Cyber Security as a Design Objective
Furthermore, standard components are increasingly being used in military systems as well, without having been developed specifically for those systems. Where previously the military and the Pentagon in particular acted as the main driver of technological innovation, these days many applications are provided using COTS products (commercial off-the-shelf), which is to say standard products manufactured in large quantities for civilian purposes, which are accordingly cheap to obtain. In addition, such products benefit from corresponding development systems and a multitude of engineers with relevant expertise, allowing military IT systems to be developed more economically and above all more quickly. However, the use of COTS products also has its downsides because many products have vulnerabilities ‒ vulnerabilities which are known and therefore easily exploited by hackers. And, in contrast to an office computer, digitalised vehicles and weapon systems cannot simply be recalled to base at any time in order to run the latest security updates. Consequently, in May 2018, the US Department of Defense enforced an almost complete ban on the procurement and operation of COTS drones due to security issues, whereupon the Marine Corps had no option but to decommission 600 drones, at least temporarily, that had only just been purchased.
Avoidance of relevant Security Vulnerabilities
Security vulnerabilities are particularly critical in embedded systems that are relevant from a security perspective and responsible for certain monitoring and control functions; for example, in automotive, aerospace, rail, industrial or medical applications, as well as in the armed forces. Functional security ‒ i.e. avoiding mishaps ‒ has thus far been the focus for such applications, but cyber security has become substantially more important in recent years. These kinds of systems cannot be compromised, let alone taken over by hackers, under any circumstances, as such an outcome would have serious consequences, up to and including injury or loss of life. And even though military systems may be less interesting to hackers from an economic perspective, they do make promising targets for image reasons. There is also the possibility that electronic vulnerabilities could be exploited by nation states that command significant resources. This means that the cyber security of military systems necessitates incredibly high standards. The more the armed forces rely on autonomous systems, the more relevant this becomes. In such autonomous systems, or in unmanned, remote-controlled vehicles or weapon systems, each individual function is controlled by software, offering would-be hackers a huge target and numerous attack vectors.
Nevertheless, embedded systems in particular still have a lot of ground to make up where security is concerned. Whereas safeguarding functional security has always been a design principle in critical systems, IT security is still too often seen as something that can be augmented in later development cycles. For example, the United States Army Tank Automotive Research, Development and Engineering Center tendered for an Intrusion Detection System for existing military vehicles back in spring 2018. The aim is to defend such vehicles against attacks and mitigate the effects thereof. However, a system of this nature can only detect successful attacks that have already taken place ‒ it cannot prevent them. Meanwhile the Canadian armed forces are looking for trainers to support the crews of military vehicles in detecting and combating cyber attacks ‒ undoubtedly a laudable aim, but also a clear signal that their systems are manifestly vulnerable.
Critical Systems Protection
Cyber security is first and foremost a question of protecting critical systems against unauthorised access and manipulation in particular. Due to the agility and ‒ in the case of attacks carried out by nation states ‒ practically unlimited resources of hackers, this can only work if cyber security is defined as a fundamental goal from the start in the design and development phase. Once a technical system has been released, it is no longer possible to retroactively integrate cyber security. In principle, a number of aspects have to be taken into account in the design and development phase with regard to cyber security:
- The first relates to the individual electronic assemblies, referred to as embedded computers, that are responsible for all the functions available in the vehicle.
- The second is the communication between the individual components that make up the overall system and therefore the vehicle itself.
- The third is the numerous interfaces between the security-critical overall system ‒ such as a highly autonomous vehicle or weapon system ‒ and the outside world.
- Finally, data transmission and processing outside of the system, including within the cloud and the back-end, must be factored into security considerations.
The requirement for "Security by Design" becomes particularly important as increasing numbers of security-critical and non-critical applications are operated from within the vehicle and logically or physically linked to each other. While it is undesirable for an attacker to gain access to non-critical systems, it is not dangerous; if, however, they are able to use this gateway to access security-critical systems, the situation changes immediately – and dramatically. It is therefore essential to strictly isolate applications with different criticality levels from each other. This is relatively straightforward if a dedicated computer is used for each function, and if communication between each computer is kept to the bare minimum of what is necessary and takes place over secured communication channels. However, this impedes efforts to use COTS products and results in highly complex and potentially error-prone overall systems. The facility to strictly and securely isolate applications that are operated on the same hardware from each other, thereby preventing them from mutually affecting each other under any circumstances, is therefore required. In addition, such architecture must provide the option to support applications taking place in real time – which is to say those where a direct reaction to an event is necessary – as well as applications that are less time-sensitive.
PikeOS for securely isolating Applications
PikeOS from SYSGO offers developers of military systems an environment that guarantees application isolation; one which has proven itself in the aviation industry, meeting the extremely high security requirements involved. PikeOS is a modular software architecture that integrates multiple embedded applications on a single hardware platform. PikeOS offers both a full real-time operating system (Hard RTOS) and a virtualisation and partitioning system in order to support the specific requirements of applications in highly critical environments. The PikeOS platform is based on a small, certifiable microkernel which provides a virtualisation infrastructure. This enables various applications and resources to be placed within secure, individual partitions.
The PikeOS Hypervisor itself is certified to the highest industry standards and is therefore a suitable foundation for critical systems where ensuring functional security is just as important as guaranteeing IT security. The security mechanisms are essentially based on two principles: Strict isolation of applications by means of time and resource partitioning, and control of communication channels. The individual applications within the overall system can have differing criticality levels within this environment.
Thanks to the PikeOS security mechanisms, certification in line with sector-specific safety and security standards can be carried out separately for each application – an essential feature for keeping costs under control. In addition, PikeOS was the first platform to receive SIL 4 certification in multicore environments.
PikeOS is a European system and is therefore not subject to any restrictions. It is being continually developed by SYSGO GmbH and adapted to new requirements. SYSGO is a company within the French Thales Group, which also guarantees support for systems with a very long life cycle throughout the entire cycle.