Critical Infrastructure Protection using Adaptive MILS

The fundamental principle on which the CITADEL project was founded is that to be resilient, a system must be adaptable. Critical infrastructures, systems of autonomous systems, cloud computing for safety- and security-critical applications, are all dynamic systems that demand reliability, robustness, resilience, security, and other attributes we refer to generically as dependability. These systems while proving high assurance must be developed, certified, deployed, and maintained at an affordable cost. Moreover, the modern environment has become hostile for the critical infrastructures requiring constantly adapting their safety and security behaviour.

Trustworthy adaptation requires that a system can be dynamically reconfigured at runtime without compromising the robustness and integrity of the system. Traditional certification practices have conservatively required critical systems to be static, and required assessment of the entire integrated system for certification. Adaptability has been at odds with certification. The Adaptive MILS technologies that have been developed in CITADEL have extended MILS, a successful paradigm for rigorously developed and assured composable static systems, with adaptation mechanisms and a framework within which those mechanisms may be safely and securely employed for reconfiguration within the constraints of a configuration policy.

MILS is a component-based approach to develop and certify critical systems. In the past, MILS implementations were provided only for fixed runtime architectures as they were based on statically configured MILS platforms. That is, the configuration information used to configure the exported resources of the separation kernel, and other MILS resource-sharing foundational components making up the MILS platform, was finalised before initialisation of the MILS platform. After initialisation there is no creation or destruction of exported resources, and no changes in the information flow policy. This is a characteristic shared with safety-critical real-time operating systems (RTOSs). The rationale, inherited from the safety domain, is that only static systems can be adequately well understood and analysed to achieve the required level of confidence that they will behave as expected. The approach has also been applied to security-critical systems needing the highest levels of assurance. A MILS platform that implements a full and flexible ability to change its configuration during runtime is said to be dynamic.

The CITADEL project has built upon the MILS technology accomplishments of D-MILS and Euro-MILS, and has carried out the research and development necessary to create adaptive MILS systems. Adaptive MILS will support a new generation of evolving adaptive critical Infrastructure systems in Europe, where adaptability is a crucial ingredient for the safety and security of future systems, and where the rigorous construction and verification made possible by MILS particular benefits.

The project has been finalised with all of the technological results being completed and evaluated in the context of three critical infrastructure demonstrations fro the Transport, Manufacuting and Communications sectors. Technologies delivered provide greater protection of Europe's critical infrastructures including the world’s first distributed adaptive MILS platform allowing regulated critical infrastructure to detect anomolies and threats and rapidly adapt the system to continue to operate safely without disruption of functions and services. The modelling language developed provides a holistic and fine-grained system development capability for critical infrastructures to establish dynamic reconfigurability of systems utilising multiple types of monitoring of communications and operations to ensure systems react, adapt and reconfigure when anomolies and threats occur. The technology components for developing distributed adaptive MILS systems for critical infrastructures support required certification and compliance requirements with provision of a high-assurance security evaluation methodology that automates the certification process and ensures continuous integrity of dynamic critical infrastructure systems as they adapt and reconfigure to address security threats. These capabilities have been deployed in the project in industrial critical infrastructure applications and validated to ensure they can be taken-up by industrial organisations across Europe.

Exploitation and dissemination of the technologies are being carried out in two parallel and complimentary directions. First is the inclusion of the project technologies in commercial platforms, networking systems, and monitoring products from the market leading technology providers that are members of the consortium. First project results will be available within commercial products in the first half of 2020. The second direction is availability in open source of the software tools used for modelling, developing and verifying distributed adaptive MILS systems for use in critical infrastructures. These technologies have already been made available in open source and accessible to European organisations seeking to develop critical infrastructure systems.

The project has achieved in its final phase the demonstration of the capabilities of the adaptive MILS technology in several industrial application scenarios, and has laid the technical foundations for a certification framework for use of adaptive MILS systems in critical infrastructure applications. The specific technological achivements of the CITADEL project include the following:
• Creation of the world’s first distributed adaptive MILS platform for safety/security-critical infrastructures allowing regulated critical infrastructure to operate safely in a hostile environment combining the previous results from diverse research projects in the MILS domain into a product-grade platform.
• Development of a user-friendly modelling language to describe reconfigurable systems and a high-assurance framework for adaptive reconfiguration providing a top-to-bottom (from high-level abstract declarative specifications to fine-grained configuration change invocations), and end-to-end (from specification of necessary properties to the verification and certification of systems possessing those properties) solution for complete and trustworthy development.
• Development of a European high-assurance security evaluation methodology that benefits European critical infrastructures based on the well-established Common Criteria framework to assess and build-up assurance guarantees for adaptive systems. In the face of constantly changing hostile environments, this is a key to highly resilient critical infrastructures which have to comply with multiple regulation requirements.
• Demonstration of the technology readiness of CITADEL technologies for adoption in European critical infrastructures by carrying out industrial tests of technologies within three European critical infrastructures according to the operators’ certification constraints.

The adaptive MILS technologies developed in the CITADEL project establishes a common framework for safety- and security-critical systems construction and certification, encouraging innovation among component and service suppliers, and leading to improved dependability while reducing the cost to develop, certify and deploy trustworthy critical infrastructure systems across Europe.