In recent years, a huge number of embedded computer devices have gone online by means of various network technologies. That applies not only to mobile phones but also to vehicles, industrial facilities, medical devices and even airplanes. Many of those are based on a software architecture or software components that were designed before Security became an issue.
In other words, these devices are vulnerable to Cyber Security attacks because their base system was built without network connectivity in mind. Looking at the various domains, there are great hazards involved, such as induced failures in nuclear plants, theft of or external interference with automobiles, stolen personal data or fatal events in air traffic.
In order to mitigate the vulnerability of such an embedded device one might be tempted to put it behind a firewall. That significantly reduces the risk but increases the costs, the power consumption, the weight and the amount of cabling.
Another approach would be the modernization of the software architecture without radical changes of the legacy (Safety) software. That can be achieved by introducing an up-to-date embedded operating system such as hardened Linux with a current kernel.
The legacy system would be isolated from the online functionality by running both parts in different processes. The communication between the processes could be accomplished by means of designated supervised channels.
The resulting architecture is shown in Figure 1.
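The "designated supervised channel" between the online process and the legacy process is the one place where untrusted input crosses into the Safety code, so it pays to make its behaviour explicit. The following is an added example, not code from the whitepaper and not SYSGO's PikeOS or ELinOS API: a small gatekeeper that accepts only an allow-list of fixed-length message types, checks framing and a CRC, and applies a range check the legacy side relies on. The frame layout, the message types, the speed limit and all function names are constructed assumptions for illustration; the same approach applies to the inter-partition channel of the virtualized design described further below.

```c
/* Added example (not SYSGO code): gatekeeper for a supervised channel between
 * the online process and the legacy (Safety) process.
 * Assumed frame layout: [type:1][len:1][payload:len][crc16:2 big-endian] */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_PAYLOAD 16      /* hard cap on what the channel will ever carry */
#define MAX_SPEED   250     /* constructed operating-envelope limit for SET_SPEED */

enum msg_type { MSG_SET_SPEED = 0x01, MSG_GET_STATUS = 0x02 };  /* hypothetical */

/* Allow-list: each accepted type has exactly one payload length. Anything not
 * listed here is never forwarded to the legacy side. */
static const struct { uint8_t type; uint8_t len; } allowed[] = {
    { MSG_SET_SPEED,  2 },  /* uint16 big-endian speed */
    { MSG_GET_STATUS, 0 },
};

enum verdict { ACCEPT = 0, REJ_SHORT, REJ_LEN, REJ_TYPE, REJ_CRC, REJ_RANGE };

struct msg { uint8_t type; uint8_t len; uint8_t payload[MAX_PAYLOAD]; };

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). Detects corruption on the
 * channel only; it is not an authentication mechanism. */
uint16_t crc16(const uint8_t *d, size_t n) {
    uint16_t crc = 0xFFFF;
    for (size_t i = 0; i < n; i++) {
        crc ^= (uint16_t)((uint16_t)d[i] << 8);
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Sender side: serialise one frame. Returns bytes written, 0 if it does not fit. */
size_t build_frame(uint8_t type, const uint8_t *payload, uint8_t len,
                   uint8_t *out, size_t cap) {
    if (len > MAX_PAYLOAD || cap < (size_t)4 + len) return 0;
    out[0] = type;
    out[1] = len;
    if (len) memcpy(out + 2, payload, len);
    uint16_t crc = crc16(out, (size_t)2 + len);
    out[2 + len] = (uint8_t)(crc >> 8);
    out[3 + len] = (uint8_t)(crc & 0xFF);
    return (size_t)4 + len;
}

/* Supervisor side: validate one raw frame. On ACCEPT the parsed message is
 * copied into *out; on any rejection nothing reaches the legacy process. */
enum verdict supervise_frame(const uint8_t *buf, size_t n, struct msg *out) {
    if (n < 4) return REJ_SHORT;                                /* header + CRC */
    uint8_t type = buf[0], len = buf[1];
    if (len > MAX_PAYLOAD || n != (size_t)4 + len) return REJ_LEN;  /* exact size only */

    uint16_t want = (uint16_t)(((uint16_t)buf[2 + len] << 8) | buf[3 + len]);
    if (crc16(buf, (size_t)2 + len) != want) return REJ_CRC;

    int found = 0;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (allowed[i].type == type) {
            found = 1;
            if (allowed[i].len != len) return REJ_LEN;          /* right type, wrong shape */
            break;
        }
    }
    if (!found) return REJ_TYPE;

    /* Semantic check: the supervisor enforces the legacy side's operating envelope */
    if (type == MSG_SET_SPEED) {
        uint16_t speed = (uint16_t)(((uint16_t)buf[2] << 8) | buf[3]);
        if (speed > MAX_SPEED) return REJ_RANGE;
    }

    out->type = type;
    out->len = len;
    memcpy(out->payload, buf + 2, len);
    return ACCEPT;
}

int main(void) {
    uint8_t frame[4 + MAX_PAYLOAD];
    const uint8_t speed100[2] = { 0x00, 0x64 };     /* constructed sample input */
    size_t n = build_frame(MSG_SET_SPEED, speed100, 2, frame, sizeof frame);
    struct msg m;
    printf("valid frame    -> verdict %d\n", supervise_frame(frame, n, &m));
    frame[3] ^= 0x01;                               /* simulate channel corruption */
    printf("tampered frame -> verdict %d\n", supervise_frame(frame, n, &m));
    return 0;
}
```

The design choice is that the supervisor is the only component that parses bytes from the online side, and it is written so that its reachable state is tiny: fixed-length messages, no dynamic allocation, and a closed allow-list. Adding a new capability to the legacy side means adding one table entry and one range check, which keeps the channel reviewable during a Safety or Security assessment.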
There are still problems related with such a setup though:
The legacy implementation is out of the direct attack surface, but now there is a Linux kernel involved that consists of millions of lines of source code. As the number of software bugs grows with the size of the software, so does the number of vulnerabilities.
If the legacy project requires real-time behaviour, the determinism of the system is compromised, as Linux cannot guarantee worst-case execution times (WCET). That becomes even more of a problem if there are Safety requirements.
If the system must be certified for Safety, e.g. for an airborne object, the costs for the certification of the Linux kernel would exceed any budget in terms of time and money.
Similar problems would arise for a Security certification, e.g. according to Common Criteria.
Figure 2 shows another approach that uses a real-time operating system that provides virtualization. The OS is relatively small, just a few thousand lines of code. Certification according to DO-178C, ISO 26262 and Common Criteria is feasible.
The online part is connected to the network by means of an Ethernet driver that is strictly isolated from the rest of the system. The legacy Safety code is also running in a separate resource partition and even keeps its real-time behavior. There is also room for further non-critical feature updates by providing a complete Linux kernel.
Such an architecture can be built with SYSGO's PikeOS and ELinOS.
For the Automotive market there is already a reference solution available that focuses on the protection of the internal network and field bus infrastructure. At the same time, it allows the vehicle to communicate securely with other vehicles (V2V) and provides methods for over-the-air (OTA) software updates.
For more information, see the SACoP Product Page