
Compositional security certification for medium- to high-assurance COTS-based systems in environments with emerging threats

Periodic Reporting for period 2 - certMILS (Compositional security certification for medium- to high-assurance COTS-based systems in environments with emerging threats)

Reporting period: 2018-07-01 to 2019-12-31

Previously isolated physical systems have become connected to the Internet, thus becoming cyber-physical systems. For instance, in transportation, for passenger as well as operator comfort, almost all means of transportation (airplanes, trains, cars, and ships) are networked. Because a malicious attacker can cause physical havoc, the security of cyber-physical systems has attracted a lot of interest. However, unlike many other IT systems, cyber-physical systems have usually already been heavily scrutinised for safety for decades. While safety protection against accidental faults does not address security, there are already established safety methods as well as "safety certification stakeholders". Securing and certifying cyber-physical systems therefore must respect the existing safety certification processes.
certMILS develops a security certification methodology for cyber-physical systems (CPS). CPS are characterised by their safety-critical nature, complexity, connectivity and open technology. certMILS aims to increase the economic efficiency and European competitiveness of CPS development, while demonstrating the effectiveness of safety & security certification of composable systems. The "MILS" in certMILS stands for "Multiple Independent Levels of Safety/Security", indicating that certMILS uses a special kind of operating system called a "separation kernel" (SK). This kind of operating system focuses on being highly deterministic and reliable, and puts user functionality into the application layer. The SK enforces strict separation between partitions, which is what makes it possible to evaluate the components running on it separately and compose the results.
certMILS generates interaction between developers, evaluation laboratories and certification authorities in three European countries, creating: a standardised and validated compositional methodology for evaluating and certifying high-assurance products; a modular protection profile (PP) for SKs, also addressing hardware aspects, for the Common Criteria for Information Technology Security Evaluation (CC) standard; an evaluation of an SK according to this PP; guidance for developers and evaluators; and assurance preservation throughout operational deployment. The approach is applied to three industrial pilots (smart grid, railway, and subway).
Activity 1: Compositional Methodology for Security Certification
WP1 "Baseline for compositional evaluation": Partners with security and safety backgrounds summarised existing compositional security regulations and interpretations (D1.1), the tools and techniques that exist (D1.2), and how to do compositional certification for an SK-based product (D1.3).
WP2 "Standardisation of MILS integration methodology": We drafted the Base MILS Protection Profile (D2.1) using the Security Target (ST) and evaluated that it meets the CC content requirements. We identified potential PP Modules that could be of use to the MILS community for additional functionality (D2.2). Because of their interdependency, we edited the Base PP and the PP Modules in parallel. We created templates for a security architecture (D2.3) and guidance for using an SK to build secure CPS (D2.4).

Activity 2: MILS Platform Certification
WP3 "MILS platform definition" serves the certification of an SK. It instantiates the more abstract WP2 work. We studied how the SK's ST maps onto the modular PP of WP2 (a base PP plus PP modules), and asked for certification body feedback.
WP4 "MILS platform enhancement" developed a security testing methodology, considering the relevant standards (CC and IEC 62443) and using fuzzing to discover hard-to-find vulnerabilities. We implemented a certifiable partitioned network driver with accelerators and described a certifiable MILS design for secure boot and update.
WP5 "MILS platform certification" provides assurance that the MILS SK works as specified in its ST. We reviewed product and development artefacts, including the ST itself and documentation related to the product life cycle, development and guidance. We produced CC evaluation reports.

Activity 3: Certification Pilots
WP6 "Pilot: Smart Grid": For medium assurance, a pilot was based on the Industrial Automation and Control System (IACS) of an electrical substation, including Remote Terminal Units (RTUs). We defined the security scope for the pilot, considering the standards IEC 62443 and CC. A master-slave configuration with control, communication and acquisition RTU devices was implemented. In order to scale the pilot from medium to high assurance, a compositional security design was made (with WP2 input), and the RTU architecture was ported to PikeOS.
WP7 "Pilot: Railway": The use-case demonstrator (a security gateway) was presented and the use case of the railway pilot has been described. Security requirements based on IEC 62443 were defined for the railway pilot, and the pilot was implemented.
WP8 "Pilot: Subway": We specified the hardware platform and operational environment of the demonstrator, defined the software components that must be implemented to create the application "T-composition", and defined the standards that set out the principles and procedures for implementation, acceptance and subsequent certification. The pilot was implemented.
We are now doing a security evaluation of all three pilots according to IEC 62443.

Activity 4: Management, dissemination and exploitation
We created a logo, templates and project colours to make certMILS recognisable at conferences, workshops and events. An IT infrastructure was set up, as well as a website, social media and a Zenodo community for public deliverables. We validated our SK protection profile approach by soliciting feedback from SK experts (D9.2). The consortium has already organised 3 MILS workshops with proceedings on Zenodo, published 16 papers and 5 newsletters. Kick-off, technical and advisory board meetings took place, and monthly telcos are held. Risk assessment is performed continuously.
Our approach of using PP modules for certification (D2.1, D2.2) proved to be a good choice: when certMILS started, modular PPs had only been proposed, but since April 2017 modular PPs are integrated into mainline CC. certMILS produced 11 additional PP modules for components that can be used as modules, far beyond initial expectations. The approach was validated with SK experts (D9.2). We initiated a CC Users Forum working group, which already has the following participants: SK vendors (11 persons), certification bodies (2), evaluation laboratories (9), hardware vendors (2), Tier-1/2 (3) and academics (4).
certMILS participates in IECEE for IEC 62443. Partners EZU and THA achieved one of the first IEC 62443-4-1 certifications worldwide. We learned that some standards are aware of each other; for example, the ISASecure SDLA scheme for IEC 62443 explicitly acknowledges the validity of CC certification for an operating system.
The certMILS approach to modular design, assurance and certification fosters safe and secure development of heterogeneous systems, increasing security assurance and decreasing costs. We formulated an approach for using the CC assurance of an SK within IEC 62443 (D1.3), security architecture templates (D2.3), and guidance for composed systems using IEC 62443 and CC (D2.4). We worked on system development processes that consider security throughout the development cycle (D1.3, D4.1) and validate this work in three demonstrators (smart grid, railway and subway).