identifies as building blocks the security mechanisms implemented by a MILS separation kernel and a typical application payload in partitions and derives typical security architecture arguments for MILS-based systems.

Abstract: High assurance Cyber-Physical Systems (CPS) are the supporting pillars of the critical infrastructure. They support the power grid, the water supply, transportation systems and many other devices, where failure or undefined behaviour lead to risk for loss of life, danger to the environment and defective operational safety of production. Rigorous testing practices have assured reliable behaviour even for failure scenarios in their predictable environments. However, previously isolated systems have become connected to the Internet and expose an attack surface that is hard to predict. While the safety of high assurance CPS is well tested with a controlled residual risk, security risks will rise throughout the deployment of a system. Hence, this paper describes research for a testing methodology to tackle emerging threats and preserve certified security assurance.

Abstract: This paper presents the concept example of how to integrate safety and security using a platform approach. The TAS Control Platform is a SIL4 vital computing platform for railway applications developed within Thales to support many different safety-critical applications. Using common standards, MILS concepts and building up on a generic safety concept, enables the integration of safety and security with TAS Control Platform, while still providing support for legacy applications. With this platform approach many applications can benefit from the consistent safe and secure basis.

Abstract: Security and cryptography protocols are seen by many as black-magic, largely due to their complex mathematical algorithms and entangled state-machines. This complexity has also led to numerous vulnerabilities in past years. Recent developments have simplified conformance requirements, and also introduced formal proofs to mainstream security protocols. In this work-in-progress publication we discuss, how this evolution has greatly improved the situation for critical systems, and how the architecture of MILS systems can raise the confidence for high-assurance systems.

Abstract: MILS (Multiple Independent Levels of Safety and Security) also is also inspired from modular systems such as integrated modular avionics. There are differences though: automotive electronic control units are under much more cost pressure than their avionics counterparts, and Classic AUTOSAR was targeting rather simple systems, with an initial focus on runnables that are compiled together, and we will highlight the difference as well as the evolution of AUTOSAR Adaptive that is much closer to the avionic model. On the other hand, AUTOSAR has a very good standardization momentum, resulting in hundreds of available documents, whereas the smaller MILS community has been less effusive. We map the AUTOSAR standards to MILS, to learn about (1) how well MILS systems can be used for AUTOSAR and vice-versa and (2) what other aspects the communities could mutually learn from.

Abstract: You have to develop an embedded system? You need to show its conformance to a safety standard (e.g. IEC 61508, ISO 26262, DO-178) or a security standard (e.g. IEC 62443, Common Criteria)? How does your life get easier by using a MILS design? Using an embedded operating system can help with modularization. Moreover, a *MILS* embedded operating system isolates processes and their resources from each other. Resource management and information flow control enable separation in time and separation in space. In this paper we show standard compliance work units that MILS helps achieving by technical means.

Abstract: Abstract: A "security by design" method achieves robustness against programming errors and malicious attacks. A security by design method must be simple to understand. It must be simple to implement, and also to simple to verify. It must enable the developer to create assurance evidence coherent with the design decisions. MILS is a security by design method. In short, application of the MILS approach starts with partitioning the system under design into isolated compartments. System resources, e.g. CPUs, CPU time, memory, IO devices, files, are assigned to compartments. After that the communication channels between compartments are defined with respect to the required API (e.g. POSIX, ARINC, AUTOSAR). Communication and resource sharing between security domains have to be explicit, i.e. everything is forbidden what is not explicitly allowed. In parallel threat modeling is executed, i.e. define system assets to be protected, threat agents and possible malicious actions, system objectives to fight the threats. MILS provides a way to execute mixed-critical applications of different pedigrees on one system. The system as a whole still can be certified to the highest security and safety assurance levels. This makes the approach extremely interesting for modern complex systems, e.g. in a car infotainment system: Android applications can run on the same platform as AUTOSAR applications that communicate with the engine. Until ca. 2000 the MILS concept was mainly used in the US military. Now the commercial interest has picked up. We explain a MILS Architectural Template that simplifies to set up MILS systems. We finish with applications of the MILS concepts across automotive and avionics.