A fully integrated software framework for secure data exchange in critical environments could address this issue. SYSGO developed this kind of framework for the automotive industry called SACoP (Secure Automotive Connectivity Platform), but this solution can also be used as a blueprint for a solution that enables secure communications in rolling stock and wayside signalling. The platform guarantees information security by protecting data transfer through strict encapsulation and separation of all communication channels. This partitioning is complemented by a secure boot process, an integrated intrusion detection system and a firewall. Partitioning also results in a minimized attack surface and allows restricting passenger access to non-critical applications and protocols such as HTTP. In the following, we will examine the contents of the SACoP platform in detail and discuss whether the underlying concepts can be re-used in a railway environment.
The connectivity platform leverages SYSGO's PikeOS real-time operating system (RTOS) and hypervisor technology, which allows critical and non-critical infrastructure to run simultaneously on one system. Through its resource and time partitioning, PikeOS has been designed to meet all essential requirements for determinism and real-time behaviour, security, protection and virtualization. As a Type-1 hypervisor, it runs directly on the embedded hardware, making the overall system as powerful as possible. Furthermore, PikeOS supports certifiable multi-core designs. In addition to the strict separation of memory and I/O resources, the OS also implements a form of time partitioning that meets the strictest requirements with regard to real-time capability. Several time windows are defined within a freely definable, repeating cycle (also called the major time frame). One or more guest operating systems are assigned to each of these time windows. Within a time window, fixed priorities can be assigned to the allocated operating systems. For railroad applications, time partitioning could be extended by a further dimension, support for multi-core processors, which makes it possible to run different time partition schemes on different processor groups. Furthermore, extensive settings can be made with regard to cache behaviour in order to minimize hardware-related interference between the processor cores. On the software side, local locks (fine-grained locking) are used in the operating system, among other things, to prevent the expected worst-case execution time (WCET) from being exceeded due to conflicts between the cores. The multiprocessor support has already been certified by TÜV SÜD in accordance with EN 50128 and EN 50657 for SIL 4.
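The major time frame described above, as an added example that is not SYSGO's or PikeOS's code: a small Python simulation of a repeating cycle of time windows with fixed-priority guests, showing that a guest demanding far more CPU than its window holds cannot take time from the window of a critical guest. The window sizes, partition names and the `Window`, `Partition`, `mtf_errors` and `schedule_mtf` names are constructed assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Partition:
    name: str
    priority: int   # fixed priority inside its window; the highest ready priority runs
    demand: int     # CPU ticks the guest wants per cycle (a runaway guest asks for far more than it gets)

@dataclass
class Window:
    start: int      # offset in ticks inside the major time frame
    length: int
    partitions: List[Partition] = field(default_factory=list)

def mtf_errors(windows: List[Window], mtf_length: int) -> List[str]:
    """Static configuration check: windows must tile the major time frame without gaps or overlap."""
    errors, expected = [], 0
    for w in sorted(windows, key=lambda w: w.start):
        if w.start != expected or w.length <= 0:
            errors.append(f"window at tick {w.start} overlaps or leaves a gap")
        expected = w.start + w.length
    if expected != mtf_length:
        errors.append(f"windows end at tick {expected}, frame length is {mtf_length}")
    return errors

def schedule_mtf(windows: List[Window], mtf_length: int, cycles: int) -> Dict[str, int]:
    """Simulate `cycles` repetitions of the major time frame; return ticks granted per partition."""
    errors = mtf_errors(windows, mtf_length)
    if errors:
        raise ValueError(errors)
    granted = {p.name: 0 for w in windows for p in w.partitions}
    for _ in range(cycles):
        wanted = {p.name: p.demand for w in windows for p in w.partitions}   # demand resets each cycle
        for w in sorted(windows, key=lambda w: w.start):
            for _tick in range(w.length):
                # Only guests assigned to this window are eligible: demand elsewhere cannot spill in.
                ready = [p for p in w.partitions if wanted[p.name] > 0]
                if not ready:
                    continue   # idle tick; unused time is not carried over to another window
                running = max(ready, key=lambda p: p.priority)
                wanted[running.name] -= 1
                granted[running.name] += 1
    return granted

# Constructed configuration: a 10-tick major time frame with two windows.
RUNAWAY = Partition("passenger_wlan", priority=5, demand=1000)  # non-critical guest that never yields
SIGNALLING = Partition("signalling", priority=9, demand=4)       # critical guest, needs 4 ticks per cycle
LOGGER = Partition("maintenance_log", priority=1, demand=2)      # shares the critical window at low priority
MTF = [Window(0, 4, [RUNAWAY]), Window(4, 6, [SIGNALLING, LOGGER])]
```

Running `schedule_mtf(MTF, 10, cycles=3)` grants 12 ticks to the runaway guest (its own window only) and 12 and 6 ticks to the two guests in the critical window, regardless of the runaway guest's demand.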
Partitioning is Key
By using the hypervisor functionality in PikeOS to run applications in strictly separated partitions, safety-critical applications in particular can run uninterrupted in a given time frame. The platform can make use of the pre-certified PikeOS separation kernel version 4.2.3 (build S5577 for ARMv7/8 & x86_64) according to the Common Criteria EAL3+ security standard and could be certifiable for safety up to SIL-4. This means that only one hardware system is required when planning the software architecture, which reduces development and production costs and accelerates time to market. The platform offers a flexible software framework that helps customers design their software architecture to secure communications and updates.
A gateway supporting multiple protocols (3G/4G/5G) enables a variety of applications, such as over-the-air updates of applications, connectivity to the cloud back-end or uploading maintenance data. Software and firmware components of the entire system are updated over secure TLS communication (FIPS certified). All update files are digitally signed to prevent tampering.
Internally, a WLAN hotspot set up for passengers is protected by the platform's firewall. The internal network is separated and can only be accessed via secure and monitored channels. The gateway supports Virtual Local Area Networks (VLAN).
Focus on Security
The platform uses a secure boot mechanism. Secure communication is ensured by a Transport Layer Security (TLS) library. Cryptography and secure storage are supported as well: executable binaries and configuration files are digitally signed and stored on a secure Certified File System (CFS). The gateway's Network Intrusion Detection System (IDS) resides in a separate partition and monitors network traffic from there. Isolating different applications in separate partitions not only increases security, but also simplifies license management.
One of the great advantages of virtualization is that new functions can be added at any time. This usually requires the combination of existing software components with completely new and sometimes incompatible APIs (Application Programming Interfaces). Maintaining a stable software base while being able to fulfill end-user requests is a challenge. This is where virtualization comes into play. A running virtualized system is expandable by adding any number of partitions with guest operating systems without compromising security. The platform supports integration of different guests with additional applications, including PikeOS native, POSIX, Linux (generic via hardware virtualization), AGL (Automotive Grade Linux) and ELinOS, SYSGO's robust embedded Linux distribution.
Embedded application development for a partitioned system requires a cross toolchain, well-designed and easy-to-use configuration tools, remote debugging with OS awareness (thread states, virtual address mappings, etc.), a target board, remote application deployment, and timing analysis tools. With CODEO, an Eclipse-based IDE, SYSGO provides a complete embedded systems environment that covers the entire development cycle from early simulation/emulation tools to software update mechanisms for deployed systems.
Based on the MILS Architecture
PikeOS employs a security-by-design concept originating from the avionics industry: Multiple Independent Levels of Security (MILS), which targets controlled information flow and resource usage amongst software applications. MILS reduces certification complexity, promotes re-use, and enables secure updates to Cyberphysical Systems (CPS) throughout the entire life-cycle by providing certified separation of applications, i.e. if an application within a complex CPS fails or starts acting maliciously, other applications are unaffected.
According to MILS, systems are divided into three horizontal levels with different rights and different degrees of trustworthiness. The lowest level is the hardware, including further platform and security modules. The second level contains the separation kernel, which controls all communication in the system and allocates computing time and memory access to the individual applications. Only the separation kernel is privileged for hardware management access and is considered trustworthy with regard to security. All other modules of the second-level system software are also trustworthy, but not privileged for direct hardware management access; they are used to configure and organize the overall system and to monitor its functionality. All applications running in user mode are considered untrustworthy and are assigned to the third level.
The MILS concept calls for the consistent and uniform implementation of several security policies in the separation kernel in order to establish and maintain the trustworthiness of the system. The separation kernel is the element that enables compositional security certification. The separation kernel itself shall be certified as able to enforce these security policies with the required assurance (e.g., the Evaluation Assurance Levels of ISO/IEC 15408). These security policies are enforced by security functions whose implementation is reduced to an absolute minimum so that their evaluation and certification remain feasible. They include, but are not limited to:
- information flow: The separation kernel must enable and control the information flow between hardware, system software and applications;
- data isolation: The separation kernel isolates the memory areas and resources allocated to each application;
- clean CPU registers: The separation kernel clears all CPU registers before another application is allowed to use the CPU;
- limitation of damage: The separation kernel limits malfunctions of an application to its partition. All other applications, the system software and the separation kernel itself are not affected.
A MILS platform has to be non-bypassable, evaluable, always invoked, and tamper-proof (NEAT) in order to provide the required high level of security.
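The separation kernel policies listed above, as an added example that is not PikeOS code: a Python model in which one kernel object is the only path between partitions (always invoked, non-bypassable), enforcing a static channel list (information flow), memory region ownership (data isolation), register clearing on every partition switch, and confinement of a faulting partition (limitation of damage). Partition names, region names and the `SeparationKernel` methods are constructed assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class SeparationKernel:
    # Static policy, fixed at integration time; applications cannot change it at run time.
    channels: Set[Tuple[str, str]]        # allowed (source, destination) information flows
    regions: Dict[str, str]               # memory region -> owning partition
    registers: Dict[str, int] = field(default_factory=lambda: {"r0": 0, "r1": 0, "pc": 0})
    current: str = ""                     # partition that currently holds the CPU
    faulted: Set[str] = field(default_factory=set)
    audit: List[str] = field(default_factory=list)   # denied operations, fed to the IDS partition

    def switch_to(self, partition: str) -> Dict[str, int]:
        """Clean CPU registers: wipe the register file so nothing leaks to the next partition."""
        self.registers = {name: 0 for name in self.registers}
        self.current = partition
        return self.registers

    def send(self, dst: str) -> bool:
        """Information flow: only a statically configured channel may carry data; every other
        attempt is denied and recorded. A faulted sender is cut off entirely."""
        src = self.current
        if src in self.faulted or (src, dst) not in self.channels:
            self.audit.append(f"DENY flow {src}->{dst}")
            return False
        return True

    def access(self, region: str) -> bool:
        """Data isolation: a partition may only touch memory regions it owns."""
        if self.regions.get(region) != self.current:
            self.audit.append(f"DENY access {self.current}->{region}")
            return False
        return True

    def fault(self) -> Set[str]:
        """Limitation of damage: a crash is confined to the faulting partition; others keep running."""
        self.faulted.add(self.current)
        return self.faulted

# Constructed gateway configuration: signalling may talk to the gateway partition only, and only
# the gateway reaches the external link; the passenger WLAN partition has no channel at all.
KERNEL = SeparationKernel(
    channels={("signalling", "gateway"), ("gateway", "cloud_link")},
    regions={"sig_mem": "signalling", "gw_mem": "gateway", "wlan_mem": "passenger_wlan"},
)
```

Every denied attempt lands in `audit`, which is the kind of event the IDS partition described earlier would consume.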
MILS in Railway Applications
While originally developed and applied in military and avionic applications, the MILS concept is also entirely suitable for the railway industry, specifically with respect to certifiable systems. The EU-funded certMILS project, in which SYSGO is actively involved, is currently developing a compositional security certification methodology for complex composable safety-critical systems operating in constantly evolving hostile environments. As part of this initiative, certMILS develops composable industrial CPS pilots for railway systems, certifies the security of critical reusable components, and ensures security certification of the pilots by certification labs in three EU countries with involvement of the authorities. While developing and applying the security certification methodology, certMILS will respect and complement the existing safety certification processes.
The certMILS project’s main objectives are to transfer know-how in compositional safety certification to security certification and to make certification of composed systems affordable. It is also specifically designed as a European project in order to reduce dependence on US technologies. The aim is to increase the economic efficiency and European competitiveness of CPS development, while demonstrating the effectiveness of safety and security certification of composable systems.
One of the main targets of certMILS is to apply relevant security standards in the railway domain to foster homogenization of security requirements and help customers provide a conformant level of security in their products. Just like in the safety domain, the goal is to provide guidance for security building blocks, which can be integrated into complex systems using secure gateways for communication. In this way, the integrity of the system can be ensured from a security point of view. Furthermore, security gateways based on certified MILS Platforms will demonstrate modular security and reach high security levels.
Security on a Safe Platform
The discussed platform could be applied to SYSGO’s and Kontron’s SAFe-VX platform. The SAFe-VX platform supports the rapid development and certification of safety-critical railroad systems and applications. SAFe-VX consists of proven COTS hardware from Kontron, SYSGO's PikeOS, and a safety library for communication. The package is completed by a comprehensive toolchain including debugging, tracing and monitoring, which is embedded in the integrated development environment CODEO. The development system has exactly the same components as potential target systems, so that the code can be transferred directly.
The hardware is a Safety Critical Computer based on VPX modules in a 19-inch rack. The VPX standard, also known as VITA 46, has its origins in the proven VMEbus standard and focuses on increased performance when bridging between buses. The basic configuration consists of three redundant processor modules interconnected by a Gigabit Ethernet switch via the backplane. Among other measures to prevent common-cause failures, the boards are electrically isolated from each other. SAFe-VX has no single point of failure. The architecture is certifiable up to SIL 4, and a certification kit is available.
More information at www.sysgo.com/railway